Chapter 86 · Concepts

Vulnerability Remediation — Concept Tables

Six reference tables covering patching types, segmentation methods, compensating controls, cybersecurity insurance, validation methods, and reporting metrics.

Table 1 — Patching Types: Scheduled vs. Unscheduled
PropertyScheduled PatchUnscheduled (Emergency) Patch
TriggerVendor's planned release cycle (monthly, quarterly)Zero-day vulnerability; active exploitation in the wild
UrgencyPredictable; plan testing and maintenance windows in advanceUrgent; compressed timeline; may require immediate action
Testing windowStandard test cycle in staging before production deploymentCompressed or accelerated; must balance operational risk vs. exposure window
CommunicationPre-announced; coordinated with stakeholders on the calendarEmergency notification; may interrupt normal change management process
ExampleMicrosoft Patch Tuesday monthly updatesEmergency patch for an actively exploited kernel vulnerability
Table 2 — Segmentation Methods Comparison
MethodHow It WorksInter-Segment CommunicationBest For
Physical segmentationSeparate physical switches, cabling, and infrastructure for each zoneRequires dedicated physical interconnect devices; no shared hardwareMaximum isolation; classified environments; OT/ICS separation from IT
VLAN (logical segmentation)Ports on a shared switch assigned to different virtual broadcast domainsRequires Layer 3 device (router or Layer 3 switch) to route between VLANsEnterprise networks; cost-effective isolation on shared hardware
Air gapSystem disconnected from all network interfaces; no remote communication possibleNone; physically isolatedUnpatched high-risk systems; classified systems; OT critical control systems
NGFW enforcementApplication-aware firewall placed between segments; monitors and controls inter-segment trafficAllowed selectively by policy; anomalous traffic blocked and loggedEnforcing and monitoring inter-segment communication policies
Table 3 — Compensating Controls When Patching Is Not Possible
Compensating ControlHow It Reduces RiskTrade-off
Disable the vulnerable serviceService is not running; vulnerability cannot be exploited remotelyService is completely unavailable to all users
Revoke application accessNo users can reach the application; attack surface through that vector is eliminatedLegitimate users lose access to the application
Restrict external access (edge firewall)Blocks inbound connections from the internet to the vulnerable serviceDoes not protect against internal attackers or those already inside the network
Router ACLs / host-based firewallRestricts which internal sources can reach the vulnerable service at the network layerRequires configuration management; may not catch all attack vectors
Segmentation / isolationMoves vulnerable system to isolated segment, limiting lateral reach from exploitationMay limit legitimate connectivity that depended on being in the same segment
Table 4 — Cybersecurity Insurance: What Is and Is Not Covered
Typically CoveredTypically Excluded
Lost revenue from service outages caused by cyberattackIntentional acts by insured parties (insider sabotage, deliberate destruction)
Data recovery costs (forensics, restoration, reconstruction)Unauthorized fund transfers initiated by the organization (business email compromise losses may have limits)
Financial losses from phishing attacks (where employees were deceived)Certain acts of negligence (failure to maintain required security baselines)
Privacy lawsuit costs (legal defense, settlements from data breach lawsuits)Pre-existing vulnerabilities known and unaddressed before policy inception
Ransomware recovery costs (increasingly common coverage)War / nation-state attacks (some policies; actively contested)
Insurance is risk transfer, not risk elimination. It is a backstop, not a replacement for technical controls. Insurers increasingly require proof of MFA, EDR, and backup controls as coverage conditions.
Table 5 — Validation of Remediation: Three Methods
MethodWhat It DoesPrimary Use CaseLimitation
RescanningRun a vulnerability scan after patching; confirm the finding no longer appears; identify missed systemsAll patching events; confirms patch is effective and deployment was completeScanner signatures must be current; rescan must cover all systems in scope
AuditingReview deployment records, patch management logs, and system configurations to verify patch was appliedCompliance documentation; identifying silent deployment failuresConfirms patch was deployed, not necessarily that it is effective
VerificationManual confirmation: log in to system, check patch version, or attempt to reproduce the exploitCritical systems; complex vulnerabilities where automated scanning is insufficientTime-intensive; not scalable across large environments
Table 6 — Continuous Reporting Metrics
MetricWhat It MeasuresWhy It Matters
Total vulnerabilities identifiedCount of open findings across all systems in the environmentOverall exposure picture; tracks whether the backlog is growing or shrinking
Patched vs. unpatched systemsPercentage of affected systems with the patch deployed vs. still awaiting remediationRemediation progress; identifies lagging systems before SLA deadlines are missed
New threat notificationsNewly published CVEs that match software installed in the environmentSurfaces new risk before the next scheduled scan; drives proactive response
Patch errorsDeployments that failed, were rolled back, or reported errorsIdentifies systems that appear patched in the deployment tool but are not actually patched
Exceptions and exemptionsVulnerabilities formally accepted rather than remediatedGovernance visibility; ensures exceptions are tracked and reviewed, not forgotten