Chapter 85 · Concepts

Analyzing Vulnerabilities — Concept Tables

Six reference tables covering scan error types, CVSS scoring, CVE databases, vulnerability classification, exposure factor, and environmental prioritization.

Table 1 — False Positive vs. False Negative (The Two Scan Errors)
PropertyFalse PositiveFalse Negative
DefinitionVulnerability reported that does not actually existVulnerability exists but scanner did not detect it
Direction of errorOver-reporting (too many findings)Under-reporting (too few findings)
Primary causeImprecise or outdated signature; patched system; configuration mismatchSignature database out of date; no signature for the vulnerability yet exists
Immediate consequenceWasted analyst time; unnecessary remediation workBlind spot: organization believes system is safe when it is not
Security consequenceLow — no real vulnerability is missedHigh — real vulnerability remains unpatched and unmonitored
Primary defenseTune scanner; validate findings before acting; keep signatures currentUpdate signatures before every scan; supplement with threat intelligence
Exam trapA low-severity real finding is NOT a false positive — it is a real finding at low priorityAn unexpectedly clean report may indicate outdated signatures, not a secure environment
Which is more dangerous?Less dangerous — creates work but not breach riskMore dangerous — leaves real risk unrecognized and unaddressed
Table 2 — CVSS Score Ranges and Version Differences
Score RangeSeverity LabelTypical SLAExample Characteristics
9.0 – 10.0Critical24–72 hoursNetwork-exploitable, no authentication, full system compromise
7.0 – 8.9High7–14 daysNetwork-exploitable, some complexity, significant data exposure
4.0 – 6.9Medium30 daysLimited access vector, authentication required, partial impact
0.1 – 3.9LowNext maintenance windowLocal access only, difficult to exploit, minimal impact
0.0None / InformationalScheduled reviewNo direct security impact; configuration note or best practice
CVSS VersionStatusKey Difference
CVSS 2.0Legacy; still appears in older reportsOlder methodology; generally produces lower scores than 3.x for the same vulnerability
CVSS 3.xCurrent industry standardAdds scope metric; distinguishes vulnerable component from impacted component; more granular scoring
Same vulnerability may score differently under each version. Always note which version a score is from before comparing findings across systems or time periods.
Table 3 — CVE Reference Databases and Their Roles
DatabaseMaintained ByPrimary Use
CVE List (cve.mitre.org/cve)MITREAuthoritative source for CVE numbering and identifiers; each entry uniquely names one vulnerability
National Vulnerability Database (nvd.nist.gov)NISTAdds CVSS scores, severity ratings, enhanced search, and links to vendor patches; synchronized with CVE list
Microsoft Security Response CenterMicrosoftVendor-specific remediation details; patch download links; Windows/Office/Azure-specific guidance
Vendor Security PortalsIndividual vendorsPlatform-specific advisories, patches, and workarounds; more actionable than generic CVE entry for that vendor's products
CVSS Calculator (in NVD)NIST / FIRSTCompute scores for newly disclosed vulnerabilities before official scoring is published
Table 4 — Vulnerability Classification by Scan Type
Scan TypeTarget EnvironmentCommon FindingsRemediation Routing
Application scanDesktop software, mobile appsOutdated libraries with CVEs, insecure default configurations, weak cryptographic implementations, insecure data storage (mobile)IT operations team; software vendor update cycle; mobile app security team
Web application scanWeb servers, web-based softwareSQL injection, cross-site scripting (XSS), authentication flaws, insecure session management, misconfigured access controlsDevelopment team; immediate priority because internet-facing
Network scanInfrastructure devices, communication pathsOpen ports with vulnerable services, misconfigured firewalls, unpatched routers/switches/VPN concentrators, unauthorized devicesNetwork operations team; infrastructure security team
Scan effectiveness for all three types depends on signature currency — a scanner without current signatures will miss vulnerabilities regardless of scan type.
Table 5 — Exposure Factor Examples
Exposure FactorBusiness MeaningExample Vulnerability ScenarioSLE Calculation Example
100%Total loss of asset or serviceBuffer overflow that completely disables the system or destroys all data; ransomware that encrypts and renders all files inaccessibleAsset value $500,000 × 100% = SLE $500,000
50%Partial loss of service capacity or valueDDoS vulnerability that throttles but does not eliminate a service; degraded availability affecting half of usersAsset value $500,000 × 50% = SLE $250,000
10%Minor loss affecting small subset of functionalityVulnerability affecting a rarely-used feature or a small segment of the user baseAsset value $500,000 × 10% = SLE $50,000
SLE formula: Single Loss Expectancy = Asset Value × Exposure Factor  |  Higher exposure factor = more business harm per exploitation event = higher remediation priority even when CVSS scores are similar
Table 6 — Environmental Variable Prioritization Matrix
Environmental VariableHigher Priority ConditionLower Priority ConditionWhy It Matters
Network exposureInternet-facing; directly reachable by external attackersInternal-only; isolated test lab; air-gappedAttackers can only exploit what they can reach; internet-facing systems face the entire threat landscape
User baseExternal customers; large number of users affectedInternal employees only; small number of usersLarger user base = greater breach impact; external users = reputational and legal risk
Revenue dependencySystem downtime has direct, measurable financial consequencesSupporting system; downtime inconvenient but no direct revenue impactRevenue impact translates vulnerability risk directly to financial risk for the organization
ExploitabilityPublic exploit code exists and is actively used in the wildTheoretical weakness; no public exploit; requires sophisticated attack chainAvailability of exploit code dramatically lowers attacker skill threshold
Organizational typeHealthcare, utilities, financial services, government (critical infrastructure)General IT; software company; non-critical operationsCritical infrastructure faces both elevated consequences and heightened regulatory requirements