Exercises: Vulnerability Management

These exercises move from vocabulary to the judgment calls a real vulnerability-management program makes every day. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before you read one.

Work in your own notebook or a private repository. Where an exercise asks you to "prioritize," "rank," or "score," there is rarely one perfect answer; the reasoning — and whether you used the right signals — matters more than the exact label. All scan output, the CVEs in the tables, and the figures are illustrative (Tier 3) unless a real CVE is named.


Part A — Core vocabulary and the lifecycle ⭐

1.† In one sentence each, define CVE, CVSS, EPSS, and KEV, then write a single sentence that uses all four correctly to describe prioritizing Log4Shell.

2. Name the six stages of the vulnerability-management lifecycle in order, and state in one phrase what each stage produces.

3. Explain the difference between patch management (Chapter 11) and vulnerability management. Give one question each discipline answers that the other does not.

4.† A finding is marked "remediated" in the ticket system the instant the patch is deployed. Which lifecycle stage has been skipped, why does the distinction matter, and what would actually confirm the finding is closed?

5. Define attack surface management and explain, in two sentences, why an asset nobody remembers owning is more dangerous than one with a known critical vulnerability.

6. What is an SBOM, and how would having one have changed Meridian's first hour of the Log4Shell response? (One short paragraph.)


Part B — Scanning: depth, safety, and reading output ⭐⭐

7.† For each goal, state whether you would use an authenticated or unauthenticated scan and why: (a) confirm which internal servers are missing the latest OS patches; (b) see exactly what an anonymous internet attacker can discover about your perimeter; (c) inventory the installed library versions on a managed Linux fleet; (d) validate that a host you believe is internal is not in fact reachable from the internet.

8. Your team must scan a network segment containing legacy ATM controllers and a batch of older embedded sensors. Write a five-step plan to scan it without causing an outage, naming a specific technique at each step.

9.† Analyze this scan output. An authenticated scan of an internal Linux web server returns (illustrative):

HOST 10.20.4.18  (app-web-03, internal, segmented from cardholder data)
  CVE-2014-0160  "Heartbleed"   CVSS 7.5   pkg: openssl 1.0.1f-1ubuntu2.27   conf: HIGH
  CVE-2023-XXXXX "ExampleRCE"   CVSS 9.8   service: not running (installed only)  conf: MEDIUM
  CVE-2021-44228 "Log4Shell"    CVSS 10.0  pkg: log4j-core present                conf: HIGH

(a) The Heartbleed line shows OpenSSL 1.0.1f-...ubuntu2.27. Why might this be a false positive, and how would you confirm? (b) The ExampleRCE finding is CVSS 9.8 but the service is "installed only, not running." How does that change its priority? (c) Rank the three findings by the order you would actually remediate them, and name the non-CVSS signals you would gather first.

10. A perimeter (unauthenticated) scan of Meridian's external IP range comes back completely clean. Your manager says, "Great, the outside is secure." Write a three-sentence correction explaining what a clean unauthenticated scan does and does not prove.

11.† Explain why a privileged read-only scanning account is itself a high-value target, and list three controls you would put around it.


Part C — Prioritize these vulnerabilities ⭐⭐

12.† Prioritize these vulns. Using CVSS + EPSS + KEV + asset context, assign each finding a priority (P1-Emergency / P2-Critical / P3-High / P4-Routine) and justify each in one phrase.

 #  Vulnerability           CVSS  EPSS   KEV?  Affected asset
 a  RCE in web framework    9.8   0.91   Yes   Internet-facing customer portal
 b  RCE in web framework    9.8   0.91   Yes   Isolated dev sandbox, no inbound path
 c  Info-disclosure bug     5.3   0.88   Yes   Internet-facing API gateway
 d  Privilege escalation    8.4   0.004  No    Internal workstation
 e  Deserialization flaw    9.1   0.03   No    Internal batch server, segmented

13. Two findings have identical CVSS (8.6), identical EPSS (0.07), and neither is on KEV. One is on the internet-facing online-banking portal; the other is on an isolated internal print server. Are they equal priority? Explain using the risk equation, and state which factor breaks the tie.

14.† A junior analyst proposes the team's prioritization rule: "Sort every scan by CVSS descending and work top to bottom." Write a one-paragraph critique that names the specific failure mode (with a concrete example of a finding that this rule would dangerously deprioritize), then state the rule you would use instead.

15. EPSS for a particular CVE is 0.02 today. A working exploit is published and the CVE is added to KEV next week. (a) Which signal — CVSS, EPSS, or KEV — is most likely to move first, and how? (b) How should your priority for this finding change, and on what timescale?

16. ⭐⭐⭐ You have capacity to remediate exactly 20 findings this week out of 4,000 open. Describe, in steps, the filtering pipeline you would run to get from 4,000 to a defensible top 20. Name the signal applied at each stage and the order you apply them.
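Questions 12, 14, 16 and 29 all come down to applying the signals in a fixed order, so that a low-CVSS, known-exploited, internet-facing finding cannot sink below a high-CVSS finding nobody can reach. The block below is an added example, not the chapter's code and not the appendix solution: it is one defensible rule, and your own tiering should justify its own cut-offs. Each stage names the signal it applies, and the first stage that fires decides the tier, which gives an auditable reason per finding. The findings, the asset criticality ratings and the EPSS cut-off of 0.30 are constructed for the example (assumptions). It also ranks the same findings by CVSS alone so the inversion from Question 29 is visible.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    fid: str
    title: str
    cvss: float
    epss: float          # EPSS probability, 0..1
    kev: bool            # listed in CISA KEV
    exposure: str        # "internet", "internal" or "isolated"
    criticality: int     # 1 = crown jewel, 2 = important, 3 = low value (assumed scale)
    reachable: bool = True  # False when the vulnerable code is installed but not running or reachable


EPSS_HOT = 0.30  # ASSUMPTION: illustrative cut-off, tune to your own data
PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}
Stage = Tuple[str, Callable[[Finding], Optional[str]]]


def stage_reachability(f: Finding) -> Optional[str]:
    # Nothing outranks "the attacker cannot get to it": isolated or not running drops to routine.
    return "P4" if (f.exposure == "isolated" or not f.reachable) else None


def stage_kev_internet(f: Finding) -> Optional[str]:
    # Known-exploited and reachable from the internet is an emergency regardless of CVSS.
    return "P1" if (f.kev and f.exposure == "internet") else None


def stage_kev(f: Finding) -> Optional[str]:
    return "P2" if f.kev else None


def stage_epss_internet(f: Finding) -> Optional[str]:
    return "P2" if (f.exposure == "internet" and f.epss >= EPSS_HOT) else None


def stage_cvss_criticality(f: Finding) -> Optional[str]:
    # Only now does severity get a vote, and only together with what the asset is worth.
    if f.cvss >= 9.0 and f.criticality == 1:
        return "P2"
    if f.cvss >= 7.0:
        return "P3"
    return None


PIPELINE: List[Stage] = [
    ("reachability", stage_reachability),
    ("KEV + internet-facing", stage_kev_internet),
    ("KEV (internal)", stage_kev),
    ("EPSS + internet-facing", stage_epss_internet),
    ("CVSS + asset criticality", stage_cvss_criticality),
]


def triage(f: Finding) -> Tuple[str, str]:
    """Return (priority, name of the stage that decided it)."""
    for name, rule in PIPELINE:
        p = rule(f)
        if p:
            return p, name
    return "P4", "default"


def rank(findings: List[Finding], capacity: int) -> List[Tuple[Finding, str, str]]:
    """Top `capacity` findings: by tier, then EPSS, then CVSS, then asset criticality."""
    scored = [(f, *triage(f)) for f in findings]
    scored.sort(key=lambda t: (PRIORITY_ORDER[t[1]], -t[0].epss, -t[0].cvss, t[0].criticality))
    return scored[:capacity]


def cvss_only_rank(findings: List[Finding]) -> List[Finding]:
    """The junior analyst's rule from Question 14, for comparison."""
    return sorted(findings, key=lambda f: -f.cvss)


def position(ranked_ids: List[str], fid: str) -> int:
    return ranked_ids.index(fid) + 1


# Constructed findings (not real CVEs); F-007 is the Question 29 pattern.
SAMPLE = [
    Finding("F-001", "SQL injection, customer portal", 9.8, 0.75, True, "internet", 1),
    Finding("F-002", "Same SQL injection, dev sandbox", 9.8, 0.75, True, "isolated", 3),
    Finding("F-003", "Path traversal, API gateway", 7.5, 0.62, True, "internet", 1),
    Finding("F-004", "Kernel privilege escalation, workstation", 7.8, 0.01, False, "internal", 3),
    Finding("F-005", "Deserialization flaw, batch server", 9.1, 0.05, False, "internal", 1),
    Finding("F-006", "ExampleRCE, installed but not running", 9.8, 0.10, False, "internal", 2, reachable=False),
    Finding("F-007", "VPN auth bypass (the inverted-backlog case)", 6.4, 0.93, True, "internet", 1),
    Finding("F-008", "Reflected XSS, internal wiki", 6.1, 0.02, False, "internal", 3),
    Finding("F-009", "Weak TLS ciphers, marketing site", 5.9, 0.20, False, "internet", 3),
]

if __name__ == "__main__":
    for f, prio, why in rank(SAMPLE, 5):
        print(f"{prio}  {f.fid}  {f.title:45s} decided by: {why}")
    print("F-007 under CVSS-only:", position([f.fid for f in cvss_only_rank(SAMPLE)], "F-007"))
```

With a real export, replace SAMPLE with your scanner's findings joined to the asset inventory, and carry the deciding stage name into the ticket: the stage is the "why" an auditor or the CISO will ask for when the backlog is re-worked.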


Part D — Set patch SLAs and write the policy ⭐⭐–⭐⭐⭐

17.† Set patch SLAs. Draft a five-tier, risk-based patch-SLA table for a hospital network (which has both internet-facing systems and un-patchable clinical devices). For each tier give the definition, the SLA for an internet-facing asset, and the SLA for an internal asset. Justify why your top tier is tighter than a typical compliance minimum.

18. Explain why a patch SLA's clock should start at discovery rather than at "when the remediation team picks up the ticket." What real-world exposure does the "discovery" start point force you to account for?

19.† Write the policy. Draft the exception (risk-acceptance) section of a vulnerability-management policy. It must specify the five elements that make an exception legitimate and the rule for who may approve exceptions of different risk levels. Keep it to one page a GRC analyst could put in front of an auditor.

20. Your SLA table sets "Critical = 7 days, internet-facing." A vendor patch for a critical, KEV-listed finding on your payment portal won't ship for 30 days. You cannot meet the SLA and cannot remove the asset. Write the mitigation + monitoring plan you would put in the exception while you wait, naming at least three specific compensating controls.


Part E — Find the exception abuse ⭐⭐

21.† Find the exception abuse. Review this (illustrative) exception register and identify every red flag. For each, say what is wrong and what the fix is.

EXC-0007  CVE-2019-... (KEV)  asset: vpn-gw-01 (internet-facing remote access)
          justification: "upgrade planned"   compensating control: (blank)
          owner: "IT"   approved-by: "team lead"   filed: 2021-03   expires: (none)
          re-reviewed: never

EXC-0042  CVE-2023-... (CVSS 4.1, not KEV)  asset: lab-test-09 (isolated lab)
          justification: "test box, low value"   compensating control: network isolation
          owner: "J. Park, Lab Manager"   approved-by: "J. Park"   filed: 2024-09  expires: 2025-09
          re-reviewed: 2024-09

EXC-0051  CVE-2022-... (CVSS 9.8, EPSS 0.80, KEV)  asset: core-db-iface (cardholder data)
          justification: "patch breaks core banking; vendor fix Q3"
          compensating control: "WAF rule + restricted access" (added 2 yrs ago)
          owner: "M. Reyes, SOC Manager"   approved-by: "team lead"   filed: 2022-01  expires: 2022-06
          re-reviewed: never (still 'active')

22. Of the three exceptions above, exactly one is basically healthy. Identify it and explain what makes it acceptable when the others are not.

23.† Describe the phenomenon of the permanent "temporary" exception (organizational drift). Name the single most important process control that prevents it, and explain how that control turns "nobody is deciding" back into "someone is consciously deciding."

24. A business owner refuses to fund a fix for a KEV-listed, internet-facing vulnerability and wants to "just accept the risk indefinitely." As the security lead, what do you put in writing, who do you escalate to, and why is leaving an undocumented verbal acceptance the worst possible outcome?


Part F — Respond to this incident & design it ⭐⭐–⭐⭐⭐

25.† Respond to this. Log4Shell drops at 9:40 p.m. You are the on-call analyst at Meridian. List, in order, the first six actions you take in the first two hours — covering discovery ("where do we have it?"), prioritization, immediate mitigation, and communication. (You cannot patch everything tonight.)

26. Design it. Design the Discover stage for Meridian: how would you continuously inventory all internet-facing assets (including forgotten cloud instances and shadow IT) so that the next Log4Shell doesn't catch you blind? Name the data sources you would pull from.

27. A known-vulnerable, un-patchable legacy system must stay in production for two more years. Sketch the full risk-management plan: mitigation, monitoring, the exception's governance, and what you report about it to the board. (Half a page.)

28. ⭐⭐⭐ Design it. Your CISO wants a one-page board metrics view for vulnerability management. Choose the four trend lines you would show (no raw counts), draw or describe each, and explain in one sentence per metric why a board member should care.


Part G — CTF-style challenge ⭐⭐⭐

29.† The inverted backlog. You inherit a program whose published "top priorities" are simply the 50 highest-CVSS findings, worked top-down. Buried at position 800 — because its CVSS is only 6.4 — is a KEV-listed, EPSS-0.93 vulnerability on the internet-facing VPN. (a) Explain precisely how the program's methodology caused this dangerous inversion. (b) Show the corrected prioritization that surfaces the VPN finding, naming the signals. (c) Write the two-sentence justification you would give the CISO for re-working the entire backlog. (d) What single metric, had it been tracked, would have caught this?


Part H — Interleaved & forward-looking ⭐⭐

30. (Interleaves Chapter 12.) Log4Shell was a vulnerability in a dependency. Connect software composition analysis (SCA) and the SBOM idea to the Discover stage of vulnerability management: how do appsec practices and vuln-management practices reinforce each other?

31. (Interleaves Chapter 2.) Map "an attacker exploits an unpatched KEV-listed vulnerability" to a stage of the cyber kill chain. Explain why rapid KEV remediation is one of the highest-leverage disruptions a defender can make to the attacker's plan.

32. (Interleaves Chapters 6–7.) A finding cannot be patched for six months. Describe how network segmentation and firewall rules serve as compensating controls that lower the finding's risk without changing its CVSS, and tie this to the risk = likelihood × impact model.

33. ⭐⭐⭐ (Forward-looking.) This chapter introduced SBOM and noted Chapter 29 owns it. Predict, in a short paragraph, why software supply-chain risk makes vulnerability management harder than scanning your own code — what can a scanner not easily see about a third-party component?


Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor. The prioritization exercises especially reward discussing your reasoning out loud: the disagreement is where the learning is.