resource center
  See your link here
|
Subscribe to Computerworld Computerworld -
Vulnerability management is viewed by some as an esoteric security management activity. Others see it as a simple process that needs to be done with Microsoft Corp.'s monthly patch update. Yet another group considers it a marketing buzzword made up by vendors.
This article will look at common mistakes that organizations make on the path to achieving vulnerability management perfection, both in process and technology areas.
No. 1: Scanning but failing to act
The first mistake is scanning for vulnerabilities, but then not acting on the results. Vulnerability scanners have become a staple at many organizations. Scanning technology has matured in recent years, and the tools' accuracy, speed and safety have improved dramatically.
However, modern commercial and open-source scanners still suffer from the same disease that troubled early intrusion-detection systems (IDS): They are too noisy, since they produce too many alerts, for various reasons. In addition, they don't tell you what you should do about those vulnerability notices, just as most IDSs don't tell you whether you should care about a particular alert.
Thus, vulnerability management is not scanning; it includes it, but what happens after the scan is even more important. This includes asset inventory, prioritizing and researching the remediation activities as well as the actual act of patching, hardening or reconfiguration. A detailed explanation of all the important activities goes beyond the scope of this article.
No. 2. Thinking that patching is the same as vulnerability management
It's true that patching is the way to repair many widespread vulnerabilities. Even some industry experts proclaim that vulnerability management is simple: Just patch all those pesky problems, and you're done.
However, many vulnerabilities can't be fixed by simply updating to the latest product version. They require tweaking and reconfiguring various system parameters. Indeed, vulnerability management was born out of a need to intelligently prioritize and fix discovered vulnerabilities, whether by patching or other means.
So if you are busy every second Tuesday but not doing anything to eliminate a broad range of enterprise vulnerabilities during the other 29 days in a month, you are not managing your vulnerabilities.
No. 3. Believing that vulnerability management is only a technical problem
If you think that vulnerability management is only a technical problem, then you're in for a surprise. To be effective, it also involves attention to policy and process improvements. In fact, focusing on process and the "softer" side of the vulnerability conundrum will often bring more benefits than a high-tech patch management system. There are many glaring weaknesses in IT policies
Centralized Data Backup and Your WAN
Is your organization prepared to tackle the massive challenge of protecting your data in a cost effective and timely manner? With a growing...
Why Compliance Pays
This OnDemand webcast explores the relationship that firms with best compliance records have higher revenue, greater customer retention, lower financial losses from data...
An All-in-One Approach to Web Security
Granting web access to employees poses challenges to IT administrators and introduces unique security risks. Even as companies have perfected their security techniques...
Best Practices for Managing Business Risks from the Use of IT
(Source: Symantec) Based on exhaustive benchmarks conducted by the IT Policy Compliance, this session highlights the relationship between business risks and use of...
The Hidden Dangers of Spam
Beyond the well-understood productivity drain that spam inflicts on businesses, threats posed by illicit email circulating through a network are causing many security...
Managing And Protecting Your Ever Increasing Mobile Assets
(Source: Absolute Software) Your users are becoming more mobile each day. This is great for productivity - yet challenging for IT control. Natalie...
Open Source Security Myths Dispelled
(Source: Astaro) Open Source Software is computer software whose source code is available to the general public. This openly viewable nature...
Sun OpenSSO Enterprise Webinar
(Source: Sun) This webinar replay discusses Sun OpenSSO Enterprise innovation--the single, open-source solution that helps your business solve the challenges around internal access...
Best Practices for Backing Up VMware® with Veritas NetBackup™
VMware® is used by enterprises large and small to increase the efficiency and cost-effectiveness of their IT operations. With this in mind, Symantec...
Agile Enterprise Content Management (ECM) for Rapid ROI
(Source: IBM) Content rich business processes are a core feature of daily operations at just about any organization today. Very often these essential...
Sign up to receive updates on the latest Security resources
CIO
Computerworld
CSO
DEMO
GamePro
Games.net
IDC
IDG
IDG Connect
IDG Knowledge Hub
IDG TechNetwork
IDG Ventures
IDG.net
InfoWorld
ITwhitepapers
ITworld
JavaWorld
LinuxWorld
Macworld
Network World
PC World
The Industry Standard
Copyright © 1994 - 2009 Computerworld Inc. All
rights reserved. Reproduction in whole or in part in any form or medium
without express written permission ofComputerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc. |
