Computerworld - Vulnerability management is viewed by some as an esoteric security management activity. Others see it as a simple process that needs to be done with Microsoft Corp.'s monthly patch update. Yet another group considers it a marketing buzzword made up by vendors.
This article will look at common mistakes that organizations make on the path to achieving vulnerability management perfection, both in process and technology areas.
No. 1: Scanning but failing to act
The first mistake is scanning for vulnerabilities, but then not acting on the results. Vulnerability scanners have become a staple at many organizations. Scanning technology has matured in recent years, and the tools' accuracy, speed and safety have improved dramatically.
However, modern commercial and open-source scanners still suffer from the same disease that troubled early intrusion-detection systems (IDS): They are too noisy, since they produce too many alerts, for various reasons. In addition, they don't tell you what you should do about those vulnerability notices, just as most IDSs don't tell you whether you should care about a particular alert.
Thus, vulnerability management is not scanning; it includes it, but what happens after the scan is even more important. This includes asset inventory, prioritizing and researching the remediation activities as well as the actual act of patching, hardening or reconfiguration. A detailed explanation of all the important activities goes beyond the scope of this article.
No. 2. Thinking that patching is the same as vulnerability management
It's true that patching is the way to repair many widespread vulnerabilities. Even some industry experts proclaim that vulnerability management is simple: Just patch all those pesky problems, and you're done.
However, many vulnerabilities can't be fixed by simply updating to the latest product version. They require tweaking and reconfiguring various system parameters. Indeed, vulnerability management was born out of a need to intelligently prioritize and fix discovered vulnerabilities, whether by patching or other means.
So if you are busy every second Tuesday but not doing anything to eliminate a broad range of enterprise vulnerabilities during the other 29 days in a month, you are not managing your vulnerabilities.
No. 3. Believing that vulnerability management is only a technical problem
If you think that vulnerability management is only a technical problem, then you're in for a surprise. To be effective, it also involves attention to policy and process improvements. In fact, focusing on process and the "softer" side of the vulnerability conundrum will often bring more benefits than a high-tech patch management system. There are many glaring weaknesses in IT policies and infrastructures. Let's not forget that policy weaknesses are vulnerabilities, too.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!