Discovered vulnerabilities are normally classified by their level of seriousness. The reports produced by Microsoft's free Baseline Security Analyzer (MBSA), for example, show severity ratings in accordance with Microsoft's security recommendations, as well as specific remediation guidance.
Each highlighted vulnerability also includes the relevant Common Vulnerabilities and Exposures (CVE) ID. CVEs are standardized names for vulnerabilities and other information security exposures. They make it easier to share data across different vulnerability and security tools, creating a common reference language for security professionals. If your particular vulnerability scanner doesn't provide some sort of indication about a vulnerability's severity, or you want a second opinion, you can use the comprehensive vulnerability database maintained by Secunia. You can also search for vulnerabilities relating to a specific product or vendor, if you are concerned about a particular aspect of your system.
So in which order should you tackle any reported vulnerabilities? You need to secure your most critical assets first, which means you must classify your network resources in order of importance. To prioritize your assets, it's vital that you view your vulnerabilities as an attacker would. For example, a vulnerability exploitable only from inside your network probably doesn't take precedence over one exploitable from the Internet. I would start by patching vulnerabilities in key resources, installing all missing patches that have been highlighted as critical or important. Then, I would roll out fixes to other assets based on their priority level. Finally, run the scan again to create a new baseline and to ensure that all patches have been installed successfully.
You don't necessarily need to fix every problem. Certain vulnerabilities will not be applicable or may present a very low-risk to your particular system. Even if you did get to the point where your scanner doesn't report any vulnerabilities, it wouldn't mean that your system is perfectly secure. Although you should scan critical systems every 5 to 10 days, scanners can only check for certain known vulnerabilities, and your system will still be susceptible to unknown or emerging ones. This is why it is important to watch out for vendor security alerts and to have a process in place for testing and deploying new patches within an acceptable timeframe.
Dig deeper on Vulnerability Risk Assessment
Related Q&A from Michael Cobb
Do you know some of the best third-party patch deployment tools? See expert Michael Cobb's recommendations on which tools would work best for your ...continue reading
Users in the enterprise may unknowingly be exposed to 'Gchat' security risks. Expert Michael Cobb discusses Internet application security best ...continue reading
Today's powerful smartphones can sometimes spread viruses to the corporate network. Learn how it can happen and how to prevent it.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.