Manage vulnerability to assess risk

News by Dan Raywood

Companies should practise IT vulnerability management to avoid attacks and minimise security costs.

According to a report by the Aberdeen Group, companies should prioritise their patch management strategies for operating systems, applications and network security frameworks.


Derek Brink, author of the study and a vice president of Aberdeen Group, claimed that ignoring the issues will not work. His report showed that 70 per cent of respondents have consistent policies for managing patches and vulnerabilities, 67 per cent said that they monitor external sources for vulnerabilities, threats and remediation tactics, and 93 per cent of those polled maintained an inventory of all IT assets and conducted regular patch scans.


Brink said: “Unfortunately, each week brings a new wave of threats and vulnerabilities to be managed. Ignoring or deferring patches for known vulnerabilities is not a responsible strategy, nor is it reasonable for most companies to disconnect their business from the Internet. So managing vulnerabilities simply has to be done.”


The report, titled ‘Vulnerability Management: Assess, Prioritize, Remediate, Repeat’, describes what some respondents are doing to foster an effective vulnerability management programme. It suggests four essential steps to implementing a vulnerability management programme that pays off.


The first step is to understand the computer processing environment: how it works, which IT assets are essential and which threats pose the greatest risk to the organisation. Secondly, IT professionals should maintain a constant inventory of all IT assets, along with a database of known vulnerabilities and fixes, and run an initial risk assessment.


Thirdly, it recommends testing fixes, patches and repairs after installing software upgrades; the last step is to repeat steps one to three and then monitor the results.
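The four steps above describe a loop rather than a one-off project. The following Python script is an added illustration of that loop and is not code from the Aberdeen report or from this article. It joins a constructed asset inventory (criticality 1 to 5) with a constructed database of known vulnerabilities and their fixed versions, scores each finding as criticality times severity, remediates the highest-risk findings within a fixed budget of patch slots, verifies each fix, and re-assesses. All asset names, package names, versions and VULN-000n identifiers are invented placeholders, not real products or CVEs.

```python
"""Added example of an assess / prioritise / remediate / repeat cycle.
All data below is constructed for illustration; the identifiers are not real CVEs."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    criticality: int              # 1 (low) .. 5 (essential to the business)
    installed: Dict[str, str]     # package name -> installed version


@dataclass
class KnownVuln:
    vuln_id: str                  # placeholder id, e.g. "VULN-0001"
    package: str
    fixed_in: str                 # first version that contains the fix
    severity: int                 # 1 (low) .. 10 (critical)


Finding = Tuple[int, str, str]    # (risk score, asset name, vuln id)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple: '1.0.2' -> (1, 0, 2)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    """An asset is affected while its installed version is older than the fix."""
    return version_tuple(installed) < version_tuple(fixed_in)


def assess(assets: List[Asset], vulns: List[KnownVuln]) -> List[Finding]:
    """Step 1 and 2: join the inventory with the vulnerability database and
    rank findings by risk = asset criticality * vulnerability severity."""
    findings: List[Finding] = []
    for asset in assets:
        for vuln in vulns:
            installed = asset.installed.get(vuln.package)
            if installed is not None and is_affected(installed, vuln.fixed_in):
                findings.append((asset.criticality * vuln.severity, asset.name, vuln.vuln_id))
    # highest risk first; name and id break ties so the order is deterministic
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


def remediate(asset: Asset, vuln: KnownVuln) -> None:
    """Simulate applying the patch by upgrading the package to the fixed version."""
    asset.installed[vuln.package] = vuln.fixed_in


def verify(asset: Asset, vuln: KnownVuln) -> bool:
    """Step 3: confirm the fix actually closed the finding before moving on."""
    return not is_affected(asset.installed[vuln.package], vuln.fixed_in)


def run_cycle(assets: List[Asset], vulns: List[KnownVuln], budget: int) -> List[Finding]:
    """One pass of the loop: assess, patch the top `budget` findings, verify each,
    then re-assess (step 4) and return what is still open for the next cycle."""
    by_name = {a.name: a for a in assets}
    by_id = {v.vuln_id: v for v in vulns}
    for _risk, asset_name, vuln_id in assess(assets, vulns)[:budget]:
        asset, vuln = by_name[asset_name], by_id[vuln_id]
        remediate(asset, vuln)
        if not verify(asset, vuln):
            raise RuntimeError(f"{vuln_id} on {asset_name} is still open after patching")
    return assess(assets, vulns)


def sample_inventory() -> Tuple[List[Asset], List[KnownVuln]]:
    """Constructed sample data: three assets and three known vulnerabilities."""
    assets = [
        Asset("db-server", 5, {"libfoo": "1.0.1", "webapp": "2.4.1"}),
        Asset("dev-laptop", 2, {"libfoo": "1.0.1", "agent": "3.0"}),
        Asset("web-proxy", 4, {"webapp": "2.4.1", "libfoo": "1.0.3"}),
    ]
    vulns = [
        KnownVuln("VULN-0001", "libfoo", "1.0.2", 9),
        KnownVuln("VULN-0002", "webapp", "2.4.5", 6),
        KnownVuln("VULN-0003", "agent", "3.1", 4),
    ]
    return assets, vulns


if __name__ == "__main__":
    inventory, database = sample_inventory()
    print("initial findings:", assess(inventory, database))
    # two patch slots this week: the database server's two findings go first
    print("open after cycle 1:", run_cycle(inventory, database, budget=2))
    print("open after cycle 2:", run_cycle(inventory, database, budget=3))
```

Running the script shows why the ordering matters: the database server's findings outrank the laptop's even though both run the same vulnerable library version, because the score folds in how essential the asset is. The `verify` step is what turns "we pushed a patch" into "the finding is closed"; in a real environment it would be a rescan rather than a version comparison.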


Brink said: “It's a task which is consuming far too high a percentage of limited IT resources. The fact that leading vendors are calling for collaborative, industry-wide frameworks to address threats and vulnerabilities is strong evidence of the level of pain being expressed by their top customers in this area.”
