- Ensure a secure baseline: Most vulnerability scanners will notify the administrator when things change but this is only effective if you're sure that what you have now is properly configured and secure.
- Ensure good test environments: Fixing vulnerabilities involves changing your network and without proper testing the fixing process itself can cause the downtime you’re trying to avoid. Use your vulnerability scanner to map your network and determine what software and hardware your test environment should have. The closer your test environment is to the live network the better testing you can do.
- Ensure your vulnerability scanner is monitoring your network periodically: Most vulnerability scanners will allow you to configure them to automatically scan your network for issues on a schedule. This is a good idea as doing this manually involves risks such as skipping the process in favour of other urgent tasks.
- Prioritize your patch management: Patch management is a challenging process. The longer you take to complete it the higher the risk that someone might exploit an un-patched vulnerability. The ideal patch management scenario involves extensive testing but that will take time. For this reason you should prioritize – your servers take precedence over workstations. Furthermore, patches themselves need to also be prioritized based on their criticality. That way you can plan out your testing schedule to achieve the best testing and the fastest deployment possible.
- Be mindful of the hardware on your network: Generally when we think of network vulnerability management most people would not consider hardware and peripherals. An employee hooking up a wireless network card can be as insidious if not worse than any un-patched vulnerability. For this reason it is essential to ensure your vulnerability scanner is constantly monitoring the hardware that is added or removed to your network.
- Do proper Change management: Networks tend to change often, be it because new software is installed, configurations change or new machines connected to the network. These can all pose a security risk.
This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging need. Learn more on what to look out for when choosing a vulnerability scanner. All product and company names herein may be trademarks of their respective owners.