Vulnerability Management Mistakes
2008-10-01
Anton Chuvakin, writing in ComputerWorld, has posted a list of the five most common mistakes made by organizations 'on the path to achieving vulnerability management perfection.'
According to Chuvakin, the five mistakes are: scanning for vulnerabilities but not acting on the results; believing that patching alone is the way to manage vulnerabilities; treating vulnerability management as a purely technical problem; missing the whole picture; and being unprepared for zero-day exploits.
For each item on his list, he explains why it has become such a common mistake and how to understand the underlying problem better. Of vulnerability scanning, Chuvakin states "Vulnerability management is not scanning; it includes it, but what happens after the scan is even more important. This includes asset inventory, prioritising and researching the remediation activities as well as the actual act of patching, hardening or reconfiguration."
While most organizations follow Microsoft's Patch Tuesday religiously, Chuvakin says that patching does not fix everything. He writes, "If you are busy every second Tuesday, but not doing anything to eliminate a broad range of enterprise vulnerabilities during the other 29 days in a month, you are not managing your vulnerabilities."
Chuvakin also goes on to explain how to really 'see the big picture' using risk formulas, why vulnerability management is more than just a 'technical problem', and how to prepare for the unknown: zero-day exploits. You can read the entire article, and the full list of the five most common mistakes, at ComputerWorld.