MichaelSarete/Vulnerability-Management-Program

In this project, we simulate the implementation of a comprehensive vulnerability management program, from inception to completion.

Inception State: the organization has no existing policy or vulnerability management practices in place.

Completion State: a formal policy is enacted, stakeholder buy-in is secured, and a full cycle of organization-wide vulnerability remediation is successfully completed.


Technology Utilized

  • Tenable (enterprise vulnerability management platform)
  • Azure Virtual Machines (Nessus scan engine + scan targets)
  • PowerShell & BASH (remediation scripts)

Step 1) Vulnerability Management Policy Draft Creation

This phase focuses on drafting a Vulnerability Management Policy as a starting point for stakeholder engagement. The initial draft outlines scope, responsibilities, and remediation timelines, and may be adjusted based on feedback from relevant departments to ensure practical implementation before final approval by upper management.
Draft Policy


Step 2) Mock Meeting: Policy Buy-In (Stakeholders)

In this phase, a meeting with the server team introduces the draft Vulnerability Management Policy and assesses their capability to meet remediation timelines. Feedback leads to adjustments, like extending the critical remediation window from 48 hours to one week, ensuring collaborative implementation.

Vulnerability Remediation Policy Discussion

Participants

  • Josh
  • Jimmy

Conversation

Josh:
Good morning, Jimmy. How have things been lately? I know everyone has been busy these past few weeks.

Jimmy:
Good morning, Josh. It’s been a bit hectic, but we’re managing. Thanks for asking. I had a chance to review the policy draft, and overall it makes sense. However, with our current staffing levels, we can’t meet the aggressive remediation timelines—especially the 48-hour window for critical vulnerabilities.

Josh:
I understand. It is a bit aggressive, especially at the beginning. Perhaps we can extend the timeline for critical vulnerabilities to one week as a compromise for now. We can reserve the 48-hour window for truly severe zero-day vulnerabilities.

Jimmy:
That sounds reasonable. We appreciate the flexibility. Could we also have some leeway in the beginning as we work through the remediation and patching process, at least for the first few months?

Josh:
Absolutely. After the policy is finalized, we’ll officially start the program, but we plan to give all departments about six months to adjust and become comfortable with the new process. Does that sound fair?

Jimmy:
Yes, that sounds fair. Thanks, Josh. We’ll do our best. I appreciate you including us in the decision-making process—it really helps us feel like part of the solution.

Josh:
Of course. We’re all in this together. Thanks for working with us.

Jimmy:
No problem. Thanks for the quick meeting.

Josh:
Those are my favorite kinds. Take care.

Jimmy:
See you later.


Step 3) Policy Finalization and Senior Leadership Sign-Off

After gathering feedback from the server team, the policy is revised to address the aggressive remediation timelines. With final approval from upper management, the policy now governs the program: it sets the compliance baseline and serves as the reference point when pushback on remediation needs to be resolved.

[Image: Finalized Policy]

Step 4) Mock Meeting: Initial Scan Permission (Server Team)

The risk team works with the server team to initiate scheduled credentialed scans. A compromise is reached: scan a single server first while monitoring resource impact, and use just-in-time Active Directory credentials so that the scan account is only enabled for the scan window.

Participants

  • Josh
  • Jimmy

Conversation

Josh:
Good morning, Jimmy.

Jimmy:
Good morning. I heard you're ready to conduct some scans.

Josh:
Yes. Now that our vulnerability management policy is in place, I wanted to start conducting scheduled credentialed scans of your environment.

Jimmy:
Sounds good to me. What’s involved, and how can we help?

Josh:
We’re planning to schedule weekly scans of the server infrastructure. We estimate it will take about 4–6 hours to scan all 200 assets. We’ll need administrative credentials so the scan engine can remotely log into the targets and perform deeper assessments.

Jimmy:
Hold on. What exactly does scanning involve? I’m concerned about resource utilization. Also, you’re asking for admin credentials to 200 machines—that doesn’t sound very safe.

Josh:
Those are valid concerns. The scan engine sends different types of traffic to the servers to check for known vulnerabilities. This includes examining the registry, checking for outdated software, and identifying insecure protocols or cipher suites. That’s why credentials are required.

Jimmy:
I see. As long as it doesn’t bring the servers offline, we should be okay.

Josh:
Absolutely. Let’s start by scanning a single server and monitor the resource utilization.

Jimmy:
That’s a good idea.

Josh:
Also, regarding the credentials, could you create an account in Active Directory for us? The account can remain disabled until we’re ready to run the scan. Once enabled for the scan, it can be disabled or deprovisioned afterward—similar to a just-in-time access approach.

Jimmy:
That sounds good. I’ll ask Susan to start automating the account provisioning.

Josh:
Great. Let’s talk soon.

Jimmy:
Sounds good. I’ll get back to you once the credentials are set up.

Josh:
See you later.

Jimmy:
See you later.

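The just-in-time credential approach agreed on in the meeting above, as an added example that is not part of the project's own scripts. It assumes a dedicated scan account named `svc-nessus-scan` (an assumed name) in Active Directory, the RSAT ActiveDirectory module on the host that runs it, and that the scan itself is launched by whatever scheduler or API call the organization uses (left as a placeholder comment). The account is enabled with a hard expiration for the estimated scan window and disabled again in a `finally` block, so a failed scan does not leave an enabled admin account behind.

```powershell
# Added example, not the project's own script: enable the scan account only for the
# scan window, then disable it again (just-in-time access for credentialed scans).
Import-Module ActiveDirectory

$ScanAccount     = 'svc-nessus-scan'   # assumed account name
$ScanWindowHours = 6                   # upper end of the 4-6 hour estimate from the meeting

function Start-ScanAccountWindow {
    param([string]$Identity, [int]$Hours)
    $expires = (Get-Date).AddHours($Hours)
    # Enable the account and give it a hard expiration so it cannot linger if cleanup fails
    Enable-ADAccount -Identity $Identity
    Set-ADAccountExpiration -Identity $Identity -DateTime $expires
    Write-Host "$Identity enabled until $expires"
}

function Stop-ScanAccountWindow {
    param([string]$Identity)
    Disable-ADAccount -Identity $Identity
    Clear-ADAccountExpiration -Identity $Identity
    Write-Host "$Identity disabled"
}

function Get-ScanAccountState {
    param([string]$Identity)
    Get-ADUser -Identity $Identity -Properties Enabled, AccountExpirationDate |
        Select-Object SamAccountName, Enabled, AccountExpirationDate
}

try {
    Start-ScanAccountWindow -Identity $ScanAccount -Hours $ScanWindowHours
    Get-ScanAccountState -Identity $ScanAccount

    # Launch the scheduled scan here (Tenable API call or scheduler trigger); placeholder only.
    # Wait for the scan to finish before the finally block disables the account.
}
finally {
    # Runs whether or not the scan succeeded, so the account never stays enabled by accident
    Stop-ScanAccountWindow -Identity $ScanAccount
    Get-ScanAccountState -Identity $ScanAccount
}
```

Run this from a host with RSAT under an account that is allowed to enable and disable the scan account; the account's own admin rights on the targets are granted separately and are not touched by this script. Reviewing the enable/disable events for `svc-nessus-scan` in the domain controller security log gives a simple check that the account is only active during scheduled scan windows.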

Step 5) Initial Scan of Server Team Assets

In this phase, an insecure Windows Server is provisioned to simulate the server team's environment. After vulnerabilities are deliberately introduced, an authenticated scan is performed and the results are exported for the remediation steps that follow.

[Image: Scan 1 - Initial Scan]


Step 6) Vulnerability Assessment and Prioritization

We assessed vulnerabilities and established a remediation prioritization strategy based on ease of remediation and impact. The following priorities were set:

  1. Third Party Software Removal (Wireshark)
  2. Windows OS Secure Configuration (Protocols & Ciphers)
  3. Windows OS Secure Configuration (Guest Account Group Membership)
  4. Windows OS Updates
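
A local audit script that checks a server for the four prioritized findings, added here as an example and not one of the project's own scripts. It assumes it is run in an elevated PowerShell session on the target host; the registry paths and the Windows Update Agent COM API it uses are standard Windows locations. The remediation team can run it before and after each round to confirm state independently of the scanner.

```powershell
# Added example, not the project's own script: audit one Windows server for the four
# prioritized findings (Wireshark, legacy protocols, Guest in Administrators, pending updates).

function Get-WiresharkInstall {
    # Installed programs live in both the 64-bit and the 32-bit (WOW6432Node) uninstall hives
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Wireshark*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Get-LegacyProtocolState {
    # A protocol is only reliably off when its Server key exists with Enabled = 0.
    # A missing key means the OS default applies, which on older servers leaves TLS 1.0/1.1 on.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        $key   = "$base\$proto\Server"
        $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol           = $proto
            ExplicitlyDisabled = ($null -ne $value -and $value.Enabled -eq 0)
        }
    }
}

function Test-GuestInAdministrators {
    # Get-LocalGroupMember reports local accounts as COMPUTERNAME\Guest
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    [bool]($members | Where-Object { $_.Name -like '*\Guest' })
}

function Get-PendingUpdateCount {
    # Built-in Windows Update Agent COM API; no extra module required
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $searcher.Search("IsInstalled=0 and Type='Software'").Updates.Count
}

$legacyOn = @(Get-LegacyProtocolState | Where-Object { -not $_.ExplicitlyDisabled }).Protocol

[pscustomobject]@{
    Hostname             = $env:COMPUTERNAME
    WiresharkInstalled   = [bool](Get-WiresharkInstall)
    GuestIsAdministrator = Test-GuestInAdministrators
    PendingUpdates       = Get-PendingUpdateCount
    LegacyProtocolsOn    = ($legacyOn -join ', ')
} | Format-List
```

Each check returns a value rather than only printing, so the same functions can be called from a reporting script that collects results across the server estate and compares them with the scanner's findings.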

Step 7) Distributing Remediations to Remediation Teams

The server team received remediation scripts and scan reports to address key vulnerabilities. This streamlined their efforts and prepared them for a follow-up review.

Step 8) Mock Meeting: Post-Initial Discovery Scan (Server Team)

The server team reviewed vulnerability scan results, identifying outdated software, insecure accounts, and deprecated protocols. The remediation packages were prepared for submission to the Change Control Board (CAB).

Participants

  • Josh
  • Jimmy

Conversation

Josh:
Good morning, Jimmy. How are you doing?

Jimmy:
Not bad for a Monday. How about you?

Josh:
I’m still alive, so I can’t complain. Before we get into the vulnerabilities, how did the scan go on your end? Did you experience any outages or resource overutilization?

Jimmy:
The scan went well. We monitored the systems, and aside from the open connections, we wouldn’t have known a scan was taking place.

Josh:
That’s good news. I expected that outcome. We’ll continue monitoring going forward, but I don’t anticipate any issues with resource utilization. Do you mind if I walk through the vulnerability findings?

Jimmy:
Not at all—go ahead.

Josh:
I’ll share my screen quickly. The majority of the vulnerabilities appear to come from Wireshark being installed and significantly out of date.

One interesting finding is that the local guest account on the servers belongs to the Local Administrators group. I’m not sure why that configuration exists.

Some vulnerabilities may resolve automatically through Windows Updates, such as the Microsoft Edge Chromium findings.

The self-signed certificate finding isn’t a major concern. However, the medium-strength cipher suites and deprecated TLS protocols (TLS 1.0 and TLS 1.1) are insecure and should be remediated.

Key remediation areas:

  • Removing or updating Wireshark
  • Disabling deprecated TLS protocols and insecure cipher suites
  • Removing the guest account from the administrators group

Jimmy:
That’s very interesting. Most of our servers likely share the same configuration, which should make remediation easier.

Josh:
Having a uniform configuration is helpful. Do you foresee any issues fixing the cipher suites or insecure protocols?

Jimmy:
I doubt it. We’ll run the changes through the next Change Control Board. Uninstalling Wireshark and fixing the guest account shouldn’t be a problem since those shouldn’t be on the servers. I’ll also discuss this with our CIS administrators.

Josh:
Good to hear. I’ll start building remediation packages to make it easier when implementing the fixes.

Jimmy:
That sounds great. One question—do you have a process for addressing Windows Update-related vulnerabilities?

Josh:
Yes. Windows Updates will handle those automatically by next week, as our patch management process is already in place.

Jimmy:
Excellent.

Josh:
I’ll research the best ways to remediate the remaining findings and get back to you before the next Change Control Board.

Jimmy:
Sounds good. Talk to you soon.

Josh:
Talk to you soon.


Step 9) Mock CAB Meeting: Implementing Remediations

The Change Control Board (CAB) reviewed and approved the plan to remove insecure protocols and cipher suites. The plan included a rollback script and a tiered deployment approach.

Participants

  • Josh (Risk Department)
  • Jimmy (Infrastructure Team)

Conversation

Josh:
Okay, next up are a couple of vulnerability remediations for the server team:

  1. Removal of insecure protocols
  2. Removal of insecure cipher suites

It looks like I’m working with Jimmy on this. Jimmy, do you want to walk us through the technical aspects of the change?

Jimmy:
Normally I would, but I’ll let Josh handle this one—he actually built the solution for us. We’re still getting used to the process.

Josh:
Sure. So basically, insecure cipher suites and protocols exist on the system because the computer can negotiate and use algorithms or protocols that are deprecated.

If a system connects to a server that only supports these outdated protocols, it might use them. These settings are controlled through the Windows Registry.

The fix is straightforward: we wrote a PowerShell script that disables all insecure protocols and ciphers, then enables only standardized, modern, and secure ones.

Jimmy:
That sounds good. But what if something goes wrong—do we have a rollback plan?

Josh:
Absolutely. We’re doing a tiered deployment:

  • Pilot group (small set of pre-production computers)
  • Pre-production group
  • Full production rollout

Additionally, each remediation has a fully automated rollback script. If any issues arise, the script restores the original protocols and cipher settings.

Jimmy:
That’s reassuring. Since the fixes are just registry updates, I’m not too concerned.

Josh:
Exactly. Any more questions from anyone?

Team:
No.

Josh:
Great. That wraps up this week’s CAB meeting. See you all next week.

Jimmy:
See you later.


Step 10) Remediation Effort

Remediation Round 1: Outdated Wireshark Removal

The server team used a PowerShell script to remove the outdated Wireshark installation. A follow-up scan confirmed successful remediation.

[Image: Scan 2 - Third Party Software Removal]

Remediation Round 2: Insecure Protocols & Ciphers

The server team used PowerShell scripts to remediate insecure protocols and cipher suites. A follow-up scan verified successful remediation, and the results were saved for reference.

[Image: Scan 3 - Ciphersuites and Protocols]
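The remediation described in the CAB meeting (Step 9) and applied in this round, written out as an added example rather than the project's own script: it backs up the SCHANNEL registry hive, disables the deprecated protocols and weak cipher suites, and restores the backup when run with `-Rollback`. The backup location `C:\Remediation\schannel-backup.reg` is an assumed path. It must run elevated, and SCHANNEL settings take effect only after a reboot, which is why the tiered pilot/pre-production/production deployment matters.

```powershell
# Added example, not the project's own script: disable deprecated TLS/SSL versions and weak
# ciphers through the SCHANNEL registry keys, with an export that the rollback path imports.
param([switch]$Rollback)

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$BackupFile   = 'C:\Remediation\schannel-backup.reg'   # assumed backup location

function Backup-Schannel {
    param([string]$Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # reg.exe export captures the whole hive, including keys this script never touches
    reg.exe export "HKLM\$SchannelPath" $Path /y | Out-Null
}

function Restore-Schannel {
    param([string]$Path)
    reg.exe import $Path
}

function Set-ProtocolState {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = "HKLM:\$SchannelPath\Protocols\$Name\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name Enabled -Value ([int]$Enabled) `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value ([int](-not $Enabled)) `
            -PropertyType DWord -Force | Out-Null
    }
}

function Disable-Cipher {
    param([string]$Name)
    # Cipher key names such as "RC4 128/128" contain '/', which the registry provider
    # treats as a path separator, so create the key through the .NET API instead
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Registry64')
    $key  = $base.CreateSubKey("$SchannelPath\Ciphers\$Name")
    $key.SetValue('Enabled', 0, 'DWord')
    $key.Close()
    $base.Close()
}

if ($Rollback) {
    Restore-Schannel -Path $BackupFile
    Write-Host 'SCHANNEL settings restored from backup; reboot to apply.'
    return
}

Backup-Schannel -Path $BackupFile

foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-ProtocolState -Name $p -Enabled $false }
Set-ProtocolState -Name 'TLS 1.2' -Enabled $true

foreach ($c in 'NULL', 'DES 56/56', 'RC2 40/128', 'RC4 128/128', 'Triple DES 168') { Disable-Cipher -Name $c }

Write-Host 'Deprecated protocols and ciphers disabled; reboot to apply.'
```

Because the backup is a full export of the SCHANNEL hive taken before any change, rollback restores exactly the prior state rather than a hand-maintained list of values. Before rolling the change to production, confirm from the pilot group that every application the server hosts still negotiates TLS 1.2 with a remaining cipher suite; a client that only speaks TLS 1.0 will fail to connect once the change is applied, which is the intended effect but needs to be known in advance.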

Remediation Round 3: Guest Account Group Membership

The server team removed the guest account from the administrator group. A new scan confirmed remediation, and the results were exported for comparison.

[Image: Scan 4 - Guest Account Group Removal]

Remediation Round 4: Windows OS Updates and CVE-2013-3900

Windows updates were re-enabled and applied until the system was fully up to date, and a PowerShell script was used to enable the CertPaddingCheck mitigation for CVE-2013-3900. The results were exported for comparison.

[Image: Scan 5 - Windows OS Updates and CVE-2013-3900 Remediation]
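The CertPaddingCheck change from this round, as an added example that is not the project's own script. It writes the `EnableCertPaddingCheck` value Microsoft documents for the CVE-2013-3900 mitigation to both the native and the Wow6432Node Wintrust config keys, includes a verification function so the remediation team can confirm the state, and a rollback function that removes the value again. Run it elevated.

```powershell
# Added example, not the project's own script: enable the WinVerifyTrust certificate padding
# check (CVE-2013-3900 mitigation), verify it, and provide a rollback.
$WintrustPaths = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'

function Enable-CertPaddingCheck {
    foreach ($path in $WintrustPaths) {
        New-Item -Path $path -Force | Out-Null
        # Microsoft documents this value as REG_SZ "1", not a DWORD
        New-ItemProperty -Path $path -Name EnableCertPaddingCheck -Value '1' `
            -PropertyType String -Force | Out-Null
    }
}

function Test-CertPaddingCheck {
    # Returns one object per path; the finding is remediated only when both report Enabled = True
    foreach ($path in $WintrustPaths) {
        $value = (Get-ItemProperty -Path $path -Name EnableCertPaddingCheck `
            -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{ Path = $path; Enabled = ($value -eq '1') }
    }
}

function Disable-CertPaddingCheck {
    # Rollback: removing the value returns the system to its default (unchecked) behaviour
    foreach ($path in $WintrustPaths) {
        Remove-ItemProperty -Path $path -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue
    }
}

Enable-CertPaddingCheck
Test-CertPaddingCheck | Format-Table -AutoSize
```

The verification function is the part worth keeping: scanners report this finding from the registry value, so checking both paths after the change predicts what the follow-up scan will show.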

Remediation Round 5: Windows Defender Signature Update

The server team used a batch script that updated the Windows Defender malware signatures. A final scan verified the changes.

[Image: Scan 6 - Windows Defender Signature Update]


First Cycle Remediation Effort Summary

The remediation process reduced total vulnerabilities by 80%, from 29 to 6. Critical vulnerabilities were resolved by the second scan (100%), and high vulnerabilities dropped by 90%. Mediums were reduced by 76%. In an actual production environment, asset criticality would further guide future remediation efforts.

[Image: Remediation Data]


On-going Vulnerability Management (Maintenance Mode)

After completing the initial remediation cycle, the vulnerability management program transitions into Maintenance Mode. This phase ensures that vulnerabilities continue to be managed proactively, keeping systems secure over time. Regular scans, continuous monitoring, and timely remediation are crucial components of this phase. (See Finalized Policy for scanning and remediation cadence requirements.)

Key activities in Maintenance Mode include:

  • Scheduled Vulnerability Scans: Perform regular scans (e.g., weekly or monthly) to detect new vulnerabilities as systems evolve.
  • Patch Management: Continuously apply security patches and updates, ensuring no critical vulnerabilities remain unpatched.
  • Remediation Follow-ups: Address newly identified vulnerabilities promptly, prioritizing based on risk and impact.
  • Policy Review and Updates: Periodically review the Vulnerability Management Policy to ensure it aligns with the latest security best practices and organizational needs.
  • Audit and Compliance: Conduct internal audits to ensure compliance with the vulnerability management policy and external regulations.
  • Ongoing Communication with Stakeholders: Maintain open communication with teams responsible for remediation, ensuring efficient coordination.

By maintaining an active vulnerability management process, organizations can stay ahead of emerging threats and ensure long-term security resilience.
