One critical but often overlooked area is the management of known application and operating-system vulnerabilities--vulnerabilities that have been publicized and, frequently, have fixes yet remain unmitigated. Stay on top of patch management and vulnerability-assessment scanning. Vulnerability-assessment tools help protect system and infrastructure assets and complement just about every other security technology. An effective vulnerability-assessment/patch-management effort will reduce operational risks for everyone.
Many vulnerabilities have bitten organizations multiple times in the form of both manual and automated attacks. For example, two of 2001's most vicious worms, Code Red and Nimda, leveraged known vulnerabilities that had patches available. If more organizations had fixed these vulnerabilities in a timely manner, neither outbreak would have been as severe.
Known holes are also one of the top attack routes. According to the PricewaterhouseCoopers/InformationWeek 2002 Global Information Security Survey, "Exploited Known OS Vulnerability" tops the charts as a method of attack with 41 percent (that's up 10 percentage points from 2001; see chart below). In the cases where the cause of the compromise can be determined, more than 99 percent of those are from known types of attacks where countermeasures are available, according to Jeff Carpenter, manager of the CERT Coordination Center, part of the Software Engineering Institute.
Shrinking Toolbox
Much to our surprise, given this reality, many popular scanning tools in this market have been neglected or discontinued. In 2002 both Cisco Systems and Network Associates dropped their vulnerability-assessment solutions (NetSonar and CyberCop Scanner), and Internet Security Systems gave Internet Scanner its first major revision in years. Considering that Internet Security Systems and Network Associates were market-share leaders, and that the vulnerability-assessment market is growing, it should come as no surprise that newcomers have entered the breach. Next-generation scanning solutions like Qualys' QualysGuard, Foundstone's FoundScan, nCircle Network Security's IP360 and Tenable Network Security's Lightning are looking to fill the void.
Some of these vendors started off with a perimeter-centric view of the world, but they are now shipping products aimed at enterprise-level internal vulnerability assessments. Consider speed, depth of coverage and signature checks, reporting, trending and scalability when choosing your vulnerability-assessment products.
Once vulnerabilities are identified, administrators need to snap into action with patches and hot fixes. Patch-management solutions from PatchLink Corp., BigFix, St. Bernard Software and others offer an efficient way to address mitigation tasks (see "PatchLink Helps Keep Windows Closed"). While large organizations will always need plain-vanilla vulnerability-assessment scanners for their audit teams, we hope to see tighter integration between vulnerability-assessment and patch-management solutions in 2003.
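The integration argued for above boils down to one join: scanner findings against patch-deployment records, surfacing the known holes that already have a fix but are still open. The script below is an added illustration of that join, not code from any vendor named here; the hosts, vulnerability and fix identifiers and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Finding:                 # one scanner result for a publicized vulnerability
    host: str
    vuln_id: str               # scanner's identifier for the known vulnerability
    fix_id: Optional[str]      # vendor patch that closes it; None if no fix exists yet
    detected: date

@dataclass(frozen=True)
class PatchRecord:             # one patch-management record
    host: str
    fix_id: str
    installed: date

def remediation_backlog(findings, patches, today):
    """Join findings against patch records; return (host, vuln, fix, status, days_exposed),
    longest exposure first. Findings with no fix available are omitted: they need a
    workaround process, not a patch rollout."""
    installed = {(p.host, p.fix_id): p.installed for p in patches}
    rows = []
    for f in findings:
        if f.fix_id is None:
            continue
        when = installed.get((f.host, f.fix_id))
        if when is None:
            status = "needs_patch"      # fix exists but was never deployed to this host
        elif when < f.detected:
            status = "verify_install"   # patch logged, yet a later scan still saw the hole
        else:
            continue                    # patched after the scan; the finding is stale
        rows.append((f.host, f.vuln_id, f.fix_id, status, (today - f.detected).days))
    rows.sort(key=lambda r: r[4], reverse=True)
    return rows

# Constructed sample data; identifiers are placeholders, not real advisories or patches.
FINDINGS = [
    Finding("web01", "VULN-A", "FIX-A", date(2003, 1, 5)),
    Finding("web01", "VULN-B", "FIX-B", date(2003, 1, 5)),
    Finding("db01", "VULN-A", "FIX-A", date(2003, 1, 12)),
    Finding("db01", "VULN-C", None, date(2003, 1, 12)),
]
PATCHES = [PatchRecord("web01", "FIX-B", date(2003, 1, 10)),
           PatchRecord("db01", "FIX-A", date(2003, 1, 2))]
TODAY = date(2003, 1, 15)      # constructed "as of" date for the exposure calculation
if __name__ == "__main__":
    for row in remediation_backlog(FINDINGS, PATCHES, TODAY):
        print(row)
```

The "verify_install" status is the case a plain scanner report hides: the patch system says the fix is on the box, but a later scan still sees the hole, which usually means a failed or incomplete install.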
One caveat: Neither of these product types helps with security flaws in custom applications. Some tools, such as Cenzic's HailStorm and @Stake's WebProxy, can help highly technical auditors look for programming and design mistakes, but there's no simple solution for vulnerabilities in custom applications. Think about it--over the years Microsoft has come under siege for code flaws that created nightmarish security problems. If there were an automated way to detect these bugs, wouldn't the world's largest software company use it? Until application-development practices evolve and security enters the design life cycle, we'll have problems in this area.