5.1 Describe management concepts
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
1. Purpose of Vulnerability Management
The main goal is to:
- Identify security weaknesses before attackers do
- Reduce risk to systems and data
- Maintain a strong security posture
- Support compliance with security policies and standards
2. Key Concepts
Vulnerability vs Threat vs Risk
- Vulnerability → A weakness (e.g., outdated software)
- Threat → Something that can exploit the weakness (e.g., malware)
- Risk → The potential damage if the threat exploits the vulnerability
👉 Formula:
Risk = Threat × Vulnerability × Impact
3. Vulnerability Management Lifecycle
This is a continuous cycle and very important for the exam.
1. Asset Discovery
- Identify all systems in the network:
  - Servers
  - Endpoints
  - Network devices
  - Applications
- You cannot protect what you do not know exists
2. Vulnerability Scanning
- Use automated tools to scan systems for weaknesses
- Detect:
  - Missing patches
  - Misconfigurations
  - Open ports
  - Weak passwords
Types of Scanning
- Authenticated Scan
  - Uses login credentials
  - More accurate and detailed
- Unauthenticated Scan
  - No credentials used
  - Simulates external attacker view
3. Vulnerability Identification
- Compare scan results with known vulnerability databases such as:
  - CVE (Common Vulnerabilities and Exposures)
- Each vulnerability gets an ID (e.g., CVE-2024-XXXX)
4. Risk Assessment & Prioritization
Not all vulnerabilities are equally important.
Common factors:
- Severity level
- System importance (critical server vs normal PC)
- Exposure (internet-facing vs internal)
- Exploit availability
CVSS (Common Vulnerability Scoring System)
- Provides a score from 0 to 10
  - 0–3.9 → Low
  - 4.0–6.9 → Medium
  - 7.0–8.9 → High
  - 9.0–10 → Critical
5. Remediation (Fixing Vulnerabilities)
Common remediation methods:
- Apply patches and updates
- Change configurations
- Disable unnecessary services
- Replace vulnerable software
Other actions:
- Mitigation → Reduce risk if full fix is not possible
- Workaround → Temporary solution
6. Verification (Rescanning)
- Scan again after fixing issues
- Ensure vulnerabilities are properly removed
7. Reporting & Documentation
- Create reports for:
  - Security teams
  - Management
- Track:
  - Open vulnerabilities
  - Fixed vulnerabilities
  - Risk levels
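The lifecycle steps 4 (prioritization), 6 (rescanning) and 7 (reporting) as working code, added here as an example and not part of the CBROPS notes: the severity bands are the ones listed above, the factor multipliers are assumptions for illustration only, and every host and CVE ID in the sample scan is constructed.

```python
from dataclasses import dataclass

def cvss_band(score: float) -> str:
    """Map a CVSS base score (0-10) to the severity bands used in the notes."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                # constructed placeholder IDs, not real CVEs
    cvss: float
    internet_facing: bool   # exposure factor
    critical_asset: bool    # system importance factor
    exploit_public: bool    # exploit availability factor

def priority(f: Finding) -> float:
    """Weight CVSS by the three context factors (multipliers are assumed, not a standard)."""
    score = f.cvss
    if f.internet_facing:
        score *= 1.5
    if f.critical_asset:
        score *= 1.3
    if f.exploit_public:
        score *= 1.2
    return round(score, 2)

def triage(findings):
    """Step 4: order findings most urgent first."""
    return sorted(findings, key=priority, reverse=True)

def verify_rescan(before, after):
    """Steps 6/7: compare scans before and after remediation; returns (fixed, still_open)."""
    before_keys = {(f.host, f.cve) for f in before}
    after_keys = {(f.host, f.cve) for f in after}
    return sorted(before_keys - after_keys), sorted(before_keys & after_keys)

# Constructed sample scan output (not real hosts or CVEs)
SCAN = [
    Finding("web01", "CVE-0000-0001", 7.5, True, True, True),
    Finding("pc-42", "CVE-0000-0002", 9.8, False, False, False),
    Finding("db01", "CVE-0000-0003", 6.5, False, True, False),
]
```

Note that the internet-facing critical server with a High (7.5) finding is triaged ahead of the normal PC with a Critical (9.8) one, which is exactly the effect of the exposure and system-importance factors.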
4. Types of Vulnerabilities
1. Software Vulnerabilities
- Bugs or flaws in applications or operating systems
2. Configuration Vulnerabilities
- Incorrect system settings
- Examples:
  - Open ports
  - Default credentials
3. Network Vulnerabilities
- Weak firewall rules
- Unsecured protocols
4. Human-related Vulnerabilities
- Weak passwords
- Lack of awareness
5. Vulnerability Scanning Tools
Common tools used in IT environments:
- Network vulnerability scanners
- Web application scanners
- Endpoint security tools
Examples (for exam awareness):
- Nessus
- OpenVAS
- Qualys
6. Authenticated vs Unauthenticated Scans (Important Exam Topic)
| Feature | Authenticated | Unauthenticated |
|---|---|---|
| Access Level | Internal | External |
| Accuracy | High | Lower |
| Detail | Deep system info | Surface-level |
| Use Case | Internal audits | External attack simulation |
7. False Positives and False Negatives
False Positive
- Tool reports a vulnerability that does not actually exist
False Negative
- Tool fails to detect a vulnerability that does exist
👉 Important:
- False negatives are more dangerous, because the weakness stays unknown and unfixed
8. Patch Management vs Vulnerability Management
| Patch Management | Vulnerability Management |
|---|---|
| Focus on updates | Focus on identifying + fixing risks |
| Applies patches | Full lifecycle process |
| Reactive | Proactive + continuous |
9. Vulnerability Databases and Standards
CVE (Common Vulnerabilities and Exposures)
- Public database of known vulnerabilities
NVD (National Vulnerability Database)
- Provides detailed info and CVSS scores
CVSS (Common Vulnerability Scoring System)
- Measures severity of vulnerabilities
10. Remediation Strategies (Exam Focus)
1. Patching
- Install security updates
2. Configuration Changes
- Secure system settings
3. Network Controls
- Firewall rules
- Access control
4. Compensating Controls
- Use alternative security measures if patching is not possible
11. Challenges in Vulnerability Management
- Large number of vulnerabilities
- Limited resources
- Downtime during patching
- Legacy systems that cannot be updated
- False positives/negatives
12. Best Practices
- Perform regular scans
- Prioritize critical vulnerabilities first
- Automate scanning and reporting
- Maintain asset inventory
- Integrate with patch management
- Continuously monitor systems
13. Real IT Environment Example
- A vulnerability scanner detects that a web server is running outdated software
- The vulnerability is linked to a known CVE with a high CVSS score
- The system is internet-facing → high risk
- The security team:
  - Applies the latest patch
  - Rescans the server
  - Confirms the issue is fixed
  - Updates the report
14. Key Exam Points to Remember
- Vulnerability management is continuous
- Includes scan → assess → fix → verify → report
- CVSS scoring is used to prioritize vulnerabilities
- Authenticated scans are more accurate
- Understand false positives vs false negatives
- Know the difference between patch management and vulnerability management
- CVE and NVD are important databases
