Network Computing is part of the Informa Tech Division of Informa PLC


Are You Vulnerable?: Page 4 of 13

Although the host-based VA model does require agents, the advantage is that agents typically can probe systems and services that aren't usually available to a network scanner. The obvious disadvantage is that it's another agent, and another set of licenses, to manage. Host-based products also create problems for distributed administration teams, which often don't have access to systems outside their zones of control.

Application-assessment suites, like Cenzic's Hailstorm (see "Arming Your Top Security Guns"), @Stake's WebProxy and Sanctum's AppScan, are a little different from conventional host or network VA tools in that they are designed to evaluate both commercial and home-grown applications. These apps can arm skilled professionals with better tools to do their jobs, but operators need to be security savvy.

Once vulnerabilities are identified, patch-management tools and software-deployment systems can help with the response effort (see "PatchLink Helps Keep Windows Closed"). But sometimes even these systems aren't enough, as pesky users can muck up the patching works by reinstalling vulnerable applications, uninstalling patches and continually deploying potentially harmful software. Smart organizations will work to patch systems and keep them patched. Products that check for latest patch levels, antivirus images and general system health should be considered wherever possible (for examples, see "Got Discipline?").
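The "check for latest patch levels and keep them patched" idea above can be reduced to a small host-based compliance check: compare what each host reports as installed against a required baseline, and also against the previous scan, so that a patch a user uninstalled or a vulnerable build a user reinstalled shows up as a regression rather than silently reopening the hole. The script below is an added example written for this page, not code from any product named in the article. The baseline, host names, package names and versions are all constructed for illustration, and the version ordering deliberately treats a trailing suffix such as "-p2" as a patch level that sorts above the bare release (a pre-release suffix like "-rc1" would be misordered by this rule).

```python
"""Patch-level drift check: flag hosts below a required baseline or that have
regressed since the last scan. All inventory data here is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed baseline: lowest acceptable version of each package (hypothetical values).
REQUIRED_MIN: Dict[str, str] = {
    "openssh": "3.4",
    "apache": "1.3.26",
    "bind": "9.2.1-p2",
}

# Constructed scan results, host -> {package: installed version}, as a host-based
# agent might report them on two consecutive runs.
PREVIOUS_SCAN: Dict[str, Dict[str, str]] = {
    "web01": {"openssh": "3.4", "apache": "1.3.26", "bind": "9.2.1-p2"},
    "web02": {"openssh": "3.4", "apache": "1.3.26"},
    "ns01": {"openssh": "3.4", "bind": "9.2.1-p2"},
}
CURRENT_SCAN: Dict[str, Dict[str, str]] = {
    "web01": {"openssh": "3.4", "apache": "1.3.26", "bind": "9.2.1-p2"},
    "web02": {"openssh": "3.1", "apache": "1.3.26"},   # an older sshd was reinstalled
    "ns01": {"openssh": "3.4", "bind": "9.2.1"},       # the p2 patch level was removed
    "db01": {"openssh": "3.3", "apache": "1.3.22"},    # new host, never patched
}

Finding = Tuple[str, str, str, str]  # (host, package, installed version, status)


def parse_version(version: str) -> tuple:
    """Turn '9.2.1-p2' into a comparable tuple. Numeric parts compare as integers;
    a non-numeric suffix is kept as text, and a longer tuple with an equal prefix
    sorts higher, so '9.2.1-p2' > '9.2.1' (assumption: suffixes are patch levels)."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


def is_older(installed: str, reference: str) -> bool:
    """True if the installed version sorts below the reference version."""
    return parse_version(installed) < parse_version(reference)


def find_patch_gaps(required: Dict[str, str],
                    previous: Dict[str, Dict[str, str]],
                    current: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Report every (host, package) that is below the baseline, and every one that
    is older than it was on the previous scan (a rollback or reinstall)."""
    findings: List[Finding] = []
    for host in sorted(current):
        installed = current[host]
        for package, minimum in sorted(required.items()):
            if package not in installed:
                continue  # package not present on this host; nothing to patch
            version = installed[package]
            if is_older(version, minimum):
                findings.append((host, package, version, "below_baseline"))
            prior = previous.get(host, {}).get(package)
            if prior is not None and is_older(version, prior):
                findings.append((host, package, version, "regressed"))
    return findings


def hosts_needing_attention(findings: List[Finding]) -> List[str]:
    """Distinct hosts with at least one finding, for the ticket queue."""
    return sorted({host for host, _, _, _ in findings})


if __name__ == "__main__":
    results = find_patch_gaps(REQUIRED_MIN, PREVIOUS_SCAN, CURRENT_SCAN)
    for host, package, version, status in results:
        print(f"{host:6} {package:8} {version:10} {status}")
    print("hosts needing attention:", ", ".join(hosts_needing_attention(results)))
```

Running this against the constructed data marks db01 as below baseline on two packages, and flags both web02 (sshd rolled back from 3.4 to 3.1) and ns01 (bind dropped from 9.2.1-p2 to 9.2.1) as regressions as well as baseline failures, while web01 is clean. In practice the previous-scan comparison is the part that catches the "pesky user" problem: a baseline check alone tells you a host is unpatched, but the regression check tells you it was patched and then broken again, which is a different conversation.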

The Business Case

One of the most common sources of vulnerabilities is design and implementation flaws in off-the-shelf hardware and software. Last year, SAC (Security Alert Consensus, www.sans.org/newsletters/sac) reported about 1,000 new OS and application vulnerabilities--that's 83 new security vulnerabilities per month--and that is probably a conservative estimate, because SAC tends to focus on large threats to corporate and government computing environments. And SAC tells only part of the story. At the time of this writing, SecurityFocus had 7,679 entries in its vulnerability database (www.securityfocus.com), the National Institute of Standards and Technology's ICAT metabase (icat.nist.gov/icat.cfm) had 5,712 vulnerabilities listed, and the CVE (Common Vulnerabilities and Exposures, cve.mitre.org) effort had ratified 2,573 entries (see "Don't Panic, Plan" for more details on what lurks beyond your borders).