Recently, Microsoft released security updates for a total of 23 vulnerabilities for Microsoft products. While this may seem like a lot, these situations do occur. This points to the speed at which new exploits are created and the fact that vendors must rush to patch these vulnerabilities. Some of the most common vulnerabilities businesses face today are unpatched systems and applications. This is one of the primary reasons why vulnerability assessment tools have become so important. These tools can find and identify needed patches, insecure settings, buffer overflows, and a whole host of other security issues. Luckily, there are many vulnerability assessment tools that can be used to find these problems and fix them before they are exploited.
Believe it or not, vulnerability assessment was not created until the mid 1990s. One of the first was Security Administrator Tool for Analyzing Networks. Dan Farmer and Wietse Venema developed it and since then, there have been many vulnerability assessment tools developed. Some examples include:
- LAN Guard
- Open VAS
What all of these tools have in common is that they assess an organization’s applications, computers, and networks to identify technical vulnerabilities before an attacker can exploit them. Generally, vulnerability assessment tools fall into three basic categories: source code scanners, application scanners, and system scanners.
System scanners are one of the most widely used as they probe networks, systems, and their components rather than individual applications. They are also used to test the effectiveness of layered security measures. Most users tend to run these tools on a periodic basis such as weekly or bi-weekly. Most of these tools will list discovered vulnerabilities as: critical, high, medium, or low. Once identified, these tools will point you to a means to mitigate the problem, typically through the installation of a patch. The discovered problems are identified by means of a CVE. The CVE or Common Vulnerabilities and Exposures, is simply a system designed to provide a reference-method for publicly known information-security vulnerabilities and exposures. If you’ve never looked at the list of CVEs, you will want to check out http://cve.mitre.org.
My personal tip is that even if your company cannot afford a commercial vulnerability assessment tool start with a free one such as Open VAS. Running a vulnerability scanner on a periodic basis is one of the most effective things a business can do to avoid common vulnerabilities. Also, keep in mind that you may not be able to fix all identified vulnerabilities. Start with what is identified as critical. These issues should be your first priority then work on items identified as high, medium, and low. Once you get the vulnerability system up and running then you can start using it long term to measure, monitor, and report on information security progress. The best time to start using one of these tools is now, don’t wait until you have a security breach!