When it comes to network vulnerability, it is not just what you know but how quickly you find it out that determines whether your network is secure.
That's what security experts said this week upon the release of a research report, "Best Practices for Vulnerability Management" by the Boston-based research firm, the Yankee Group.
The report recommends four best practices: creating an inventory of network assets; quickly reducing vulnerability exposure with a vulnerability management system; integrating vulnerability management with patch management and other software; and auditing security policies.
All of the recommended practices rely on the implementation of vulnerability management software. "Vulnerability management bolsters the effectiveness of patch management, configuration control, and early warning services," the report said.
Information security experts have been preaching this message to their clients for some time. Vulnerability management systems, such as those provided by companies like Symantec, Foundstone and Qualys, can be highly effective at providing actionable, comprehensive intelligence on network assets, they said. However, they also said that some businesses continue to resist the software and services the Yankee Group referred to in its advisory.
"Some very Windows-centric shops are getting by on generic Microsoft patch management software," said Evan Carter, chief security officer at Los Angeles-based Setec Security Technologies Inc., which creates information security plans for medium-size companies. "It may work for some of them, but I wouldn't be doing it that way."
Businesses can only hope to stay ahead of threats with comprehensive vulnerability management systems, said Yankee Group analyst Phebe Waterfield. "Patch or no patch, you can still get nailed," she said.
Companies relying solely on patch management software to upgrade their PCs are constantly exposed to malicious code and Internet hacker attacks, said Alan Paller, director of research at the Bethesda, Md.-based SANS Institute.
"No organization that claims to be protecting its users is doing so if it doesn't have a vulnerability management system," said Paller. There are always servers, systems and networked devices that no one is monitoring, he said.