Policy management is critical. Enterprise policies start at the top of an organisation and require executive oversight. Policies determine the nature of controls used to ensure security, such as standard configurations for all security devices and applications including antivirus, firewall and intrusion prevention. Policies and controls should also cover servers, network services, applications and end-user PCs. In the past, policy management was a manual, cumbersome process. New software tools can automate some aspects of policy management and enforce configurations on endpoint devices. Automation saves time, improves accuracy and lowers total cost of ownership.
It is only possible to secure what you know you have. You need to find vulnerabilities before you can fix them. Creating and maintaining a current database of all IP devices attached to the network is an absolute must. It is also useful to categorise assets by business value to prioritise vulnerability remediation. An accurate inventory ensures that you select and apply the correct patches during the remediation phase. Discovering devices, software and services and tracking this inventory can be done manually. However, it is possible to automate the entire discovery and inventory tracking process with scanning software tools.
A vulnerability scan tests the effectiveness of security policy and controls by examining the network infrastructure for vulnerabilities. The scanning process will systematically test and analyse IP devices, services and applications against known security holes. There are many software tools available that will perform vulnerability scanning. Some are open-source and freely downloadable, such as the Nessus public domain scanner. Commercial solutions such as the web-based QualysGuard service run the scans for you over the Internet and provide the more comprehensive reporting functionality that you would expect from a commercial vendor. Another advantage of a commercial service is that it is always up to date with the most recent vulnerabilities. As with anti-virus technology, a scanner is only as good as its most recent database.
Classify the Risk. It is practically impossible to fix everything at once. Most scanners will rank vulnerabilities, helping you to determine what to fix first. Microsoft, for example, publishes four categories of risk: Critical, Important, Moderate and Low, with corresponding rates of remediation.
Software always has and always will have bugs, so it is prudent to pre-test patches before applying them to live systems. Some faulty patches have crashed business processes. Most problems with patches are due to third-party applications or modifications to default configuration settings. It is also important to verify cryptographic checksums, Pretty Good Privacy signatures and digital certificates to confirm patch authenticity.
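The checksum step described above can be scripted so that a patch is staged for testing only when its digest matches the vendor's published value. The following is an added example, not code from the original article: it checks downloaded files against a `sha256sum`-style manifest and fails closed on files the manifest does not list. It assumes the manifest itself has already been authenticated (for example by its PGP signature); the file names and contents are constructed sample data.

```python
import hashlib
import hmac
import os
import tempfile

def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex>  <filename>') into {name: digest}."""
    digests = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest> <name>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"manifest line {lineno}: not a SHA-256 digest")
        digests[name] = digest
    return digests

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large patch bundles are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_patch(path, digests):
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded patch file."""
    expected = digests.get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # fail closed: no published digest, do not stage it
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def demo():
    """Constructed sample: three files, one altered after the manifest was made."""
    contents = {"patch-a.bin": b"fix A", "patch-b.bin": b"fix B", "extra.bin": b"?"}
    manifest = "# constructed manifest\n" + "".join(
        f"{hashlib.sha256(contents[n]).hexdigest()}  {n}\n"
        for n in ("patch-a.bin", "patch-b.bin"))
    contents["patch-b.bin"] += b" altered"  # simulate corruption after publication
    digests = parse_manifest(manifest)
    with tempfile.TemporaryDirectory() as d:
        for name, data in contents.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return {n: verify_patch(os.path.join(d, n), digests) for n in contents}
```

A matching checksum only shows the file is the one the manifest describes; the signature or certificate check on the manifest is what ties it to the vendor.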