Ask the Expert

Should every flaw in a vulnerability scanner report be addressed?

What steps should I take after I get my vulnerability scanner results? Should I consider all vulnerabilities critical? Do you have to solve everything?

    Requires Free Membership to View

Vulnerability management is a critical element of any organization's security policy, and it should cover every application and service running on a network, not just machine operating systems. Your application security strategy should include regular assessments and audits. Most modern vulnerability scanners produce reports that not only include details about any failed tests, but also suggest corrective measures, including references to various information sources that can help fix the problem.

Discovered vulnerabilities are normally classified by their level of seriousness. The reports produced by Microsoft's free Baseline Security Analyzer (MBSA), for example, show severity ratings in accordance with Microsoft's security recommendations, as well as specific remediation guidance.

Each highlighted vulnerability also includes the relevant Common Vulnerabilities and Exposures (CVE) ID. CVEs are standardized names for vulnerabilities and other information security exposures. They make it easier to share data across different vulnerability and security tools, creating a common reference language for security professionals. If your particular vulnerability scanner doesn't provide some sort of indication about a vulnerability's severity, or you want a second opinion, you can use the comprehensive vulnerability database maintained by Secunia. You can also search for vulnerabilities relating to a specific product or vendor, if you are concerned about a particular aspect of your system.

So in which order should you tackle any reported vulnerabilities? You need to secure your most critical assets first, which means you must classify your network resources in order of importance. To prioritize your assets, it's vital that you view your vulnerabilities as an attacker would. For example, a vulnerability exploitable only from inside your network probably doesn't take precedence over one exploitable from the Internet. I would start by patching vulnerabilities in key resources, installing all missing patches that have been highlighted as critical or important. Then, I would roll out fixes to other assets based on their priority level. Finally, run the scan again to create a new baseline and to ensure that all patches have been installed successfully.

You don't necessarily need to fix every problem. Certain vulnerabilities will not be applicable or may present a very low-risk to your particular system. Even if you did get to the point where your scanner doesn't report any vulnerabilities, it wouldn't mean that your system is perfectly secure. Although you should scan critical systems every 5 to 10 days, scanners can only check for certain known vulnerabilities, and your system will still be susceptible to unknown or emerging ones. This is why it is important to watch out for vendor security alerts and to have a process in place for testing and deploying new patches within an acceptable timeframe.

More information:

  • Learn how to install and configure Nessus, a popular open source vulnerability scanner.
  • Put your vulnerability management data to good use.
  • This was first published in February 2007

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: