So how can an organization hope to stay safe, given such a wide range of potential attack vectors?
As with many information-security challenges, the solution lies partly with technology, partly with tactics and partly with strategy. Ratifying and enforcing policies that promote routine audits and timely patching, and implementing technologies that aid vulnerability assessment and configuration/patch management, are starting points. But at the center of sound tactical vulnerability management are two basic concepts: identification and response. By leveraging tools and processes to identify vulnerabilities, and then responding with plans to manage the associated risks, an organization can reduce its overall exposure.
Organizations that want to address their vulnerability at a strategic level need to move security principles beyond the traditional walls of infosec: Security must play a role in purchasing, design and implementation decisions--a major shift for most companies.
Identify, Then Respond
Before you can fix a vulnerability, you have to find it. This is easier said than done, but the key to narrowing your search is to realize that most technical vulnerabilities exist in one of two areas: design failures or implementation failures.
Examples of design failures include accidentally bringing third-party network connections into a network without implementing a firewalling mechanism, not including proper access controls between tiers in e-commerce applications and failing to implement cryptography to protect critical data sets.
Implementation failures may include forgetting to enable the ACLs (access-control lists) on a router, not patching a new Web server or forgetting to scrub user data in a Web form. Any of these vulnerabilities could expose sensitive information, allow unauthorized access or, in the case of worms and viruses, wreak digital carnage.
Design problems typically are harder to identify than implementation errors because few tools can replicate the abilities of a professional. This is why including security teams in the design life cycle is so critical--experienced humans can identify potential design failures quickly, avoiding costly long-term mitigation efforts. Implementation problems can also be costly, of course, but fortunately there are more tools and technology solutions that can reduce these risks.
Regardless of the type of vulnerability, the tactical process remains the same--identify, then respond. However, there may be multiple approaches to the response phase, some more proactive than others. An organization might choose to fix the problem directly with a software patch, or it might deploy a device to reduce the chances of exploitation. Some might even decide to do nothing and assume the level of risk associated with that particular vulnerability. Let's apply this concept to a real-world example:
Scenario: A critical flaw has been found in Microsoft's Internet Explorer Web browser (not much of a stretch). This flaw lets attackers execute arbitrary code on a victim's (now) vulnerable desktop.
Evaluation Phase: Identify whether vulnerable versions of IE reside on your network, possibly using a desktop-management system, an asset-tracking system or a vulnerability-assessment tool (network- or host-based).
Response Phase: After finding vulnerable versions of IE, use a patch-management system to push out patches to hundreds of desktops. You might deploy a proxy server or smart caching system (see "Surf's Up") to filter hostile patterns and malicious code. Or you might take a dual approach, using a proxy to buy some time while scampering to get patches deployed.
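As an added illustration of the evaluation and response phases above (example code, not code from the original article): a short Python script that walks an asset inventory, flags installs whose browser build predates the fixed build, and assigns each vulnerable host one of the responses the article lists (patch, proxy filtering while the patch rolls out, or a recorded risk acceptance). The inventory, version strings, the advisory identifier and the batch size are constructed assumptions. It goes slightly beyond the scenario in two ways a practitioner would want: a host whose version the tooling could not read is treated as vulnerable rather than silently passed, and "do nothing" becomes an explicit entry with a note instead of an absence from the plan.

```python
"""Identify vulnerable browser installs in an asset inventory, then plan a response.

Added illustration of the article's identify-then-respond drill; it is not code
from the original article. Inventory, version strings and advisory are constructed.
"""
from collections import Counter

# Constructed asset inventory, shaped like an asset-tracking export.
INVENTORY = [
    {"host": "ws-001",  "ie_version": "6.0.2600.0",    "exposure": "internet"},
    {"host": "ws-002",  "ie_version": "6.0.2800.1106", "exposure": "internet"},
    {"host": "ws-003",  "ie_version": "5.5.4807.2300", "exposure": "internet"},
    {"host": "kiosk-1", "ie_version": "6.0.2600.0",    "exposure": "isolated"},
    {"host": "srv-db1", "ie_version": "6.0.2600.0",    "exposure": "internal"},
    {"host": "ws-004",  "ie_version": "",              "exposure": "internet"},  # scan could not read version
]

# Constructed advisory with a placeholder id: builds below `fixed` are affected.
ADVISORY = {"id": "ADV-PLACEHOLDER-0001", "product": "ie", "fixed": "6.0.2800.1106"}

# Order in which exposures get attention: browsing hosts first.
EXPOSURE_PRIORITY = {"internet": 0, "internal": 1, "isolated": 2}


def parse_version(text, width=4):
    """'6.0.2800.1106' -> (6, 0, 2800, 1106), zero-padded to `width` so that
    '6.0.2800' compares as 6.0.2800.0. Returns None when unparseable."""
    if not text:
        return None
    try:
        parts = [int(p) for p in text.strip().split(".")]
    except ValueError:
        return None
    return tuple(parts + [0] * (width - len(parts)))[:width]


def is_vulnerable(asset, advisory):
    """True when the installed build predates the fixed build. An unknown or
    unparseable version is treated as vulnerable: an install the tooling cannot
    identify is a finding to chase, not a host to mark clean."""
    installed = parse_version(asset.get("ie_version"))
    if installed is None:
        return True
    return installed < parse_version(advisory["fixed"])


def identify(inventory, advisory):
    """Evaluation phase: return the vulnerable assets, most exposed first."""
    hits = [a for a in inventory if is_vulnerable(a, advisory)]
    return sorted(hits, key=lambda a: EXPOSURE_PRIORITY[a["exposure"]])


def plan_response(vulnerable, batch_size=50):
    """Response phase: map each vulnerable host to one of the article's options.
    Browsing hosts get the dual approach (proxy filtering now, patch queued);
    internal hosts are patched in waves; isolated hosts carry an explicit,
    recorded risk acceptance instead of an implicit 'do nothing'."""
    plan = {}
    wave = 0
    queued = 0
    for asset in vulnerable:  # already ordered most-exposed first
        if asset["exposure"] == "isolated":
            plan[asset["host"]] = {"action": "accept_risk", "patch_wave": None,
                                   "note": "no browsing path; re-evaluate if exposure changes"}
            continue
        if queued % batch_size == 0:  # open a new patch wave every batch_size hosts
            wave += 1
        queued += 1
        action = "proxy_filter+patch" if asset["exposure"] == "internet" else "patch"
        plan[asset["host"]] = {"action": action, "patch_wave": wave}
    return plan


def summarize(plan):
    """Count hosts per action, the figure a manager asks for first."""
    return dict(Counter(entry["action"] for entry in plan.values()))


if __name__ == "__main__":
    found = identify(INVENTORY, ADVISORY)
    response = plan_response(found, batch_size=2)
    for host, entry in response.items():
        print(f"{host:8} {entry['action']:20} wave={entry['patch_wave']}")
    print(summarize(response))
```

Run as a script it prints the per-host plan and the action counts; in practice the inventory would come from the desktop-management or asset-tracking export and the `fixed` build from the vendor advisory, with the patch waves handed to the patch-management system.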
For most organizations the drill is familiar--we've been patching Microsoft Outlook, IE and dozens more OSs and applications for years. What might be unfamiliar are some of the tools, like vulnerability-assessment suites, patch managers and integrity checkers, that can greatly reduce the overhead. Without the automation that these tools provide, most organizations don't stand a chance against the growing threats.