
Yankee Group defines best practices in vulnerability management

The Yankee Group has announced the development of ‘Dynamic best practices in vulnerability management’ to help organisations better manage network resources to identify and eliminate security weaknesses in a timely manner. The guidelines and metrics developed by the Yankee Group were derived from ‘The laws of vulnerabilities,’ research authored by Gerhard Eschelbeck, CTO of Qualys. ‘Dynamic best practices in vulnerability management’ is a custom consulting report contracted by Qualys from the Yankee Group.

"Performing regular security audits is a vital step companies must take to keep up with the changing security landscape," said Eric Ogren, senior analyst at the Yankee Group. "With each new breed of attack, it is clear that best practices in IT security must be achieved for organisations to effectively protect critical network assets."

The ‘Dynamic best practices in vulnerability management’ position vulnerability management as the one discipline IT can rely on to measure and manage the effectiveness of a network defence programme. The ‘Laws of vulnerabilities’ are derived from the industry's largest vulnerability dataset and describe vulnerability half-life, prevalence, persistence and exploitation trends. These trends were drawn from statistical analysis of vulnerabilities collected by more than three million scans over a two-year period.

Based on these laws, the Yankee Group defines four dynamic best practices for vulnerability management as:
1. Classify: Enterprises should identify and categorise all network resources, then tier the resulting hierarchy of assets by their value to the business. Critical assets should be audited every 5 to 10 days to identify vulnerabilities and protect against exploits. Lower-priority tiers can be scanned less frequently, since the work plans to patch them will also run less frequently.

2. Integrate: To improve the effectiveness of security technologies such as server and desktop discovery systems, patch management systems and upgrade services, enterprises must integrate them with vulnerability management technologies. Best-practice organisations should also report operational progress against vulnerability goals to raise awareness of security within the executive management team.

3. Measure: Enterprises need to measure their networks against the half-life and persistence curves of vulnerabilities. Graphically track the percentage of vulnerabilities mitigated within each 30-day cycle and the number of vulnerabilities that remain open past 180 days. Chart the security team's performance to make sure the end result is risk reduction, especially to

4. Audit: Security officers should use the results of vulnerability scans to understand the corporation's network security posture. Use the metrics to evaluate the successes and failures of different policies and so improve security performance, and use the same audit metrics to communicate security status to senior management.

To access the entire research report, visit the Qualys website at: http://www.qualys.com/yankee

Qualys’ ‘Laws of vulnerabilities’ are:
1. Half-life: The half-life of critical vulnerabilities is 30 days, and it doubles with each lower degree of severity. In other words, even for the most dangerous vulnerabilities it still takes organisations 30 days to patch half of their vulnerable systems, leaving the remainder exposed for a significant period.

2. Prevalence: 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities each year. The continuous discovery of the most dangerous and widespread vulnerabilities produces an ever-changing window of exposure for computers and networks.

3. Persistence: The lifespan of some vulnerabilities is unlimited. Old risks recur partly due to new deployments of PCs and servers with faulty, unpatched software.

4. Exploitation: 80 percent of vulnerability exploits are available within 60 days of the vulnerability's release. Such rapid availability of exploits creates a significant exposure for organisations until they have patched all vulnerable systems.
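The "Measure" practice above and the half-life law both describe metrics that a security team can compute from its own scan history: the share of findings closed within a 30-day cycle, the number still open past 180 days, and how the team's actual remediation compares with the half-life curve. The following Python script is an added illustration, not code from the Yankee Group or Qualys. It assumes a critical half-life of 30 days that doubles for each lower severity tier (the tier names "critical", "high", "medium", "low" are an assumption), and the finding records are constructed sample data, not real scan results.

```python
"""Added example: scoring a set of scan findings against the 30-day, 180-day
and half-life metrics described in the article. Sample data and the
per-severity half-lives are assumptions, not Qualys data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumption: 30 days for critical findings, doubling for each lower tier.
HALF_LIFE_DAYS: Dict[str, int] = {"critical": 30, "high": 60, "medium": 120, "low": 240}


@dataclass
class Finding:
    host: str
    severity: str
    found: date
    fixed: Optional[date] = None  # None means the finding is still open

    def is_open(self, as_of: date) -> bool:
        return self.fixed is None or self.fixed > as_of


def expected_open_fraction(age_days: float, half_life_days: float) -> float:
    """Fraction of instances the half-life curve predicts to be still open."""
    return 0.5 ** (age_days / half_life_days)


def pct_mitigated_within(findings: List[Finding], as_of: date,
                         window_days: int = 30, severity: Optional[str] = None) -> float:
    """Percent of findings closed within window_days of discovery, counting only
    findings old enough to have had a full window before the reporting date."""
    pool = [f for f in findings
            if (severity is None or f.severity == severity)
            and (as_of - f.found).days >= window_days]
    if not pool:
        return 0.0
    closed = sum(1 for f in pool
                 if f.fixed is not None and (f.fixed - f.found).days <= window_days)
    return 100.0 * closed / len(pool)


def count_persistent(findings: List[Finding], as_of: date, days: int = 180) -> int:
    """Findings still open more than `days` after discovery (the persistence metric)."""
    return sum(1 for f in findings if f.is_open(as_of) and (as_of - f.found).days > days)


def half_life_gap(findings: List[Finding], as_of: date, severity: str) -> Dict[str, float]:
    """Compare the measured open fraction for one severity tier with what the
    half-life curve predicts for findings of the same ages. A positive gap
    means remediation is running behind the curve."""
    tier = [f for f in findings if f.severity == severity]
    if not tier:
        return {"actual": 0.0, "expected": 0.0, "gap": 0.0}
    h = HALF_LIFE_DAYS[severity]
    actual = sum(f.is_open(as_of) for f in tier) / len(tier)
    expected = sum(expected_open_fraction((as_of - f.found).days, h) for f in tier) / len(tier)
    return {"actual": actual, "expected": expected, "gap": actual - expected}


# Constructed sample findings; the reporting date is the article's own date.
AS_OF = date(2004, 3, 24)
SAMPLE: List[Finding] = [
    Finding("web-01", "critical", date(2004, 1, 1), date(2004, 1, 20)),   # fixed in 19 days
    Finding("web-02", "critical", date(2004, 1, 1), date(2004, 2, 15)),   # fixed in 45 days
    Finding("db-01", "critical", date(2004, 1, 1)),                       # still open, 83 days
    Finding("app-03", "critical", date(2004, 2, 20), date(2004, 3, 10)),  # fixed in 19 days
    Finding("app-04", "critical", date(2004, 3, 10)),                     # open, too young for a 30-day cycle
    Finding("file-02", "high", date(2003, 9, 1)),                         # open for 205 days
    Finding("print-01", "low", date(2004, 1, 15), date(2004, 3, 1)),      # fixed in 46 days
]


def scorecard(findings: List[Finding] = SAMPLE, as_of: date = AS_OF) -> dict:
    """The three numbers the 'Measure' practice asks the team to chart."""
    return {
        "critical_pct_fixed_in_30d": pct_mitigated_within(findings, as_of, 30, "critical"),
        "open_past_180d": count_persistent(findings, as_of, 180),
        "critical_half_life": half_life_gap(findings, as_of, "critical"),
    }


if __name__ == "__main__":
    for name, value in scorecard().items():
        print(f"{name}: {value}")
```

On the sample data, half of the critical findings that are old enough to judge were closed inside 30 days, one finding has persisted past 180 days, and the critical tier has 40 percent of instances still open where the half-life curve predicts roughly 33 percent, so the team is slightly behind the curve. Charting these three values per 30-day cycle is the graphical tracking the article calls for.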

Date: 24th March 2004 •Region: N.America/World •Type: Article •Topic: ISM



Copyright 2004 Portal Publishing Ltd