IT managers have their horror stories by the dozen:
- Installing the latest operating system and software patches throughout your network only to find that they created new security vulnerabilities;
- Spending all weekend implementing security countermeasures only to discover that the "risk" was a hoax;
- Having to justify to a major customer, shareholder or the legal department why the latest headlined threat won't impact your operation.
These are just a few of the everyday problems in attempting to keep enterprises and e-business applications secure from hackers and malicious code. But staying abreast of potential security breaches for every operating system, browser, e-mail utility, firewall, VPN solution, antivirus protection software package, etc. can be a monumental task for disparate networks spread across the country and even around the world. And that doesn't include evaluating the validity of threats and the effectiveness of patches and fixes.
It's for these reasons that companies are turning to vulnerability assessment tools for answers. However, John Giubileo, vice president of Managed Services and Technology for eSecurityOnline.com, cautions that if these solutions have not been validated, the "cure" may make things even worse.
"A lot of security scares that come out in the media, on the Web, and through mailing lists aren't true vulnerabilities," Giubileo said. "For example, recently there was a firewall alert that didn't come from a good source and it turned out to be false. If you act on unsupported claims and start loading un-validated patches on 10,000 NT servers, for example, you can waste a lot of time or do more harm than good."
Giubileo says that companies need to make sure they are using trusted sources to perform vulnerability assessments and make recommendations for effective patches and fixes. To ensure that their ASP customers are correctly informed, for example, eSecurityOnline.com's Research and Development Team maintains validated databases on 2,400 vulnerabilities and fixes for 50-plus operating systems, 450-plus applications, and 50 devices - a task that far exceeds the capabilities and resources most IT departments can support.
"In addition, we watch continuously for vulnerabilities specific to each client's network and alert administrators immediately of any new and dangerous threats," Giubileo said.
ASP-based security assessment is an emerging technology that shows great promise for helping IT departments offload as well as upgrade the management of network security vulnerabilities.
About the author
Linda Gail Christie is a contributing editor, based out of Tulsa, Okla.