Many IT administrators, if asked, are likely to say that their systems are safe from electronic intrusion — and many might be at a loss to offer evidence to back up their claim. In fact, a common feature of many high-profile security breaches is that both IT and business leadership believed that their systems were secure when, obviously, they were not.
Building a robust vulnerability management program removes such subjectivity from security assessments and gives an organization’s leadership quantitative insight into the effectiveness of security controls. A robust program combines scanning technology with management practices designed to prioritize and remediate high-risk vulnerabilities before they are exploited by an attacker.
System and network vulnerability management reduces the likelihood that attackers will be able to gain access to critical business systems. The process goes a long way toward protecting the confidentiality, integrity and availability of an organization’s information assets. Quite simply, identifying and patching vulnerabilities closes the holes that hackers might use to enter the network.
In addition to risk reduction, the use of external vulnerability scans will certify compliance to customers and others interested in the security of the organization’s business systems. For example, many online retailers display “secure site” logos provided by reputable vulnerability scanning firms. Customers who see such logos know that the site has successfully passed a vulnerability scan, and they can have confidence in the systems processing and storing their personal information.
Many organizations also adopt vulnerability management programs to meet compliance requirements. The Payment Card Industry Data Security Standard (PCI DSS), for example, requires that all organizations that process, store or transmit credit card information perform vulnerability scans regularly. Specifically, PCI DSS requirement 11.2 requires organizations to “run internal and external network vulnerability scans at least quarterly and after any significant change in the network.”
Once an organization has decided that it needs a vulnerability management program, it must choose the appropriate mix of scans for its environment. There are three areas to consider.
Clearly, there’s no one-size-fits-all approach to vulnerability scanning. The mix of techniques that’s best for any organization will depend on its IT environment and business requirements.
Technology can help manage system and network vulnerabilities, but it’s not a panacea. A successful vulnerability management program must combine a solid technology approach with strong business practices designed to keep systems secure. Many organizations follow a four-stage vulnerability management program:
The bottom line is simple: Vulnerability management programs allow IT admins and business leaders to sleep well at night. It’s important to remember that the same security tools available to the organization are also available to attackers. Isn’t it better to detect and remediate problems before a hacker detects and exploits them?