The Compass, October 2008
Vulnerability Management - Your Best Weapon in the Fight to Keep Your Infrastructure Secure
by Jeff Porn
Information Security Consultant, Risk and Compliance Group
Compushare, Inc.
The idea of controlling or eliminating vulnerabilities is nothing new to anyone who has the responsibility of managing an IT infrastructure. This individual knows that having the right tools in their toolbox is one of the most important steps towards successfully securing their network environment. However, merely possessing the tools themselves is not a solution in and of itself.
While ongoing scans are key to knowing exactly what vulnerabilities threaten your environment, acting on those vulnerabilities is a must. What good is having a Vulnerability Management (VM) solution if the only thing being accomplished is utilizing precious drive space with unreviewed reports? In addition to the scans and reports, the professional services that are offered with these outsourced solutions are among the most valuable features of the offering. These services can range from monthly reviews conducted by subject matter experts who can advise and guide your IT staff on how best to address vulnerabilities, to Financial Systems Engineers working hands-on with your IT staff in vulnerability remediation. In both scenarios, the common goal is to reduce the overall number of vulnerabilities threatening your network environment.
Allow me to illustrate the results that are possible by taking advantage of all the features offered with an outsourced Vulnerability Management solution. Following are two real-world client examples: one takes full advantage of the monthly reviews and guidance from Compushare's VM consultants in order to assist their own IT staff in remediation efforts, and the other utilizes both the monthly reviews and on-site engineers offered by Compushare to address and eliminate vulnerabilities.
In the first example, the client has been using monthly Vulnerability Management scans for nearly two years. In that time, they have effectively reduced their overall number of addressable vulnerabilities from 152 to one. The remaining vulnerability requires a simple hardware upgrade that will take place before the year’s end. This drastic improvement was easily accomplished by regular monthly report reviews between their IT staff and the Compushare VM consultant, who was able to provide expert guidance to their staff on steps to effectively address each vulnerability.
The second example provided is of a client who has been utilizing monthly Vulnerability Management scans for just over two years and has been able to reduce their overall number of addressable vulnerabilities from 155 to 11. This was accomplished by taking advantage of the monthly reviews by Compushare VM consultants combined with the benefit of on-site Financial Systems Engineers to assist in the actual remediation of identified vulnerabilities.
In both circumstances a plan was created, and each vulnerability was individually addressed and eliminated. At times, the approach can be a challenging and time-consuming process, but the end result, as demonstrated in both examples, speaks for itself. These clients have achieved greater confidence that their networks are secure and, more importantly, the information and data residing on their networks remain safe and sound as required by the institution and regulators alike.
Once these levels of assurance are reached, the work is by no means considered "complete." Both clients continue to follow the same review and remediation steps every month, and by doing so have been able to maintain a high level of safety even as new vulnerabilities are introduced weekly. Both these institutions know that network and information security is not an event at a single point in time, but a continuous process, and they further seek to optimize the value of the services they engage their third-party VM provider to perform.
You may be saying to yourself, my environment is more complex or larger than most. In both case studies, the clients represent the typical size and network complexity of the majority of community banks and credit unions in the United States. Even if your environment is more complex or larger than average, distinct and rewarding results are absolutely achievable by taking full advantage of all that is offered with a Vulnerability Management solution and taking an active role in ensuring the security of your environment. You and your institution can rest easier knowing that you are taking the required steps to keep your network and information safe.