It is essential to conduct vulnerability assessments in any organization to identify and address the
vulnerabilities in the organization’s network. In this memorandum, the vulnerability management
(VM) process is defined. This includes the definition of the different elements of the process. A
report conducted using the OpenVAS tool is analyzed and evaluated in the memorandum. A
recommendation concerning the OpenVAS tool is provided after considering the provision of
essential information to a cybersecurity analyst and the management of the organization. The
memorandum also includes the definition of the impact that a distributed denial-of-service attack
might have on Mercury USA and the transport sector’s functionalities. The proposed VM process
is applied to prevent the occurrence of the DDoS attack. Additionally, the memorandum includes
an analysis of the OpenVAS tool’s application to address the occurrence of DDoS attacks in the
organization.
Part 1: Vulnerability Management (VM) Process Recommendation
Vulnerability management involves the identification of the different vulnerabilities in an
organization’s security that can be exploited to execute attacks in the organization. One of the
core elements of vulnerability management includes the identification of the different
vulnerabilities that can affect the assets of Mercury USA and even the transportation sector.
Identifying the vulnerabilities in the organization begins with identifying the assets that can be
compromised before using a scanner to conduct the vulnerability scans that aid in identifying the
vulnerabilities in the organization. Another VM element includes the prioritization of the
identified vulnerabilities based on the severity scores provided by the vulnerability scan report.
The VM process also includes the definition and implementation of security measures to address
the noted vulnerabilities.
The VM process begins with the identification of the assets that are involved in the process. Mell
et al. (2005) note that the initial step of the VM process is the creation of a system
inventory. The system inventory includes the various hardware components and software
components such as operating systems that Mercury USA and the transportation sector use. The
definition of the scope of the VM process is also included in the system inventory. To scan for
vulnerabilities in the identified assets, the use of a vulnerability scanner is recommended. One of
VULNERABILITY MANAGEMENT PROCESS MEMO | closing
the scanning tools that can be used to conduct vulnerability scanning includes Nessus (Coffey et
al., 2018). To aid in identifying vulnerabilities in the system used by Mercury USA, conducting
vulnerability scans every month and after the implementation of a new component in the system
is recommended. A summarized report of the vulnerability scan report that includes proposed
solutions to address the identified vulnerabilities should be prepared after each scan.
Part 2: Vulnerability Scanning Tool Evaluation and Recommendations
The scan report of April 7, 2020, was produced using the open-source Open Vulnerability
Assessment Scanner (OpenVAS). Despite being open-source software, OpenVAS is an industry-
standard tool. It identifies the vulnerabilities in the system, ranks the vulnerabilities, provides the
possible impact of an attack following exploitation of the vulnerability, and even provides a
solution to address the identified vulnerability. The OpenVAS scanner also offers very high
vulnerability coverage across the different types of vulnerabilities it detects, and it
includes a risk assessment in the scan report (Kritikos et al., 2019). In the report produced
by the OpenVAS scanner, the inclusion of the different information concerning the identified
vulnerabilities makes it easier for a security analyst to identify the vulnerability and identify the
recommended solution to address the vulnerability. The identified vulnerabilities in the report are
ranked in either high, medium, or low ranks. This allows for the identification of the threat levels
of the noted vulnerabilities.
For example, two vulnerabilities are ranked at the high threat level, while the other two
vulnerabilities identified on the host are ranked medium and low, respectively. However, the scanner
does not adequately provide solutions to address the noted vulnerabilities. An example is seen in
the recommendation of “mitigation” to address the identified vulnerability rather than the
inclusion of the solution to mitigate the identified vulnerability. Most of the report includes
technical information that might not help the management team since the management team
might lack the technical skills to understand the information. Therefore, creating a summary of
the report before redistribution is recommended. A recommendation for Mercury USA is to use
another scanner that produces a report that the management team can understand. However,
Mercury USA should also use the OpenVAS tool since it provides more information to a
cybersecurity analyst.
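One way to produce the management summary recommended above, as an added example that is not part of the original memo: it ranks findings by threat level and flags those whose solution is only a label such as "Mitigation". The XML layout, the sample findings and the function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, not a real scan. Assumed simplified layout: each <result>
# has <host>, <port>, <threat>, <severity> and an <nvt> holding <name> and
# <solution type="...">. Real OpenVAS exports carry more fields.
SAMPLE_REPORT = """<report><results>
<result><host>192.0.2.10</host><port>80/tcp</port><threat>Medium</threat><severity>5.0</severity>
 <nvt><name>Constructed finding C</name><solution type="Mitigation">Mitigation</solution></nvt></result>
<result><host>192.0.2.10</host><port>445/tcp</port><threat>High</threat><severity>9.3</severity>
 <nvt><name>Constructed finding A</name><solution type="VendorFix">Install the vendor update.</solution></nvt></result>
<result><host>192.0.2.10</host><port>general/tcp</port><threat>Low</threat><severity>2.6</severity>
 <nvt><name>Constructed finding D</name><solution type="Workaround">Disable the option.</solution></nvt></result>
<result><host>192.0.2.10</host><port>22/tcp</port><threat>High</threat><severity>7.5</severity>
 <nvt><name>Constructed finding B</name><solution type="Mitigation">Mitigation</solution></nvt></result>
</results></report>"""

THREAT_ORDER = {"High": 0, "Medium": 1, "Low": 2}

def parse_findings(xml_text):
    """Return findings sorted by threat level, then by descending severity."""
    findings = []
    for res in ET.fromstring(xml_text).iter("result"):
        sol = res.find("nvt/solution")
        findings.append({
            "name": res.findtext("nvt/name", default="unknown"),
            "host": res.findtext("host", default="unknown"),
            "port": res.findtext("port", default=""),
            "threat": res.findtext("threat", default="Unknown"),
            "severity": float(res.findtext("severity", default="0") or 0),
            "solution_type": sol.get("type", "") if sol is not None else "",
            "solution": (sol.text or "").strip() if sol is not None else "",
        })
    findings.sort(key=lambda f: (THREAT_ORDER.get(f["threat"], 3), -f["severity"]))
    return findings

def management_summary(findings):
    """Counts per threat level plus findings whose fix is only a label."""
    counts = Counter(f["threat"] for f in findings)
    # A solution equal to its own type label (e.g. "Mitigation") or empty gives
    # no actionable steps; the analyst must write them before redistribution.
    vague = [f["name"] for f in findings
             if not f["solution"] or f["solution"].lower() == f["solution_type"].lower()]
    return {"counts": dict(counts), "priority_order": [f["name"] for f in findings],
            "needs_analyst_remediation": vague}

if __name__ == "__main__":
    summary = management_summary(parse_findings(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

When the report file comes from an untrusted source, parse it with a hardened XML parser rather than the standard-library one.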
Part 3: Business Case Example
In an organization such as Mercury USA, the availability of the organization’s data and resources
is essential. Therefore, the organization should consider security measures that prevent the loss
of data availability in the network. One attack that Mercury USA must consider is the distributed
denial-of-service (DDoS) attack. DDoS attacks are conducted to prevent authorized users from
accessing the data and resources in the organization’s system (Mahjabin et al., 2017). The
occurrence of a distributed denial-of-service attack at Mercury USA would result in the
organization being unable to conduct the organization’s various functionalities due to lack of
access to essential data and resources in the system. A solution to prevent the occurrence of a
DDoS attack in the organization includes conducting a vulnerability scan. A VM scan allows for
identifying the vulnerabilities that attackers can exploit to conduct the distributed denial-of-service
attack. Therefore, following the identification of the vulnerability, security measures can
be implemented in the organization to address the issue of distributed denial-of-service
attacks. The OpenVAS scanner can be used to identify the vulnerabilities that can lead to DDoS
attacks. This is because the OpenVAS scanner provides technical information that can be used to
implement a solution preventing the occurrence of the DDoS attack.
Closing
A vulnerability assessment process includes identifying the organization’s assets, identifying the
vulnerabilities that affect the assets, and implementing the recommended solutions to address the
vulnerabilities. One of the vulnerability scanners that can be used to conduct the scans is the
OpenVAS tool. A disadvantage of using the OpenVAS tool is that it produces scan reports that
are complex and, therefore, limit the management team’s capabilities in understanding some of
the information in the reports. However, the tool is essential for cybersecurity analysts since they
can understand the information in the reports. The use of an OpenVAS tool can prevent Mercury
USA and the transportation sector from suffering distributed denial-of-service attacks by
identifying the vulnerabilities that contribute to the occurrence of DDoS attacks.
<Closing Salutation>
<Your Name>
Cybersecurity Threat Analyst
Mercury USA
References
Coffey, K., Smith, R., Maglaras, L., & Janicke, H. (2018). Vulnerability analysis of network
scanning on SCADA systems. Security and Communication Networks, 2018.
Kritikos, K., Magoutis, K., Papoutsakis, M., & Ioannidis, S. (2019). A survey on vulnerability
assessment tools and databases for cloud-based web applications. Array, 3, 100011.
Mahjabin, T., Xiao, Y., Sun, G., & Jiang, W. (2017). A survey of distributed denial-of-service
attack, prevention, and mitigation techniques. International Journal of Distributed Sensor
Networks, 13(12), 1550147717741463.
Mell, P., Bergeron, T., & Henning, D. (2005). Creating a patch and vulnerability management
program. NIST Special Publication 800-40.