By Matthew Hines
eWEEK Security Watch
March 15, 2009

Vulnerability management may be the next big thing in terms of IT
security strategy, but deriving the maximum value out of your efforts
requires hard work and a comprehensive plan, industry insiders

Speaking at the SOURCE Boston conference this week, scanner maker
Tenable Security's Carole Fennelly outlined some of the best practices
that organizations should observe as they attempt to identify and
remediate security weaknesses that exist throughout their IT systems and

While vulnerability scanners such as Tenable's Nessus can provide
organizations with loads of valuable data about potential weak points
throughout their IT ecosystems, if companies don't have the right road
map in place to respond to and act on the results provided by the
assessment tools, they won't realize as many benefits of the
vulnerability management process, Fennelly said.

The expert outlined a series of steps that organizations should follow
to help optimize their efforts, which start with prioritizing exactly
which assets have to be managed most aggressively. That might sound like
obvious advice, but many companies put the carriage in front of the
horse in terms of getting involved with vulnerability management without
first understanding what they need to address, she said.

"Organizations need to create asset lists that define their critical
business systems to help prioritize their efforts; they need to have the
support of different internal groups to create these lists that will
help them mitigate their most critical problems," said Fennelly,
Tenable's director of content. "For instance, if you can classify your
data and know what area of your network certain data is supposed to be
on, then you can tune your scanners to monitor your network
appropriately. But admittedly, trying to get business people to come up
with this type of classification is often the tough part."