
Are You Vulnerable?: Page 6 of 13

• Do we have tiered defenses?

• Do we keep up-to-date with patches? Do we have a patch-deployment system in place that can distribute updates in a timely manner?

• Do we use an automated VA tool to identify potentially vulnerable systems?

According to our reader survey and the obviously abysmal state of the industry at large, we'd venture to say that the majority will answer "No" to most of these questions. This not only means increased risk, but increased costs, and it's where the business case comes into play: Like it or not, vulnerabilities cost money. Clean-up costs money. Lost work costs money. And not having a vulnerability-management plan in place will ultimately--you guessed it--cost money.

An interesting paper was released late last year discussing some of the vulnerability-management efforts at NASA (see www.sans.org/top20/GISRA_NASA.pdf). According to the study, NASA determined that the vast majority of its security incidents were related to a specific subset of total vulnerabilities. The agency concluded that it could reduce its risk profile by addressing this subset of known vulnerabilities. The result was an organization-wide vulnerability assessment and mitigation war, launched by NASA's CIO, that involved a few key components:
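To make the NASA finding concrete, here is an added example (not code from the article or from NASA) of the prioritization logic it implies: rank known vulnerabilities by the share of incidents attributed to them, keep the smallest subset that explains a target share of incidents, and map that subset back to the hosts where a scanner found it. The incident records, vulnerability IDs and host names are constructed sample data.

```python
from collections import Counter

# Constructed sample data (hypothetical IDs, not from the article): each
# incident record names the vulnerability that was exploited, and each
# vulnerability maps to the hosts on which a VA scan found it.
INCIDENTS = [
    "VULN-A", "VULN-A", "VULN-A", "VULN-A", "VULN-A",
    "VULN-B", "VULN-B", "VULN-B",
    "VULN-C", "VULN-C",
    "VULN-D",
    "VULN-E",
]
SCAN_FINDINGS = {
    "VULN-A": {"host1", "host2", "host3"},
    "VULN-B": {"host2", "host4"},
    "VULN-C": {"host5"},
    "VULN-D": {"host1"},
    "VULN-E": {"host6"},
    "VULN-F": {"host7", "host8"},  # scanner found it, never tied to an incident
}

def incident_share(incidents):
    """Return {vuln: fraction of incidents attributed to it}, highest share first."""
    counts = Counter(incidents)
    total = len(incidents)
    return {vuln: count / total for vuln, count in counts.most_common()}

def priority_subset(incidents, target=0.8):
    """Greedily pick the fewest vulnerabilities whose incidents reach `target` share."""
    chosen, covered = [], 0.0
    for vuln, share in incident_share(incidents).items():
        if covered >= target:
            break
        chosen.append(vuln)
        covered += share
    return chosen, covered

def remediation_targets(subset, findings):
    """Hosts the scan says carry any vulnerability in the priority subset."""
    hosts = set()
    for vuln in subset:
        hosts |= findings.get(vuln, set())
    return sorted(hosts)

if __name__ == "__main__":
    subset, covered = priority_subset(INCIDENTS)
    print(f"{len(subset)} of {len(SCAN_FINDINGS)} vulns explain {covered:.0%} of incidents: {subset}")
    print("hosts to patch first:", remediation_targets(subset, SCAN_FINDINGS))
```

With the sample data, three of six scanner-reported vulnerabilities account for over 80% of incidents, so patching five hosts addresses the bulk of observed risk before the remaining findings are worked.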