Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
TODAY'S NEWS

Send to a friend Feedback

Containing vulnerabilities

New-style vulnerability-management offerings point out which security flare-ups most threaten your network, and help you stomp them out quickly.

By Bob Violino
Network World, 10/21/02

Your vulnerability-assessment software is working great, churning out loads of information on your security soft spots. The problem is, it's working a little too well. You've got so much data from network scans, you can't figure out which security concerns are the most pressing, let alone how to address those quickly and effectively.

Enter the emerging field of vulnerability management. Vulnerability-assessment and other security vendors, such as Foundstone, Qualys, Symantec and Vigilinx, offer new products, feature upgrades or services that help you figure out what to do after the scan. These offerings typically identify which vulnerabilities can affect your network and which need immediate attention.

The ability to manage vulnerabilities, not just scan for them, comes none too soon. The number of vulnerabilities is skyrocketing, according to CERT. It reports the number of computer vulnerabilities for the first half of this year at 2,148 compared to 2,437 for all of 2001.

"Companies need to prioritize the application of security fixes based on the risk to the business," says Michael Rasmussen, a research director at Giga Information Group.

Services, software combo

State Employees Credit Union, a Lansing, Mich., provider of financial services, has found the coupling of an outsourced service with vulnerability-management software an effective way to manage increasing network threats. Because it has extended its network in recent years with wireless automated teller machines and Web-based home banking applications, the credit union has watched potential vulnerabilities rise.

Worried that conventional vulnerability-assessment tools couldn't keep up with new threats, and knowing that he couldn't afford to devote a staff member to full-time vulnerability scanning, Alan Darbe, vice president of IS at the credit union, says he decided to try Digital Defense's Frontline service and vulnerability-management tool. With Digital Defense's help, Darbe quickly evaluates reported vulnerabilities to determine the financial and operational risk to the firm. Then, using the vulnerability-management software, he and his team immediately address high-risk threats. The software also updates the fixes as needed.

A managed service and reporting tool is helping the network team at State Employees Credit Union keep vulnerabilities under control, says Alan Darbe, vice president of IS.  

Previously, the credit union had "no formal way of assessing vulnerabilities" to stop attacks, Darbe says. "Now we're taking a more proactive approach."

For example, a Digital Defense scan showed that an intruder could get access to internal passwords. Needless to say, the credit union fixed that problem.

The credit union spends about $50,000 per year for the vulnerability-management service, which Darbe says has greatly eased and speeded up the process of tracking and fixing security soft spots.

The money on vulnerability management is well spent, he adds, because information security is a priority for the firm, which holds hundreds of millions of dollars of members' savings.

Making the impossible, possible

If you're looking for a stand-alone vulnerability-management tool, expect to spend in the tens-of-thousands of dollars range. Base prices range anywhere from $10,000 to $50,000, with additional charges per IP address, or device, to be scanned (see chart).

The reporting capabilities are worth the investment in vulnerability-management tools, some users say. At Lancaster General Hospital in Pennsylvania, IS Security Manager Terry Grogan relies on PentaSafe Security Technologies' VigilEnt Security Manager vulnerability-management tool to guard against attacks to its mixed network of Unix and Windows NT servers.

Keep an up-to-date inventory of hardware, operating systems and applications, so you can identify which specific vulnerabilities could affect your company.
Prioritize vulnerabilities based on the potential risk to the business, and address those with the highest level of risk first.
Develop procedures for quickly applying fixes to particular vulnerabilities.
Keep track of who is responsible for specific vulnerabilities and whether the correct fixes were successfully applied.

The software continuously audits networks and systems for vulnerabilities, recommends corrective action and generates detailed reports nightly across computing platforms.

The hospital uses the product mostly for its reporting capabilities, Grogan says. "It lets me know user activity levels and alerts me to any significant security events, weak passwords or other concerns. In the past I had to read 110 network logs a day to see if there was any suspicious activity. It was an impossible chore. I looked at only our most critical servers because l didn't have the time to look at anything else," she explains.

At Motorola, security managers had relied on sporadic reports from division-level operations staff for its vulnerability assessments. "In some cases, they did a really good job; in others they were not as diligent. So we had wide disparities in our degree of visibility," says Bill Boni, chief information security officer at the Schaumburg, Ill., company. Now Motorola uses Foundstone's FoundScan software to centralize vulnerability scanning on its global network, which operates in 47 countries and connects 200,000 devices, and to assess the risk of found vulnerabilities, he says.

Using the software, Motorola scans its internal network for vulnerabilities every month and its network perimeter every other week, Boni says. The Foundstone software identifies what threats are the biggest risks, he adds. Motorola used to scan the network only several times each year; it was prohibitively costly to scan more often because of the network's vast size, he notes.

