Vulnerability assessment best practices for enterprises

Measure Twice, Cut Once

Compliance and Life Cycles

VA has a never-ending life cycle of continual scans, reports, assessments, remediations, and evaluations and must be addressed in such a way to be truly effective. Daily, new attack signatures are developed, viruses and worms are written, buffer overflows are discovered, and changes in an organization's infrastructure and new technologies are developed that increase the susceptibility of an organization to vulnerabilities. Each of these actions affects the risk posture of the organization. Any one piece of the life cycle cannot be effective without the other.

Once the VA is complete, the reports have been presented, and the organization has been briefed, you need to give them the tools to stay protected against new vulnerabilities. No interconnected IT environment is 100% removed from potential attacks, but if you can impress upon the organization you are working with the importance of regularly scanning their systems, they will be better off than when you arrived, which is your ultimate goal.

Conclusion

A single piece of malware can cause widespread trauma to an organization and even significant injury to an entire region of the world. A good VA program can help prevent these problems from ever happening. A VA program can assist with reducing an organization's overall risk level and, in turn, allow an organization to perform effective due diligence in order to uncover the true vulnerabilities. By creating a comprehensive VA program, an organization can add another layer to its in-depth defense strategy. By identifying key vulnerabilities and providing future mitigation guidance to your organization, you will be strengthening your risk management program as well. A successful and comprehensive VA program can help any organization safeguard its critical information and systems.

The Author

Christopher Cowen is currently a Senior Cyber Security Analyst with the US Department of Defense (Contractor). Mr. Cowen has worked in Information Technology for more than 20 years within both the corporate and government spaces. He is currently focused on information security for nuclear facilities and critical infrastructure security. Chris is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacking professional (CEH), and a Certified Information Security Manager (CISM). He has been a featured speaker all over the world, including at conferences in Qatar, Kazakhstan, Estonia, Ukraine, United Kingdom, Kingdom of Jordan, China, and India. He has written articles in many publications, including Cyber Defense Magazine and Cyber Security: A Peer-Reviewed Journal. You can reach Chris at chrisjcowen@yahoo.com

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Tested – Tenable Nessus v6
    To ensure your servers and workstations are well protected against attacks on your network, you need a professional security scanner. In version 6, Tenable has substantially expanded its Nessus vulnerability scanner. We pointed the software at a number of test computers.
  • Open Source Security Information and Event Management system
    Systems, network, and security professionals face a big problem managing disparate security data from a variety of sources. OSSIM gives IT security professionals the capacity to cut through the noise and gain wisdom and foresight in defending and managing their networks.
  • Security issues when dealing with Docker images
    Although developers appreciate Docker's ease of use and flexibility, many admins are worried about vulnerabilities. We look at various approaches to securing container images and the price to be paid.
  • Managing Port Scan Results with Dr. Portscan

    Regularly scanning the ports on your own network prevents intruders from sneaking in, but if you have dozens or hundreds of servers, you’ll need professional help: Dr. Portscan to the rescue.

  • BackTrack Linux: The Ultimate Hacker's Arsenal

    Penetration Testing and security auditing are now part of every system administrator's "other duties as assigned." BackTrack Linux is a custom distribution designed for security testing for all skill levels from novice to expert.

comments powered by Disqus