05
16 min read · 5 briefings

Hardening & Vulnerability Management

The cheapest attack to stop is the one you patched last month. Shrink the surface, close the doors.

01 Asset inventory: the foundation of everything

Before you can harden or patch anything, you must know it exists. Asset inventory — a complete, current record of the hardware, software, services, and cloud resources you own — is the unglamorous foundation the entire defensive program rests on. It is no accident that it sits at the top of both the NIST CSF (Identify) and the CIS Controls (Controls 1 and 2 are inventory of enterprise assets and software).

You cannot protect, patch, or monitor an asset you do not know you have. The server nobody remembers is the one the attacker owns.

The recurring failure mode is shadow IT and forgotten systems: the test box that went to production, the dev's cloud instance spun up on a personal card, the legacy app no one dares reboot. These unmanaged assets do not get patched, monitored, or hardened, so they become the soft entry point.

Watch out Inventory is not a one-time spreadsheet — it is a living process. Cloud environments spin resources up and down by the minute, so inventory must be automated and continuous (discovery scans, cloud APIs, agent check-ins) or it is stale the moment it is written.

02 Secure configuration and CIS Benchmarks

Software ships configured for compatibility and convenience, not security. Hardening is the process of tightening that configuration to a secure baseline: disabling unused services and default accounts, enforcing strong authentication, closing unnecessary ports, and turning on security features the vendor left off.

The gold standard for how to do this is the CIS Benchmarks — consensus-developed, prescriptive configuration guides published by the Center for Internet Security for hundreds of technologies (Windows, Linux distros, AWS, Kubernetes, browsers, databases, and more). Each benchmark provides specific, testable settings, often with two profile levels: Level 1 (practical hardening with minimal disruption) and Level 2 (defense-in-depth for high-security environments, potentially at some usability cost).

Related tooling makes this measurable. SCAP (Security Content Automation Protocol) and formats like OVAL let you automatically audit systems against a benchmark and score compliance. CIS also publishes pre-hardened CIS Hardened Images for cloud marketplaces.

Pro tip Apply hardening from the start via infrastructure-as-code and golden images, not by manually tweaking live boxes. A hardened base image means every new server is born compliant and drift can be detected and re-flattened automatically.

03 Attack surface reduction

Attack surface is the sum of all the points where an attacker could try to enter or extract data — every open port, running service, exposed API, user account, installed application, and trust relationship. Attack surface reduction is the deliberate work of shrinking that set. The logic is elegant: functionality you remove is functionality that can never be exploited.

Concrete moves include:

  • Uninstalling software and disabling features you do not use (every package is potential vulnerability surface).
  • Closing unused network ports and restricting which services listen externally.
  • Removing default and dormant accounts, and enforcing least privilege.
  • Application allow-listing — permitting only approved executables to run.
  • Segmenting networks so fewer systems are reachable from any given foothold.

Microsoft even ships a specific set of Windows Attack Surface Reduction (ASR) rules that block common malware behaviors, like Office applications spawning child processes. The mindset generalizes far beyond one vendor: default to denying and enable only what the business genuinely needs, rather than defaulting to allowing and blocking what you happen to notice.

04 The patch management lifecycle and CVSS

Unpatched vulnerabilities are among the most common breach causes, so patch management is a core defensive discipline — a repeatable lifecycle, not a scramble: inventoryidentify missing patches (via scanning and vendor feeds) → assess/prioritize by risk → test in a staging environment → deploy in controlled waves → verify and report.

You cannot patch everything instantly, so prioritization is essential. Vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures, coordinated by MITRE) and scored with CVSS (Common Vulnerability Scoring System, maintained by FIRST; v3.1 is widely used and v4.0 arrived in late 2023). The Base score (0.0–10.0) rates intrinsic severity from metrics like attack vector, complexity, privileges required, and impact to confidentiality/integrity/availability:

CVSS v3.1 BaseSeverity
0.0None
0.1–3.9Low
4.0–6.9Medium
7.0–8.9High
9.0–10.0Critical
Insight A high CVSS score is not the same as high risk to you. Smart teams weight the base score with context: is the vulnerable asset internet-facing? Is there a known exploit in the wild? CISA's KEV (Known Exploited Vulnerabilities) catalog and threat-based models like EPSS help focus effort on what is actually being attacked, not just what scores a 9.8.

05 Vuln scan vs. penetration test

Two assessment types are constantly confused, and the distinction matters for what you are actually buying. A vulnerability scan is automated, broad, and shallow: a tool (Nessus, Qualys, OpenVAS, and the like) checks systems against a database of known vulnerabilities and misconfigurations, producing a prioritized list. It is fast, cheap, repeatable, and ideal for continuous coverage — but it reports potential issues and generates false positives.

A penetration test is manual, focused, and deep: a skilled human tries to actually exploit weaknesses, chain them together, and demonstrate real impact — reaching sensitive data or achieving domain admin. It finds business-logic flaws and creative attack paths that no scanner can, and it proves what an attacker could truly accomplish.

DimensionVulnerability scanPenetration test
MethodAutomated toolingHuman-driven, manual
Breadth vs depthBroad, shallowNarrow, deep
OutputList of potential vulnsProven exploit paths and impact
CadenceContinuous / frequentPeriodic (e.g. annual)
Watch out A pentest is a point-in-time snapshot, not continuous assurance, and a clean scan is not proof of safety — it only means you have no known issues today. Neither replaces the other; a healthy program runs frequent scans and periodic pentests, and treats both as inputs to the same vulnerability-management process.

Field Glossary

Asset inventory
A complete, continuously maintained record of hardware, software, and cloud resources; the foundation that patching, monitoring, and hardening depend on.
Hardening
Tightening a system's configuration to a secure baseline by disabling unused services, closing ports, and enabling security features.
CIS Benchmarks
Consensus-based, prescriptive secure-configuration guides from the Center for Internet Security, with Level 1 and Level 2 profiles for many technologies.
Attack surface
The total set of points where an attacker could attempt entry or data extraction; reducing it removes exploitable functionality.
CVE
Common Vulnerabilities and Exposures; a unique identifier for a publicly known vulnerability, coordinated by MITRE.
CVSS
Common Vulnerability Scoring System (maintained by FIRST); rates vulnerability severity 0.0–10.0 via Base, Temporal, and Environmental metrics.
Penetration test
A manual, human-driven assessment that actively exploits and chains weaknesses to demonstrate real-world impact, going deeper than an automated scan.

Knowledge Check

Field Assessment

0 / 3

01 Why is asset inventory considered the foundation of vulnerability management?

02 What is the key difference between a vulnerability scan and a penetration test?

03 A vulnerability has a CVSS base score of 9.8. Why might a defender still deprioritize patching it?

ESC
↑↓ navigate jack in