Vulnerability Assessment

The Importance of Vulnerability Assessment

This control finds known software vulnerabilities and some misconfigurations in computers and networking devices. It can also detect unauthorized computers on the network.

Limitations of Vulnerability Assessment

Vulnerability scanners simply probe services for configuration and version banners, which they cross-reference with their database; they do not test the vulnerabilities themselves. Therefore, they produce many false positives.

Vulnerability assessments only find known vulnerabilities.

In addition, agentless scans can put a heavy load on computers and networking infrastructure. As a result, agentless scans are typically run monthly. This provides a large window of opportunity for malicious users between scans.

Vulnerabilities found on production servers may not get fixed for fear of disrupting the service.

Vidder's Vulnerability Assessment Recommendations

Vidder recommends installing agents in all computers supported by your chosen vulnerability assessment vendor and performing daily scans. Agents provide more information and use far less computer resources than agentless scans. For computers and networking devices that do not support agents, Vidder recommends credentialed scanning, where possible, and performing daily scans. If credentialed scanning is not possible, Vidder recommends scans every two weeks with an agentless scanner.

In addition, Vidder recommends deployment of automated patch management tools and software update tools for operating systems and all third-party software.

Sysadmins should compare the results from back-to-back vulnerability scans to verify that each vulnerability was addressed, whether by patching, by implementing a compensating control, or by documenting it as a reasonable business risk.
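The back-to-back comparison described above, as an added example that is not part of the original page: two constructed sets of scan findings are diffed to show what was fixed, what is new, and which persisting findings still lack a documented disposition (the host names, check identifiers and exception entries are placeholders, not real scanner output).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # scanner's check identifier (constructed placeholder values below)
    severity: str


# Constructed results from two consecutive scans (not real scanner output).
PREVIOUS_SCAN = {
    Finding("web01", "CHECK-1001", "high"),
    Finding("web01", "CHECK-1002", "medium"),
    Finding("db01", "CHECK-2001", "critical"),
}
CURRENT_SCAN = {
    Finding("web01", "CHECK-1002", "medium"),
    Finding("db01", "CHECK-2001", "critical"),
    Finding("db01", "CHECK-2005", "low"),
}

# Findings the team has formally dispositioned (compensating control or accepted risk).
EXCEPTIONS = {
    ("web01", "CHECK-1002"): "compensating control: upstream filter rule, ticket SEC-12 (constructed)",
}


def compare_scans(previous, current, exceptions):
    """Classify findings as fixed, new, or persisting.

    Persisting findings with no documented exception are the ones that still
    need patching, a compensating control, or a risk-acceptance record."""
    fixed = previous - current
    new = current - previous
    persisting = previous & current
    unresolved = {f for f in persisting if (f.host, f.check_id) not in exceptions}
    return {"fixed": fixed, "new": new, "persisting": persisting, "unresolved": unresolved}


def report(result):
    """Render the comparison as one line per finding, grouped by outcome."""
    lines = []
    for label in ("fixed", "new", "unresolved"):
        for f in sorted(result[label], key=lambda f: (f.host, f.check_id)):
            lines.append(f"{label.upper():10} {f.host:6} {f.check_id} ({f.severity})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, EXCEPTIONS)))
```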