“Enterprises that implement a vulnerability management process will experience 90% fewer successful attacks...” Gartner, Predictions for IT Security Directors
While it’s no secret that identifying and correcting network security holes is critical to protecting any business from harmful attacks, the process of vulnerability assessment and remediation often gets overlooked as a critical component of sound security practices. Because it is an ongoing process, many companies avoid proper vulnerability auditing until disaster strikes and they are forced to react. Even then, some businesses fail to learn the lesson of proactive vulnerability assessment and remediation. The following are some common misconceptions about vulnerability assessment and its role in properly secure computing environments:
Reality: Despite all the attention that firewalls, anti-virus applications and Intrusion Detection System (IDS) receive, security vulnerabilities still plague organizations. The implementation of these tools often lead administrators into believing that their networks are safe from intruders. Unfortunately, this is not the case. In today’s complex threat environment of malware, spyware, disgruntled employees and aggressive international hackers, developing and enforcing a strict and regular network security policy that incorporates on-going vulnerability assessment is critical to maintaining business continuity. Firewalls and IDS are independent layers of security. Firewalls merely examine network packets to determine whether or not to forward them on to their end destination. Firewalls screen data based on domain names or IP addresses and can screen for low-level attacks. They are not designed to protect networks from vulnerabilities and improper system configurations. Nor can they protect from malicious internal activity or rogue assets inside the firewall.
Similarly, an IDS inspects all inbound and outbound network activity and identifies suspicious patterns. IDS can be either passive or reactive in design, but either way they rely on signature files of known attacks to prevent intrusion. Most sophisticated attacks can easily trick IDS and penetrate networks. Likewise, an IDS will not protect against vulnerabilities that may be exploited by remotely executed code. A vulnerability assessment system, on the other hand, will look at the network and pinpoint the weaknesses that need to be fixed/patched – before they ever get breached. With over 80 new vulnerabilities announced each week, a company’s network is only as secure as its latest vulnerability assessment. An ongoing vulnerability assessment process, in combination with proper remediation, will help ensure that the network is fortified to withstand the latest attacks.
Reality: If you look at recent history you will see that not all attacks are targeted. Code Red, Blaster, Sasser, Bagel, etc. attacked enterprises and systems at random, based on specific vulnerabilities. On the other hand, it is not just large enterprises that need to be concerned about targeted attacks. Any organization can become the target of a disgruntled employee, customer or contractor. So, it is important to move beyond the “it can’t happen to me” feeling of security and look at the hard facts.