In this project, we simulate the implementation of a comprehensive vulnerability management program, from inception to completion.
Inception State: organization has no existing policy or vulnerability management practices in place.
Completion State: formal policies and standards are enacted, stakeholders are bought-in, and a full cycle of organization-wide vulnerability remediation is successfully completed.
- Tenable (enterprise vulnerability management platform)
- Azure Virtual Machines (Nessus scan engine + scan targets)
- PowerShell & BASH (remediation scripts)
- Vulnerability Management Policy Draft Creation
- Meeting: Policy Buy-In with Stakeholders
- Policy Finalization and Senior Leadership Sign-Off
- Meeting: Initial Scan Permission (Server Team)
- Initial Scan of Server Team Assets
- Vulnerability Assessment and Prioritization
- Distributing Remediations to Remediation Teams
- Meeting: Post-Initial Discovery Scan (Server Team)
- CAB Meeting: Implementing Remediations
- Remediation Round 1: Outdated Wireshark Removal
- Remediation Round 2: Insecure Protocols and Ciphers
- Remediation Round 3: Guest Account Group Membership
- Remediation Round 4: Windows OS Updates
- First Cycle Remediation Effort Summary
We focus on drafting a Vulnerability Management Policy as a starting point for stakeholder engagement. The initial draft outlines scope, responsibilities, and remediation timelines using industry standards. The policy may be adjusted based on feedback from relevant departments to ensure practical implementation before final approval by upper management.
Draft Policy
In this phase, we meet with the server team to introduce the policy draft and assess their capability to meet remediation timelines. Feedback leads to adjustments, like extending the critical remediation window, ensuring collaborative implementation.
π¦ General Check-in
- Introductions with server team.
π Policy Draft Feedback
- Review the policy draft and discuss scope.
- Open discussion on any concerns the server team may have about the policy (i.e., remediation timelines too aggressive given current staffing levels).
π Proposed Adjustment
- Discuss adjustments to allow for compromise.
- Adjust remediation timelines as needed (consider asset criticality and vulnerability severity).
β³ Onboarding Flexibility
- Allow for some leeway during the initial months to adapt to the new process.
- Determine start date based on onboarding discussions.
β Collaboration & Appreciation
- Stakeholders will appreciate being included in the decision-making process, which makes them feel involved.
- Emphasize that vulnerability management is a team effort and requires collaboration.
π Closing
- Express appreciation for the meeting and wrap things up on a friendly note.
After gathering feedback from the server team, the policy is revised, deciding on appropriate remediation timelines. With final approval from upper management, the policy now guides the program, ensuring compliance and reference for pushback resolution.
Finalized Policy
The cyber team collaborates with the server team to initiate scheduled credential scans. A compromise is reached to scan a single server first, monitoring resource impact, and using just-in-time AD credentials for secure, controlled access.
π’ Kick-off & Context
- Inform server team that you are ready to start scheduled credentialed scans now that the policy is in place.
- Review scan cadence outlined in policy.
π₯οΈ Scan Details
- Review scan duration and scope of scan (# of assets being scanned).
- Remind server team that admin credentials are required for in-depth checks.
- Review and discuss possible concerns (i.e., resource utilization, potential server impact, security risk with providing admin credentials, etc.)
π Provide Clarification
- Explain how the scan works: scan sends traffic to check for vulnerabilities (i.e., out-of-date software, insecure protocols); credentials are needed for authenticated scans to access registry data and detect deeper issues; scans will not take servers offline.
β Agreement & Risk Mitigation
- Agreement to start by scanning just one server first to monitor performance and resource impact.
- Suggestion to use AD credentials with a just-in-time access approach.
- Have the IAM team create the AD account for you ahead of time.
- Enable the account only during scans.
- Disable or deprovision upon scan completion.
π Next Steps
- Server team agrees and will ask IAM team to begin automating the account provisioning process.
- IAM team will follow up once credentials are set up.
In this phase, an insecure Windows Server is provisioned to simulate the server team's environment. After creating vulnerabilities, an authenticated scan is performed, and results are exported for future remediation.
We assessed vulnerabilities and established a remediation prioritization strategy based on ease of remediation and impact. The following priorities were set:
- Third Party Software Removal (Wireshark)
- Windows OS Secure Configuration (Protocols & Ciphers)
- Windows OS Secure Configuration (Guest Account Group Membership)
- Windows OS Updates
We created remediation scripts and pulled scan results, then sent them to the server team to address key vulnerabilities. This streamlined their efforts and prepared them for a follow-up review.
