What steps should I take after I get my vulnerability scanner results? Should I consider all vulnerabilities critical?...
Do you have to solve everything?
Vulnerability management is a critical element of any organization's security policy, and it should cover every application and service running on a network, not just machine operating systems. Your application security strategy should include regular assessments and audits. Most modern vulnerability scanners produce reports that not only include details about any failed tests, but also suggest corrective measures, including references to various information sources that can help fix the problem.
Discovered vulnerabilities are normally classified by their level of seriousness. The reports produced by Microsoft's free Baseline Security Analyzer (MBSA), for example, show severity ratings in accordance with Microsoft's security recommendations, as well as specific remediation guidance.
Each highlighted vulnerability also includes the relevant Common Vulnerabilities and Exposures (CVE) ID. CVEs are standardized names for vulnerabilities and other information security exposures. They make it easier to share data across different vulnerability and security tools, creating a common reference language for security professionals. If your particular vulnerability scanner doesn't provide some sort of indication about a vulnerability's severity, or you want a second opinion, you can use the comprehensive vulnerability database maintained by Secunia. You can also search for vulnerabilities relating to a specific product or vendor, if you are concerned about a particular aspect of your system.
So in which order should you tackle any reported vulnerabilities? You need to secure your most critical assets first, which means you must classify your network resources in order of importance. To prioritize your assets, it's vital that you view your vulnerabilities as an attacker would. For example, a vulnerability exploitable only from inside your network probably doesn't take precedence over one exploitable from the Internet. I would start by patching vulnerabilities in key resources, installing all missing patches that have been highlighted as critical or important. Then, I would roll out fixes to other assets based on their priority level. Finally, run the scan again to create a new baseline and to ensure that all patches have been installed successfully.
You don't necessarily need to fix every problem. Certain vulnerabilities will not be applicable or may present a very low-risk to your particular system. Even if you did get to the point where your scanner doesn't report any vulnerabilities, it wouldn't mean that your system is perfectly secure. Although you should scan critical systems every 5 to 10 days, scanners can only check for certain known vulnerabilities, and your system will still be susceptible to unknown or emerging ones. This is why it is important to watch out for vendor security alerts and to have a process in place for testing and deploying new patches within an acceptable timeframe.
Dig Deeper on Risk assessments, metrics and frameworks
Related Q&A from Michael Cobb
Expert Michael Cobb details how to argue for a multistep secure code review process, like Microsoft SDL, and the pros of secure coding practices. Continue Reading
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ... Continue Reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.