
Johnholli/vulnerability-management-program


Vulnerability Management Program Implementation

In this project, we simulate the implementation of a comprehensive vulnerability management program, from inception to completion.

Inception State: the organization has no existing policy or vulnerability management practices in place.

Completion State: a formal policy is enacted, stakeholder buy-in is secured, and a full cycle of organization-wide vulnerability remediation is successfully completed.



Technology Utilized

  • Tenable (enterprise vulnerability management platform)
  • Azure Virtual Machines (Nessus scan engine + scan targets)
  • PowerShell & BASH (remediation scripts)



Step 1) Vulnerability Management Policy Draft Creation

This phase focuses on drafting a Vulnerability Management Policy as a starting point for stakeholder engagement. The initial draft outlines scope, responsibilities, and remediation timelines, and may be adjusted based on feedback from relevant departments to ensure practical implementation before final approval by upper management.
Draft Policy


Step 2) Mock Meeting: Policy Buy-In (Stakeholders)

In this phase, a meeting with the server team introduces the draft Vulnerability Management Policy and assesses their capability to meet remediation timelines. Feedback leads to adjustments, like extending the critical remediation window from 48 hours to one week, ensuring collaborative implementation. See the transcript from the meeting below between the server team manager (Jimmy) and the VM analyst (John).

John: Hey, good morning Jimmy! How's everything been lately? I know things have been pretty busy these past few weeks.

Jimmy: Good morning, John. Yeah, it's been a bit hectic, but we're hanging in there—thanks for asking. I had a chance to review the policy draft, and overall, it makes sense. However, with our current staffing, we won’t be able to meet the aggressive remediation timelines—especially the 48-hour window for critical vulnerabilities.

John: Yeah, I totally get that. It is a bit aggressive, especially at the start. Maybe we can extend the critical remediation window to one week for now as a compromise. Then we can reserve the 48-hour window for the really serious zero-day vulnerabilities.

Jimmy: That sounds reasonable. We really appreciate the flexibility. Would it also be possible to have a bit of leeway in the beginning—just for the first few months—while we get used to the new remediation and patching process?

John: Absolutely. Once the policy is finalized, we’ll officially launch the program, but we’re planning to give all departments around six months to adjust and get comfortable with the new process. Does that sound fair?

Jimmy: Thanks, John. We’ll do our best. I really appreciate you including us in the decision-making process—it helps us feel like we’re part of the solution.

John: Of course—we’re all in this together. Thanks for working with us.

Jimmy: No problem. And thanks for keeping this meeting short.

John: Yeah, those are my favorite kind! Take care!

Jimmy: See you later.


Step 3) Policy Finalization and Senior Leadership Sign-Off

After gathering feedback from the server team, the policy is revised, addressing aggressive remediation timelines. With final approval from upper management, the policy now guides the program, ensuring compliance and reference for pushback resolution.
Finalized Policy


Step 4) Mock Meeting: Initial Scan Permission (Server Team)

The team collaborates with the server team to initiate scheduled credentialed scans. A compromise is reached to scan a single server first, monitoring resource impact, and using just-in-time Active Directory credentials for secure, controlled access. See the transcript from the meeting below.

John (VM Analyst): Morning, Jimmy.

Jimmy (Server Team Manager): Good morning. I heard you're ready to start some scans?

John (VM Analyst): Yep! Now that our Vulnerability Management Policy is in place, I wanted to get started with some scheduled credential scans of your environment.

Jimmy (Server Team Manager): Sounds good to me. What’s involved? How can we help?

John (VM Analyst): We’re planning to run weekly scans on the server infrastructure. We estimate it’ll take about 4 to 6 hours to scan all 200 assets. We’ll need you to provide administrative credentials so the scan engine can remotely log into the targets and perform a deeper assessment.

Jimmy (Server Team Manager): Whoa, hold on. What exactly does scanning entail? I’m a bit concerned about resource utilization. Also, you’re asking for admin credentials to all 200 machines? That doesn’t sound very safe.

John (VM Analyst): Those are definitely valid concerns. The scan engine sends various traffic to the servers to check for known vulnerabilities. That includes looking into the registry, checking for outdated software, insecure protocols, cipher suites, and so on. That’s why we need credentials—to get an accurate picture of the system state.

Jimmy (Server Team Manager): Got it. As long as it doesn’t take the servers offline, I think we’ll be okay.

John (VM Analyst): Absolutely. Let’s start by scanning a single server and monitoring resource usage. That way we can be sure it won’t impact performance.

Jimmy (Server Team Manager): Not a bad idea.

John (VM Analyst): Also, for the credentials—can you create an account in Active Directory for us? Something we can keep disabled until scan time. We’d enable it during the scan, then disable or deprovision it right after—kind of a just-in-time access model.

Jimmy (Server Team Manager): That works. I’ll ask Susan to start automating the account provisioning.

John (VM Analyst): Awesome. Talk soon!

Jimmy (Server Team Manager): Sounds good. I’ll let you know once the credentials are set up.

John (VM Analyst): Great. See you later.

Jimmy (Server Team Manager): See you later.
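The just-in-time account model John describes above (an AD account that stays disabled and is enabled only for the scan window) can be scripted so the account is never left open. The following is an added example and not the project's own script; it assumes the RSAT ActiveDirectory module, a hypothetical account name `svc-nessus-scan`, and that the scan itself is launched by whatever scriptblock is passed in.

```powershell
# Added example (not from the project): just-in-time enable/disable of the
# scan service account. Assumes the ActiveDirectory module and an existing,
# normally disabled account. Account name and window are placeholders.
#Requires -Modules ActiveDirectory
param(
    [string]$ScanAccount = 'svc-nessus-scan',   # hypothetical account name
    [int]$WindowHours    = 6,                   # matches the estimated 4-6 hour scan
    [scriptblock]$ScanAction = { Write-Host 'launch the Tenable scan here' }  # placeholder
)

function Enable-ScanAccountWindow {
    param([string]$Identity, [int]$Hours)
    $acct = Get-ADUser -Identity $Identity -Properties Enabled
    if ($acct.Enabled) { throw "$Identity is already enabled; refusing to widen the window." }
    # Set an expiry as well as enabling, so the account locks itself if cleanup never runs.
    $until = (Get-Date).AddHours($Hours)
    Set-ADAccountExpiration -Identity $Identity -DateTime $until
    Enable-ADAccount -Identity $Identity
    Write-Host "$Identity enabled until $until"
}

function Disable-ScanAccountWindow {
    param([string]$Identity)
    Disable-ADAccount -Identity $Identity
    Clear-ADAccountExpiration -Identity $Identity
    Write-Host "$Identity disabled"
}

# Wrap the scan so the account is closed even if the scan fails or is interrupted.
Enable-ScanAccountWindow -Identity $ScanAccount -Hours $WindowHours
try {
    & $ScanAction
}
finally {
    Disable-ScanAccountWindow -Identity $ScanAccount
}
```

The expiry date is the safety net: if the scheduler host dies mid-scan and `finally` never runs, the account still stops authenticating at the end of the window, which is the property the server team was asking for.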


Step 5) Initial Scan of Server Team Assets

In this phase, an insecure Windows Server is provisioned to simulate the server team's environment. After creating vulnerabilities, an authenticated scan is performed, and the results are exported for future remediation steps.


Scan 1 - Initial Scan


Step 6) Vulnerability Assessment and Prioritization

We assessed vulnerabilities and established a remediation prioritization strategy based on ease of remediation and impact. The following priorities were set:

  1. Third Party Software Removal (Wireshark)
  2. Windows OS Secure Configuration (Protocols & Ciphers)
  3. Windows OS Secure Configuration (Guest Account Group Membership)
  4. Windows OS Updates

Step 7) Distributing Remediations to Remediation Teams

The server team received remediation scripts and scan reports to address key vulnerabilities. This streamlined their efforts and prepared them for a follow-up review.


Remediation Email


Step 8) Mock Meeting: Post-Initial Discovery Scan (Server Team)

The server team reviewed vulnerability scan results, identifying outdated software, insecure accounts, and deprecated protocols. The remediation packages were prepared for submission to the Change Control Board (CAB). See the transcript from the meeting below.

John (VM Analyst): Morning, Jimmy. How are you doing?

Jimmy (Server Team Manager): Not bad for a Monday. And you?

John (VM Analyst): Still alive, so I can’t complain. Before we dive into the vulnerabilities, how did the scan go on your end? Any outages, performance issues, or overutilization?

Jimmy (Server Team Manager): The scan went well. We were monitoring everything, and aside from a lot of open connections, you wouldn't even know a scan was running.

John (VM Analyst): That’s great to hear. Pretty much what I expected. We’ll continue to monitor going forward, but I don’t anticipate any issues with resource usage. Do you mind if I jump into the findings?

Jimmy (Server Team Manager): Go for it.

John (VM Analyst): Cool, I’ll share my screen real quick. So, the majority of these vulnerabilities stem from Wireshark being installed—it’s severely outdated. That’s the main issue.

One interesting thing I did find: The local guest account on several servers is part of the local administrators group. I’m not sure why that’s the case.

Some vulnerabilities, like the Microsoft Edge Chromium one, might be resolved with Windows Updates. A few others could be as well, though I’ll need to confirm.

The self-signed certificate vulnerability isn’t a big concern—it’s just the computer’s self-signed cert. But the medium-strength cipher suites and support for TLS 1.0 and 1.1—those are deprecated protocols we should definitely address.

So in summary:

  • Remove outdated Wireshark
  • Disable deprecated protocols and cipher suites
  • Remove or fix the guest account issue

Jimmy (Server Team Manager): Interesting. The good news is, I suspect most of our servers will have the same set of vulnerabilities, which should simplify remediation.

John (VM Analyst): Exactly. A uniform rollout will make things easier. Do you foresee any issues with addressing the cipher suites or protocols?

Jimmy (Server Team Manager): Highly doubt it. We'll take it to the next Change Control Board. Uninstalling Wireshark and fixing the guest account shouldn’t be a problem—they shouldn’t be there in the first place. I’ll check in with our CIS admins about that.

John (VM Analyst): Sounds good. I’ll get started on building out some remediation packages to make it easier when the time comes.

Jimmy (Server Team Manager): Perfect. Oh—do you already have something in place for the Windows Update-related vulnerabilities? Patch management?

John (VM Analyst): Yes, I’m not worried about those. Windows Updates should take care of them—we’ve got patch management in place, and things should be handled automatically by next week.

Jimmy (Server Team Manager): Excellent.

John (VM Analyst): Alright, I’ll start researching the best way to remediate these findings and circle back before the next Change Control Board.

Jimmy (Server Team Manager): Sounds good. Talk to you soon.

John (VM Analyst): Cool, talk soon.


Step 9) Mock CAB Meeting: Implementing Remediations

The Change Control Board (CAB) reviewed and approved the plan to remove insecure protocols and cipher suites. The plan included a rollback script and a tiered deployment approach. See the meeting transcript below.

Facilitator: Okay, next up on the list are a couple of vulnerability remediations for the server team. Number one: removal of insecure protocols. Number two: removal of insecure cipher suites.

It looks like John (VM Analyst) from the risk department is working in conjunction with Jimmy (Server Team Manager) on this. Jimmy, do you want to walk us through the technical aspects of the change being implemented?

Jimmy (Server Team Manager): Normally I would, but do you mind handing this one over to John? He actually built the solution for us—we're still getting used to the process.

John (VM Analyst): Sure, I can explain. So, basically, the presence of insecure cipher suites and protocols on a system means it’s still capable of negotiating connections using deprecated algorithms or protocols. If a server communicates with a client that only supports these outdated methods, it might fall back and use them, which opens up security risks.

These configurations are controlled through the Windows Registry. It's actually a pretty straightforward fix—we wrote a PowerShell script that disables all insecure protocols and ciphers, and enables the current secure standards.

Facilitator: That sounds good. But what if something goes wrong? Do we have a rollback plan in place?

John (VM Analyst): Yes, definitely. First, we’re doing a tiered deployment—starting with a small pilot group, then pre-production, and finally full production. On top of that, we’ve built automated rollback scripts for each remediation. If anything unexpected happens, the script can restore the original registry settings, including all previously enabled protocols and ciphers.

Jimmy (Server Team Manager): That sounds good. Since it’s just registry updates, I’m not too worried.

John (VM Analyst): Exactly—simple and controlled.

Facilitator: Any more questions from anyone?

(silence)

Great, that wraps up this week's CAB meeting. See you all next week!

Everyone: See you later.


Step 10) Remediation Effort

Remediation Round 1: Outdated Wireshark Removal

The server team used a PowerShell script to remove outdated Wireshark. A follow-up scan confirmed successful remediation.
Wireshark Removal Script


Scan 2 - Third Party Software Removal
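The Wireshark removal script itself is linked above but not reproduced on this page. The following is an added example, not the project's own script, of how such a removal is typically done: find the product through the Uninstall registry keys (both 64-bit and WOW6432Node views), run its uninstaller silently, and then re-check the registry so the finding can be closed with evidence. It assumes Wireshark's NSIS uninstaller, which accepts `/S` for silent mode, and an elevated session.

```powershell
# Added example (not the project's own script): locate an installed Wireshark
# via the Uninstall registry keys and remove it silently. Assumes the NSIS
# uninstaller's /S switch; run elevated.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledWireshark {
    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Wireshark*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Remove-Wireshark {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $found = Get-InstalledWireshark
    if (-not $found) { Write-Host 'Wireshark not installed; nothing to do.'; return }
    foreach ($app in $found) {
        # UninstallString is usually just the quoted uninstaller path; strip the quotes.
        $exe = $app.UninstallString.Trim('"')
        if ($PSCmdlet.ShouldProcess("$($app.DisplayName) $($app.DisplayVersion)", 'Uninstall')) {
            $proc = Start-Process -FilePath $exe -ArgumentList '/S' -Wait -PassThru
            Write-Host "$($app.DisplayName) uninstaller exited with code $($proc.ExitCode)"
        }
    }
    # Verify the same way the scanner will: the finding only closes if the key is gone.
    if (-not $WhatIfPreference -and (Get-InstalledWireshark)) {
        throw 'Wireshark still present after uninstall.'
    }
}

Remove-Wireshark -WhatIf   # dry run first; drop -WhatIf to actually remove
```

Recording `DisplayVersion` before removal gives the CAB ticket the evidence of what was present, and the final check means the script fails loudly rather than reporting success on a server where the uninstaller silently bailed.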

Remediation Round 2: Insecure Protocols & Ciphers

The server team used PowerShell scripts to remediate insecure protocols and cipher suites. A follow-up scan verified successful remediation, and the results were saved for reference.
PowerShell: Insecure Protocols Remediation
PowerShell: Insecure Ciphers Remediation


Scan 3 - Ciphersuites and Protocols
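John's CAB explanation in Step 9 (the settings live under the SCHANNEL registry key, and a rollback script restores the previously enabled protocols and ciphers) and the Round 2 remediation above both describe the same change. The following is an added example, not the project's own remediation or rollback script, of that change with the rollback built in: export the SCHANNEL tree first, disable SSL 2.0/3.0 and TLS 1.0/1.1 plus the weak ciphers, and keep a restore function that puts the tree back exactly as exported. Registry paths and value names are the ones SCHANNEL actually reads; the backup file location is an assumption.

```powershell
# Added example (not the project's own scripts). Disables deprecated SCHANNEL
# protocols and weak ciphers after exporting the key so the change can be reverted.
# Run elevated; SCHANNEL only picks up the change after a reboot.
$schannelPs  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$schannelReg = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$backupFile  = "$env:ProgramData\schannel-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"  # assumed location

$disableProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$disableCiphers   = 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128',
                    'DES 56/56', 'Triple DES 168', 'NULL'

function Backup-Schannel {
    # reg.exe export captures the whole tree, so rollback restores every previously enabled item.
    & reg.exe export $schannelReg $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; aborting before any change.' }
    Write-Host "SCHANNEL backed up to $backupFile"
}

function Set-RegistryDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Disable-InsecureProtocols {
    foreach ($p in $disableProtocols) {
        foreach ($side in 'Server', 'Client') {
            $key = "$schannelPs\Protocols\$p\$side"
            Set-RegistryDword $key 'Enabled' 0
            Set-RegistryDword $key 'DisabledByDefault' 1
        }
    }
}

function Disable-InsecureCiphers {
    foreach ($c in $disableCiphers) {
        # The PowerShell registry provider treats '/' in 'RC4 128/128' as a path
        # separator, so cipher keys have to be created through .NET.
        $sub = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
            "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$c")
        $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $sub.Close()
    }
}

function Restore-Schannel([string]$File) {
    # reg import only merges, so first delete the subkeys this script created;
    # the import then recreates exactly what existed at backup time.
    Remove-Item "$schannelPs\Protocols" -Recurse -Force -ErrorAction SilentlyContinue
    [Microsoft.Win32.Registry]::LocalMachine.DeleteSubKeyTree(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $false)
    & reg.exe import $File
    if ($LASTEXITCODE -ne 0) { throw "Rollback import of $File failed." }
    Write-Host 'SCHANNEL restored; reboot to apply.'
}

Backup-Schannel
Disable-InsecureProtocols
Disable-InsecureCiphers
Write-Host "Done. Reboot to apply. To roll back: Restore-Schannel '$backupFile'"
```

Two details matter for the tiered rollout John described: the backup runs before any write and aborts the script if it fails, and the restore deletes the subkeys before importing, because a plain `reg import` would leave an `Enabled=0` value in place on any key that did not exist when the backup was taken.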

Remediation Round 3: Guest Account Group Membership

The server team removed the guest account from the administrator group. A new scan confirmed remediation, and the results were exported for comparison.
PowerShell: Guest Account Group Membership Remediation


Scan 4 - Guest Account Group Removal
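The guest account remediation linked above is not reproduced on the page. The following is an added example, not the project's own script, that detects and removes the local Guest account from the local Administrators group while keeping a record of the prior membership. It matches the account by its well-known RID (501) rather than by name, so a renamed Guest account is still caught, and it uses the built-in Microsoft.PowerShell.LocalAccounts module; the CSV path is an assumption.

```powershell
# Added example (not the project's own script): detect and remove the local
# Guest account (RID 501) from the local Administrators group, recording the
# membership first so the change is auditable. Run elevated.
$group      = 'Administrators'
$recordPath = "$env:ProgramData\admins-before-$(Get-Date -Format yyyyMMdd-HHmmss).csv"  # assumed

function Get-GuestAdminMembership {
    # Match on SID: the Guest account's RID is always 501, even if it has been renamed.
    Get-LocalGroupMember -Group $group |
        Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
}

function Remove-GuestFromAdministrators {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Snapshot the full membership before touching it.
    Get-LocalGroupMember -Group $group |
        Select-Object Name, SID, PrincipalSource |
        Export-Csv -Path $recordPath -NoTypeInformation
    Write-Host "Membership recorded to $recordPath"

    $guest = Get-GuestAdminMembership
    if (-not $guest) { Write-Host "No Guest account in $group."; return $true }
    if ($PSCmdlet.ShouldProcess($guest.Name, "Remove from $group")) {
        Remove-LocalGroupMember -Group $group -Member $guest
    }
    # $true when the finding is closed, $false if Guest is still a member (e.g. under -WhatIf).
    return -not (Get-GuestAdminMembership)
}

Remove-GuestFromAdministrators -WhatIf   # dry run; drop -WhatIf to remediate
```

Returning a boolean from the function lets the same script be used as the post-remediation check the follow-up scan will repeat, and the CSV snapshot answers the "why was it there" question Jimmy raised, since it shows who else was in the group at the time.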

Remediation Round 4: Windows OS Updates

Windows updates were re-enabled and applied until the system was fully up to date. A final scan verified the changes.


Scan 5 - Post Windows Updates
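Round 4 says updates were re-enabled and applied until nothing remained. The following is an added example, not the project's own procedure, showing how to do that without third-party modules: start the Windows Update service and drive the Windows Update Agent COM API (`Microsoft.Update.Session`) to search, download and install pending updates, reporting whether a reboot is needed so the loop can be repeated until the search comes back empty. Run it elevated.

```powershell
# Added example (not the project's own procedure): re-enable the Windows Update
# service and install pending updates through the Windows Update Agent COM API.
# Run elevated; repeat after each reboot until no updates are returned.
function Enable-WindowsUpdateService {
    Set-Service -Name wuauserv -StartupType Manual   # the default (trigger-start) mode
    Start-Service -Name wuauserv
}

function Install-PendingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    if ($result.Updates.Count -eq 0) { Write-Host 'No pending updates.'; return $null }

    $toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $result.Updates) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        Write-Host "Pending: $($u.Title)"
        $toInstall.Add($u) | Out-Null
    }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $toInstall
    $downloader.Download() | Out-Null

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $toInstall
    $install = $installer.Install()
    # OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
    [pscustomobject]@{
        Installed      = $toInstall.Count
        ResultCode     = $install.ResultCode
        RebootRequired = $install.RebootRequired
    }
}

Enable-WindowsUpdateService
$r = Install-PendingUpdates
if ($r -and $r.RebootRequired) {
    Write-Host 'Reboot required; re-run after restart until no updates remain.'
}
```

Checking `RebootRequired` and re-running is what makes the "until fully up to date" state real: cumulative updates often expose further updates only after a restart, which is why the follow-up scan is run last rather than straight after the first install.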


First Cycle Remediation Effort Summary

The remediation process reduced total vulnerabilities by 76%, from 29 to 7. Critical vulnerabilities were resolved by the second scan (100%), and high vulnerabilities dropped by 90%. Mediums were reduced by 76%. In an actual production environment, asset criticality would further guide future remediation efforts.


Remediation Data


Ongoing Vulnerability Management (Maintenance Mode)

After completing the initial remediation cycle, the vulnerability management program transitions into Maintenance Mode. This phase ensures that vulnerabilities continue to be managed proactively, keeping systems secure over time. Regular scans, continuous monitoring, and timely remediation are crucial components of this phase. (See Finalized Policy for scanning and remediation cadence requirements.)

Key activities in Maintenance Mode include:

  • Scheduled Vulnerability Scans: Perform regular scans (e.g., weekly or monthly) to detect new vulnerabilities as systems evolve.
  • Patch Management: Continuously apply security patches and updates, ensuring no critical vulnerabilities remain unpatched.
  • Remediation Follow-ups: Address newly identified vulnerabilities promptly, prioritizing based on risk and impact.
  • Policy Review and Updates: Periodically review the Vulnerability Management Policy to ensure it aligns with the latest security best practices and organizational needs.
  • Audit and Compliance: Conduct internal audits to ensure compliance with the vulnerability management policy and external regulations.
  • Ongoing Communication with Stakeholders: Maintain open communication with teams responsible for remediation, ensuring efficient coordination.

By maintaining an active vulnerability management process, organizations can stay ahead of emerging threats and ensure long-term security resilience.
