Scanners: Software Tools Search For Vulnerabilities

July 16 was a bad day for information-security managers. That was the day Microsoft said there was a critical vulnerability in nearly all current versions of the Windows operating system, and Cisco Systems revealed a critical vulnerability in the operating system used by many of its network switches and routers. When two of the largest and most-important technology vendors warn of serious security problems, it means a frenzy of software patching to plug the holes.

Another day, another vulnerability, another round of patching. It's a routine that's become all too familiar to IT-security pros. The primary points of entry for hackers and viruses continue to be known operating system (41%) and application (26%) vulnerabilities, according to the 2003 InformationWeek Research U.S. Information Security Survey.

There's a tool being overlooked by many security managers that could offer a better way to fight the battle: vulnerability scanners. Raleigh Burns, former security administrator at St. Elizabeth Medical Center in Edgewood, Ky., who recently joined the security company Symantec Corp., says it used to take him six months to find and fix security problems on six servers and verify that the software patches he installed were working. "This is not an easy process," he says. "It's not something you hand off to an intern."

Burns now manages 20 servers running Windows 2000 and looks for problems using several vulnerability scanners, including Nessus, Internet Security Systems Internet Scanner, and e-Eye Digital Security's Retina Digital Security Scanner. But Burns needed help to manage, consolidate, prioritize, and fix problems the scanner uncovered. So he tried Hercules Automated Vulnerability Remediation software from Citadel Security Software Inc. The application helped Burns prioritize security flaws and gave him a list of steps needed to fix those flaws, and can often automatically repair security holes. Now he can fix a problem on 20 servers in 30 minutes.

Vulnerability scanners also are crucial for Barry Suskind, a security architect with the National Association of Security Dealers, which is the parent of the American Stock Exchange and manages over-the-counter securities trading. Suskind uses Qualys Inc.'s QualysGuard to ferret out NASD's security holes.

But few companies make use of vulnerability scanners and other tools, according to the survey. Only 23% say they use vulnerability-assessment tools, 37% plan to implement risk assessment or security testing, and only 28% say they'll implement penetration testing and security audits in the next year.

Return to main story, No Time To Relax

Illustration by Richard Downs