Security+ Flashcards: Vulnerability Management, Scanning, Patching, Hardening

Explore the various threat actors and attack vectors that pose risks to information security. This section delves into social engineering tactics and vulnerability management best practices.

What is vulnerability scanning and how often should it be performed?

Vulnerability scanning uses automated tools to identify known security weaknesses in systems, applications, and network devices by comparing configurations and software versions against databases of known vulnerabilities. Scans should be performed at minimum monthly for production systems, after any significant changes to the environment, and continuously for high-value assets using agent-based scanning. Credentialed scans that log into systems find more vulnerabilities than uncredentialed scans that test from outside.

What is the difference between a vulnerability scan and a penetration test?

A vulnerability scan is an automated process that identifies potential weaknesses without attempting exploitation, producing a list of vulnerabilities ranked by severity. It is broad, fast, and safe to run frequently. A penetration test is a manual, targeted effort where skilled testers actively exploit vulnerabilities to determine what an attacker could actually accomplish, including data access and lateral movement. Penetration tests are deeper but narrower in scope, more expensive, and carry some risk of system disruption.

What is system hardening and what are common hardening practices?

System hardening is the process of reducing the attack surface by eliminating unnecessary functions, services, and access points. Common practices include removing or disabling unnecessary services and ports, changing default passwords and accounts, applying the latest security patches, configuring firewalls to allow only required traffic, enabling audit logging, implementing file system permissions based on least privilege, disabling unnecessary protocols, removing sample files and documentation, and applying security baselines from sources like CIS Benchmarks or DISA STIGs.

What is patch management and why is it critical?

Patch management is the systematic process of identifying, testing, and deploying software updates that fix security vulnerabilities and bugs. It is critical because unpatched vulnerabilities are one of the most common attack vectors. A structured patch management process includes inventorying all systems and software, monitoring vendor announcements and vulnerability databases for new patches, assessing patch criticality and relevance, testing patches in a non-production environment, deploying patches within defined timeframes based on severity, and verifying successful installation.

What are CIS Benchmarks and how are they used for hardening?

Center for Internet Security Benchmarks are consensus-based configuration guidelines that provide specific, actionable hardening recommendations for operating systems, applications, cloud platforms, network devices, and mobile devices. Each benchmark contains hundreds of settings organized into two profiles: Level 1 for general security suitable for most environments, and Level 2 for higher security environments where operational impact is acceptable.

What is a false positive versus a false negative in vulnerability scanning?

A false positive occurs when a vulnerability scanner incorrectly reports a vulnerability that does not actually exist, causing wasted time investigating and remediating a non-issue. A false negative occurs when the scanner fails to detect a real vulnerability, leaving the organization exposed to a threat it believes does not exist. False negatives are more dangerous because they create a false sense of security. Credentialed scans reduce both types by giving the scanner deeper access to verify findings.

What is a security baseline and how does it differ from a benchmark?

A security baseline is the minimum set of security controls and configuration settings required for a system to be considered acceptably secure within a specific organization. It is tailored to the organization's risk tolerance and regulatory requirements. A benchmark is an external reference document, like CIS Benchmarks or DISA STIGs, providing industry-standard hardening recommendations. Organizations typically start with an external benchmark and customize it to create their internal baseline. Baselines are enforced through automated compliance scanning and deviation reporting.