How to Make Vulnerability Scans Pay Off

Vulnerability scans are nice, but they aren't much use if you don't take action on the results

4:10 PM -- A link to a video by Eric Cole titled “Five Axioms of Vulnerability Scanning” made its way to my inbox this morning. Since I’ve had the pleasure of being in a class taught by Dr. Cole, I took a quick look, and I was glad I did.

The video is just over three minutes long and covers some good takeaways for IT shops that are looking to start regular vulnerability scanning, or at least do annual scans to please the auditors.

Cole's first point is that we, as security professionals, cannot control threats. Whether they are malware, malicious insiders, or natural disasters, the threats will be there. Our job is to take proper measures to protect our networks and systems from those threats.

Midway through the video, Cole says that "vulnerability scans without remediation are of little value." On the surface, that seems like a no-brainer, but how often has your organization conducted a vulnerability scan -- or hired a consultant to do it -- and failed to follow up? Many companies don’t do anything for almost a year -- until they realize an audit is coming up again. And at that point, they scramble to start fixing problems, only to find there are more now than when the first scan was completed.

I think those scenarios would occur less frequently if IT shops listened to Cole and prioritized the action items indicated by the scan results. He recommends identifying the five or 10 most critical servers, fixing any issues they may have, and then moving on to the next group. It’s the same concept many productivity authors preach, where you take a large, daunting task and break it up into more manageable chunks. There’s a feeling of accomplishment as each task is completed, and your company’s network will be safer.

As with many IT tasks, automation is important. Automate the scans to detect any new vulnerabilities that may come up as new systems are introduced into the network. Just because the vulnerabilities identified in the initial scan are fixed, there’s no guarantee that new ones won’t be discovered as environments change and attackers uncover them.

Take a look at the video and let me know what you think.

— John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading