
Are You Vulnerable?: Page 10 of 13

Speaking of tools, they say that any sufficiently advanced technology is indistinguishable from magic. Unfortunately, while we wish vulnerability-assessment scanners could turn the average security pro into a Houdini-like network defender, our tests of 11 VA products revealed this is not the case (see "VA Scanners Pinpoint Your Weak Spots," page 51). Although scanners from BindView Corp., Beyond Security, eEye Digital Security, Foundstone, Harris Corp., nCircle, Qualys, Rapid 7, SAINT, Tenable and Vigilante.com helped shore up our horribly insecure test network, none made us bulletproof. Still, don't discount a good VA scanner--our Editor's Choice, Foundstone Enterprise, identified a respectable number of vulnerabilities while providing detailed reporting and good management, and many of its rivals offered interesting features and unique protection models.

• Set a patching policy. Although many organizations have robust policies, most policy frameworks don't require system administrators to keep up with current patches. Make patching mandatory, and define a timeframe within which critical patches must be deployed.

• Implement a patch-management system. Without automation, small organizations struggle with patching efforts, while large enterprises have little hope of staying current. Patch-automation tools and desktop-management systems are crucial elements in reducing risk.

• Implement a vulnerability-assessment effort. VA is necessary not only to identify existing vulnerabilities, but also to serve as the compliance-monitoring arm. Systems should be monitored to ensure that policies have been followed and timely patching has been performed.

• Keep abreast of threats. Subscribing to alert services, such as Network Computing's Security Alert Consensus newsletter (portal.sans.org/nwc), will help you understand and manage the vulnerabilities currently in play on your network.

• Integrate security into design and purchasing cycles. Smart organizations will be proactive in deploying secure products. Do this right the first time and you will spend less time dealing with future security shortcomings, which will translate directly into cost savings.
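The first and third items above (a mandatory deployment window for patches, and VA as the arm that checks the window was met) are easiest to see working together in code. The following is an added example, not code from the article or from any of the scanners it reviews: it parses a constructed scanner export of missing patches, measures each finding against an assumed per-severity deployment window, and rolls the result up per host so a reviewer can see who is out of policy and by how much. The CSV layout, the policy windows, the hostnames, the placeholder patch IDs and the dates are all assumptions made for the example.

```python
"""Patch-policy compliance check over a VA scanner's missing-patch export.

Added example, not code from the Network Computing article or from any of
the scanners it reviews. The policy windows, the CSV layout and the hosts,
patch IDs and dates below are assumptions constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Assumed patching policy: maximum days between a patch's release and its
# deployment, by vendor-assigned severity. The article asks that such a
# window be defined; these particular values are an assumption.
POLICY_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Date the constructed export was taken; pinned so the sample is reproducible.
SAMPLE_TODAY = date(2003, 8, 15)

# Constructed sample of a scanner's missing-patch export, one finding per row.
# Patch IDs are placeholders, not real vendor bulletins.
SAMPLE_EXPORT = """\
host,patch_id,severity,released
web01,SA-03-11,critical,2003-07-16
web01,SA-03-07,medium,2003-05-28
db02,SA-03-11,critical,2003-07-16
db02,SA-03-03,critical,2003-03-17
fs03,SA-03-07,medium,2003-05-28
fs03,SA-03-09,high,2003-06-25
app04,SA-03-12,unrated,2003-08-10
"""


def parse_export(text):
    """Parse the CSV export into finding dicts with a real date object."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["host"].strip(),
            "patch_id": row["patch_id"].strip(),
            "severity": row["severity"].strip().lower(),
            "released": date.fromisoformat(row["released"].strip()),
        })
    return findings


def evaluate(findings, policy=POLICY_DAYS, today=None):
    """Attach a deadline and overdue status to every finding.

    A severity the policy does not cover is a gap in the policy, not a free
    pass: it is measured against the strictest window and flagged so the
    policy owner sees it. A finding is overdue once today is past the
    deadline; the deadline day itself still counts as on time.
    """
    today = today or date.today()
    strictest = min(policy.values())
    results = []
    for f in findings:
        window = policy.get(f["severity"])
        policy_gap = window is None
        deadline = f["released"] + timedelta(days=strictest if policy_gap else window)
        days_overdue = (today - deadline).days
        results.append({
            **f,
            "deadline": deadline,
            "days_overdue": days_overdue,
            "overdue": days_overdue > 0,
            "policy_gap": policy_gap,
        })
    return results


def host_report(results):
    """Roll evaluated findings up per host: count, overdue count, worst lateness."""
    report = {}
    for r in results:
        h = report.setdefault(r["host"], {"findings": 0, "overdue": 0, "max_days_overdue": 0})
        h["findings"] += 1
        if r["overdue"]:
            h["overdue"] += 1
            h["max_days_overdue"] = max(h["max_days_overdue"], r["days_overdue"])
    return report


def worst_first(results):
    """Overdue findings in remediation order: most overdue first."""
    return sorted((r for r in results if r["overdue"]),
                  key=lambda r: r["days_overdue"], reverse=True)


if __name__ == "__main__":
    evaluated = evaluate(parse_export(SAMPLE_EXPORT), today=SAMPLE_TODAY)
    for host, h in sorted(host_report(evaluated).items()):
        status = "OK" if h["overdue"] == 0 else f"OVERDUE x{h['overdue']}"
        print(f"{host:6} findings={h['findings']} {status} max_late={h['max_days_overdue']}d")
    for r in worst_first(evaluated):
        gap = " (severity not in policy)" if r["policy_gap"] else ""
        print(f"  {r['host']} {r['patch_id']} {r['severity']} due {r['deadline']} "
              f"late {r['days_overdue']}d{gap}")
```

Two design points matter in practice. The reference date is the date the export was taken, passed in explicitly, because measuring a week-old scan against today's date inflates every host's lateness. And a severity the policy does not name (the "unrated" row) is flagged rather than silently skipped, since the policy itself, not just the host, is what the compliance check is meant to exercise.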

Application and operating system vulnerabilities pose obvious threats, but an often-overlooked problem is "pilot error"--mistakes made by technical staff during general day-to-day operations. Examples of pilot error include botched firewall entries, forgotten steps in router configurations and the inadvertent addition of a user to a privileged group. Most such mistakes are accidental, but the intentional "internal bypass" is not all that uncommon either.