Vulnerability Management Detection Lifecycle

Document created by DMFezzaReed Employee on Oct 9, 2019Last modified by DMFezzaReed Employee on Oct 9, 2019
Version 3Show Document
  • View in full screen mode

A vulnerability detection has a lifecycle.  I have described this many times for new administrators, and recently included the information in a post response which prompted me to create this document in hopes I will be making the information easier to find.

 

Going into this, let's all try to remember three very important facts:

  1. that all detections are a snapshot in time, a momentary capture of information that could change the very next moment. 
  2. detections are entered in the database keyed by a specific combination of IP, QID and Port.
    • Example:  Many detections that report on port tcp/80 will also report on tcp/443.  These are two detections made unique by the tcp port.
  3. Vulnerability management is a never ending cycle of of trust, but verify.

 

Detection Statuses Explained (in my own words): 

 

NEW = First Time Detected (ever), occurs once, and only once for a specific combination of IP, QID and Port.

 

ACTIVE = Detected in 2 or more consecutive scans on a specific combination of IP, QID, and Port.

  • This status is reported on the next scan following a NEW or REOPENED status is reported and will continue to report until FIXED is reported.

 

FIXED = Not detected in the very last scan, on a specific combination of IP, QID and Port.

  • This status can occur following NEW, ACTIVE or REOPENED and can be achieved multiple times over, hence the reason for Last Fixed Date.
  • FIXED means the condition found previously was INACTIVE at the time of the most current detection scan.

 

REOPENED = First time detected following a FIXED status result on a specific combination of  IP, QID and Port.

  • REOPENED will appear only ONCE after a previous scan returned a FIXED status, all subsequent detections will be marked ACTIVE until FIXED is reported.
  • This status can occur more than once, hence the reason for Last Reopened Date.
  • IMPORTANT:  Vulnerability detections scans are a snapshot in time.  If you see a QID "flapping" between ACTIVE > REOPENED > FIXED additional research into the detection and asset status is needed.

 

NEW, ACTIVE, REOPENED = ACTIVE, unmitigated, potentially exploitable risk.

 

FIXED = INACTIVE, potentially exploitable risk was not detected in the last detection scan occurrence.

2 people found this helpful

Attachments

    Outcomes