Four VM best practices could help secure your networks

Mark Baard, Contributing Writer

When it comes to network vulnerability, it's not what you know, but when you find something out, that determines whether your network is secure.

That's what security experts said this week upon the release of a research report, "Best Practices for Vulnerability Management," by the Boston-based research firm the Yankee Group.


The report recommends four best practices: creating an inventory of network assets; quickly reducing vulnerability exposure with a vulnerability management system; integrating vulnerability management with patch management and other software; and auditing security policies.

All of the recommended practices rely on the implementation of vulnerability management software. "Vulnerability management bolsters the effectiveness of patch management, configuration control, and early warning services," the report said.

Information security experts have been preaching this message to their clients for some time. Vulnerability management systems, such as those provided by companies like Symantec, Foundstone and Qualys, can be highly effective at providing actionable, comprehensive intelligence on network assets, they said. However, they also said that some businesses continue to resist the software and services the Yankee Group referred to in its advisory.

"Some very Windows-centric shops are getting by on generic Microsoft patch management software," said Evan Carter, chief security officer at Los Angeles-based Setec Security Technologies Inc., which creates information security plans for medium-size companies. "It may work for some of them, but I wouldn't be doing it that way."

Businesses can only hope to stay ahead of threats with comprehensive vulnerability management systems, said Yankee Group analyst Phebe Waterfield. "Patch or no patch, you can still get nailed," she said.

Companies relying solely on patch management software to upgrade their PCs are constantly exposed to malicious code and Internet hacker attacks, said Alan Paller, director of research at the Bethesda, Md.-based SANS Institute.

"No organization that claims to be protecting its users is doing so if it doesn't have a vulnerability management system," said Paller. There are always servers and systems, and networked devices, that no one is monitoring, he said.
