In this project, we simulate the implementation of a comprehensive vulnerability management program, from inception to completion.
Inception State: the organization has no existing policy or vulnerability management practices in place.
Completion State: a formal policy is enacted, stakeholder buy-in is secured, and a full cycle of organization-wide vulnerability remediation is successfully completed.
- Tenable (enterprise vulnerability management platform)
- Azure Virtual Machines (Nessus scan engine + scan targets)
- PowerShell & BASH (remediation scripts)
- Vulnerability Management Policy Draft Creation
- Mock Meeting: Policy Buy-In (Stakeholders)
- Policy Finalization and Senior Leadership Sign-Off
- Mock Meeting: Initial Scan Permission (Server Team)
- Initial Scan of Server Team Assets
- Vulnerability Assessment and Prioritization
- Distributing Remediations to Remediation Teams
- Mock Meeting: Post-Initial Discovery Scan (Server Team)
- Mock CAB Meeting: Implementing Remediations
- Remediation Round 1: Outdated Wireshark Removal
- Remediation Round 2: Insecure Protocols & Ciphers
- Remediation Round 3: Guest Account Group Membership
- First Cycle Remediation Effort Summary
- On-going Vulnerability Management (Maintenance Mode)
This phase focuses on drafting a Vulnerability Management Policy as a starting point for stakeholder engagement. The initial draft outlines scope, responsibilities, and remediation timelines, and may be adjusted based on feedback from relevant departments to ensure practical implementation before final approval by upper management.
Draft Policy
In this phase, a meeting with the server team introduces the draft Vulnerability Management Policy and assesses their capability to meet remediation timelines. Feedback leads to adjustments, like extending the critical remediation window from 48 hours to one week, ensuring collaborative implementation.
Remediation Policy Discussion (Dialogue)
Ryan: Hey, good morning Jimmy. How’s everything been? I know everyone’s been pretty busy these last few weeks.
Jimmy: Good morning, Ryan. Yeah, it’s been a bit hectic, but we’re hanging in there. Thanks for asking. I reviewed the policy draft, and overall it makes sense. However, with our current staffing levels, we can’t meet the aggressive remediation timelines—especially the 48-hour window for critical vulnerabilities.
Ryan: Yeah, I totally understand. It is a bit aggressive, especially for the initial rollout. Maybe we can extend the critical remediation window to one week for now, and reserve the 48-hour requirement only for truly severe, zero-day–type vulnerabilities.
Jimmy: That sounds reasonable. We appreciate the flexibility. Would it be possible to have some leeway during the first few months while we get used to the new remediation and patching process?
Ryan: Absolutely. Once the policy is finalized, we’ll officially start the program, but we’re planning to give all departments around six months to adjust and get comfortable with the new process. Does that sound fair?
Jimmy: Thanks, Ryan. We’ll do our best. I appreciate you including us in the decision-making process—it really helps us feel like we’re part of the solution.
Ryan: Of course. We’re all in this together. Thanks for working with us.
Jimmy: No problem. And thanks for keeping the meeting short—those are my favorite kind. Bye now.
Ryan: See you later.
After gathering feedback from the server team, the policy is revised, addressing aggressive remediation timelines. With final approval from upper management, the policy now guides the program, ensuring compliance and reference for pushback resolution.
Finalized Policy
The team collaborates with the server team to initiate scheduled credential scans. A compromise is reached to scan a single server first, monitoring resource impact, and using just-in-time Active Directory credentials for secure, controlled access.
Server Team Meeting - Initial Discovery Scan (Dialogue)
Ryan: Good morning, Jimmy.
Jimmy: Good morning. I heard you're ready to conduct some scans.
Ryan: Yep. Now that our vulnerability management policy is in place, I wanted to get started with some scheduled credentialed scans of your environment.
Jimmy: Sounds good to me. What’s involved? How can we help?
Ryan: We’re planning to run weekly scans on the server infrastructure. We estimate it will take about 4–6 hours to scan all 2,200 assets. We’ll need you to provide administrative credentials so the scan engine can remotely log in to the targets for a deeper assessment.
