Asset management is a fundamental IT discipline at the heart of risk management. Due to the variety of diverse...
devices that can connect to a network, however, vulnerability scanners have a ways to go before being truly integrated within an asset management system. Given that Nmap is considered to be the best network discovery tool available, you are not going to find anything more comprehensive. Nmap has been around for several years, won numerous awards, and is included with many operating systems. It has become the tool of choice for many network administrators who want to map their networks and test them for vulnerabilities. This versatile utility can determine what hosts are available on a network, what services those hosts are offering, and what type of packet filters and firewalls are in use. The open source tool also has the ability to remotely fingerprint a machine's operating system. You can output the results in XML format so that they can be easily imported into a database or converted into HTML for analysis. Since Nmap is free, it is obviously a better deal than any proprietary network-mapping software you might choose.
If you run a purely Windows-based network, you might want to consider Microsoft's Systems Management Server. This product can map the hardware base, including BIOS and chassis enclosure data, existing applications, version information and the current service pack and hotfix levels of devices on the network. Machines and users can also be specifically targeted with software updates and patches.
For whatever product you choose, you will need to create sustainable, systematic processes to achieve strong asset and vulnerability management. Start by regularly scanning your network to fully discover the devices present on it. These may include laptops and handheld devices that may not always be connected. Next, schedule regular vulnerability scanning for specific devices and ranges of IP addresses. It is most important to maintain a record of all these activities from asset discovery to fixes and patching. This information is critical for reporting results to managers and auditors; it demonstrates to outside regulatory agencies that the organization is managing the security risks within the business.
Dig Deeper on Risk assessments, metrics and frameworks
Related Q&A from Michael Cobb
Expert Michael Cobb details how to argue for a multistep secure code review process, like Microsoft SDL, and the pros of secure coding practices. Continue Reading
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ... Continue Reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.