Companies are struggling to get to grips with the basics of vulnerability management.
Chris Schwartzbauer, vice president of development and customer operations at Shavlik Technologies claimed that companies and organisations are working in the dark when it comes to enforcing IT security policy and compliance with external regulations, such as PCI or ISO 27002.
Schwartzbauer said: “You can't secure what you don't know about and unfortunately the unknowns are many. IT administrators are often unaware of all of the servers live on their network; let alone their relevance or desired configuration, mobile computers are missed during scheduled vulnerability checks, old or unauthorised account privileges persist, and virtualisation has made it all too easy for users to ‘create' more machines that must be protected.”
Speaking at the recent PCI Europe conference in Brussels, Schwartzbauer confirmed that security administrators are recognising the need to develop a meaningful overview of what machines are on and connecting to their network.
However he claimed that they are challenged by the complexity of their heterogeneous networks, an overwhelming amount of log data that is too time consuming to interpret, and a reticence to automate where manual processes are no longer adequate.
Schwartzbauer said: “Decision makers, the CIO, Security and risk managers assume the basics are resolved because the investment has been made in sophisticated security strategy and technologies, but it is in the mundane processes, the policy and configuration management where the vulnerability gaps are left wide open.
“Attention must be paid to equipping the administrator with the ability to discover and evaluate all of the systems on and connecting to the network. Companies must work with a solid understanding of whether a given box is relevant and configured for its task, whether users downloaded anything, whether it's all patched - there can be hundreds of checks that administrators will want to and should verify.
“Until these basics are effectively managed, there will always be a risk to company security and any effort at compliance with security policy or external regulation.”