Jimmy: Whoa, hold on. What exactly does scanning entail? I’m a bit worried about resource utilization. Also, you want admin credentials to all 2,200 machines? That doesn’t sound safe.
Ryan: Those are valid concerns. The scan engine sends specific traffic to the servers to check for vulnerabilities—things like outdated software, insecure protocols, weak cipher suites, or registry entries that indicate issues. That’s why credentials are needed for a full assessment.
Jimmy: I see. As long as it doesn’t bring the servers offline, we should be okay.
Ryan: Absolutely. Let’s start by scanning just a single server and monitor the resource utilization. That way you can see the impact firsthand.
Jimmy: Not a bad idea.
Ryan: Great. For the credentials, could you set up an account in Active Directory for us? You can keep it disabled until we're ready to scan. Then you can enable it during the scan and disable or deprovision it afterward—basically a just-in-time access workflow.
Jimmy: That sounds good. I’ll ask Susan to get started on the automation for provisioning the account.
Ryan: Awesome. Talk soon.
Jimmy: Sounds good. I’ll get back to you once the credentials are set up. See you later.
Ryan: See you later.
In this phase, an insecure Windows Server is provisioned to simulate the server team's environment. After creating vulnerabilities, an authenticated scan is performed, and the results are exported for future remediation steps.
We assessed vulnerabilities and established a remediation prioritization strategy based on ease of remediation and impact. The following priorities were set:
- Third Party Software Removal (Wireshark)
- Windows OS Secure Configuration (Protocols & Ciphers)
- Windows OS Secure Configuration (Guest Account Group Membership
The server team received remediation scripts and scan reports to address key vulnerabilities. This streamlined their efforts and prepared them for a follow-up review.
The server team reviewed vulnerability scan results, identifying outdated software, insecure accounts, and deprecated protocols. The remediation packages were prepared for submission to the Change Control Board (CAB).
Server Team Meeting – Post-Initial Discovery Scan (Dialogue)
Ryan: Morning, Jimmy. How are you doing?
Jimmy: Not bad for a Monday. And yourself?
Ryan: I’m still alive, so I can’t complain. Before we get into the vulnerabilities—how did the actual scan go on your end? Any outages or overutilization?
Jimmy: The scan went well. We were monitoring everything, and aside from all the open connections, we never would’ve known a scan was taking place.
Ryan: That’s good news. I expected as much. We can continue monitoring going forward, but I don’t anticipate any issues with resource utilization. Do you mind if I dive into the vulnerability findings?
Jimmy: Yeah, absolutely.
Ryan: Cool. I’m going to share my screen real quick. So, basically, the majority of these vulnerabilities come from Wireshark being installed. You can see several findings tied to it—it’s just extremely out of date.
One interesting thing I found is that the local Guest account on the servers actually belongs to a group—and specifically, it belongs to the Local Administrators group. I’m not sure why that is.
Some of the other vulnerabilities—like the Microsoft Edge (Chromium) one and a few others—may get automatically resolved by upcoming Windows Updates. Same with this one here; not entirely sure, but likely.
We don’t need to worry about the self-signed certificate finding—it’s just the server generating its own cert. But these medium-strength cipher suites and TLS 1.1/1.0 protocols are deprecated, so those should definitely be remediated.
So, to summarize:
Remove or update Wireshark
Address deprecated protocols (TLS 1.0/1.1)
Address weak cipher suites
Remove or fix the Guest account issue
Jimmy: Very interesting. The good news is I suspect most of our servers will have the same vulnerabilities, so hopefully remediation will be easier since it’ll be the same fixes across the board.
Ryan: Yeah, that’s actually good news—more of a uniform loadout. Do you foresee any issues remediating the cipher suites or insecure protocols?
Jimmy: I highly doubt it. We’ll run it through the next Change Control Board. Uninstalling Wireshark and fixing the Guest account shouldn’t be an issue either—those shouldn’t be on the servers anyway. I’ll talk to our CIS admins about that.
Ryan: Perfect. I’ll start building some remediation packages to make things easier when you’re ready to apply the fixes.
Jimmy: That sounds great. Oh—one question: Do you already have something in place for the Windows Update–related vulnerabilities? Patch management, etc.?
