Vulnerability Scanning and Prioritization
Key Takeaways
- Vulnerability management is a lifecycle: scope, identify, scan, validate, prioritize, remediate, verify, and report.
- Credentialed and agent-based scans find accurate host-level detail; unauthenticated scans show only the attacker's external view.
- Prioritization combines CVSS severity, exploitability, asset criticality, exposure, compensating controls, and business impact, not score alone.
- False positives, false negatives, scan scope, and scan timing are operational realities SY0-701 expects you to manage.
- A rescan or other validation step confirms whether remediation actually closed the finding before the ticket is closed.
Scanning Is Discovery, Not the Finish Line
SY0-701 objective 4.3 covers vulnerability management activities. The goal is to reduce risk by turning raw findings into prioritized, verified remediation. A detailed scan report with nothing remediated reduces no risk. Authorization comes first: scans send traffic and can crash fragile services, so they must be approved and scoped in writing before they run.
Vulnerability Management Lifecycle
- Define scope and obtain written authorization.
- Identify assets and their business owners.
- Scan with appropriate methods (credentialed, agent, network, web, image).
- Validate findings and remove false positives.
- Prioritize based on risk, not score alone.
- Remediate, mitigate, accept, or transfer the risk.
- Rescan or otherwise verify closure.
- Report trends, overdue items, and exceptions to stakeholders.
Scan Types
| Scan type | What it does best | Limitation |
|---|---|---|
| Credentialed scan | Inspects installed patches, config, local software | Requires secure credential handling |
| Unauthenticated scan | Shows what an external attacker sees | Misses local/host detail |
| Agent-based scan | Reports from the endpoint regardless of network location | Needs agent deployment and health |
| Network scan | Finds reachable services and devices | Misses firewalled or offline hosts |
| Web application scan | Tests app inputs and behaviors | Needs tuning; can miss logic flaws |
| Container/image scan | Finds vulnerable packages in images | Does not prove runtime exposure alone |
| SCA (software composition analysis) | Finds vulnerable dependencies | Needs build/dependency visibility |
Know the distinction CompTIA tests most: a credentialed scan logs in and reads local package versions and registry settings, so it is the most accurate way to confirm a missing OS patch. An unauthenticated scan only fingerprints exposed services from the outside.
CVSS and Prioritization Factors
The Common Vulnerability Scoring System (CVSS) rates severity 0.0-10.0 (0.0 none, 0.1-3.9 low, 4.0-6.9 medium, 7.0-8.9 high, 9.0-10.0 critical). CVSS is the base input, not the whole decision. Real prioritization layers on exposure, exploitability, and asset value.
| Factor | Higher-priority clue |
|---|---|
| Severity (CVSS) | Critical or high base score |
| Exploitability | Known exploit, active exploitation, low complexity |
| Exposure | Internet-facing, unauthenticated, broad reach |
| Asset criticality | Domain controller, payment system, sensitive data store |
| Compensating controls | None, or controls are weak |
| Business impact | Outage or compromise materially hurts operations |
| Remediation effort | A quick, low-risk fix that removes real risk gets bumped up |
Worked Prioritization Example
| Finding | CVSS | Exposure | Asset | Priority | Why |
|---|---|---|---|---|---|
| RCE on internet-facing VPN, exploit available | 9.8 | Internet | Remote-access gateway | 1 | High, exposed, exploitable, critical path |
| Public bucket with confidential data | N/A | Internet | Customer reports | 2 | Data exposure can outrank a numeric score |
| Missing patch on isolated kiosk | 7.5 | Restricted | Low data value | 3 | Compensating controls cut urgency |
| Medium TLS finding on internal lab host | 5.3 | Internal | Non-production lab | 4 | Low impact and exposure |
Notice that the 9.8 RCE outranks the 7.5 kiosk patch by more than its score: one is critical and the other high by CVSS, but what decides the order is that the RCE's internet exposure and available exploit align, while the kiosk's isolation and compensating controls cut its urgency. And a finding with no numeric score (public data exposure) can still be priority 2 because impact is severe. CompTIA rewards this risk-based reasoning over blind CVSS sorting.
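The reasoning in the table can be made mechanical. The script below is an added example, not part of the original page or any vendor tool: it scores the four worked-table findings by starting from CVSS (or a critical-equivalent floor for confirmed data exposure) and scaling by exposure, asset value, exploit availability, and compensating controls. The multiplier values and the `Finding` fields are illustrative assumptions, not a CVSS or CompTIA standard; a real program tunes them to its own risk appetite.

```python
"""Risk-based prioritization of scan findings.

Added example, not from the original page: it ranks the four findings from
the worked table using the factors the page lists (CVSS severity,
exploitability, exposure, asset criticality, compensating controls). The
multipliers are illustrative assumptions, not a CVSS or CompTIA standard.
"""
from __future__ import annotations

from dataclasses import dataclass

# Illustrative multipliers (assumption). CVSS supplies the base; the other
# factors scale it up or down, much as environmental context adjusts CVSS.
EXPOSURE = {"internet": 1.0, "internal": 0.75, "restricted": 0.5}
ASSET = {"critical": 1.0, "high": 0.8, "low": 0.6, "lab": 0.25}
EXPLOIT_AVAILABLE = 1.5    # public exploit or active exploitation
CONTROLS_EFFECTIVE = 0.6   # compensating controls that genuinely limit impact
DATA_EXPOSURE_BASE = 9.0   # confirmed exposure of confidential data has no CVSS;
                           # treat it as critical-equivalent so it is not buried


@dataclass(frozen=True)
class Finding:
    title: str
    cvss: float | None             # None when no CVSS applies (e.g. exposed data)
    exposure: str                  # key of EXPOSURE
    asset: str                     # key of ASSET
    exploit_available: bool = False
    compensating_controls: bool = False
    data_exposed: bool = False


def base_severity(f: Finding) -> float:
    """CVSS base score, or the critical-equivalent floor for confirmed data exposure."""
    if f.data_exposed:
        return max(f.cvss or 0.0, DATA_EXPOSURE_BASE)
    if f.cvss is None:
        raise ValueError(f"{f.title}: no CVSS and no data exposure; cannot score")
    return f.cvss


def risk_score(f: Finding) -> float:
    """Severity scaled by exposure, asset value, exploitability and controls."""
    score = base_severity(f) * EXPOSURE[f.exposure] * ASSET[f.asset]
    if f.exploit_available:
        score *= EXPLOIT_AVAILABLE
    if f.compensating_controls:
        score *= CONTROLS_EFFECTIVE
    return round(score, 2)


def prioritize(findings: list[Finding]) -> list[tuple[int, str, float]]:
    """Return (priority, title, score) tuples, priority 1 being most urgent."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(i + 1, f.title, risk_score(f)) for i, f in enumerate(ranked)]


# The four findings from the worked table, encoded as Finding records.
WORKED_TABLE = [
    Finding("RCE on internet-facing VPN", 9.8, "internet", "critical",
            exploit_available=True),
    Finding("Public bucket with confidential data", None, "internet", "high",
            data_exposed=True),
    Finding("Missing patch on isolated kiosk", 7.5, "restricted", "low",
            compensating_controls=True),
    Finding("Medium TLS finding on internal lab host", 5.3, "internal", "lab"),
]

if __name__ == "__main__":
    for prio, title, score in prioritize(WORKED_TABLE):
        print(f"{prio}. {title:42} risk={score}")
```

Two design points carry over to real programs: a finding without a CVSS score must still be scorable (here via the data-exposure floor) or it silently drops out of the queue, and the controls multiplier should only be applied when someone has verified the control actually blocks the attack path, not merely that it exists on paper.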
False Positives, False Negatives, and Scan Hygiene
| Term | Meaning | Example |
|---|---|---|
| False positive | Scanner reports a vuln that is not really present | Backported patch leaves an old version string |
| False negative | Scanner misses a real vulnerability | Auth failure blocks the local package check |
| Scan noise | Too many low-value alerts dull attention | Untuned informational findings |
| Scan window | Time chosen to limit operational impact | Off-hours credentialed scan |
A backported patch is the classic false-positive trap: the distribution fixes the flaw but keeps the version banner, so a version-only check thinks it is still vulnerable. A credentialed scan resolves it.
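The mismatch is easy to reproduce in code. The example below is added here and is not from the original page or any scanner vendor: it contrasts a version-only banner check with a credentialed package check on a constructed package whose distribution backported the fix without bumping the upstream version string. The package versions, the "fixed in" revisions and the host names are all constructed for illustration, and the version comparison is a simplified token comparison, not a full dpkg or rpm implementation. It also models the false negative from the table: a failed credentialed check returns unknown rather than clean.

```python
"""Why version-only checks misfire on backported patches.

Added example, not from the original page. Versions, revisions and hosts
are constructed; the version comparison is a simplified stand-in for the
distribution's own dpkg/rpm comparison rules.
"""
from __future__ import annotations

import re
from typing import Optional


def version_key(version: str) -> list:
    """Turn '2.4.1-3+sec2' into [(0,2),(0,4),(0,1),(0,3),(1,'sec'),(0,2)].

    Numeric runs compare as integers (so 2.4.10 > 2.4.9), alphabetic runs as
    strings, and a shorter prefix sorts lower (2.4.1-3 < 2.4.1-3+sec1).
    Simplified: ignores dpkg's '~' pre-release rule and epoch handling.
    """
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[A-Za-z]+", version)]


def banner_check(banner_version: str, fixed_upstream: str) -> bool:
    """Unauthenticated logic: vulnerable if the advertised upstream version
    is older than the version in which upstream fixed the flaw. This is the
    check that produces the backport false positive."""
    return version_key(banner_version) < version_key(fixed_upstream)


def credentialed_check(installed_pkg: Optional[str], fixed_distro_pkg: str) -> Optional[bool]:
    """Credentialed logic: compare the installed distribution package
    (upstream version plus distro revision) against the revision that carries
    the backported fix. Returns None when the package query did not run, so
    the caller records 'unknown' instead of a silent false negative."""
    if installed_pkg is None:
        return None
    return version_key(installed_pkg) < version_key(fixed_distro_pkg)


def assess(host: dict) -> str:
    """Combine both checks into the outcome an analyst would record."""
    banner_flag = banner_check(host["banner"], UPSTREAM_FIXED)
    cred = credentialed_check(host["installed_pkg"], DISTRO_FIXED)
    if cred is None:
        return "unknown"        # credential failure: rescan, do not mark clean
    if cred:
        return "vulnerable"
    return "false positive (backported)" if banner_flag else "not vulnerable"


# Constructed data (not real software): the service banner advertises
# upstream 2.4.1, upstream fixed the flaw in 2.4.3, and the distribution
# backported that fix into package revision 2.4.1-3+sec1.
UPSTREAM_FIXED = "2.4.3"
DISTRO_FIXED = "2.4.1-3+sec1"

HOSTS = {
    "web01": {"banner": "2.4.1", "installed_pkg": "2.4.1-3+sec2"},  # patched via backport
    "web02": {"banner": "2.4.1", "installed_pkg": "2.4.1-2"},       # genuinely unpatched
    "web03": {"banner": "2.4.1", "installed_pkg": None},            # login failed
}


def results() -> dict:
    """Outcome per host, for reporting."""
    return {name: assess(host) for name, host in HOSTS.items()}


if __name__ == "__main__":
    for name, outcome in results().items():
        print(f"{name}: banner says {HOSTS[name]['banner']!r} -> {outcome}")
```

All three hosts show the same banner, so the unauthenticated scan flags all three; only the credentialed comparison separates the backported host from the unpatched one, and only an explicit unknown state keeps the credential failure from being filed as a clean result.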
Common Traps
| Trap | Better exam reasoning |
|---|---|
| Patch purely by CVSS score | Add exploitability, exposure, asset value, and controls |
| Skip authorization for scanning | Scans can affect systems and must be approved |
| Accept a screenshot as closure | Verify by rescan, config review, or test |
| Assume an unauthenticated scan is complete | Credentialed or agent scans are needed for host detail |
Quick Drill
Rank these first to last:
- Critical unauthenticated RCE on an internet-facing firewall.
- Public storage exposure containing confidential data.
- High-severity vuln on an internal host with no route from user networks.
- Low-severity banner disclosure on a test host.
Items 1 and 2 are urgent because they combine internet exposure with high impact. Item 3 is real but mitigated by network isolation; item 4 is low value. Exact order between 1 and 2 depends on business context, but both outrank the internal and test findings.
Which scan type is most likely to identify missing OS patches on a server accurately? A credentialed scan: it logs in and reads installed package versions and patch state directly instead of inferring them from exposed service banners.
A critical vulnerability has an available exploit and affects an internet-facing VPN. What should drive its priority? The combination of factors rather than the score alone: critical severity, a known exploit, internet exposure, and the gateway's role as a critical remote-access path all align, so it goes to the top of the queue.
Which items help prioritize vulnerability remediation? Select two.