Vulnerability Management or Scare Your Management
Some cybersecurity practitioners conduct vulnerability management (VM) by just running an automated vulnerability scanning tool (scanner) to uncover system vulnerabilities and then consider the job done. Even worse, the scanner is placed right next to the component and uses the target's administrative credentials to probe it. The raw scanner results are then presented to Management as a list of detected vulnerabilities, highlighting how many critical, high, moderate and low risks were found.
This is a totally incorrect approach. The vulnerability scan is only the first step of VM. The raw result gives you the worst-case scenario: it illustrates the system's weaknesses assuming the adversaries have already gained network access to that component by evading all the cybersecurity perimeter controls, and have already escalated their system privileges.
We must not forget that the second step is to evaluate whether other controls (e.g. network segmentation, anomaly detection, system lockdown, etc.) are implemented that reduce the likelihood of exploitation. This is the step most often forgotten by cybersecurity practitioners. The scanner has ZERO knowledge of the surrounding controls because you placed it right next to the scanning target.
Then the third step is to validate that these controls are effectively sustained. Place the scanner outside the target system boundary and probe the components again. If the target is still reachable and the detected weakness is still present without administrative privileges, then that really is a critical rating that needs an immediate fix.
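The three steps above amount to a re-rating rule: a raw finding keeps its scanner rating only when an external, unauthenticated probe confirms it, and is otherwise adjusted according to the compensating controls that are actually in place. The following script is an added example (not the author's code or any scanner vendor's API) that implements that rule over constructed sample data; the hosts, ports, check identifiers such as CHECK-A, and the one-step-per-control downgrade weighting are all assumptions made for illustration.

```python
"""
Context-aware re-rating of raw scanner findings (added example, constructed data).

Merges two scan perspectives of the same hosts:
  1. an internal, credentialed scan run next to the target (the worst case), and
  2. an external, unauthenticated scan run from outside the system boundary,
plus an inventory of compensating controls, and derives an adjusted rating
per finding. The downgrade weighting (one step per evidenced control) is an
illustrative assumption, not an industry standard.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SEVERITY_ORDER = ["low", "moderate", "high", "critical"]


@dataclass
class Finding:
    host: str
    check: str                 # scanner check identifier (constructed, not a real plugin id)
    port: int
    severity: str              # the scanner's raw rating
    needs_credentials: bool    # True if the check only ran because admin credentials were given


@dataclass
class ExternalScan:
    """Result of the unauthenticated probe from outside the boundary (step 3)."""
    reachable_ports: dict[str, set[int]]   # host -> ports open from outside
    confirmed: set[tuple[str, str]]        # (host, check) re-detected without credentials


@dataclass
class Controls:
    """Compensating controls inventoried in step 2."""
    segmented_hosts: set[str] = field(default_factory=set)   # behind network segmentation
    monitored_hosts: set[str] = field(default_factory=set)   # covered by anomaly detection
    hardened_hosts: set[str] = field(default_factory=set)    # system lockdown applied


def downgrade(severity: str, steps: int) -> str:
    """Lower a rating by the given number of steps, never below 'low'."""
    idx = max(SEVERITY_ORDER.index(severity) - steps, 0)
    return SEVERITY_ORDER[idx]


def adjusted_rating(f: Finding, ext: ExternalScan, ctl: Controls) -> tuple[str, str]:
    """Return (adjusted severity, reason) for one raw finding."""
    exposed = f.port in ext.reachable_ports.get(f.host, set())
    # Step 3: still reachable and re-detected with no credentials -> keep the raw rating.
    if exposed and (f.host, f.check) in ext.confirmed:
        return f.severity, "reachable from outside the boundary without credentials"
    # Step 2: each compensating control that reduces exploitation likelihood lowers one step.
    steps = 0
    reasons = []
    if f.host in ctl.segmented_hosts and not exposed:
        steps += 1
        reasons.append("network segmentation holds")
    if f.host in ctl.hardened_hosts and f.needs_credentials:
        steps += 1
        reasons.append("needs admin credentials on a locked-down host")
    if f.host in ctl.monitored_hosts:
        steps += 1
        reasons.append("anomaly detection in place")
    if steps == 0:
        return f.severity, "no compensating control evidenced"
    return downgrade(f.severity, steps), "; ".join(reasons)


def summarise(findings: list[Finding], ext: ExternalScan, ctl: Controls) -> dict[str, int]:
    """Count findings per adjusted severity: the numbers to show Management."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        sev, _ = adjusted_rating(f, ext, ctl)
        counts[sev] += 1
    return counts


# Constructed sample data: three raw findings from the credentialed internal scan.
RAW = [
    Finding("web01", "CHECK-A", 443, "critical", needs_credentials=False),
    Finding("db01", "CHECK-B", 1433, "critical", needs_credentials=False),
    Finding("db01", "CHECK-C", 445, "high", needs_credentials=True),
]
# Constructed external probe: only web01:443 is reachable, and CHECK-A was re-detected there.
EXTERNAL = ExternalScan(reachable_ports={"web01": {443}}, confirmed={("web01", "CHECK-A")})
# Constructed control inventory: db01 is segmented, monitored and locked down; web01 is not.
CONTROLS = Controls(segmented_hosts={"db01"}, monitored_hosts={"db01"}, hardened_hosts={"db01"})

if __name__ == "__main__":
    for finding in RAW:
        sev, why = adjusted_rating(finding, EXTERNAL, CONTROLS)
        print(f"{finding.host} {finding.check}: {finding.severity} -> {sev} ({why})")
    print(summarise(RAW, EXTERNAL, CONTROLS))
```

With the sample data, the raw report of "two criticals and one high" becomes one critical (web01, confirmed from outside), one moderate and one low; the critical that survives is exactly the one the text says needs an immediate fix, and the reasons column records which control evidence justified each downgrade.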
Don't blindly follow the scanner results, as they depend entirely on where you place the scanner. You need to help Management understand that there are always technical risks and that these risks cannot be eliminated for a variety of reasons; this is common in the industry. The scanner result is unimportant. What is important is how these identified weaknesses are managed and what controls are implemented in place. Otherwise you are not doing proper vulnerability management but simply scaring your Management.