Ryan: Oh yes, I’m not worried about those. Windows Updates should be handled automatically by next week—we have patch management in place.
Jimmy: Excellent.
Ryan: Alright, I’ll start researching the best way to remediate these findings and get back to you before the next Change Control Board.
Jimmy: Sounds good. Talk to you soon.
Ryan: Cool, cool. Talk to you soon.
The Change Control Board (CAB) reviewed and approved the plan to remove insecure protocols and cipher suites. The plan included a rollback script and a tiered deployment approach.
CAB Meeting with the Server Team (Dialogue)
Chairperson: Okay, next up on the list are a couple of vulnerability remediations for the server team:
Removal of insecure protocols
Removal of insecure cipher suites
It looks like Ryan from the Risk Department is working in conjunction with Jimmy from Infrastructure on this. Jimmy, do you want to walk us through the technical aspects of the change being implemented?
Jimmy: Normally I would, but do you mind giving this one to Ryan? He actually built the solution for us—we’re still getting used to the process.
Ryan: Yeah, I can explain these. So, insecure cipher suites and insecure protocols basically mean the system is still capable of negotiating or using algorithms and protocols that are deprecated. If the system connects to a server that only supports those outdated protocols, it’s possible it will use them.
These are controlled through the Windows Registry. It’s a simple fix—we wrote a PowerShell script that disables all insecure protocols and cipher suites, and then enables the standardized, secure ones that align with current best practices. It’s very straightforward.
CAB Member: That sounds good, but what if something goes wrong? Do we have a rollback plan in place? Did you think about that?
Ryan: Yes, absolutely. We’re doing a tiered deployment:
A pilot group (very small),
Then pre-production,
Then full production once everything checks out.
On top of that, we’ve built fully automated rollback scripts for each remediation. If anything unexpected happens, the script will restore the original protocol and cipher configuration.
CAB Member: That sounds good. I notice the fixes are just simple registry updates, so I’m not too concerned.
Ryan: Yep, exactly.
Chairperson: Any more questions from anyone? Great—that wraps things up for this week’s CAB meeting. See you all next week.
Jimmy: See you later.
The server team used a PowerShell script to remove outdated Wireshark. A follow-up scan confirmed successful remediation.
Wireshark Removal Script
Scan 2 - Third Party Software Removal
The server team used PowerShell scripts to remediate insecure protocols and cipher suites. A follow-up scan verified successful remediation, and the results were saved for reference.
PowerShell: Insecure Protocols Remediation
PowerShell: Insecure Ciphers Remediation
Scan 3 - Ciphersuites and Protocols
The server team removed the guest account from the administrator group. A new scan confirmed remediation, and the results were exported for comparison.
PowerShell: Guest Account Group Membership Remediation
Scan 4 - Guest Account Group Removal
The remediation process reduced total vulnerabilities by 80%, from 30 to 6. Critical vulnerabilities were resolved by the second scan (100%), and high vulnerabilities dropped by 90%. Mediums were reduced by 76%. In an actual production environment, asset criticality would further guide future remediation efforts.
After completing the initial remediation cycle, the vulnerability management program transitions into Maintenance Mode. This phase ensures that vulnerabilities continue to be managed proactively, keeping systems secure over time. Regular scans, continuous monitoring, and timely remediation are crucial components of this phase. (See Finalized Policy for scanning and remediation cadence requirements.)
Key activities in Maintenance Mode include:
- Scheduled Vulnerability Scans: Perform regular scans (e.g., weekly or monthly) to detect new vulnerabilities as systems evolve.
- Patch Management: Continuously apply security patches and updates, ensuring no critical vulnerabilities remain unpatched.
- Remediation Follow-ups: Address newly identified vulnerabilities promptly, prioritizing based on risk and impact.
- Policy Review and Updates: Periodically review the Vulnerability Management Policy to ensure it aligns with the latest security best practices and organizational needs.
- Audit and Compliance: Conduct internal audits to ensure compliance with the vulnerability management policy and external regulations.
- Ongoing Communication with Stakeholders: Maintain open communication with teams responsible for remediation, ensuring efficient coordination.
By maintaining an active vulnerability management process, organizations can stay ahead of emerging threats and ensure long-term security resilience.