This project showcases the end-to-end execution of a vulnerability management program, from assessment and scanning to remediation and reporting.
The implementation process is designed to reflect real-world practices, moving systematically from an initial baseline to a fully operational program.
Inception State: The organization begins with no established policy, procedures, or tools for identifying, assessing, or remediating vulnerabilities.
Completion State: A formal vulnerability management policy is established, stakeholder alignment is achieved, and a complete vulnerability assessment and remediation cycle is executed across the organization’s environment.

- Tenable: Enterprise-grade vulnerability management platform used for asset discovery, assessment, and risk prioritization.
- Microsoft Azure Virtual Machines: Deployed as both Nessus scan engines and target hosts, enabling scalable, cloud-based testing and validation.
- PowerShell: Used to automate remediation tasks, apply configuration changes, and verify system hardening across Windows environments.
- Vulnerability Management Policy Draft Creation
- Mock Meeting: Policy Buy-In (Stakeholders)
- Policy Finalization and Senior Leadership Sign-Off
- Mock Meeting: Initial Scan Permission (Server Team)
- Initial Scan of Server Team Assets
- Vulnerability Assessment and Prioritization
- Distributing Remediations to Remediation Teams
- Mock Meeting: Post-Initial Discovery Scan (Server Team)
- Mock CAB Meeting: Implementing Remediations
- Remediation Round 1: Outdated Wireshark Removal
- Remediation Round 2: Insecure Protocols & Ciphers
- Remediation Round 3: Guest Account Group Membership
- Remediation Round 4: Windows OS Updates
- First Cycle Remediation Effort Summary
This phase focuses on creating an initial Vulnerability Management Policy to establish a foundation for stakeholder engagement. The draft defines the program scope, roles and responsibilities, and remediation timelines. It serves as a working document that may be refined through feedback from relevant departments to ensure the policy is both practical and enforceable prior to final approval by executive management.
In this phase, a meeting with the server team is conducted to introduce the draft Vulnerability Management Policy and evaluate their ability to meet remediation timelines. Feedback from stakeholders informs adjustments to the policy, such as extending the critical vulnerability remediation window from 48 hours to one week, ensuring a collaborative and practical implementation approach.
Meeting Transcript
Danny: Good morning, Luca. How’s everything been recently? I know everyone’s been busy these last few weeks.
Luca: Good morning, Danny. Yeah, it’s been a bit hectic, but we’re hanging in there. Thanks for asking. I had a chance to read through the policy draft, and overall it makes sense. However, with our current staffing, we can’t meet the aggressive remediation timelines, especially the 48-hour window for critical vulnerabilities.
Danny: I totally understand. It is a bit aggressive, especially to start. Perhaps we can extend the critical remediation window to one week for now. We can reserve the 48-hour window for truly severe zero-day vulnerabilities.
Luca: That sounds reasonable. We appreciate the flexibility. Can we have a bit of leeway in the beginning as we get used to the remediation and patching process, just for the first few months?
Danny: Absolutely. After the policy is finalized, we’ll officially start the program, but all departments will have about six months to adjust and become comfortable with the new process. Does that sound fair?
Luca: Thanks, Danny. We’ll do our best. I appreciate you including us in the decision-making process. It really helps us feel like we’re part of the solution.
Danny: Of course. We’re all in this together. Thanks for working with us.
Luca: No problem. Thanks for the short meeting.
Danny: Yeah, those are my favorite types. Bye now.
Luca: See you later.
After gathering feedback from the server team, the Vulnerability Management Policy is revised to address aggressive remediation timelines. With final approval from senior leadership, the policy becomes the guiding document for the program, ensuring organizational compliance and providing a clear reference for resolving any disputes or pushback.

In this phase, the vulnerability management team collaborates with the server team to initiate scheduled credentialed scans. A compromise is reached to scan a single server first, monitoring resource impact and using just-in-time Active Directory credentials to ensure secure, controlled access.
Meeting Transcript
Danny: Morning, Luca.
Luca: Good morning! I heard you’re ready to conduct some scans.
Danny: Yep. Now that our Vulnerability Management Policy is in place, I wanted to get started on conducting some scheduled credentialed scans of your environment.
Luca: Sounds good to me. What’s involved? How can we help?
Danny: We’re planning to schedule some weekly scans of the server infrastructure. We estimate it’ll take about 4 to 6 hours to scan all 200 assets. We’ll need you to provide administrative credentials, which will allow the scan engine to remotely log into the targets and better assess them.
Luca: Whoa, hold on. What does scanning actually entail? I’m a bit worried about resource utilization. Also, you want admin credentials to all 200 machines? That doesn’t sound safe.
Danny: Those are valid concerns. The scan engine sends traffic to the servers to check for certain vulnerabilities like examining the registry, detecting out-of-date software, or identifying insecure protocols and cipher suites. That’s why credentials are required.
Luca: I see. Well, as long as it doesn’t bring the servers offline, I guess we should be okay.
Danny: Absolutely. Let’s just scan a single server for now and monitor resource utilization.
Luca: Not a bad idea.
Danny: Great. Also, for the credentials, can you set up something in Active Directory? Create credentials that are disabled until we’re ready to scan, enable them just before the scan, and then deprovision or disable the account afterward. Kind of like a just-in-time access situation.
Luca: That sounds good. I’ll ask Susan to get started on the automation for the account provisioning and get back to you once the credentials are set up.
Danny: Awesome! Thanks so much! See you later!
Luca: See you later.
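The just-in-time scan account agreed on above, as an added example that is not part of the project's own scripts: the account stays disabled, is enabled with a hard expiry for the scan window, and is disabled again (and verified) when the scan ends. It assumes the RSAT ActiveDirectory module and a pre-created, disabled account named `svc-nessus-scan` (a placeholder name).

```powershell
# Added example (not the project's own script): wrap a scan window in
# enable/disable calls for a dedicated, normally disabled AD scan account.
# Assumes the RSAT ActiveDirectory module and a pre-created account named
# "svc-nessus-scan" (placeholder) that carries the rights the credentialed
# scan needs on the targets.
Import-Module ActiveDirectory

$ScanAccount     = 'svc-nessus-scan'   # assumed account name
$ScanWindowHours = 6                   # upper end of the 4-6 hour estimate

function Enable-ScanAccount {
    param([string]$Name, [int]$Hours)
    # The hard expiry is the safety net: if the disable step never runs, the
    # account still stops authenticating once the window closes.
    $expiry = (Get-Date).AddHours($Hours)
    Set-ADAccountExpiration -Identity $Name -DateTime $expiry
    Enable-ADAccount -Identity $Name
    Write-Output "Enabled $Name until $expiry"
}

function Disable-ScanAccount {
    param([string]$Name)
    Disable-ADAccount -Identity $Name
    Clear-ADAccountExpiration -Identity $Name
    # Confirm the state instead of trusting that the call succeeded.
    $acct = Get-ADUser -Identity $Name -Properties Enabled
    if ($acct.Enabled) { throw "$Name is still enabled after the scan window" }
    Write-Output "Disabled $Name"
}

try {
    Enable-ScanAccount -Name $ScanAccount -Hours $ScanWindowHours
    # Launch the scheduled Nessus scan here (from Tenable, not from this host)
    # and wait for it to finish; the finally block runs whatever the outcome.
}
finally {
    Disable-ScanAccount -Name $ScanAccount
}
```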
An insecure Windows Server is provisioned to simulate the server team's environment. Known vulnerabilities are intentionally introduced, then an authenticated (credentialed) Nessus scan is executed against the host. Scan results are exported and archived for tracking and remediation planning in subsequent steps.

Following the initial scan, vulnerabilities were analyzed to determine severity, exploitability, and remediation effort.
A prioritization strategy was established focusing on both ease of remediation and overall system impact.
The following priorities were set:
- Third-Party Software Removal (Wireshark)
  - Remove non-essential network analysis tools from production systems to reduce exposure.
- Windows OS Secure Configuration (Protocols & Ciphers)
  - Disable deprecated protocols (e.g., SSLv2, SSLv3, TLS 1.0) and weak cipher suites.
- Windows OS Secure Configuration (Guest Account Group Membership)
  - Verify that the Guest account is disabled or not assigned to privileged groups.
- Windows OS Updates
  - Apply missing patches and cumulative updates to mitigate known vulnerabilities.
- CVE-2013-3900
  - Enable certificate padding check.
- ICMP Timestamp
  - Filter ICMP timestamp requests/replies to prevent data disclosure.
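The last two priorities have no remediation round of their own below, so here is an added PowerShell example (not one of the project's scripts) that applies both: the CVE-2013-3900 certificate padding opt-in via the registry, and firewall rules that filter ICMP timestamp traffic. The rule display names are my own.

```powershell
# Added example (not the project's own script): remediate CVE-2013-3900 and
# ICMP timestamp disclosure on a Windows host, then verify both.

# 1. CVE-2013-3900: opt in to the stricter Authenticode padding check.
#    The value is a REG_SZ "1". On 64-bit Windows both the native and the
#    WOW6432Node hive must be set, or scanners keep reporting the finding.
$paddingKeys = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    $paddingKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}
foreach ($key in $paddingKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'EnableCertPaddingCheck' `
        -PropertyType String -Value '1' -Force | Out-Null
}

# 2. ICMP timestamp: block inbound requests (ICMPv4 type 13) and outbound
#    replies (type 14) with Windows Defender Firewall rules on every profile.
New-NetFirewallRule -DisplayName 'Block ICMPv4 Timestamp Request (In)' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 13 -Action Block -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'Block ICMPv4 Timestamp Reply (Out)' `
    -Direction Outbound -Protocol ICMPv4 -IcmpType 14 -Action Block -Profile Any | Out-Null

# 3. Verification: read back the registry value(s) and list the new rules.
function Test-CertPaddingCheck {
    foreach ($key in $paddingKeys) {
        $v = (Get-ItemProperty -Path $key -Name EnableCertPaddingCheck `
              -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        if ($v -ne '1') { return $false }
    }
    return $true
}
Write-Output "EnableCertPaddingCheck set everywhere: $(Test-CertPaddingCheck)"
Get-NetFirewallRule -DisplayName 'Block ICMPv4 Timestamp*' |
    Select-Object DisplayName, Enabled, Direction, Action
```

The padding check only takes effect for new signature verifications, so a rescan rather than a reboot is enough to confirm it.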
The server team received remediation scripts and scan reports to address key vulnerabilities. This streamlined their efforts and prepared them for a follow-up review.

The server team reviewed vulnerability scan results, identifying outdated software, insecure accounts, and deprecated protocols. The remediation packages were prepared for submission to the Change Control Board (CAB).
The Change Control Board (CAB) reviewed and approved the plan to remove insecure protocols and cipher suites. The plan included a rollback script and a tiered deployment approach.
The server team used a PowerShell script to remove outdated Wireshark. A follow-up scan confirmed successful remediation.
Wireshark Removal Script

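An added example of how the removal can be scripted (not the project's own Wireshark removal script): it finds the Wireshark uninstall entry in the registry, runs the NSIS uninstaller silently, and verifies the entry is gone. Paths are read from the registry, so nothing is hard-coded.

```powershell
# Added example (not the project's own script): locate Wireshark through its
# registry uninstall entry and remove it unattended. Wireshark uses an NSIS
# installer, so its uninstaller accepts /S (silent); "_?=<dir>" stops the
# uninstaller from copying itself to %TEMP% and exiting early, which would
# otherwise defeat -Wait.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-WiresharkEntry {
    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Wireshark*' }
}

$entries = Get-WiresharkEntry
if (-not $entries) {
    Write-Output 'Wireshark not found; nothing to remove.'
    return
}

foreach ($e in $entries) {
    Write-Output "Removing $($e.DisplayName) $($e.DisplayVersion)"
    # UninstallString is normally the quoted path to uninstall.exe.
    $exe = $e.UninstallString.Trim('"')
    $dir = Split-Path -Path $exe -Parent
    $proc = Start-Process -FilePath $exe -ArgumentList @('/S', "_?=$dir") -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        Write-Warning "Uninstaller exited with code $($proc.ExitCode)"
    }
}

# Verify: the uninstall entry should be gone before the follow-up scan.
if (Get-WiresharkEntry) { Write-Warning 'Wireshark uninstall entry still present' }
else { Write-Output 'Wireshark removed; run the follow-up scan to confirm.' }
```

Npcap is installed separately by the Wireshark setup and is not removed by this script; remove it on its own if the scan still flags it.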
Scan 2 - Third Party Software Removal
The server team used PowerShell scripts to remediate insecure protocols and cipher suites. A follow-up scan verified successful remediation, and the results were saved for reference.
PowerShell: Insecure Protocols Remediation
PowerShell: Insecure Ciphers Remediation

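An added example of the SCHANNEL hardening (not the project's own remediation scripts): it disables SSL 2.0, SSL 3.0 and TLS 1.0 as listed in the priorities, and also TLS 1.1, which goes one step beyond the page's list, while explicitly enabling TLS 1.2, and it disables RC4, DES, 3DES and NULL ciphers. The cipher names I chose are the standard SCHANNEL key names; the change takes effect after a reboot.

```powershell
# Added example (not the project's own script): disable deprecated SCHANNEL
# protocols and weak ciphers through the registry. Reboot to apply. TLS 1.1 is
# disabled here as well (beyond the page's list); confirm clients support
# TLS 1.2 before rolling this out.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    param([string]$Path, [bool]$Enable)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $value = if ($Enable) { 1 } else { 0 }
    New-ItemProperty -Path $Path -Name 'Enabled' -PropertyType DWord -Value $value -Force | Out-Null
    # DisabledByDefault is the inverse of Enabled for protocol subkeys.
    New-ItemProperty -Path $Path -Name 'DisabledByDefault' -PropertyType DWord -Value (1 - $value) -Force | Out-Null
}

# Protocols: both the Server and Client roles must be set.
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Server', 'Client') {
        Set-SchannelProtocol -Path "$schannel\Protocols\$proto\$role" -Enable $false
    }
}
foreach ($role in 'Server', 'Client') {
    Set-SchannelProtocol -Path "$schannel\Protocols\TLS 1.2\$role" -Enable $true
}

# Ciphers: the key names contain "/", which New-Item would treat as a path
# separator, so the .NET registry API is used to create them literally.
$weakCiphers = 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128',
               'DES 56/56', 'Triple DES 168', 'NULL'
$ciphersKey = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
foreach ($c in $weakCiphers) {
    $sub = $ciphersKey.CreateSubKey($c)
    $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $sub.Close()
}
$ciphersKey.Close()

# Verification: dump the protocol settings so the before/after can be archived.
Get-ChildItem "$schannel\Protocols" -Recurse |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object PSChildName, Enabled, DisabledByDefault }
```

Keep the exported "before" state alongside the scan results; it doubles as the rollback script input the CAB asked for.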
Scan 3 - Ciphersuites and Protocols
The server team removed the guest account from the administrator group. A new scan confirmed remediation, and the results were exported for comparison.
PowerShell: Guest Account Group Membership Remediation

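An added example of the guest account cleanup (not the project's own script): it identifies the built-in Guest account by its well-known RID 501 rather than by name (so a renamed account is still caught), removes it from a set of privileged local groups, disables it, and then lists any remaining group memberships for the scan comparison. The group list is my own choice.

```powershell
# Added example (not the project's own script): ensure the built-in Guest
# account is disabled and holds no privileged local group membership.
$privilegedGroups = 'Administrators', 'Remote Desktop Users', 'Backup Operators',
                    'Power Users', 'Remote Management Users'

# RID 501 is the built-in Guest account regardless of its display name.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if (-not $guest) { Write-Output 'No Guest account found.'; return }

function Remove-GuestFromPrivilegedGroups {
    param([Microsoft.PowerShell.Commands.LocalUser]$User, [string[]]$Groups)
    $removed = @()
    foreach ($g in $Groups) {
        # Groups that do not exist on this edition are skipped silently.
        $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.SID -eq $User.SID }) {
            Remove-LocalGroupMember -Group $g -Member $User
            $removed += $g
        }
    }
    return $removed
}

$removed = Remove-GuestFromPrivilegedGroups -User $guest -Groups $privilegedGroups
if ($removed) { Write-Output "Removed $($guest.Name) from: $($removed -join ', ')" }

if ($guest.Enabled) {
    Disable-LocalUser -Name $guest.Name
    Write-Output "Disabled $($guest.Name)"
}

# Verification: any local group the Guest account still belongs to.
Get-LocalGroup | Where-Object {
    Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.SID -eq $guest.SID }
} | Select-Object Name
```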
Scan 4 - Guest Account Group Removal
Windows updates were re-enabled and applied until the system was fully up to date. A final scan verified the changes.
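An added example of that update loop (not the project's own script): it re-enables the Windows Update service, then uses the built-in Windows Update Agent COM API to search, download and install pending updates, repeating until the search comes back empty or a reboot is required. It needs an elevated session and no third-party module.

```powershell
# Added example (not the project's own script): re-enable Windows Update and
# install everything pending through the Windows Update Agent COM API.
# Run elevated. Reboot when told to and run again until 0 updates remain.
Set-Service -Name wuauserv -StartupType Manual
Start-Service -Name wuauserv

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$rebootNeeded = $false

# Bounded loop: a repeatedly failing update must not spin forever.
for ($round = 1; $round -le 5; $round++) {
    $result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    if ($result.Updates.Count -eq 0) { Write-Output 'No pending updates.'; break }

    $batch = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $result.Updates) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        Write-Output "Round ${round}: queued $($u.Title)"
        $batch.Add($u) | Out-Null
    }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $batch
    $downloader.Download() | Out-Null

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $batch
    $install = $installer.Install()
    # ResultCode: 2 = Succeeded, 3 = Succeeded with errors, 4 = Failed
    Write-Output "Round ${round}: result $($install.ResultCode), reboot required $($install.RebootRequired)"
    if ($install.RebootRequired) { $rebootNeeded = $true; break }
}

if ($rebootNeeded) { Write-Output 'Reboot required before remaining updates can be applied.' }
```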

The remediation process reduced total vulnerabilities by 80%, from 30 to 6. Critical vulnerabilities were resolved by the second scan (100%), and high vulnerabilities dropped by 90%. Mediums were reduced by 76%. In an actual production environment, asset criticality would further guide future remediation efforts.

After completing the initial remediation cycle, the vulnerability management program transitions into Maintenance Mode. This phase ensures that vulnerabilities continue to be managed proactively, keeping systems secure over time. Regular scans, continuous monitoring, and timely remediation are crucial components of this phase. (See Finalized Policy for scanning and remediation cadence requirements.)
Key activities in Maintenance Mode include:
- Scheduled Vulnerability Scans: Perform regular scans (e.g., weekly or monthly) to detect new vulnerabilities as systems evolve.
- Patch Management: Continuously apply security patches and updates, ensuring no critical vulnerabilities remain unpatched.
- Remediation Follow-ups: Address newly identified vulnerabilities promptly, prioritizing based on risk and impact.
- Policy Review and Updates: Periodically review the Vulnerability Management Policy to ensure it aligns with the latest security best practices and organizational needs.
- Audit and Compliance: Conduct internal audits to ensure compliance with the vulnerability management policy and external regulations.
- Ongoing Communication with Stakeholders: Maintain open communication with teams responsible for remediation, ensuring efficient coordination.
By maintaining an active vulnerability management process, organizations can stay ahead of emerging threats and ensure long-term security resilience.