
News

Vulnerability Management Needed for Security, Study Says

8/22/2008


Organizations can avoid attacks and minimize security cost overruns by practicing IT vulnerability management, according to a July study published by the Aberdeen Group. The study lays out practices that help IT pros prioritize their patch management for operating systems, applications, and network security infrastructure.

Ignoring the issues won't work, according to Derek Brink, author of the study and vice president and research fellow for IT security at the Boston-based Aberdeen Group.

"Unfortunately, each week brings a new wave of threats and vulnerabilities to be managed," Brink said. "Ignoring or deferring patches for known vulnerabilities is not a responsible strategy, nor is it reasonable for most companies to disconnect their business from the Internet. So managing vulnerabilities simply has to be done."

Aberdeen's study--titled "Vulnerability Management: Assess, Prioritize, Remediate, Repeat"--describes what some respondents are doing to foster an effective vulnerability management program.

The "best-in-class" firms described in the study share several common characteristics. For example, 70 percent of respondents in this category have consistent policies for managing patches and vulnerabilities, and 67 percent say they monitor external sources for vulnerabilities, threats and remediation tactics. Most strikingly, 93 percent maintain an inventory of all IT assets and run regular patch scans against it.

For every dollar invested in a vulnerability management program, companies avoid $1.91 in vulnerability fix-related costs, a net gain of 91 cents per dollar, which the report describes as a marginal return on investment of 91 percent.

The report suggests four essential steps to implementing a vulnerability management program that pays off.

The first step is to understand the computing environment: how it works, which IT assets are essential, and which threats pose the greatest risk to the organization.

Second, prioritize. IT pros should maintain a current inventory of all IT assets, along with a database of known vulnerabilities and their fixes, and run an initial risk assessment against it. As with Microsoft's Patch Tuesday releases, know which fixes require the greatest attention: which are rated critical and which merely important.
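The prioritization step above amounts to a join: every installed software version in the asset inventory is matched against the vulnerability database, and each hit is scored by severity, asset criticality and exposure. The script below is an added example and is not code from the Aberdeen study; the asset names, product names, version numbers, vulnerability identifiers (VULN-0001 and so on) and severity weights are all constructed for illustration and do not refer to real systems or real vulnerabilities.

```python
"""Prioritize patching by joining an asset inventory against a vulnerability
database.  Added example, not the study's own code; all data is constructed."""
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (business-critical), assigned by the owner
    internet_facing: bool   # exposure: reachable from outside the perimeter
    software: dict          # product -> installed version, as dotted numerals

@dataclass
class Vuln:
    vid: str                # constructed identifier, not a real CVE
    product: str
    fixed_in: str           # first version that contains the fix
    severity: str           # "critical" | "important" | "moderate" | "low"
    exploit_public: bool    # a working exploit is known to circulate
    fix: str                # remediation text from the vulnerability database

# Severity labels as used for Patch Tuesday releases, mapped to a weight (assumption).
SEVERITY_WEIGHT = {"critical": 10, "important": 7, "moderate": 4, "low": 1}

def parse_version(v: str) -> tuple:
    """Turn '2.2.8' into (2, 2, 8) so versions compare numerically, not lexically.
    Assumes purely numeric dotted versions; tuples of unequal length compare
    element-wise, so '2.2' sorts before '2.2.1'."""
    return tuple(int(p) for p in v.split("."))

def is_affected(installed: str, fixed_in: str) -> bool:
    """An asset is affected when its installed version predates the fix."""
    return parse_version(installed) < parse_version(fixed_in)

def risk_score(asset: Asset, vuln: Vuln) -> float:
    """Severity times asset criticality, doubled for internet exposure and
    raised by half again when a public exploit exists (weights are assumptions)."""
    score = float(SEVERITY_WEIGHT[vuln.severity] * asset.criticality)
    if asset.internet_facing:
        score *= 2
    if vuln.exploit_public:
        score *= 1.5
    return score

def prioritize(assets, vulns):
    """Join inventory against the vulnerability database and return
    (score, asset, vuln id, fix) tuples, highest risk first."""
    findings = []
    for a in assets:
        for v in vulns:
            installed = a.software.get(v.product)
            if installed is None:              # product not on this asset
                continue
            if is_affected(installed, v.fixed_in):
                findings.append((risk_score(a, v), a.name, v.vid, v.fix))
    # Deterministic order: score descending, then asset and vuln id for ties.
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings

# Constructed inventory and vulnerability database (hypothetical data).
ASSETS = [
    Asset("web-01", 5, True,  {"webserver": "2.2.8", "tls-library": "0.9.8"}),
    Asset("db-01", 5, False, {"database": "8.3.1"}),
    Asset("kiosk-07", 1, False, {"webserver": "2.2.8"}),
]
VULNS = [
    Vuln("VULN-0001", "webserver",   "2.2.9", "important", True,  "upgrade webserver to 2.2.9"),
    Vuln("VULN-0002", "tls-library", "0.9.9", "critical",  False, "upgrade tls-library to 0.9.9"),
    Vuln("VULN-0003", "database",    "8.3.3", "moderate",  False, "apply database 8.3.3 patch"),
    Vuln("VULN-0004", "webserver",   "2.2.0", "low",       False, "already fixed in 2.2.0"),
]

if __name__ == "__main__":
    for score, asset, vid, fix in prioritize(ASSETS, VULNS):
        print(f"{score:6.1f}  {asset:9}  {vid}  {fix}")
```

Note that VULN-0004 is dropped because the installed version already contains the fix, and that the "important" web server flaw with a public exploit on the internet-facing host outranks the "critical" library flaw without one; whether that ordering is right for a given organization depends on the weights, which is exactly the risk-assessment decision the report asks IT pros to make explicitly rather than by default.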