With vulnerabilities identified and prioritized, you will also need firm procedures for applying needed fixes quickly (see story, "Practical patch management"). The team approach works for some. Cincinnati Children's Hospital in Ohio has a 10-person incident response team, with individuals specializing in areas such as virus protection, Internet security, intrusion detection, firewalls and various operating systems. Team members are notified whenever a vulnerability is found, and gather when an exploited vulnerability would have high impact on the company.

"Our policy is if there's any kind of vulnerability — whether it comes in from the help desk or anywhere else — it goes to the [security] team," says Mike Belmont, associate director of IS security at the hospital.

No doubt, as the number of security threats rises, vulnerability management will become a standard part of corporate security strategy.

Getting a fix on vulnerabilities
This sample of tools and services fall into the emerging vulnerability- management field.
Vendor Product Pricing Description
BindView bv-Control Pricing not available Uses vulnerability assessment to find security holes and configuration management to close security holes, enforce security policies and configure systems to best practices. It helps managers audit critical systems, report vulnerabilities, enforce policies and establish security standards.
Configuresoft Enterprise Configuration Manager 4.0 software Starts at $995 per server and $30 per workstation. Provides an enterprise view of security settings for every Windows NT or higher server and desktop in a network; lets administrators assess systems for vulnerabilities and compliance with security policies; can centrally change configurations on any machine or group of machines to correct problems discovered by vulnerability scanners.
Digital Defense DDI Frontline 2.0 service and software Based on the number of IP addresses assessed and network size and complexity Provides recurring external and internal vulnerability scanning and penetration testing; tool lets managers track the resolution of vulnerabilities.
Foundstone FoundScan software and service Starts at about $30,000, based on the number of scanned devices and IP addresses. It is also available as a managed service. Software measures and resolves security vulnerability risks in traditional networks, wireless access points and Web applications; provides network mapping, integrated remediation management, a continually updated vulnerability database, short- and long-term trend analysis and Web-based reports.
nCircle Network Security IP360 Network Exposure Management System Pricing not available Provides network monitoring, alerts, reporting and vulnerability responses. One feature automatically blocks traffic to network devices with newly discovered security flaws.
Mazu Networks Mazu Enforcer software      Starts at $32,000, based on configuration options. Lets companies monitor network traffic for vulnerabilities; includes reporting tools.
PentaSafe Security Technologies VigilEnt Security Manager 3.1 software $10,000 base; agents are priced per platform ($1,100 for a Windows NT agent, for example). Continuously audits networks and systems for security vulnerabilities; lets managers identify vulnerabilities, take corrective action, and generate detailed reports across multiple platforms.
Predictive Systems Information Sharing and Analysis Centers (ISAC) services Starts at $50,000 per year for 25 users. Based on ISACs, a shared database of security threats, vulnerabilities, incidents and solutions. “Vulnerability matching module” lets managers know if a particular vulnerability matches a piece of equipment, operating system or application within their company, and determine how critical the threat is.
Qualys QualysGuard Ranges from $995 for one IP address to $59,995 for 256 IP addresses. Identifies and eliminates network vulnerabilities through a Web-based architecture; sends IT managers fixes and patches based on the severity of the vulnerabilities.
Symantec Enterprise Security Manager 5.5 host-based application Pricing not available Host-based application provides security policy compliance management, including the discovery of policy deviations and vulnerabilities. It identifies systems that are vulnerable to a specific threat, and helps managers prioritize fixes.
Vigilinx IntelliShield service $40,000 to $100,000 yearly fee, depending on number of users Continually monitors a database of threats and vulnerabilities, lets managers track vulnerabilities on more than 5,500 IT products.
Source: Network World

Violino is a freelance writer covering business and technology. He can be reached at bviolino@optonline.net.

Related Links

Buyer's Guide: Vulnerability-assessment tools
Vulnerability-assessment tools edge toward usefulness in large networks.
Network World, 02/04/02

Defending the extended enterprise
Are firewalls enough? Should you invest in a bundled security product? What type of security planning should you undertake? We explore what it takes to secure your changing enterprise in this special report.
Network World, 07/29/02

Security research center
Get the latest news, alerts, opinions, reviews and more.

Apply for your free subscription to Network World. Click here. Or get Network World delivered in PDF each week.

Get Copyright Clearance
Request a reprint or permission to use this article.

To top

NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.
* HOME    * RESEARCH CENTERS     * NEWS     * EVENTS

Contact us | Terms of Service/Privacy | How to Advertise
Reprints and links | Partnerships | Subscribe to NW
About Network World, Inc.

Copyright, 1994-2006 Network World, Inc. All rights reserved.