Cybersecurity Internship - Task 3: Vulnerability Scan Report

Executive Summary

• Tool Used: Nessus Essentials v10.11.2
• Target: 192.168.1.46 (Local Windows PC)
• Scan Date: February 16, 2026
• Status: ✅ Completed Successfully
• Total Findings: 2 (Both Informational - No Critical/High/Medium/Low vulnerabilities)

Vulnerability Findings

Finding 1: Ping the Remote Host

• Severity: Info (Blue)
• Plugin ID: 10180
• CVSS Score: N/A (Informational)
• Type: Remote
• Family: Port Scanners
• Description: Host discovery mechanism using ARP, ICMP, TCP, and UDP pings
• Result: Host is up and responsive at 192.168.1.46
• Remediation: ✅ No action required

Finding 2: Nessus Scan Information

• Severity: Info (Blue)
• Plugin ID: 19506
• CVSS Score: N/A (Informational)
• Type: Summary
• Family: Settings
• Description: Scan metadata, including Nessus version, build, scanner type, and configuration
• Details: Nessus v10.11.2, Build 20042, Windows Scanner, Plugin Feed 20260117165
• Remediation: ✅ No action required

Key Concepts Learned

1. What is Vulnerability Scanning? An automated process that systematically searches for known security weaknesses, misconfigurations, and potential security issues on computer systems. It's passive and non-exploitative.

2. CVSS (Common Vulnerability Scoring System) Standard methodology for rating vulnerability severity:

• 0.0: None
• 0.1-3.9: Low
• 4.0-6.9: Medium
• 7.0-8.9: High
• 9.0-10.0: Critical

3. Vulnerability Scanning vs Penetration Testing Aspect | Vulnerability Scanning | Penetration Testing Method | Passive identification | Active exploitation Risk | Very low Higher (authorized only) Time | Minutes to hours | Days to weeks Tools | Automated scanners | Expert testers Purpose | Baseline assessment | Deep validation

4. How Scanners Detect Vulnerabilities

5. Signature-based detection: Compare against CVE databases

6. Port scanning: Identify open ports and services

7. Service version detection: Determine software versions

8. Configuration analysis: Check for misconfigurations

9. Patch level analysis: Identify missing updates

10. Default credential testing: Attempt default passwords

11. Compliance checks: Validate against security standards

12. Common PC Vulnerabilities

• Unpatched operating system or software

• Outdated or end-of-life software

• Weak or default passwords

• Unnecessary open ports and services

• Missing firewall protection

• Outdated antivirus/malware protection

• Browser vulnerabilities

• Unencrypted sensitive data

  6. Vulnerability Prioritization Framework Priority order:

1. CVSS Score (highest first)

2. Exploitability (how easy is it to exploit?)

3. Impact (what could an attacker do?)

4. Asset Importance (how critical is the system?)

5. Threat Intelligence (is it actively being exploited?)

6. False Positives Occurs when the scanner reports a vulnerability that doesn't actually exist:

• Incorrect software version detection

• Outdated vulnerability database

• Scanner misinterpretation

• Environment-specific differences

  8. Recommended Scan Frequency

• Critical Assets: Weekly or continuous

• Important Systems: Monthly

• Standard Workstations: Quarterly

• Non-critical Systems: Semi-annually

Interview Question Answers

Q1: What is vulnerability scanning? A: Vulnerability scanning is an automated, non-exploitative process that systematically identifies known security weaknesses, misconfigurations, and potential security issues in computer systems.

Q2: What is the difference between vulnerability scanning and penetration testing? A: Vulnerability scanning is passive identification using automated tools, while penetration testing actively attempts to exploit vulnerabilities. Scanning is faster and lower-risk; pen testing is more thorough but requires expert testers and authorization.

Q3: What are some common vulnerabilities in personal computers? A: Unpatched software/OS, outdated drivers, weak passwords, unnecessary open ports, missing security updates, default credentials, weak firewall rules, outdated antivirus, browser vulnerabilities, and unencrypted data.

Q4: How do scanners detect vulnerabilities? A: Through signature-based detection (CVE comparison), port scanning, service version identification, configuration analysis, patch level checking, default credential testing, and policy compliance validation.

Q5: What is CVSS? A: CVSS (Common Vulnerability Scoring System) is a standardized methodology for rating the severity of security vulnerabilities on a scale of 0-10.

Q6: How often should vulnerability scans be performed? A: Weekly for critical assets, monthly for important systems, quarterly for standard workstations, and semi-annually for non-critical systems.

Q7: What is a false positive in vulnerability scanning? A: A false positive is when the scanner incorrectly reports a vulnerability that doesn't actually exist, due to version detection errors, outdated databases, or environment-specific differences.

Q8: How do you prioritize vulnerabilities? A: By CVSS score (highest first), exploitability level, potential impact, importance of the affected asset, and current threat intelligence indicating active exploitation.

Scan Configuration Details

Scanner Information:

• Scanner Type: Nessus Home Edition
• Scanner OS: Windows (win-x86-64)
• Nessus Version: 10.11.2
• Build: 20042
• Plugin Feed Version: 20260117165
• Severity Base: CVSS v3.0

Scan Details:

• Scan Type: Host Discovery

• Target: 192.168.1.46

• Start Time: 9:19 PM

• End Time: 9:20 PM

• Duration: ~1 minute

• Status: Completed

  Observations & Analysis

  Positive Findings ✅ No Critical or High-Severity Vulnerabilities: The scan found no exploitable vulnerabilities. ✅ Host is Reachable: Confirmed the machine is alive and responsive. ✅ Clean Report: Two informational findings are standard metadata, not security issues.

  Key Takeaways

1. This was a quick host discovery scan, not a comprehensive assessment (full scan takes 30-60 minutes)
2. Local scanner limits network-based vulnerability detection
3. For better security posture, consider:
   • Running full comprehensive scans
   • Checking application-level vulnerabilities
   • Reviewing installed software versions
   • Ensuring Windows updates are current
   • Verifying security software status
   • Reviewing firewall rules

Key Learnings Summary Table Learning Area | What You Learned | Your Finding Tool Usage | How to use Nessus Essentials | Successfully completed scan Assessment Process | Automated vulnerability identification | 2 informational findings only Severity Understanding | CVSS levels and risk factors | 0 Critical/High/Medium/Low Report Interpretation | How to read scan results | Clean report with no threats Risk Assessment | System security posture evaluation | Good security baseline Practical Skills | Real-world security tool operation | Hands-on experience gained

References

• [CVSS v3.1 Specification] (https://www.first.org/cvss/v3.1/specification-document)
• [Nessus Official Documentation] (https://docs.tenable.com/nessus)
• [OWASP Top 10] (https://owasp.org/www-project-top-ten/)
• [CIS Controls] (https://www.cisecurity.org/controls)
• [NIST Vulnerability Management] (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r4.pdf)

Document Version: 1.0 Last Updated: February 16, 2026 Author: Cybersecurity Intern Status: ✅ Complete