CHAPTER 12
Network Vulnerability Management
Updated: May 15, 2026
1. Introduction
A network is never static. New servers are spun up, new software is installed, and developers constantly push new code. With every change, new security holes (vulnerabilities) can be accidentally introduced. Furthermore, vendors and researchers disclose new flaws in widely used software every day. Vulnerability Management is the continuous, proactive cycle of identifying, classifying, remediating, and mitigating these security flaws before attackers can exploit them. In this chapter, we will explore vulnerability scanning, patch management, and the concept of Attack Surface Reduction.
2. Learning Objectives
By the end of this chapter, you will be able to:
- Define Vulnerability Management as a continuous lifecycle.
- Understand the mechanics of automated Vulnerability Scanning.
- Explain the Common Vulnerability Scoring System (CVSS).
- Define Patch Management and its critical importance.
- Apply Attack Surface Reduction hardening techniques.
3. Beginner-Friendly Explanation
Imagine maintaining a massive fleet of delivery trucks.
- The Vulnerability: The manufacturer announces that the brakes on all 2022 models have a defect and might fail at high speeds.
- Scanning: You use a computer system to instantly scan your fleet and identify exactly which 50 trucks are the 2022 models.
- Risk Assessment: You realize 10 of those trucks are currently driving through the mountains. Those are Critical Risk. The other 40 are parked in the lot. Those are Low Risk.
- Patch Management: You recall the 10 mountain trucks immediately to replace the brakes (Applying the Patch). You schedule the other 40 for maintenance next week.
Vulnerability management is finding the broken brakes on your network before the truck crashes.
4. Vulnerability Scanning vs. Penetration Testing
- Vulnerability Scanning: An automated tool (such as Nessus, Qualys, or OpenVAS) that rapidly checks thousands of IPs against a database of known flaws (CVEs), usually by matching service banners, software versions, and configuration settings. It is fast, cheap, and typically run weekly or continuously. It identifies the open doors, but it can only find flaws it has a check for, and it produces false positives that must be verified.
- Penetration Testing: A manual process in which a human ethical hacker actively exploits vulnerabilities, chains them together, and looks for flaws a scanner cannot detect (business logic errors, weak trust relationships between systems). It is slow, expensive, and typically run annually or after major changes. It walks through the doors to see what can be stolen.
5. Prioritization and CVSS
When a vulnerability scanner finishes, it might report 5,000 vulnerabilities. The IT team cannot fix them all today. Vulnerabilities are prioritized using the Common Vulnerability Scoring System (CVSS), which assigns a base score from 0.0 to 10.0 computed from how exploitable a flaw is (attack vector, attack complexity, privileges required, user interaction) and what it can impact (confidentiality, integrity, availability). The score measures technical severity, not the risk to your particular organization; the remediation deadlines below are typical policy targets, not part of CVSS.
- Critical (9.0 - 10.0): For example, Remote Code Execution (RCE) reachable over the network with no authentication and no user interaction. An attacker can take over the server from the internet without a password. Must be patched immediately (typically within 24 hours).
- High (7.0 - 8.9): Significant threat, often requiring the attacker to already hold some level of access or to trick a user first. Patch within 7-14 days.
- Medium (4.0 - 6.9) and Low (0.1 - 3.9): Limited impact or hard-to-exploit flaws, such as minor information leaks. Patch during the next scheduled maintenance window.
6. Patch Management
Finding the vulnerability is only step one; fixing it is the goal. Patch Management is the formal process of acquiring, testing, and installing software updates. *The Challenge:* In an enterprise, you cannot simply click "Update All" on a Friday afternoon. What if the Windows update breaks the custom hospital billing software? IT departments must first deploy the patch to a small "Testing Network" (or a pilot group of representative machines) to verify stability before deploying it to all 5,000 corporate machines. This balance between speed and stability is the core challenge of security engineering.
7. Mini Project: Perform a Vulnerability Assessment Conceptually
How does a security analyst process a scanner report?
The Triage Workflow:
- 1. Review the Report: The scanner flags Server A with a CVSS 9.8 vulnerability in Apache.
- 2. Verify (Remove False Positives): The analyst manually checks Server A. Is it actually running that version of Apache? Sometimes scanners are wrong.
- 3. Assess Contextual Risk: The CVSS score is 9.8, but Server A is completely disconnected from the internet and locked in an isolated internal VLAN. The *real-world risk* is lower because no internet attacker can reach the flaw. It is deprioritized, not ignored: an insider, or an attacker who has already breached the VLAN, could still use it.
- 4. Remediate: Instruct the sysadmin to apply the Apache software patch.
- 5. Re-scan: Run the vulnerability scanner against Server A again to prove the patch actually applied (the scanner now sees the fixed version) and the finding no longer appears.
8. Real-World Scenarios
In May 2017, the WannaCry ransomware worm devastated global networks, including the UK's National Health Service, causing billions of dollars in damage. The worm spread using the EternalBlue exploit against a vulnerability in the Windows SMBv1 protocol. Microsoft had released the patch for this exact vulnerability (MS17-010) in March 2017, two months *before* the attack. The organizations that were compromised had failed at Patch Management, or were still running unsupported versions such as Windows XP, which received no fix until Microsoft issued an emergency patch after the outbreak began. A supported Windows system that had applied the March update could not be infected by the worm's SMB exploit.
9. Best Practices
- Attack Surface Reduction (Hardening): The easiest way to manage vulnerabilities is to have fewer things to patch. If a Windows Server is only acting as a file server, uninstall the IIS Web Server role entirely, disable Bluetooth, and turn off the Print Spooler service. If the software isn't installed, it can't be exploited.
10. Legal and Ethical Notes
Running an automated vulnerability scanner against an IP address or domain is noisy: intrusion detection systems flag it as hostile reconnaissance, and scanning systems you are not authorized to test may be treated as an offence under computer misuse laws regardless of your intent. You must never run tools like Nessus or Nmap against targets you do not own without explicit, written legal authorization that names the targets and the testing window.
11. Exercises
- 1. Explain the difference between an automated Vulnerability Scan and a manual Penetration Test.
- 2. Why must enterprise IT departments test a patch in a lab environment before deploying it to production servers, despite the security risk of delaying the patch?
12. FAQs
Q: Can a vulnerability scanner find zero-day vulnerabilities? A: Generally, no. Vulnerability scanners look for *known* flaws (CVEs) using version checks and signatures. A zero-day is a vulnerability for which no patch exists and which the vendor may not even know about yet, so there is no check for it in the scanner's database. This is why anomaly-based intrusion detection and prevention, attack surface reduction, and Defense in Depth are required alongside scanning.
13. Interview Questions
- Q: Describe the Common Vulnerability Scoring System (CVSS). How would you factor in "Asset Criticality" when prioritizing the remediation of a CVSS 7.0 vulnerability on a public web server versus a CVSS 9.0 vulnerability on an isolated internal test server?
- Q: An automated scanner flags a critical vulnerability on an embedded medical IoT device, but the manufacturer has gone out of business and will never release a patch. Detail a compensating control strategy to mitigate this risk.