CompTIA CySA+ Objective 2.2

Given a scenario, analyze the output resulting from a vulnerability scan.

CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0

Analyze Reports from a Vulnerability Scan

The data from a vulnerability scan must be interpreted and analyzed to turn it into usable and actionable information. 

One of the first parts of this analysis is to review the data for false positives. False positives are reported vulnerabilities that do not actually exist. An obvious example would be a scanner reporting an IIS web server vulnerability on a Linux server that is running Apache. Other false positives are less obvious and require deeper analysis to confirm or rule out.

Another part of the analysis process is to identify and review exceptions. Some vulnerabilities may require exceptions in firewalls and security software to allow the scan to succeed, and these exceptions must be documented as part of any reporting.

Finally, the report must be analyzed for prioritization. Not every vulnerability found may be fixed at the same time: some will be more pressing, and some will require resources (time, money, personnel) that are not currently available. Each prioritization decision should also be documented.
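The three analysis steps above (false-positive review, exception review, and prioritization) can be applied mechanically to a scan export. The following is an added example, not code from the exam objectives or any scanner vendor: the finding records, the product-to-OS table and the exception register are all constructed for illustration, and the "OS-bound product" rule is one simple heuristic that catches the IIS-on-Linux case from the text; real triage would add more checks.

```python
"""Triage a vulnerability scan export: flag likely false positives,
set aside documented exceptions, and rank what remains for remediation.

Added example. SAMPLE_FINDINGS, OS_BOUND_PRODUCTS and EXCEPTIONS are
constructed placeholders, not data from any real scanner or organization.
"""
from dataclasses import dataclass, field

# Constructed findings in the shape a scanner CSV/JSON export might have.
SAMPLE_FINDINGS = [
    {"host": "10.0.0.5", "os": "Linux", "service": "Apache httpd 2.4",
     "title": "IIS 7.5 remote code execution", "product": "IIS", "cvss": 9.8},
    {"host": "10.0.0.5", "os": "Linux", "service": "Apache httpd 2.4",
     "title": "Apache mod_status information disclosure", "product": "Apache", "cvss": 5.3},
    {"host": "10.0.0.9", "os": "Windows", "service": "IIS 10.0",
     "title": "TLS 1.0 enabled", "product": "TLS", "cvss": 7.4},
    {"host": "10.0.0.12", "os": "Windows", "service": "SMB",
     "title": "SMBv1 enabled", "product": "SMB", "cvss": 8.1},
]

# Products that only run on one OS family (assumed table). A hit for such a
# product on a host with a different fingerprinted OS is a likely false positive.
OS_BOUND_PRODUCTS = {"IIS": "Windows", "Exchange": "Windows"}

# Documented exception register: (host, finding title) -> recorded justification.
# Constructed entry; the ticket reference is a placeholder.
EXCEPTIONS = {
    ("10.0.0.12", "SMBv1 enabled"):
        "legacy appliance on isolated VLAN; compensating control approved, ticket <PLACEHOLDER>",
}


@dataclass
class TriageResult:
    false_positives: list = field(default_factory=list)
    excepted: list = field(default_factory=list)       # (finding, justification)
    prioritized: list = field(default_factory=list)    # highest CVSS first


def is_likely_false_positive(finding):
    """True when the finding's product cannot exist on the host's fingerprinted OS."""
    required_os = OS_BOUND_PRODUCTS.get(finding["product"])
    return required_os is not None and finding["os"] != required_os


def severity_band(cvss):
    """Map a CVSS base score to the usual qualitative band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def triage(findings, exceptions):
    """Split findings into false positives, documented exceptions and a ranked work list."""
    result = TriageResult()
    for f in findings:
        if is_likely_false_positive(f):
            result.false_positives.append(f)
        elif (f["host"], f["title"]) in exceptions:
            result.excepted.append((f, exceptions[(f["host"], f["title"])]))
        else:
            result.prioritized.append({**f, "band": severity_band(f["cvss"])})
    # Simple prioritization: highest CVSS first. Resource constraints from the
    # text (time, money, personnel) would be recorded per item when deciding order.
    result.prioritized.sort(key=lambda f: f["cvss"], reverse=True)
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_FINDINGS, EXCEPTIONS)
    for f in r.false_positives:
        print("FALSE POSITIVE", f["host"], f["title"], "(OS:", f["os"] + ")")
    for f, why in r.excepted:
        print("EXCEPTION     ", f["host"], f["title"], "->", why)
    for f in r.prioritized:
        print("REMEDIATE     ", f["band"].upper(), f["cvss"], f["host"], f["title"])
```

Every item that leaves the ranked list is printed with its reason, which is the documentation trail the text asks for: the false positive carries the OS mismatch that justifies dismissing it, and the exception carries its recorded justification rather than silently disappearing.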

Validate Results and Correlate Other Data Points

After the vulnerabilities have been positively validated, the first step toward remediation is to compare them against industry best practices and compliance requirements; the knowledge gained by others can often shorten the remediation process. The next step is to reconcile the results: current processes, disaster recovery plans and policies must be reviewed against the vulnerabilities and the ways to prevent them. Logs and other data sources can provide additional insight into the vulnerabilities and can also be used to spot trends.
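One concrete way logs contribute to this step is exposure correlation: a validated finding on a service that the firewall logs show being reached from outside the organization deserves a higher place in the queue than the same finding on a service only ever touched internally. The code below is an added example, not part of the CySA+ material or any vendor's tooling. The key=value log format, the internal address range, the findings and the fixed priority bump for externally used services are all assumptions constructed for illustration.

```python
"""Correlate validated scan findings with firewall log data to refine priority.

Added example. SAMPLE_LOGS and VALIDATED_FINDINGS are constructed; the log
format is an assumed key=value style, not a specific product's format.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# The organization's own address space (assumed). Sources outside it count as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed firewall log lines. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for arbitrary Internet sources.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z src=203.0.113.7 dst=10.0.0.9 dport=443 action=ALLOW
2024-05-01T10:00:05Z src=198.51.100.2 dst=10.0.0.9 dport=443 action=ALLOW
2024-05-01T10:01:10Z src=10.0.0.50 dst=10.0.0.5 dport=80 action=ALLOW
2024-05-01T10:02:00Z src=203.0.113.7 dst=10.0.0.5 dport=80 action=DENY
this line is malformed and should be skipped
"""

# Findings that survived false-positive review (constructed).
VALIDATED_FINDINGS = [
    {"host": "10.0.0.9", "port": 443, "title": "TLS 1.0 enabled", "cvss": 7.4},
    {"host": "10.0.0.5", "port": 80, "title": "Apache mod_status information disclosure", "cvss": 5.3},
]

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")

# Assumed heuristic: a service with observed external use gets +2.0, capped at 10.
EXTERNAL_USE_BUMP = 2.0


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def external_hits(log_text):
    """Count ALLOWed connections from external sources, keyed by (dst, dport)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed or unrelated line; skipped rather than crashing
        src, dst, dport, action = m.groups()
        if action != "ALLOW" or is_internal(src):
            continue
        hits[(dst, int(dport))] += 1
    return hits


def correlate(findings, log_text):
    """Attach observed external use to each finding and re-rank by adjusted score."""
    hits = external_hits(log_text)
    rows = []
    for f in findings:
        n = hits.get((f["host"], f["port"]), 0)
        score = min(f["cvss"] + (EXTERNAL_USE_BUMP if n else 0.0), 10.0)
        rows.append({**f, "external_hits": n, "priority_score": round(score, 1)})
    rows.sort(key=lambda r: r["priority_score"], reverse=True)
    return rows


if __name__ == "__main__":
    for r in correlate(VALIDATED_FINDINGS, SAMPLE_LOGS):
        print(r["priority_score"], r["host"], r["port"], r["title"],
              "external allowed connections:", r["external_hits"])
```

The denied connection to 10.0.0.5:80 is deliberately not counted: it shows interest from outside, which is useful trend data, but it is not evidence that the vulnerable service is reachable, so it should not raise the remediation score in the same way an allowed connection does.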