Do you know what vulnerabilities exist on your systems?  There is only one way to truly know, and simply running a vulnerability scanner is not enough.

Running a vulnerability scanner, such as Nessus, is a good way to find known vulnerabilities, but it will not tell you about unknown vulnerabilities.  That does not mean you should not run a vulnerability scan, though.  Your adversaries are running vulnerability scanners against your network, and so should you.

Once you know the vulnerabilities, you can determine which ones to patch and which ones to mitigate by other means.  You can then measure the effectiveness of the controls put in place to mitigate the risk, and scan again to see what other vulnerabilities are present.

Simply running the vulnerability scan is not enough, though.  You should do periodic walk-throughs of your environment to ensure physical vulnerabilities do not exist.  You should also talk to your users to get their help in identifying any other vulnerabilities.  Then, of course, there are the unknown vulnerabilities.  How can you manage those?

You can run penetration tests against your own network, or hire a consultant team to do this for you.  But perhaps the best way to limit the vulnerabilities is to remove all unneeded services and applications.  Shrinking the attack surface is the most effective way to minimize your vulnerabilities, and it will make maintaining your systems much simpler.