Vulnerability Scans
(OBJ 4.9)
Vulnerability Scan Report
- Generated automatically after completing a vulnerability scan
- Analysis of the report is essential to confirm the validity of identified vulnerabilities
- Review the vulnerability scan results to confirm if the detected vulnerabilities actually exist in the system
False Positives
- Vulnerability scanners may produce false positives, meaning they report vulnerabilities that don't actually exist on your system
- It is crucial to differentiate real vulnerabilities from false positives
Analysis of Vulnerabilities
- For each identified vulnerability, confirm that it actually exists on your system, not merely that the scanner flagged it
- Determine the severity and criticality of each vulnerability
- Create a plan of action and milestones for remediation
Components of a Vulnerability Scan Report
- Report ID
- Scan Date and Time
- System or Software Version
- Scan Initiator
  - The person who ran the scan
- Executive Summary
  - Highlights themes and trends for large networks
- Vulnerabilities: listed by severity (critical, high, medium, low, informational) or by host
  - CVE (Common Vulnerabilities and Exposures) ID: the vulnerability identifier
    - The CVE website (cve.org) contains detailed information about each vulnerability
  - Description
  - Affected system
  - Impact
  - Common Vulnerability Scoring System (CVSS) Score
    - Measures severity (Critical, High, Medium, Low)
    - Top score is 10, lowest score is 0
    - Prioritize vulnerable hosts from the most critical downward to address them efficiently
  - Remediation Recommendations
- Additional Findings
- Recommendations
- Conclusion
  - Summarizes the actions taken and the findings
Example of a Vulnerability Scan Report
(Image: example vulnerability scan report, not reproduced here)
- Apply Windows Update
  - If RDP is essential for remote desktop support, secure the systems by applying the missing security patch
  - Authenticated attacker: insider threat
  - Unauthenticated attacker: anyone would be able to connect using RDP
  - Score is lower because of what it is impacting
    - RDP impacts individual workstations, while Exchange servers affect the entire organization's email services
- Authenticated attacker
  - Apache remote code execution: install the latest version of Apache Druid to address this vulnerability
  - When updating isn't an option, alternative compensating controls are necessary to address the vulnerability
(Image: second example vulnerability scan report, not reproduced here)
4. Update the Spring Framework version
5. Affects very few applications using Log4j. Update to Log4j version 2.15.0 or higher.
Review the vulnerability scan report thoroughly, beyond the automated rankings based on CVE posture or CVSS scores
- You may have mitigations in place that the scanner doesn't know about
- Example:
  - If the Exchange server will be decommissioned tomorrow or shortly, no action is needed at that point
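As an added example (not part of the original notes), the triage below takes the report fields listed above (CVE ID, affected host, CVSS score, description), bands each score into the CVSS v3.x qualitative rating, orders the findings from most critical downward, and then applies the local context the scanner cannot see: hosts scheduled for decommissioning and vulnerabilities already covered by a compensating control. The findings, host names and CVE IDs are constructed placeholders.

```python
"""Triage a vulnerability scan report: band CVSS scores, rank findings,
then re-rank with local context (compensating controls, scheduled
decommissioning) that the scanner does not know about."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve_id: str       # CVE identifier as listed in the report
    host: str         # affected system
    cvss: float       # CVSS base score, 0.0 to 10.0
    description: str


def severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "Informational"   # CVSS itself labels 0.0 as 'None'
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def triage(findings, decommissioned=(), mitigated=()):
    """Return (severity, action, finding) tuples, highest CVSS first.
    Hosts in `decommissioned` need no remediation; CVEs in `mitigated`
    already have a compensating control and are deferred."""
    rows = []
    for f in sorted(findings, key=lambda f: f.cvss, reverse=True):
        if f.host in decommissioned:
            action = "none (host scheduled for decommissioning)"
        elif f.cve_id in mitigated:
            action = "defer (compensating control in place)"
        else:
            action = "remediate"
        rows.append((severity(f.cvss), action, f))
    return rows


# Constructed sample report; CVE IDs and hosts are placeholders, not real.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-1", "exch01", 9.8, "Exchange RCE, unauthenticated"),
    Finding("CVE-PLACEHOLDER-2", "ws17", 7.5, "RDP weakness, authenticated"),
    Finding("CVE-PLACEHOLDER-3", "druid01", 8.8, "Apache Druid RCE"),
    Finding("CVE-PLACEHOLDER-4", "app02", 3.1, "Log4j, few applications affected"),
]
```

Running `triage(SAMPLE, decommissioned={"exch01"}, mitigated={"CVE-PLACEHOLDER-3"})` leaves the Exchange finding at the top of the list by score but marks it as needing no action, showing why the automated ranking alone is not the remediation plan.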