Quiz: Vulnerability Management

A 26-question self-check covering the vulnerability-management lifecycle, scanning, the CVSS/EPSS/KEV prioritization signals, patch SLAs, exceptions, the never-fixed vulnerability, and reporting. Several questions are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for the (ISC)² CISSP. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] A unique public identifier for a specific disclosed vulnerability (e.g., CVE-2021-44228) is a: A. CVSS score B. CVE C. KEV entry D. EPSS value

2. [Sec+] CVSS primarily measures a vulnerability's: A. probability of exploitation B. intrinsic severity C. presence on an exploited-in-the-wild list D. business impact to your specific assets

3. Which signal tells you a vulnerability is being actively exploited in the wild right now? A. CVSS B. EPSS C. KEV D. CVE

4. EPSS expresses: A. severity on a 0–10 scale B. the probability of exploitation in the next 30 days (0–1) C. a list of patched CVEs D. the number of affected assets

5. [CISSP] The single best one-line description of vulnerability management is: A. running a scanner once a quarter B. patching every Critical CVSS finding first C. a continuous closed-loop process of risk reduction under permanent scarcity D. eliminating all vulnerabilities from the environment

6. An authenticated (credentialed) scan is preferred over an unauthenticated scan when you need to: A. see your true external attack surface B. read exact installed patch levels and local configuration C. simulate an anonymous attacker D. avoid provisioning any credentials

7. [Sec+] Two findings have the same CVE, CVSS, and EPSS, and both are on KEV. One is on an internet-facing portal; the other on an isolated internal box. The correct conclusion is: A. they are identical priority B. the internal one is higher priority C. the internet-facing one is higher priority because of asset exposure D. CVSS decides, so it's a tie

8. The lifecycle stage that separates a real program from theater — confirming a fix actually worked — is: A. Discover B. Assess C. Remediate D. Verify

9. [CISSP] A documented, time-bound, approved decision to deviate from a patch SLA for a specific finding is a(n): A. compensating control B. exception / risk acceptance C. false positive D. SLA breach

10. The most dangerous reason a real vulnerability stays unpatched for years is: A. the CVSS is too low to notice B. organizational drift (an unowned, un-re-reviewed exception) C. the scanner missed it D. the EPSS is high

11. [Sec+] Which scan approach is the standard answer for fragile operational-technology devices that may crash when actively probed? A. maximum-intensity unauthenticated scanning B. passive discovery (traffic fingerprinting) C. no scanning at all, ever D. scanning only during the busiest hours

12. A patch SLA's clock should start at: A. the moment the remediation team opens the ticket B. the vulnerability's discovery C. the vendor's patch-release date D. the next quarterly review

13. "We have 41,000 open vulnerabilities" is a poor headline metric mainly because: A. the number is too large to print B. it rises when discovery improves and doesn't measure risk C. it is always inaccurate D. boards prefer percentages

14. [CISSP] Prioritizing remediation strictly by CVSS descending is dangerous because CVSS: A. is computed incorrectly by most tools B. measures severity in the abstract, not actual risk (it ignores exploitation likelihood and your asset context) C. is always lower than EPSS D. only applies to network vulnerabilities


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

15. "A clean unauthenticated perimeter scan proves your hosts are not missing OS patches."

16. [Sec+] "If a finding is on the KEV catalog and present in your environment, it should jump the remediation queue."

17. "Mitigation (segmentation, WAF rules) is only a consolation prize; the real fix is always the patch."

18. "A vulnerability with a CVSS of 10.0 is always a higher remediation priority than one with a CVSS of 6.5."

19. "An exception with no compensating control and no expiry date is acceptable as long as it is documented."

20. [CISSP] "Meeting PCI-DSS patching expectations means your patch SLAs are aggressive enough to be genuinely secure."


Section 3 — Fill in the blank (1 pt each)

21. The four signals of risk-based vulnerability prioritization are CVSS (severity), ______ (predicted exploit probability), ______ (active exploitation, a fact), and asset ______.

22. The six stages of the vulnerability-management lifecycle are discover, assess, ______, remediate, ______, and report.

23. [Sec+] The continuous discovery and inventory of all exposed assets — especially forgotten internet-facing ones — is called ______ ______ management.


Section 4 — Short answer (2 pts each)

24. Explain, in two or three sentences, why CVSS is "severity, not priority," and name the two additional signals that turn severity into risk-based priority.

25. A business-critical legacy system has a known, KEV-listed vulnerability and no available patch, and must stay in production. Describe two distinct things you do to manage the risk without patching, and the one process control that keeps the resulting exception from becoming permanent.


Section 5 — Applied scenario (5 pts)

26. During the Log4Shell crisis, Meridian's scan finds the same CVE-2021-44228 (CVSS 10.0, EPSS 0.94, on KEV) on two assets: (A) the internet-facing online-banking portal, and (B) an internal, segmented log-aggregation server with no inbound internet path. (a) Assign each a priority and a patch SLA, and justify the difference using the risk equation. (b) For whichever asset cannot be patched in the first hour, name two compensating controls you would apply tonight. (c) State one metric you would report to the board the next morning about the bank's Log4Shell exposure.


Answer Key

1. **B** — a CVE is the unique identifier; CVSS/EPSS/KEV are scoring/cataloging systems applied to it.
2. **B** — CVSS rates intrinsic severity, not likelihood or your specific impact.
3. **C** — KEV is CISA's catalog of vulnerabilities with evidence of active exploitation.
4. **B** — EPSS is a 0–1 probability of exploitation in the next 30 days.
5. **C** — it is a continuous closed loop; zero is unreachable, and "patch all Criticals first" is the wrong heuristic.
6. **B** — only a credentialed scan reads exact installed versions and local config.
7. **C** — identical severity and exploit-likelihood signals, but exposure (asset context) makes the internet-facing instance higher priority.
8. **D** — Verify (re-scan) confirms the fix; "deployed" ≠ "remediated."
9. **B** — a governed exception / risk acceptance.
10. **B** — organizational drift leaves the risk unowned and unwatched, the softest target.
11. **B** — passive discovery avoids crashing fragile OT.
12. **B** — the clock starts when the finding is discovered, not when a ticket is opened, so time lost in triage counts against the SLA.
13. **B** — the count rises with better discovery and doesn't reflect risk.
14. **B** — CVSS is abstract severity; it ignores exploitation likelihood and asset context.
15. **F** — an unauthenticated scan can't see local patch levels; only authenticated scanning can.
16. **T** — active exploitation (KEV) is the strongest likelihood signal; it jumps the queue.
17. **F** — a well-mitigated vulnerability can be *lower* real risk than an unaddressed patchable one; mitigation is genuine risk reduction.
18. **F** — a lower-CVSS finding that is KEV-listed and exposed can far outrank a 10.0 nobody is exploiting on an isolated box.
19. **F** — documentation alone is not enough; without a compensating control and expiry/re-review it is a rubber stamp, not risk management.
20. **F** — compliance is the floor, not the ceiling; the standard's bar may be slower than the attacker.
21. EPSS; KEV; context (exposure & value).
22. prioritize; verify.
23. attack surface (management).
24. CVSS rates only intrinsic severity in a vacuum, so it can't tell you what is actually being exploited or how exposed *your* asset is; adding **EPSS/KEV** (exploit likelihood) and **asset context** (exposure and value) converts severity into risk-based priority.
25. Two of: **mitigate** (segment/isolate the asset, add a WAF or strict firewall rules, restrict access, disable the vulnerable feature) and **monitor intensely** (wire it into the SIEM/detection so any exploitation attempt alerts); the process control is an **expiry date with mandatory re-review** that forces a conscious, senior re-decision instead of silent renewal.
26. (a) **A = P1-Emergency, ~24–72h** (max severity, near-certain exploitation, KEV, internet-facing crown-jewel asset → likelihood and impact both maximal); **B = P2-Critical, longer SLA** (same flaw, but internal and segmented with no inbound path → *reachable* likelihood far lower, so risk is lower). (b) For B (or A if the patch can't land immediately): block outbound/egress from the host, apply a WAF/network rule to filter the exploit string, restrict reachable access, and raise monitoring. (c) e.g., "Number of internet-facing assets with Log4Shell: now 0 (patched/mitigated); internal instances: N, all with compensating controls, on track to patch within SLA" — a KEV-exposure trend, not a raw finding count.

**Topics to review by question:** missed 1–4, 21 → §23.3 (CVE/CVSS/EPSS/KEV); 5, 8, 22 → §23.1 (lifecycle); 6, 11, 15 → §23.2 (scanning); 7, 13, 14, 18, 24, 26 → §23.3 (prioritization); 9, 12, 16, 19, 20, 25 → §23.4 (SLAs/exceptions); 10, 17, 23 → §23.5 (never-fixed) and §23.1 (attack surface); 13 → §23.6 (reporting).
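The prioritization reasoning behind questions 7, 14, 18 and 26(a), the discovery-started SLA clock of question 12, and the governed exception of questions 9, 10 and 19, worked through in Python. This is an added example written for this quiz; it is not code from the page or from any scanner or vulnerability-management product. The exposure weights, the KEV likelihood floor, the tier thresholds, the SLA windows, the exception rules and all four sample findings are assumptions chosen to illustrate the reasoning: A and B restate the Log4Shell scenario from question 26, while the other two carry placeholder labels rather than real CVE ids.

```python
"""Risk-based vulnerability prioritization with an SLA clock and a governed
exception record.  Added worked example for the quiz above; not code from the
page or from any scanner product.  Tiers, SLA windows, exposure weights,
thresholds and every finding below are constructed assumptions."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Assumed reachability weights.  In practice these come from the asset
# inventory / attack-surface management data, not from the scanner.
EXPOSURE = {"internet": 1.0, "internal": 0.3, "isolated": 0.1}
# Assumed tier -> SLA window in hours.  The clock starts at discovery.
SLA_HOURS = {"P1": 72, "P2": 7 * 24, "P3": 30 * 24, "P4": 90 * 24}


@dataclass
class Finding:
    vuln: str                # CVE id, or a placeholder label for the samples
    asset: str
    cvss: float              # intrinsic severity, 0-10
    epss: float              # predicted 30-day exploit probability, 0-1
    kev: bool                # on CISA KEV: active exploitation is a fact
    exposure: str            # key of EXPOSURE
    asset_value: float       # business-impact weight, 0-1 (crown jewel = 1.0)
    discovered: datetime     # when the scanner first saw it
    mitigated: bool = False  # compensating control (WAF rule, segmentation) in place


def likelihood(f: Finding) -> float:
    """Chance the flaw is exploited *on this asset*: KEV floors the estimate at
    0.9 (a fact beats a prediction), exposure scales reachability, and a
    compensating control halves what an attacker can still reach."""
    base = max(f.epss, 0.9) if f.kev else f.epss
    reach = EXPOSURE[f.exposure] * (0.5 if f.mitigated else 1.0)
    return base * reach


def risk(f: Finding) -> float:
    """risk = likelihood x impact.  CVSS feeds impact, never likelihood."""
    return likelihood(f) * (f.cvss / 10.0) * f.asset_value


def tier(f: Finding) -> str:
    """KEV on an internet-facing asset always jumps the queue (question 16);
    everything else is bucketed by computed risk (assumed thresholds)."""
    if f.kev and f.exposure == "internet":
        return "P1"
    r = risk(f)
    return "P2" if r >= 0.10 else "P3" if r >= 0.02 else "P4"


def sla_due(f: Finding) -> datetime:
    """Due date measured from discovery, not from when a ticket was opened."""
    return f.discovered + timedelta(hours=SLA_HOURS[tier(f)])


def queue(findings, now):
    """Remediation queue: highest risk first, with tier, due date, breach flag."""
    return [(f.vuln, f.asset, tier(f), round(risk(f), 4), sla_due(f), now > sla_due(f))
            for f in sorted(findings, key=risk, reverse=True)]


@dataclass
class RiskException:
    """A governed deviation from the SLA: valid only while it has a named
    owner, a real compensating control and an unexpired review date."""
    finding: Finding
    owner: str
    compensating_control: str
    expires: datetime


def exception_status(e: RiskException, now: datetime) -> str:
    if not e.owner.strip():
        return "invalid: no owner"
    if not e.compensating_control.strip():
        return "invalid: no compensating control"
    if now > e.expires:
        return "expired: mandatory re-review before renewal"
    return "valid"


# Constructed sample data.  A and B are the Log4Shell scenario of question 26;
# the other two use placeholder labels, not real CVE ids.
T0 = datetime(2021, 12, 10, tzinfo=timezone.utc)
A = Finding("CVE-2021-44228", "online-banking-portal", 10.0, 0.94, True, "internet", 1.0, T0)
B = Finding("CVE-2021-44228", "log-aggregation-server", 10.0, 0.94, True, "internal", 0.6, T0)
C = Finding("placeholder-1", "isolated-lab-box", 10.0, 0.02, False, "isolated", 0.5, T0)
D = Finding("placeholder-2", "public-api-gateway", 6.5, 0.60, True, "internet", 0.8, T0)
B_MITIGATED = replace(B, mitigated=True)          # after segmentation / WAF rule
DEMO_NOW = datetime(2021, 12, 14, tzinfo=timezone.utc)
DEMO_LATER = DEMO_NOW + timedelta(days=120)       # past the exception's review date
EXC = RiskException(C, "platform-owner", "isolated VLAN + SIEM alert on any egress",
                    datetime(2022, 3, 31, tzinfo=timezone.utc))
EXC_NO_CONTROL = replace(EXC, compensating_control="")

if __name__ == "__main__":
    for row in queue([A, B, C, D], DEMO_NOW):
        print(row)
    print("B after mitigation:", tier(B_MITIGATED))
    print(exception_status(EXC, DEMO_NOW), "/", exception_status(EXC, DEMO_LATER),
          "/", exception_status(EXC_NO_CONTROL, DEMO_NOW))
```

Running the block prints the queue for 14 December: the banking portal and the hypothetical 6.5 KEV finding on the public gateway land in P1 and are already past their 72-hour window, the segmented log server is P2 with days left, and the isolated 10.0 that nobody is exploiting sits in P4 below all of them. Marking the log server as mitigated drops it to P3, which is the point of question 17: mitigation is real risk reduction, not a consolation prize. The exception on the isolated box reports valid until its review date and flips to expired after it, and an exception with no compensating control is rejected outright; that expiry check is the process control that stops question 10's organizational drift.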