itn8/vulnerability-management-program
Vulnerability Management Program Implementation

In this project, we simulate the implementation of a comprehensive vulnerability management program, from inception to completion.

Inception State: the organization has no existing policy or vulnerability management practices in place.

Completion State: a formal policy is enacted, stakeholder buy-in is secured, and a full cycle of organization-wide vulnerability remediation is successfully completed.


Technology Utilized

  • Tenable (enterprise vulnerability management platform)
  • Azure Virtual Machines (Nessus scan engine + scan targets)
  • PowerShell & BASH (remediation scripts)

Table of Contents

  • Step 1) Vulnerability Management Policy Draft Creation
  • Step 2) Mock Meeting: Policy Buy-In (Stakeholders)
  • Step 3) Policy Finalization and Senior Leadership Sign-Off
  • Step 4) Mock Meeting: Initial Scan Permission (Server Team)
  • Step 5) Initial Scan of Server Team Assets
  • Step 6) Vulnerability Assessment and Prioritization
  • Step 7) Distributing Remediations to Remediation Teams
  • Step 8) Mock Meeting: Post-Initial Discovery Scan (Server Team)
  • Step 9) Mock CAB Meeting: Implementing Remediations
  • Step 10) Remediation Effort
  • First Cycle Remediation Effort Summary
  • On-going Vulnerability Management (Maintenance Mode)

Step 1) Vulnerability Management Policy Draft Creation

This phase focuses on drafting a Vulnerability Management Policy as a starting point for stakeholder engagement. The initial draft outlines scope, responsibilities, and remediation timelines, and may be adjusted based on feedback from relevant departments to ensure practical implementation before final approval by upper management.
Draft Policy


Step 2) Mock Meeting: Policy Buy-In (Stakeholders)

In this phase, a meeting with the server team introduces the draft Vulnerability Management Policy and assesses their capability to meet remediation timelines. Feedback leads to adjustments, like extending the critical remediation window from 48 hours to one week, ensuring collaborative implementation.


Raji (Cyber/VM Analyst): Hey morning JT, how’s everything been recently? I know everyone’s been busy these last few weeks.

JT (Server Team Manager): Good morning Raji, yeah it’s been a bit hectic but we’re hanging in there, thanks for asking. I had the chance to read through the policy draft and overall it makes sense, but with our current staffing, the remediation schedules are a little too aggressive for us, especially the 48 hour window for critical vulnerabilities.

Raji: I completely understand, it is a little aggressive, especially to start. Maybe we can extend the criticals to one week, it might be a decent compromise for now, and then we can just reserve that 48 hour window for those truly critical zero day vulnerabilities. What do you think?

JT: Yeah that sounds reasonable, thanks for that flexibility. Can we have a bit of leeway in the beginning as we get used to the remediation and patching process? Just for the first couple months or so.

Raji: Absolutely, after the policy is finalized we’ll officially start the program, but we’re planning on giving all the departments 6 months or so to adjust and get comfortable with the new process. Does that sound fair?

JT: That would be great. Thanks Raji, I appreciate you including us in the decision making process. It helps us feel like we’re part of the solution.

Raji: Yep, we’re all in it together, thanks for taking the time to work on this with us.

JT: You got it, thanks for the quick meeting and I’ll see you next time.

Raji: Sounds good, take care.


Step 3) Policy Finalization and Senior Leadership Sign-Off

After gathering feedback from the server team, the policy is revised, addressing aggressive remediation timelines. With final approval from upper management, the policy now guides the program, ensuring compliance and reference for pushback resolution.
Finalized Policy


Step 4) Mock Meeting: Initial Scan Permission (Server Team)

The team collaborates with the server team to initiate scheduled credential scans. A compromise is reached to scan a single server first, monitoring resource impact, and using just-in-time Active Directory credentials for secure, controlled access.


Raji (Cyber/VM Analyst): Morning, JT.

JT (Server Team Manager): Morning, I heard you’re ready to conduct some scans?

Raji: Yeah, now that our vulnerability management policy is in place, I wanted to get started on conducting some scheduled credentialed scans of your environment.

JT: Sounds good to me, what’s involved, how can we help?

Raji: We’re planning to schedule some weekly scans of the server infrastructure. We estimate 4-6 hours to scan all 200 assets. We’ll need you to provide us with some admin credentials though so the scan engine can remotely log into the targets to assess them better.

JT: Oh, woah, hold on, what would scanning actually entail? I’m kind of worried about resource utilization. Also, you want admin credentials to all 200 machines? That doesn’t sound safe.

Raji: Yeah those are valid concerns. So, the scan engine basically sends different traffic to the servers that will check for the existence of certain vulnerabilities which include looking into the registry and seeing if any out-of-date software is installed or if there’s any insecure protocols or software suites…that kind of thing. That’s why we’d need the credentials.

JT: Ah I see, well, as long as it doesn’t bring the servers offline I guess we should be okay.

Raji: Yeah we should be all good, but to start off let’s just scan a single server, and we’ll keep an eye on the resource utilization.

JT: Not a bad idea.

Raji: Great, also for the credentials, can you set up something in Active Directory for us - some kind of Active Directory credentials? You can just leave them disabled until we’re able to do the scan, enable them during the scan, and then when it’s done we can deprovision or disable the account as required, like a just in time access process.

JT: Yeah that would work. I’ll ask Ross to get started on the automation for the account provisioning.

Raji: Awesome, we’ll talk soon, see you later.

JT: Great, I’ll get back to you when the credentials are set up. See yah.


Step 5) Initial Scan of Server Team Assets

In this phase, an insecure Windows Server is provisioned to simulate the server team's environment. After creating vulnerabilities, an authenticated scan is performed, and the results are exported for future remediation steps.


Scan 1 - Initial Scan


Step 6) Vulnerability Assessment and Prioritization

We assessed vulnerabilities and established a remediation prioritization strategy based on ease of remediation and impact. The following priorities were set:

  1. Third Party Software Removal (Wireshark)
  2. Windows OS Secure Configuration (Protocols & Ciphers)
  3. Windows OS Secure Configuration (Guest Account Group Membership)
  4. Windows OS Updates

Step 7) Distributing Remediations to Remediation Teams

The server team received remediation scripts and scan reports to address key vulnerabilities. This streamlined their efforts and prepared them for a follow-up review.


Remediation Email


Step 8) Mock Meeting: Post-Initial Discovery Scan (Server Team)

The server team reviewed vulnerability scan results, identifying outdated software, insecure accounts, and deprecated protocols. The remediation packages were prepared for submission to the Change Control Board (CAB).


Raji: Morning, JT. How are you doing?

JT: Not bad for a Monday, and yourself?

Raji: I'm still alive, so I can't complain. But before we get into the vulnerabilities, how did the actual scan go on your end? Did you have any outages or overutilization or anything?

JT: The scan went well. We were monitoring them, and aside from all the open connections, we would have never known a scan was taking place.

Raji: Yeah, that's good news. I kind of expected that much. We can keep monitoring going forward, but I don't expect we'll have any issues with resource utilization. Do you mind if I dive into the vulnerability findings?

JT: Yeah, absolutely.

Raji: Cool, I'm going to share my screen really quick. So basically, the majority of these vulnerabilities come from Wireshark being installed. You can see all these Wiresharks because it's just super out of date. That's all. One interesting thing I did find is that the local guest account on the servers actually belongs to a group, and when I looked deeper, it belongs to the local administrators group. I'm not sure why that is. Also, some of these might be automatically resolved by Windows updates, like this Microsoft Edge Chromium one, and I'm not sure about this one either — could be resolved by Windows updates, I'm not really sure. But these we don't have to worry about: the self-signed certificate one, 'cause it's just the computer's self-signed cert. But these medium-strength cipher suites and TLS 1.1 and 1.0 — these are deprecated cipher suites and protocols, so I think we should take some time to remediate these. So, basically just removing Wireshark, the protocols, cipher suites, and the guest account is what we're looking at.

JT: Very interesting. The good news is, I suspect most of our servers are going to have the same vulnerabilities, hopefully making things easier during remediation.

Raji: Yeah, that's actually good news — a uniform loadout. Do you foresee any issues with remediating any, specifically the cipher suites and the insecure protocols?

JT: I highly doubt there will be any issues. We'll run it through the next Change Control Board. Uninstalling Wireshark and fixing the guest account, those shouldn't be an issue. Those aren't supposed to be on the servers anyway. I'll have to talk to our CIS admins about that.

Raji: Yeah, that's good news. I'll go ahead and get started on building out some remediation packages for you to make your life easier when it comes time to fix them.

JT: Yeah, that sounds great. Oh, I wanted to ask, do you have anything in place to actually fix the Windows update-related vulnerabilities? Like, do you have patch management already?

Raji: Oh, yes. I'm not actually worried about that. Windows update should be handled automatically. By next week, we have patch management in place.

JT: Okay, excellent.

Raji: Alright, I'll get started on researching the best way to remediate these findings and I'll get back to you before the next Change Control Board.

JT: Sounds good. Talk to you soon.

Raji: Cool, cool. Talk to you soon.


Step 9) Mock CAB Meeting: Implementing Remediations

The Change Control Board (CAB) reviewed and approved the plan to remove insecure protocols and cipher suites. The plan included a rollback script and a tiered deployment approach.


Yan (CAB Facilitator): Okay, next up is a couple of vulnerability remediations for the server team. First, removal of insecure protocols, and number two, removal of insecure cipher suites. It looks like Raji from the Risk Dept. is working with JT from infrastructure on this. JT, do you want to walk us through the technical aspects of the change implementation?

JT (Server Team Manager): Normally I would, but let’s give this one to Raji. He’s actually the one who built the solution. We’re still getting used to the process.

Raji (Cyber/VM Analyst): Yeah, I can explain these. So basically insecure cipher suites and protocols being on our systems means the possibility of the systems using some kind of algorithm or protocol that’s deprecated. If it connects to a server and the server only wants to use those protocols, it’s possible that the computer will use them, and these are controlled by the Windows registry. So this is actually a really simple fix: we just wrote a Powershell script that goes through and disables all the insecure protocols and ciphers and then enables the ones that are up to current secure standards. It was really straightforward.

Fergie (Lead Sys. Engr.): Yeah that sounds good, but what if something goes wrong? Did we consider putting a rollback plan in place?

Raji: Yes, absolutely. So, first of all we’re going to do a tiered deployment, which means a pilot group, which is a really small group of computers, pre-pilot, pre-production, and then finally production where it goes everywhere. On top of this we have a fully built-in, tested, automated rollback script for each remediation. So the script will actually restore the original protocols and ciphers should there be any unknown issues.

Fergie: Well that sounds good, I guess. I notice the fixes are simple registry updates. I’m not too concerned, I suppose.

Raji: Yep, exactly, yeah. Any more questions from anyone?

Yan: Great, that wraps things up for this week’s CAB meeting. See you all next week.


Step 10) Remediation Effort

Remediation Round 1: Outdated Wireshark Removal

The server team used a PowerShell script to remove outdated Wireshark. A follow-up scan confirmed successful remediation.
Wireshark Removal Script


Scan 2 - Third Party Software Removal

Remediation Round 2: Insecure Protocols & Ciphers

The server team used PowerShell scripts to remediate insecure protocols and cipher suites. A follow-up scan verified successful remediation, and the results were saved for reference.
PowerShell: Insecure Protocols Remediation
PowerShell: Insecure Ciphers Remediation
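The protocol remediation and its rollback, as described in the CAB meeting and this round, work by flipping the Schannel `Enabled`/`DisabledByDefault` registry values. The script below is an added example, not the project's own remediation script: it snapshots the current values to a JSON file (the `$env:ProgramData` location is an assumption), disables SSL 2.0/3.0 and TLS 1.0/1.1 for both the client and server roles, keeps TLS 1.2 enabled, and restores the snapshot when run with `-Rollback`.

```powershell
# Added example (not the project's own script): snapshot, then disable, the legacy Schannel
# protocols in the registry so the change can be reverted with -Rollback. Run elevated; reboot to apply.
param([switch]$Rollback)

$ProtocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Legacy       = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')   # deprecated: disable
$Current      = @('TLS 1.2')                                   # current standard: keep enabled
$Roles        = @('Client', 'Server')
$BackupFile   = "$env:ProgramData\schannel-protocols-backup.json"   # assumed snapshot location

function Set-Protocol([string]$Name, [string]$Role, $Enabled, $DisabledByDefault) {
    # Writes the two DWORDs Schannel reads; a $null value removes the property (restores the OS default).
    $path = Join-Path (Join-Path $ProtocolRoot $Name) $Role
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($n in 'Enabled', 'DisabledByDefault') {
        $v = Get-Variable -Name $n -ValueOnly
        if ($null -eq $v) { Remove-ItemProperty -Path $path -Name $n -ErrorAction SilentlyContinue }
        else { Set-ItemProperty -Path $path -Name $n -Value ([int]$v) -Type DWord }
    }
}

function Get-ProtocolState {
    # Snapshot every protocol/role pair this script touches; $null records "key did not exist".
    $state = [ordered]@{}
    foreach ($p in $Legacy + $Current) { foreach ($r in $Roles) {
        $path = Join-Path (Join-Path $ProtocolRoot $p) $r
        $state["$p\$r"] = if (Test-Path $path) {
            $v = Get-ItemProperty -Path $path
            @{ Enabled = $v.Enabled; DisabledByDefault = $v.DisabledByDefault }
        } else { $null }
    } }
    return $state
}

if ($Rollback) {
    # Restore the snapshot: recreate saved values, delete keys the remediation had to create.
    $saved = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($prop in $saved.PSObject.Properties) {
        if ($null -eq $prop.Value) { Remove-Item -Path (Join-Path $ProtocolRoot $prop.Name) -Recurse -Force -ErrorAction SilentlyContinue }
        else { $name, $role = $prop.Name -split '\\'; Set-Protocol $name $role $prop.Value.Enabled $prop.Value.DisabledByDefault }
    }
    Write-Output "Restored Schannel protocol settings from $BackupFile"; return
}

# Remediation path: save the current state first, then harden.
Get-ProtocolState | ConvertTo-Json | Set-Content -Path $BackupFile
foreach ($p in $Legacy)  { foreach ($r in $Roles) { Set-Protocol $p $r 0 1 } }
foreach ($p in $Current) { foreach ($r in $Roles) { Set-Protocol $p $r 1 0 } }
Write-Output "Legacy protocols disabled; rollback snapshot written to $BackupFile"
```

Schannel reads these values at service start, so a follow-up scan should be run after the reboot, in the pilot tier first.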


Scan 3 - Ciphersuites and Protocols

Remediation Round 3: Guest Account Group Membership

The server team removed the guest account from the administrator group. A new scan confirmed remediation, and the results were exported for comparison.
PowerShell: Guest Account Group Membership Remediation


Scan 4 - Guest Account Group Removal

Remediation Round 4: Windows OS Updates

Windows updates were re-enabled and applied until the system was fully up to date. A scan verified the changes.


Scan 5 - Post Windows Updates

Remediation Round 5: WinVerifyTrust Remediation

A PowerShell script was written following the CVE-2013-3900 guidelines to mitigate the WinVerifyTrust Signature Validation vulnerabilities and clear all "High" Tenable entries. A final scan verified remediation.
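Microsoft's published mitigation for CVE-2013-3900 is an opt-in registry value, `EnableCertPaddingCheck`, under the Wintrust configuration key. The script below is an added example, not the project's own remediation script: it checks whether the value is already present on every applicable path, sets it only when missing, and verifies the result so the run is idempotent and safe to repeat across the tiers.

```powershell
# Added example (not the project's own script): idempotently apply and verify Microsoft's
# documented CVE-2013-3900 mitigation, the EnableCertPaddingCheck registry value. Run elevated.
$Paths = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    # 64-bit hosts also need the 32-bit (WOW64) view, or 32-bit callers of WinVerifyTrust stay unmitigated.
    $Paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

function Test-CertPaddingCheck {
    # True only when every applicable path carries EnableCertPaddingCheck = "1".
    foreach ($p in $Paths) {
        $v = (Get-ItemProperty -Path $p -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        if ($v -ne '1') { return $false }
    }
    return $true
}

function Enable-CertPaddingCheck {
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        # The advisory specifies a REG_SZ value of "1", not a DWORD.
        Set-ItemProperty -Path $p -Name EnableCertPaddingCheck -Value '1' -Type String
    }
}

if (Test-CertPaddingCheck) {
    Write-Output 'CVE-2013-3900 mitigation already in place; nothing to change.'
} else {
    Enable-CertPaddingCheck
    if (Test-CertPaddingCheck) { Write-Output 'EnableCertPaddingCheck set; rescan to confirm the Tenable finding clears.' }
    else { Write-Error 'EnableCertPaddingCheck could not be set; check that the session is elevated.' }
}
```

Because the check rejects Authenticode signatures with non-standard padding, the pilot tier is the place to catch any legitimately signed software whose signature stops validating.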


Scan 6 - Post CVE-2013-3900 Remediation


First Cycle Remediation Effort Summary

The remediation process reduced total vulnerabilities by 83%, from 30 to 5. Critical vulnerabilities were resolved by the second scan (100%), and high vulnerabilities dropped by 100% by the final scan. Medium vulnerabilities were reduced by 76%. In an actual production environment, asset criticality would further guide future remediation efforts.


Remediation Data


On-going Vulnerability Management (Maintenance Mode)

After completing the initial remediation cycle, the vulnerability management program transitions into Maintenance Mode. This phase ensures that vulnerabilities continue to be managed proactively, keeping systems secure over time. Regular scans, continuous monitoring, and timely remediation are crucial components of this phase. (See Finalized Policy for scanning and remediation cadence requirements.)

Key activities in Maintenance Mode include:

  • Scheduled Vulnerability Scans: Perform regular scans (e.g., weekly or monthly) to detect new vulnerabilities as systems evolve.
  • Patch Management: Continuously apply security patches and updates, ensuring no critical vulnerabilities remain unpatched.
  • Remediation Follow-ups: Address newly identified vulnerabilities promptly, prioritizing based on risk and impact.
  • Policy Review and Updates: Periodically review the Vulnerability Management Policy to ensure it aligns with the latest security best practices and organizational needs.
  • Audit and Compliance: Conduct internal audits to ensure compliance with the vulnerability management policy and external regulations.
  • Ongoing Communication with Stakeholders: Maintain open communication with teams responsible for remediation, ensuring efficient coordination.

By maintaining an active vulnerability management process, organizations can stay ahead of emerging threats and ensure long-term security resilience.

