
Vulnerability Assessment

A systematic process of identifying, classifying, and prioritizing security weaknesses in systems, applications, and networks, using automated scanning, manual review, and threat intelligence to produce actionable remediation guidance.

Author: Unihackers Team
Reading time: 3 min read
Why It Matters

Modern enterprises run thousands of assets across cloud, on-premises, mobile, and IoT environments. Each asset can harbor known vulnerabilities (CVEs), misconfigurations, or insecure default settings. Without a systematic assessment program, organizations are blind to the weaknesses attackers will inevitably find.

The 2017 Equifax breach exploited an unpatched Apache Struts vulnerability disclosed two months earlier. The Log4Shell vulnerability (CVE-2021-44228) gave attackers remote code execution on millions of internet-facing systems. These incidents demonstrate that vulnerability assessment is not optional; it is the prerequisite for risk management in any security program.

The Vulnerability Assessment Process

1. Asset Discovery

You cannot protect what you do not know exists. Use combinations of network discovery, agent telemetry, cloud APIs, CMDB integration, and external attack surface management to enumerate every asset.

2. Scanning

Authenticated scanning produces dramatically better results than unauthenticated scanning. Common scan types:

| Type      | Coverage                            | Tools                     |
|-----------|-------------------------------------|---------------------------|
| Network   | Open ports, services, OS-level CVEs | Nessus, Qualys, OpenVAS   |
| Web App   | OWASP Top 10, business logic        | Burp Suite, ZAP, Acunetix |
| Container | Image CVEs, misconfigurations       | Trivy, Grype, Snyk        |
| IaC       | Terraform, CloudFormation issues    | Checkov, tfsec            |
| SCA       | Software dependencies               | Dependabot, Snyk, Mend    |

3. Validation

Scanners produce false positives. Validate critical findings through manual testing, exploitation proof-of-concept, or correlation with multiple sources.

4. Prioritization

Not every vulnerability matters equally. Modern programs use:

Risk = CVSS × EPSS × Asset Criticality × Exposure

Critical priority indicators:
- CVE in CISA KEV catalog (proven exploitation)
- EPSS > 50% (high exploitation probability)
- Internet-facing asset
- Sensitive data or critical business function
- No compensating controls

5. Remediation

Patching, configuration changes, compensating controls, or risk acceptance with documented justification. Track SLAs by severity (e.g., Critical 7 days, High 30 days, Medium 90 days).

6. Verification

Rescan to confirm fixes are effective. Track mean time to remediate (MTTR) as a key program KPI.

Key Standards and Sources

  • CVE: Common Vulnerabilities and Exposures (MITRE)
  • NVD: National Vulnerability Database with CVSS scores
  • CWE: Common Weakness Enumeration (categories of flaws)
  • CISA KEV: Known Exploited Vulnerabilities catalog
  • EPSS: Exploit Prediction Scoring System

Best Practices

  1. Continuous scanning rather than quarterly point-in-time assessments.
  2. Authenticated scans wherever possible for accurate CVE detection.
  3. Risk-based prioritization combining CVSS, EPSS, and business context.
  4. Track CISA KEV as immediate priority regardless of CVSS.
  5. Integrate with ticketing to drive accountability and SLA tracking.
  6. Measure outcomes like MTTR, exposure window, and remediation rate.

In the Bootcamp

How We Teach Vulnerability Assessment

In our Cybersecurity Bootcamp, you won't just learn about Vulnerability Assessment in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.

Covered in:

Module 8: Advanced Security Operations

Related topics you'll master: Incident Response, DFIR, Threat Hunting, Volatility