What steps should I take after I get my vulnerability scanner results? Should I consider all vulnerabilities critical?
Do you have to solve everything?
Vulnerability management is a critical element of any organization's security policy, and it should cover every application and service running on a network, not just machine operating systems. Your application security strategy should include regular assessments and audits. Most modern vulnerability scanners produce reports that not only include details about any failed tests, but also suggest corrective measures, including references to various information sources that can help fix the problem.
Discovered vulnerabilities are normally classified by their level of seriousness. The reports produced by Microsoft's free Baseline Security Analyzer (MBSA), for example, show severity ratings in accordance with Microsoft's security recommendations, as well as specific remediation guidance.
Each highlighted vulnerability also includes the relevant Common Vulnerabilities and Exposures (CVE) ID. CVEs are standardized names for vulnerabilities and other information security exposures. They make it easier to share data across different vulnerability and security tools, creating a common reference language for security professionals. If your particular vulnerability scanner doesn't provide some sort of indication about a vulnerability's severity, or you want a second opinion, you can use the comprehensive vulnerability database maintained by Secunia. You can also search for vulnerabilities relating to a specific product or vendor, if you are concerned about a particular aspect of your system.
So in which order should you tackle any reported vulnerabilities? You need to secure your most critical assets first, which means you must classify your network resources in order of importance. To prioritize your assets, it's vital that you view your vulnerabilities as an attacker would. For example, a vulnerability exploitable only from inside your network probably doesn't take precedence over one exploitable from the Internet. I would start by patching vulnerabilities in key resources, installing all missing patches that have been highlighted as critical or important. Then, I would roll out fixes to other assets based on their priority level. Finally, run the scan again to create a new baseline and to ensure that all patches have been installed successfully.
You don't necessarily need to fix every problem. Certain vulnerabilities will not be applicable to your particular system, or may present a very low risk to it. Even if you did get to the point where your scanner doesn't report any vulnerabilities, it wouldn't mean that your system is perfectly secure. Although you should scan critical systems every 5 to 10 days, scanners can only check for certain known vulnerabilities, and your system will still be susceptible to unknown or emerging ones. This is why it is important to watch out for vendor security alerts and to have a process in place for testing and deploying new patches within an acceptable timeframe.
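The prioritization and re-scan steps above can be expressed as a small script. The following is an added example, not code from the answer or from any scanner product: it ranks findings by severity, asset importance and whether the host is reachable from the Internet, skips findings that have been reviewed and accepted as not applicable, and then diffs a later scan against the earlier baseline to confirm which items were actually fixed. The assets, findings, weights and the `CVE-0000-*` identifiers are all constructed placeholders.

```python
"""Added example (not from the page): rank scanner findings by asset importance
and attacker reachability, then diff a rescan against the previous baseline.
All assets, findings and CVE IDs below are constructed sample data; the
CVE-0000-* identifiers are placeholders, not real CVE entries."""
import re
from dataclasses import dataclass

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")  # shape of a standard CVE identifier

# Weights are an assumption for this example, not a standard scoring scheme.
SEVERITY_WEIGHT = {"critical": 4, "important": 3, "moderate": 2, "low": 1}
EXPOSURE_WEIGHT = {"internet": 3, "internal": 1}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int   # 1 = expendable, 3 = business-critical
    exposure: str      # "internet" (reachable from outside) or "internal"


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    severity: str


def score(finding: Finding, assets: dict) -> int:
    """Higher score = fix sooner. Severity alone is not enough: the same CVE on an
    Internet-facing critical host outranks it on an internal low-value host."""
    if not CVE_ID.match(finding.cve):
        raise ValueError(f"malformed CVE ID: {finding.cve}")
    asset = assets[finding.asset]
    return (SEVERITY_WEIGHT[finding.severity]
            * asset.criticality
            * EXPOSURE_WEIGHT[asset.exposure])


def prioritize(findings, assets, accepted=frozenset()):
    """Return findings to work, highest priority first, skipping (asset, cve)
    pairs that were reviewed and accepted as not applicable or negligible."""
    todo = [f for f in findings if (f.asset, f.cve) not in accepted]
    return sorted(todo, key=lambda f: (-score(f, assets),
                                       -assets[f.asset].criticality,
                                       f.asset, f.cve))


def verify_rescan(baseline, rescan):
    """Compare two scans; returns (fixed, still_open, new) as sets of (asset, cve)."""
    before = {(f.asset, f.cve) for f in baseline}
    after = {(f.asset, f.cve) for f in rescan}
    return before - after, before & after, after - before


# --- constructed sample data -------------------------------------------------
ASSETS = {a.name: a for a in (
    Asset("web-01", criticality=3, exposure="internet"),
    Asset("db-01", criticality=3, exposure="internal"),
    Asset("kiosk-07", criticality=1, exposure="internal"),
)}

BASELINE = [
    Finding("web-01", "CVE-0000-0001", "critical"),
    Finding("db-01", "CVE-0000-0002", "critical"),
    Finding("db-01", "CVE-0000-0003", "low"),
    Finding("kiosk-07", "CVE-0000-0004", "important"),
    Finding("kiosk-07", "CVE-0000-0005", "low"),
]
# Reviewed and accepted: the kiosk lacks the affected component, so not applicable.
ACCEPTED = frozenset({("kiosk-07", "CVE-0000-0005")})

# A later scan after patching the two critical items; one new finding appeared.
RESCAN = [
    Finding("db-01", "CVE-0000-0003", "low"),
    Finding("kiosk-07", "CVE-0000-0004", "important"),
    Finding("kiosk-07", "CVE-0000-0005", "low"),
    Finding("web-01", "CVE-0000-0006", "moderate"),
]

if __name__ == "__main__":
    for f in prioritize(BASELINE, ASSETS, ACCEPTED):
        print(f"{score(f, ASSETS):3d}  {f.asset:9s} {f.cve} ({f.severity})")
    fixed, still_open, new = verify_rescan(BASELINE, RESCAN)
    print("fixed:", sorted(fixed))
    print("still open:", sorted(still_open))
    print("new since baseline:", sorted(new))
```

The design choice worth noting is that the score multiplies severity by asset criticality and exposure rather than using severity alone, so the Internet-facing web server's critical finding comes out well ahead of the same severity on the internal database, and low-value internal hosts fall to the bottom. The accepted-risk list keeps "not applicable" items out of the work queue without deleting them from the record, and `verify_rescan` separates genuinely fixed items from ones that merely stopped being reported and from new findings that a fresh scan surfaced.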