Many organizations struggle with identifying and patching all vulnerabilities.

Legacy systems that cannot be patched without impacting operations, a lack of tools to identify all vulnerabilities or deploy all third-party patches, and difficulty meeting the remediation timelines associated with patching requirements are just a few of the reasons organizations struggle with vulnerability management.

If organizations do not comprehensively address all aspects of vulnerability management, information systems are very likely to be impacted, whether by performance degradation or by outright system compromise. These vulnerability management failures are the focus of pitfall #50 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.

Vulnerability scans of all information systems, including all infrastructure devices, should be performed at least monthly. Scans should also be performed when new vulnerabilities with potentially immediate impact (e.g., “zero-day” vulnerabilities) are identified or reported. This does not mean all systems need to be scanned at the same time. In fact, scanning all assets at the same time could have a negative impact on the performance of your networks. Even though scanning is generally performed during non-business hours, it does require notable network bandwidth, as well as system resources of the devices being scanned.

Specific information to support the vulnerability management process should include the software vendor, version number, and current state of deployment (i.e., what software is installed on which systems). The personnel within your organization who are responsible for each piece of software should also be defined.
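To make the two preceding points concrete, the following is an added example (not code from the article or its author) of a minimal software inventory that drives the scanning cadence described above: it flags assets whose last scan is older than the monthly interval, spreads scans across several windows rather than hitting every asset at once, and, when a vulnerable vendor/product/version is reported, tells you which assets are affected and which owner is responsible. All asset names, owners, vendors, versions and dates are constructed sample data.

```python
"""Added example: a small asset/software inventory used to drive vulnerability
management. Everything below (asset names, owners, "ExampleCo" products, dates)
is constructed sample data, not taken from the article."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class SoftwareInstall:
    vendor: str
    product: str
    version: str


@dataclass
class Asset:
    name: str
    owner: str                      # team responsible for the software on this asset
    last_scan: Optional[date]       # None means the asset has never been scanned
    software: List[SoftwareInstall] = field(default_factory=list)


SCAN_INTERVAL = timedelta(days=30)  # "at least monthly" cadence from the article


def overdue_assets(assets: List[Asset], today: date,
                   interval: timedelta = SCAN_INTERVAL) -> List[str]:
    """Names of assets never scanned or last scanned longer ago than the interval."""
    return [a.name for a in assets
            if a.last_scan is None or today - a.last_scan > interval]


def stagger(assets: List[Asset], windows: int) -> List[List[str]]:
    """Spread assets round-robin over N scan windows, oldest scans first, so no
    single window carries the whole estate's bandwidth and CPU cost."""
    ordered = sorted(assets, key=lambda a: (a.last_scan or date.min, a.name))
    groups: List[List[str]] = [[] for _ in range(windows)]
    for i, a in enumerate(ordered):
        groups[i % windows].append(a.name)
    return groups


def affected_by(assets: List[Asset], vendor: str, product: str,
                vulnerable_versions: Set[str]) -> Dict[str, List[str]]:
    """Map owner -> affected asset names for a newly reported vulnerable
    (vendor, product, version) set, so the out-of-cycle scan can be targeted
    and the responsible personnel notified."""
    hits: Dict[str, List[str]] = {}
    for a in assets:
        for s in a.software:
            if (s.vendor == vendor and s.product == product
                    and s.version in vulnerable_versions):
                hits.setdefault(a.owner, []).append(a.name)
    return hits


# Constructed sample inventory and reference date.
TODAY = date(2024, 3, 15)
INVENTORY = [
    Asset("web-01", "platform-team", date(2024, 3, 1),
          [SoftwareInstall("ExampleCo", "AppServer", "2.1")]),
    Asset("web-02", "platform-team", date(2024, 2, 10),
          [SoftwareInstall("ExampleCo", "AppServer", "2.0")]),
    Asset("db-01", "dba-team", date(2024, 2, 20),
          [SoftwareInstall("ExampleCo", "DBEngine", "9.4")]),
    Asset("legacy-hmi", "ops-team", None,          # legacy box, never scanned
          [SoftwareInstall("ExampleCo", "AppServer", "1.9")]),
    Asset("fw-edge", "network-team", date(2024, 3, 10),
          [SoftwareInstall("ExampleCo", "FirewallOS", "7.2")]),
]

if __name__ == "__main__":
    print("overdue:", overdue_assets(INVENTORY, TODAY))
    print("windows:", stagger(INVENTORY, 2))
    print("affected:", affected_by(INVENTORY, "ExampleCo", "AppServer", {"1.9", "2.0"}))
```

The owner field is what turns a scan finding into an actionable ticket: without it, `affected_by` can only produce a list of hostnames, not the person who has to decide whether the legacy system gets patched, isolated, or accepted as a risk.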