Server team reviewed the scan results, identifying outdated software, insecure accounts, and deprecated protocols. The remediation packages were prepared for submission to the Change Advisory Board (CAB).
π Scan Summary
- The scan completed successfully with no outages or resource overutilization.
- The scan was mostly undetectable, except for some open connections.
- Ongoing monitoring will continue, but no performance issues are expected.
π‘οΈ Vulnerability Findings
- Outdated Wireshark installations found across target systems.
- The local guest account on servers is incorrectly a member of the local admin group.
- Presence of deprecated TLS protocols (1.0 & 1.1) and medium-strength cipher suites.
- Some vulnerabilities (e.g. MS Edge Chromium) may be resolved via Windows Updates.
- Self-signed certificates noted, but not considered a risk.
π οΈ Remediation Plan
- Remove outdated Wireshark installations.
- Remove local guest account from the local admin group.
- Disable deprecated cipher suites and TLS protocols.
- No known issues anticipated with remediation steps.
- All changes will be submitted to the CAB team prior to implementation.
π§° Tools and Support
- A patch management system is in place, so Windows updates are expected to resolve certain issues automatically by next week.
- Remediation packages will be prepared to streamline the fix process.
- Uniform vulnerabilities across servers will make remediation more efficient.
β Next Steps
- One party will begin remediation package development.
- Further research on remediation will be done.
- Follow-up will occur before the next CAB meeting.
The CAB team reviewed and approved the plan to remove insecure protocols and cipher suites. The plan included a rollback script and a tiered deployment approach.
π οΈ Remediation Overview
- Two main vulnerability remediations for the server team: removal of insecure protocols & removal of insecure cipher suites
π₯ Team Responsibilities
- Risk Department leads the technical solution discussion.
- Infrastructure Team supports implementation discussion.
π§ Technical Approach
- Insecure protocols and cipher suites can still be used if enabled in the system, even if theyβre deprecated.
- These are controlled via Windows registry settings.
- A PowerShell script was developed to disable insecure protocols/ciphers and enable secure, current standards.
π Rollback Plan: A tiered deployment will be used:
- Pilot group (small set of systems)
- Pre-production
- Full production rollout
- An automated rollback script is in place to restore original registry settings if issues occur.
β Outcome & Confidence
- The fix is straightforward and low-risk (just registry updates).
- No major concerns raised by the team.
- The meeting concludes with no further questions.
The server team used a PowerShell script created by the cyber team to remove outdated Wireshark. A follow-up scan verified successful remediation.
Wireshark Removal Script
Scan 2 - Third Party Software Removal
The server team used PowerShell scripts created by the cyber team to remediate insecure protocols and cipher suites. A follow-up scan verified successful remediation, and results were saved for reference.
Insecure Protocols Remediation
Scan 3 - Ciphersuites and Protocols
The server team removed the guest account from the admin group. A follow-up scan confirmed remediation, and results were exported for comparison.
Guest Account Group Membership Remediation
Scan 4 - Guest Account Group Removal
Windows updates were re-enabled and applied until the system was fully up to date. A follow-up scan verified the changes.
The remediation process reduced overall vulnerabilities by 76% (from 29 down to 7). All critical vulnerabilities were resolved by the second scan, and high vulnerabilities reduced by 89%. Mediums were reduced by 71%. In an actual production environment, asset criticality would further guide future remediation efforts.
After completing the initial remediation cycle, the vulnerability management program transitions into Maintenance Mode. This phase ensures that vulnerabilities continue to be managed proactively, keeping systems secure over time. Regular scans, continuous monitoring, and timely remediation are crucial components of this phase. (See Finalized Policy for scanning and remediation cadence requirements.)
Key activities in Maintenance Mode include:
- Scheduled Vulnerability Scans: Perform regular scans (e.g., weekly or monthly) to detect new vulnerabilities as systems evolve.
- Patch Management: Continuously apply security patches and updates, ensuring no critical vulnerabilities remain unpatched.
- Remediation Follow-ups: Address newly identified vulnerabilities promptly, prioritizing based on risk and impact.
- Policy Review and Updates: Periodically review the Vulnerability Management Policy to ensure it aligns with the latest security best practices and organizational needs.
- Audit and Compliance: Conduct internal audits to ensure compliance with the vulnerability management policy and external regulations.
- Ongoing Communication with Stakeholders: Maintain open communication with stakeholders for remediation, ensuring efficient coordination.
By maintaining an active vulnerability management process, organizations can stay ahead of emerging threats and ensure long-term security resilience.