
Vulnerability Management Program:
Inception to Maintenance

Complete vulnerability management lifecycle — from stakeholder buy-in and authenticated scanning through prioritized remediation, independent verification by rescan, and transition to maintenance mode. Built on Azure with Tenable and a reusable remediation script library.

Tenable VM (Cloud) · Microsoft Azure · PowerShell + Bash Remediation
What This Project Demonstrates
This project implements a vulnerability management program — not just a scan. The distinction matters: scanning finds weaknesses, but a program encompasses the entire workflow from initial risk assessment and stakeholder alignment through prioritized remediation, verification, and sustainable operations.
Every remediation is scripted, tested, and validated through independent rescan — the same discipline required in enterprise environments where unverified fixes create compliance gaps and false confidence. The project includes a reusable remediation library that maps Tenable Plugin IDs and CVEs to executable scripts, enabling repeatable fixes across environments.
🔎 Discover & Assess

Authenticated scanning on Azure VMs using Tenable with credentialed checks — validating patch levels, local security policy, and installed software beyond what network-only scans reveal.

🛠 Remediate & Verify

Scripted remediation with rollback capability, staged deployment (one host first), and independent verification through rescan — not self-attestation.

📊 Measure & Sustain

Quantified risk reduction (80% vulnerability decrease), KPI tracking, and transition to recurring scan cadence with SLA-driven follow-up.

Azure Environment & Scan Topology
The lab uses Microsoft Azure to host the scan infrastructure and target VMs. Tenable Vulnerability Management (cloud console) orchestrates scans through a Nessus scan engine deployed inside the Azure environment. This architecture mirrors how enterprise organizations deploy distributed scanning — the management plane stays in SaaS while scan engines sit close to targets for credentialed access.
SCAN ARCHITECTURE

  SaaS Console               Scan Engine                Targets
  Tenable VM          ↔      Nessus (Azure VM)     →    Windows + Linux
  cloud.tenable.com          Private subnet             Intentionally vulnerable

Console ↔ Engine (API)   |   Engine → Targets (Credentialed Scans)
Design Decision

Targets use intentionally weakened configurations — outdated software, legacy protocols enabled, misconfigured permissions — to generate realistic scan findings. This creates a genuine remediation backlog rather than scanning a hardened system and claiming zero vulnerabilities.

Vulnerability Management Lifecycle
The lifecycle follows enterprise methodology: each phase has defined inputs, outputs, and gates. Remediation only moves to the next round after rescan verification confirms the fix. This prevents the common failure mode where teams mark vulnerabilities as "resolved" without independent validation.
Phase 01  Stakeholder Buy-In: policy + scope + ownership
Phase 02  Authenticated Scan: credentialed baseline
Phase 03  Triage & Prioritize: risk-based ranking
Phase 04  CAB & Remediate: scripted + staged fixes
Phase 05  Verify by Rescan: independent validation
Phase 06  Maintenance: recurring ops + KPIs
Authenticated Scanning & Baseline Analysis
Why Authenticated Scanning

Unauthenticated (network) scans see what an external attacker sees. Authenticated scans log into the target and inspect installed patches, local group membership, registry settings, file permissions, and service configurations. The difference is often 3-5x more findings — and the additional findings are typically the ones that matter most for local privilege escalation and lateral movement.

Prioritization Strategy

Raw scan results were triaged into remediation rounds using this priority order — attack surface reduction first, then defense hardening, then patching. This sequence maximizes risk reduction per hour of effort.

Priority | Category | Rationale
P1 | Attack Surface Removal | Remove unnecessary software (Wireshark, outdated Firefox); eliminates entire vulnerability classes
P2 | Cryptographic Hardening | Disable legacy protocols (SSL 2.0/3.0, TLS 1.0/1.1) and enforce strong cipher suites
P3 | Privilege & Access Fixes | Remove Guest from Administrators, disable the Guest account, fix file permissions
P4 | OS & Software Patching | Apply OS updates, upgrade OpenSSL, address remaining CVEs
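The priority table above can be applied mechanically to a scan export. What follows is an added example, not code from this project: an ordered rule list encodes the P1 to P4 sequence (first matching rule wins), and findings are then sorted by round, severity and plugin ID to produce the work order for the remediation sprints. The plugin IDs, hosts and plugin names are constructed placeholders (not real Tenable plugin IDs), and the keyword patterns are an assumption to be tuned to the plugin families present in your own exports.

```python
"""Rule-based triage of scan findings into the P1-P4 remediation rounds.

Added example, not the project's own code. Plugin IDs, hosts and plugin names are
constructed placeholders (not real Tenable plugin IDs); the keyword rules are an
assumption and should be tuned to the plugin families in your own exports.
"""
import re
from dataclasses import dataclass

# Ordered rules: first match wins, so list order encodes the priority table.
TRIAGE_RULES = [
    ("P1", "Attack Surface Removal", re.compile(r"wireshark|firefox", re.I)),
    ("P2", "Cryptographic Hardening", re.compile(r"\bSSL\b|\bTLS\b|cipher|SMBv?1", re.I)),
    ("P3", "Privilege & Access Fixes",
     re.compile(r"guest|administrators|permission|/etc/(shadow|passwd)", re.I)),
    ("P4", "OS & Software Patching", re.compile(r".")),  # default bucket for everything else
]
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


@dataclass(frozen=True)
class Finding:
    plugin_id: int
    name: str
    severity: str
    host: str


def classify(finding):
    """Return (priority, category) for a finding from the first matching rule."""
    for prio, cat, pattern in TRIAGE_RULES:
        if pattern.search(finding.name):
            return prio, cat
    return "P4", "OS & Software Patching"  # only reached for an empty plugin name


def plan_rounds(findings):
    """Work order: by round, then highest severity first, then plugin ID for a stable list."""
    tagged = [(classify(f), f) for f in findings]
    tagged.sort(key=lambda t: (t[0][0], -SEVERITY_RANK[t[1].severity], t[1].plugin_id))
    return [(prio, cat, f) for (prio, cat), f in tagged]


def round_counts(findings):
    """How many findings land in each round; useful for sizing the sprints."""
    counts = {}
    for prio, _, _ in plan_rounds(findings):
        counts[prio] = counts.get(prio, 0) + 1
    return counts


SAMPLE_FINDINGS = [  # constructed sample, modelled on the finding types discussed on this page
    Finding(1001, "Wireshark Installed", "High", "win01"),
    Finding(1002, "Mozilla Firefox Outdated Version", "Critical", "win01"),
    Finding(1003, "SSL 2.0/3.0 Protocol Enabled", "Medium", "win01"),
    Finding(1004, "TLS 1.0/1.1 Protocol Enabled", "Medium", "win01"),
    Finding(1005, "SMBv1 Enabled", "High", "win01"),
    Finding(1006, "Guest Account in Administrators Group", "High", "win01"),
    Finding(1007, "/etc/shadow World Readable", "Critical", "lnx01"),
    Finding(1008, "OpenSSL Outdated Version", "High", "lnx01"),
    Finding(1009, "Missing Windows Security Updates", "Critical", "win01"),
]

if __name__ == "__main__":
    for prio, cat, f in plan_rounds(SAMPLE_FINDINGS):
        print(f"{prio} {cat:<26} {f.severity:<8} {f.plugin_id} {f.name} ({f.host})")
    print(round_counts(SAMPLE_FINDINGS))
```

Note that "OpenSSL" deliberately does not match the `\bSSL\b` crypto rule: an outdated OpenSSL package is a patching task (P4), whereas an enabled SSL 3.0 listener is a configuration toggle (P2). Word boundaries in the patterns are what keep those two apart.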
Structured Remediation Rounds
Each remediation follows a consistent workflow: document the finding, explain the risk in business terms, prepare the script with rollback, stage on one host, verify by rescan, then roll to remaining targets. This mirrors the Change Advisory Board (CAB) process used in ITIL-governed environments.
Round 1 Outdated Software Removal — Wireshark & Firefox

Finding: Third-party tools installed on servers where they serve no operational purpose. Outdated versions carry known CVEs: for Wireshark, mostly memory-safety bugs in protocol dissectors triggered by crafted traffic or capture files; for Firefox, browser code-execution bugs.

Risk: Every unnecessary application expands the attack surface. An outdated Wireshark on a server is exploitable parsing code, plus the packet-capture driver its installer adds, that exists purely because no one removed it.

Action: Silent uninstall via PowerShell scripts
Validation: Tenable rescan; related plugin findings cleared
Rollback: Reinstall from archived installer if needed
Round 2 Protocol & Cipher Suite Hardening

Finding: Legacy SSL/TLS protocols (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1) and weak cipher suites enabled. SMBv1 active on endpoints.

Risk: Weak cryptographic protocols enable man-in-the-middle attacks and are the targets of published attacks such as POODLE (SSL 3.0) and BEAST (TLS 1.0). SMBv1 is the attack surface for EternalBlue (MS17-010).

Action: Registry-based protocol/cipher toggles, SMBv1 feature disable
Validation: Rescan + app compatibility check
Staging: One host first; legacy clients may break
Round 3 Privilege & Access Control Remediation

Finding: Guest account active and added to local Administrators group. Linux file permissions on /etc/shadow and /etc/passwd set to world-readable/writable (777).

Risk: Guest-in-Administrators is a textbook privilege escalation path — any user can authenticate as Guest and inherit full admin rights. World-writable shadow files allow any local user to modify password hashes.

Windows Fix: Remove Guest from Administrators, disable the Guest account
Linux Fix: Restore /etc/shadow (400) and /etc/passwd (644). Caveat: chmod does not touch ownership, so verify owner and group as well (Ubuntu ships /etc/shadow as 640 root:shadow). Mode 400 is stricter than that default and blocks setgid-shadow helpers such as unix_chkpwd, which matters only if non-root password checks (screen lockers, some PAM stacks) are needed on the host.
Validation: Rescan + group membership verification
Round 4 OS Updates & CVE Patching

Finding: OS patch level stale, OpenSSL vulnerable to known CVEs, WinVerifyTrust signature validation bypass (CVE-2013-3900) unpatched.

Risk: Known vulnerabilities with public exploits remain active. CVE-2013-3900 allows attackers to modify signed executables without invalidating the signature — a defense evasion technique used in real-world supply chain attacks.

Windows: Registry fix for CVE-2013-3900 (EnableCertPaddingCheck set to 1 under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config, and the Wow6432Node path on 64-bit), then Windows Update
Linux: OpenSSL source build (3.0.5), full apt upgrade. Caveat: 3.0.5 is itself a superseded release (the 3.0.x punycode overflows CVE-2022-3602 and CVE-2022-3786 were fixed in 3.0.7), and a source build is invisible to apt, so it receives no further distribution patches. In production, prefer the distribution's patched package or a current LTS release, and confirm which OpenSSL binary the scanner actually fingerprints before declaring the finding closed.
Telnet: Service stop, package purge, dependency cleanup
Scripted Remediation — Select Examples
Every remediation is scripted for repeatability and audit trail. The library maps each Tenable Plugin ID to a CVE and a corresponding script. Below are representative examples from each remediation category.
Software Removal — Wireshark Uninstall

PowerShell · Requires Admin

remediation-wireshark-uninstall.ps1
# Silent uninstall of Wireshark from target system
#Requires -RunAsAdministrator
$installDir      = "$env:ProgramFiles\Wireshark"
$uninstallerPath = Join-Path $installDir "uninstall.exe"

function Is-WiresharkInstalled {
    return Test-Path -Path $uninstallerPath
}

function Uninstall-Wireshark {
    if (-not (Is-WiresharkInstalled)) {
        Write-Output "Wireshark is not installed."
        return
    }
    Write-Output "Uninstalling Wireshark..."
    # NSIS uninstallers copy themselves to %TEMP% and return immediately; "_?=<install dir>"
    # runs it in place so -Wait and the exit code are meaningful (it then cannot delete its own exe).
    $proc = Start-Process -FilePath $uninstallerPath -ArgumentList "/S", "_?=$installDir" -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "Wireshark uninstaller exited with code $($proc.ExitCode)" }
    Remove-Item -Path $installDir -Recurse -Force -ErrorAction SilentlyContinue
    # Npcap is installed by the Wireshark setup as a separate package and is not removed here.
    Write-Output "Wireshark has been uninstalled."
}

Uninstall-Wireshark
Protocol Hardening — Disable SMBv1

PowerShell · Requires Admin

remediation-SMBv1.ps1
# Disable SMBv1 protocol, client, and server components (reboot required for the driver change)
#Requires -RunAsAdministrator
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# SMBv1 client: set the legacy redirector driver (mrxsmb10) to Start = 4 (Disabled)
Set-ItemProperty -Path "HKLM:\...\mrxsmb10" -Name "Start" -Value 4

# Separate hardening applied in the same round: refuse unauthenticated guest access to shares
Set-ItemProperty -Path "HKLM:\...\LanmanWorkstation\Parameters" -Name "AllowInsecureGuestAuth" -Value 0

# SMBv1 server: legacy registry toggle. On Server 2019 the supported equivalent is
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-ItemProperty -Path "HKLM:\...\LanmanServer\Parameters" -Name "SMB1" -Value 0
Linux Permissions — Restore Shadow File Security

Bash · Requires Root

passwd-Linux-Remediate.sh
#!/bin/bash
# Restore secure file permissions on critical auth files.
# chmod leaves ownership untouched, so reset that too in case it was tampered with.
chown root:shadow /etc/shadow
chown root:root   /etc/passwd
chmod 400 /etc/shadow   # Owner read-only (root); Ubuntu's default is 640 root:shadow, 400 is stricter
chmod 644 /etc/passwd   # Owner read-write, world readable (every login and uid lookup needs it)
Telnet Service Removal

Bash · Requires Root

remediation-Telnet-Remove.sh
#!/bin/bash
# Stop, disable, and fully purge the Telnet service.
# Stop the inetd super-server first so the port 23 listener disappears immediately
sudo systemctl stop inetd.service
sudo systemctl disable inetd.service
# Purge the daemon and the inetd package that spawned it, then orphaned dependencies
sudo apt remove --purge telnetd -y
sudo apt remove --purge inetutils-inetd -y
sudo apt autoremove -y
# Refresh the package index ahead of the patching work in the same round
sudo apt update
Script Library Design

Each script in the library maps to a specific Tenable Plugin ID and CVE. The naming convention (remediation-{component}.{ext}) enables rapid lookup during remediation sprints. Toggle scripts allow both vulnerability creation (for lab reset) and remediation, supporting repeatable testing cycles.

Risk Reduction Metrics
All metrics are based on Tenable rescan results — not self-reported status. Each remediation round was followed by an independent scan to confirm that findings were resolved, not just assumed fixed.
Aggregate Vulnerability Reduction
Total Vulnerabilities: 30 → 6 (80% REDUCTION)

Round | Category | Findings Resolved | Method
R1 | Software Removal | Wireshark + Firefox findings cleared | Silent uninstall scripts
R2 | Crypto Hardening | SSL/TLS + cipher + SMBv1 findings cleared | Registry toggles + feature disable
R3 | Privilege Fixes | Guest/admin + file permission findings cleared | Group policy + chmod scripts
R4 | Patching | CVE + OS update findings cleared | Registry fix, apt upgrade, OpenSSL build
Transition to Maintenance Mode
Remediation is a sprint. Maintenance is the marathon. Transitioning to maintenance mode means establishing recurring scan cadences, SLA-tracked follow-ups, and KPIs that measure program health — not just point-in-time vulnerability counts.
Operational Cadence

Scheduled authenticated scans on a recurring cycle (weekly for critical assets, monthly for standard). Each scan generates a diff report against the previous baseline, highlighting new findings, recurring issues, and successfully maintained remediations.

Program KPIs
MTTR: Mean Time to Remediate, by severity
SLA Compliance: % of findings remediated within the SLA window
Recurrence Rate: previously fixed findings that reappear
Patch Compliance: % of systems at the current patch baseline
Exception Tracking: accepted risks with defined expiry dates
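Both the rescan verification described under Risk Reduction Metrics and the KPIs listed above can be computed straight from Tenable CSV exports. The following is an added example, not code from this project: it diffs a baseline export against a rescan (resolved, persistent, new), flags findings the remediation tracker claims as fixed that the rescan still reports (the false-confidence case), and derives MTTR by severity, SLA compliance and recurrence from the tracker dates. The CSV rows, plugin IDs, hosts, dates and SLA windows are constructed placeholders; the only assumption about Tenable's export is the column names "Plugin ID", "Host", "Risk" and "Name".

```python
"""Rescan verification diff and program KPIs from Tenable CSV exports.

Added example, not part of the original project. Sample CSV rows, plugin IDs,
hosts, dates and SLA windows are constructed placeholders.
"""
import csv
import io
from datetime import date, datetime

# Column names follow Tenable's CSV export ("Plugin ID", "Host", "Risk", "Name").
BASELINE_CSV = """Plugin ID,Host,Risk,Name
1001,win01,High,Wireshark Installed
1002,win01,Critical,Mozilla Firefox Outdated Version
1003,win01,Medium,SSL 2.0/3.0 Protocol Enabled
1004,win01,Medium,TLS 1.0/1.1 Protocol Enabled
1005,win01,High,SMBv1 Enabled
1006,win01,High,Guest Account in Administrators Group
1007,lnx01,Critical,/etc/shadow World Readable
1008,lnx01,High,OpenSSL Outdated Version
1009,win01,Critical,Missing Windows Security Updates
1010,lnx01,Medium,Telnet Service Running
"""
# Rescan after all rounds: one fix did not take (1004) and one finding is new (1011).
RESCAN_CSV = """Plugin ID,Host,Risk,Name
1004,win01,Medium,TLS 1.0/1.1 Protocol Enabled
1011,lnx01,Low,SSH Weak MAC Algorithms Enabled
"""
# Remediation tracker as the team recorded it; "Remediated" is a claim until a rescan confirms it.
TRACKER_CSV = """Plugin ID,Host,Risk,First Seen,Remediated
1001,win01,High,2024-03-01,2024-03-04
1002,win01,Critical,2024-03-01,2024-03-04
1003,win01,Medium,2024-03-01,2024-03-08
1004,win01,Medium,2024-03-01,2024-03-08
1005,win01,High,2024-03-01,2024-03-08
1006,win01,High,2024-03-01,2024-03-12
1007,lnx01,Critical,2024-03-01,2024-03-12
1008,lnx01,High,2024-03-01,
1009,win01,Critical,2024-03-01,2024-03-15
1010,lnx01,Medium,2024-03-01,2024-03-15
"""
RESCAN_DATE = date(2024, 3, 20)
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 60, "Low": 90}  # assumed SLA policy


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def _day(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def load_findings(csv_text):
    """Map (plugin_id, host) -> risk; that pair is the identity of a finding across scans."""
    return {(int(r["Plugin ID"]), r["Host"]): r["Risk"] for r in _rows(csv_text)}


def load_tracker(csv_text):
    return {(int(r["Plugin ID"]), r["Host"]): r for r in _rows(csv_text)}


def diff_scans(baseline, rescan):
    """Resolved = gone after rescan, persistent = still present, new = appeared since baseline."""
    b, r = set(baseline), set(rescan)
    return {
        "resolved": sorted(b - r),
        "persistent": sorted(b & r),
        "new": sorted(r - b),
        "reduction_pct": round(100 * (len(b) - len(r)) / len(b), 1),
    }


def unverified_claims(tracker, rescan):
    """Findings marked remediated in the tracker that the independent rescan still reports."""
    return sorted(k for k, row in tracker.items() if row["Remediated"] and k in rescan)


def kpis(tracker, rescan, as_of):
    """MTTR per severity over rescan-confirmed fixes only; SLA compliance ages open findings to as_of."""
    mttr_samples, compliant = {}, 0
    for key, row in tracker.items():
        confirmed = bool(row["Remediated"]) and key not in rescan
        closed = _day(row["Remediated"]) if confirmed else as_of
        age_days = (closed - _day(row["First Seen"])).days
        if confirmed:
            mttr_samples.setdefault(row["Risk"], []).append(age_days)
        if age_days <= SLA_DAYS[row["Risk"]]:
            compliant += 1
    return {
        "mttr_days": {sev: sum(v) / len(v) for sev, v in mttr_samples.items()},
        "sla_compliance_pct": round(100 * compliant / len(tracker), 1),
    }


def recurrences(history):
    """Keys present in an earlier scan, absent in the previous one, and back in the current one."""
    seen = set()
    for i in range(2, len(history)):
        for k in history[i]:
            if k not in history[i - 1] and any(k in earlier for earlier in history[: i - 1]):
                seen.add(k)
    return sorted(seen)


if __name__ == "__main__":
    baseline, rescan = load_findings(BASELINE_CSV), load_findings(RESCAN_CSV)
    tracker = load_tracker(TRACKER_CSV)
    print(diff_scans(baseline, rescan))
    print("claimed fixed but still present:", unverified_claims(tracker, rescan))
    print(kpis(tracker, rescan, RESCAN_DATE))
```

Two design points matter here. A finding that the tracker marks remediated but the rescan still reports is excluded from MTTR and treated as open for SLA purposes, so a script that silently failed cannot improve the numbers. And the reduction percentage is computed on finding counts after new findings are included, which is the honest figure for a diff report: a rescan that clears nine findings but surfaces one new one is an 80% reduction, not 90%.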
Technology Stack
Tool | Role | Category
Tenable VM | Cloud vulnerability management console — scan orchestration and reporting | Scanner
Nessus (Azure VM) | Distributed scan engine — credentialed scanning of targets | Scanner
Microsoft Azure | Cloud infrastructure — scan engine and target VM hosting | Infrastructure
Windows Server 2019 | Target OS — intentionally misconfigured for scan findings | Target
Ubuntu Linux | Target OS — file permission and service vulnerabilities | Target
PowerShell 5.1 | Windows remediation scripting — registry, services, features | Remediation
Bash | Linux remediation scripting — permissions, packages, services | Remediation
Lessons Learned & Key Takeaways
Authenticated > Unauthenticated

The gap between credentialed and non-credentialed scan results was substantial. Local privilege issues, file permission weaknesses, and registry misconfigurations are invisible to network-only scans — yet these are often the findings that matter most for lateral movement.

Verification Prevents False Confidence

Without rescan verification, "remediated" just means "we ran a script and hope it worked." Two of four remediation rounds required follow-up adjustments that would have been missed without independent validation.

Prioritization Multiplies Impact

Removing two unnecessary applications in Round 1 eliminated more findings than the full OS patching cycle in Round 4. Attack surface reduction is the highest-leverage remediation category — and it requires no patching windows or change control risk.

Scripts Enable Scale

A remediation that works once on one host has limited value. Scripted, parameterized remediations with toggle capability can be deployed across hundreds of systems in a maintenance window — and reversed if something breaks.

Future Improvements

AUTOMATION

Integrate Tenable API exports with a remediation orchestration pipeline — automatically map new findings to existing scripts and generate deployment packages.

COMPLIANCE

Map scan findings to CIS Benchmark controls and NIST 800-53 requirements to demonstrate compliance posture alongside vulnerability status.

REPORTING

Build an automated dashboard using Tenable API data — trend lines for MTTR, SLA compliance tracking, and executive-ready risk reduction visualizations.

EXPANSION

Extend the remediation library to cover Linux-specific hardening (SSH configuration, kernel parameters, auditd rules) and cloud-native misconfiguration findings.