Do you know where the security flaws in your enterprise are? If you're like most IT and security professionals, then you're probably not sure. And that's why the emerging discipline of vulnerability management is increasingly becoming a key plank in many enterprises' security platforms.
These days, vulnerabilities can be found almost anywhere in the enterprise. On the client side of the ledger, the top vulnerability locations are Web browsers, office software (including word processors, spreadsheets and presentation packages), e-mail clients, and media players. Each of these has been found subject to a host of vulnerabilities and, because of its near ubiquity, is a frequent target of attacks that seek to exploit known and newly discovered flaws.
Things aren't much better on the server side, where the list of problem spots is even longer: Web applications, Windows services, Unix and Mac OS services, backup software, antivirus software, management servers, and database software are the most frequent vulnerability locations, and the frequent exposure of servers to the Internet makes attack even more likely.
How hard is it for attackers to exploit these flaws? The answer depends on the nature of the vulnerability exploited and the individual or group doing the exploiting. But system and application flaws can lead to disaster: Just look at the list maintained by PrivacyRights.org, which tracks publicly disclosed breaches of customer and corporate data.
The list shows that in the relatively short period between Aug. 1 and Oct. 2 of this year, more than 8 million records were exposed by breaches of various sorts. Given the risk of data loss -- not to mention civil action and regulatory penalties -- the potential for financial damage to the organization is immense.
What can you do to limit this risk? There are many steps in the vulnerability management process, but the first is obvious: You must establish a clear security policy and plan that identifies what data you want to protect and what systems it runs on.
Next, develop a baseline assessment of the environment: Simply put, what is the organization's security status right now? Do vulnerabilities exist in products (infrastructure, application, or OS), or have they been introduced because of deployment configurations? This is where vulnerability assessments and penetration testing can help.
Once you've identified your flaws, you'll need to prioritize them. IT staff should prioritize vulnerabilities based on severity, location, potential exploitation, and ease of remediation. Only once you've done the prioritization can you begin the process of remediation, which may include replacing vulnerable services, changing vulnerable configurations, or updating applications and OSes to remove or replace vulnerable code.
After the flaws are fixed, you must keep monitoring the environment. Computer and network systems are constantly changing and evolving, as are the tools used to exploit vulnerabilities in them. For this reason, vulnerability management is an ongoing process rather than a one-time event.
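A small prioritization and rescan check that follows the steps above, as an added example that is not part of the Dark Reading article or any vendor's product: it scores constructed findings on the four criteria named above (severity, location, potential exploitation, ease of remediation), orders them into a remediation queue, and flags what a later rescan turns up that the baseline did not. The weights, the 0-10 severity scale and the host names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability from an assessment or pentest report (constructed fields)."""
    host: str
    title: str
    severity: float        # scanner severity on a 0-10 scale (assumed, CVSS-like)
    internet_facing: bool  # location: reachable from the Internet or internal only
    exploit_public: bool   # potential exploitation: a working exploit is public
    fix: str               # ease of remediation: "patch", "reconfigure" or "replace"


# Assumed weights: Internet exposure and a public exploit raise priority; a costly
# fix (replacing a service) lowers it slightly so that quick wins surface first.
EXPOSURE_WEIGHT = 1.5
EXPLOIT_WEIGHT = 1.3
FIX_WEIGHT = {"patch": 1.0, "reconfigure": 0.9, "replace": 0.7}


def priority_score(f: Finding) -> float:
    score = f.severity
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    if f.exploit_public:
        score *= EXPLOIT_WEIGHT
    return round(score * FIX_WEIGHT[f.fix], 2)


def remediation_queue(findings):
    """Remediation step: highest score first, ties broken by raw severity, then host."""
    return sorted(findings, key=lambda f: (-priority_score(f), -f.severity, f.host))


def new_or_reopened(baseline, rescan):
    """Monitoring step: findings in a rescan that the baseline assessment did not have."""
    seen = {(f.host, f.title) for f in baseline}
    return [f for f in rescan if (f.host, f.title) not in seen]


# Constructed sample findings; the hosts and titles are not from any real report.
BASELINE = [
    Finding("web01", "Outdated web framework allows remote code execution", 9.8, True, True, "patch"),
    Finding("db01", "Database server accepts default credentials", 9.0, False, True, "reconfigure"),
    Finding("mail01", "E-mail client buffer overflow", 7.5, False, False, "patch"),
    Finding("bkp01", "Backup software past end of support", 8.0, True, False, "replace"),
    Finding("ws17", "Media player codec flaw", 6.5, False, True, "patch"),
]

if __name__ == "__main__":
    for f in remediation_queue(BASELINE):
        print(f"{priority_score(f):6.2f}  {f.host:7}  {f.title}")
```

Note that the internal workstation with a public exploit (ws17) ranks above the Internet-facing backup server (bkp01), because the latter needs a full replacement; adjust the weights to match your own policy rather than taking these as given.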
To read more about the process of implementing vulnerability management -- and the tools and techniques that may be useful in that process -- download the full report here.