Tactical Advice

Building a Vulnerability Management Program

The more your organization knows, the better prepared it’ll be for hacks and threats.
Building a Vulnerability Management Program

Many IT administrators, if asked, are likely to say that their systems are safe from electronic intrusion — and many might be at a loss to offer evidence to back up their claim. In fact, a common feature of many high-profile security breaches is that both IT and business leadership believed that their systems were secure when, obviously, they were not.

Building a robust vulnerability management program removes such subjectivity from security assessments and gives an organization’s leadership quantitative insight into the effectiveness of security controls. A robust program combines scanning technology with management practices designed to prioritize and remediate high-risk vulnerabilities before they are exploited by an attacker.

Why Manage Vulnerabilities?

System and network vulnerability management reduces the likelihood that attackers will be able to gain access to critical business systems. The process goes a long way toward protecting the confidentiality, integrity and availability of an organization’s information assets. Quite simply, identifying and patching vulnerabilities closes the holes that hackers might use to enter the network.

In addition to risk reduction, the use of external vulnerability scans will certify compliance to customers and others interested in the security of the organization’s business systems. For example, many online retailers display “secure site” logos provided by reputable vulnerability scanning firms. Customers who see such logos know that the site has successfully passed a vulnerability scan, and they can have confidence in the systems processing and storing their personal information.

Many organizations also adopt vulnerability management programs to meet compliance requirements. The Payment Card Industry Data Security Standard (PCI DSS), for example, requires that all organizations that process, store or transmit credit card information perform vulnerability scans regularly. Specifically, PCI DSS requirement 11.2 requires organizations to “run internal and external network vulnerability scans at least quarterly and after any significant change in the network.”

Developing a Robust Scanning Approach

Once an organization has decided that it needs a vulnerability management program, it must choose the appropriate mix of scans for its environment. There are three areas to consider.

  • Internal or external scans: Internal scans take place on the organization’s network, with the scanner located behind the firewall. This provides the scanner with a greater degree of access to network systems and is more likely to uncover vulnerabilities. External scans, on the other hand, take place from outside the firewall and show vulnerabilities from the outsider’s perspective. Most organizations choose to combine both internal and external scans to provide a more complete view of their security. In fact, organizations subject to PCI DSS are required to use both types of scans.
  • Network or agent-based scans: Network scans are easy to implement. Typically, a scanning appliance is dropped on the network and is quickly up and running. However, such scans can’t see deeply into monitored systems. Agent-based scans, on the other hand, use software installed on every system on the network, which allows them to collect more detailed information. This results in more accurate scans, but requires a greater degree of management.
  • Authenticated or unauthenticated scans: The distinction here is whether or not the scan will have access to an administrative password. This is similar to the network-versus-agent question, in that an authenticated scan is able to gather additional information but involves intrusive access into network systems.

Clearly, there’s no one-size-fits-all approach to vulnerability scanning. The mix of techniques that’s best for any organization will depend on its IT environment and business requirements.

Vulnerability Management

Technology can help manage system and network vulnerabilities, but it’s not a panacea. A successful vulnerability management program must combine a solid technology approach with strong business practices designed to keep systems secure. Many organizations follow a four-stage vulnerability management program:

  1. Detect: During the detection stage, security professionals and system administrators work together to execute the organization’s vulnerability scanning strategy. Using a mix of internal and external scans, they identify missing patches, insecure configuration settings, weak passwords and other vulnerabilities that threaten the security of systems and networks. This list provides the inventory required for the next stage.
  2. Prioritize: With a complete list of vulnerabilities in hand, administrators must prioritize. The sheer number of vulnerabilities can be overwhelming, especially if scans are being run for the first time. To rank vulnerabilities by severity, administrators must take into account the importance of the system and the sensitivity of the data that might be compromised in a breach.
  3. Remediate: Once priorities are set, the real work begins. Administrators now apply patches, correct configuration settings and take other measures to lock down systems. This remediation process is designed to close vulnerabilities and secure the network.
  4. Validate: After vulnerabilities have been identified and corrected, administrators should perform an immediate validation scan of any affected systems. This is important for two reasons: First, it verifies that the vulnerability was indeed fixed. Second, it ensures that the fix didn’t accidentally open a different vulnerability in the system.

The bottom line is simple: Vulnerability management programs allow IT admins and business leaders to sleep well at night. It’s important to remember that the same security tools available to the organization are also available to attackers. Isn’t it better to detect and remediate problems before a hacker detects and exploits them?

Sign up for our e-newsletter

About the Author

Mike Chapple

Mike Chapple is an IT professional and assistant professor of computer applications at the University of Notre Dame. He is a frequent contributor to BizTech magazine, SearchSecurity and About.com as well as the author of over a dozen books including the CISSP Study Guide, Information Security Illuminated and SQL Server 2008 for Dummies.


Heartbleed: What Should Your... |
One of the biggest security vulnerabilities has almost every user and every industry...
Why Businesses Need a Next-G... |
Devices investigate patterns that could indicate malicious activity.
Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....


The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Businesses Must Step Careful... |
Slow and steady wins the race as businesses migrate IT operations to service providers,...
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...


Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Mobility: A Foundational Pie... |
Other technologies rely on mobile computing, which has the power to change lives, Lextech...
Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.

Hardware & Software

Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....
New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.