Cheap Scanning Comes at a Price

Computerworld - Vulnerability assessments are a crucial aspect of our overall information security program. We use Nessus, a port scanner that's available free on the Internet, to conduct assessments of our infrastructure. To ensure that we have full coverage, we've installed what we call "scan engines" at various locations throughout our organization in the U.S., Europe and Asia.
Each scan engine consists of a PC with our hardened installation of Linux and Nessus loaded on it, and each is responsible for scanning ports across its respective geographical area. My team and I just beefed up the scan-engine PCs with additional memory. We've also written scripts, which we configured within Nessus by selecting various plug-ins, to continuously scan our infrastructure for certain types of vulnerabilities.
Since we're scanning huge amounts of address space, a full scan using all available plug-ins would take many days, use a lot of resources and create lots of data to review. Instead, we try to strike a balance by selecting only those sets of plug-ins that represent the most serious risks.
The downside is that by not running all available plug-ins, we risk missing a potential vulnerability. For now, however, the ability to very quickly scan our entire environment is more important. We still do periodic scans with a more comprehensive list of plug-ins, but not on a daily basis.
One plug-in we enable is for the remote procedure call Distributed Component Object Model vulnerability, which is responsible for allowing worms such as MS Blaster to propagate through the network. By scanning in an expedited manner, we can quickly identify vulnerable workstations and servers.
We try our best to keep servers and workstations patched, but every now and then a resource gets installed in a location that isn't under our control, such as the engineering labs, and malicious code sneaks into our production environment.
In my company, the engineering labs aren't controlled. Servers and workstations are built up and torn down regularly, without much thought given to secure installation practices. We're working on a plan to segregate the labs from the rest of the corporate network, but until we get executive buy-in and funding for this project, we will continue to have this risk.
Virtual private networks and dial-up connections are other points of entry for malicious code. As much as we'd like to think that employees are following policy and not using their home PCs to access our corporate network, it's clear that they're doing exactly that. Since home PCs aren't patched and configured to our standards, malicious