Published: November 3, 2005
NETWORK ADMINISTRATORS ARE CLEARLY SERIOUS ABOUT PROTECTING THEIR SYSTEMS FROM OUTSIDE ATTACKS. The anti-virus software is in place; the firewall is up and running; the antispam software is keeping the offers of “cheap Canadian Viagra” away from the employees’ inboxes; and the content filtering software is keeping the staff on the straight and narrow with their Web surfing. Everything is fine … or is it?

McChord Air Force Base in Washington state took protecting its systems extremely seriously. Its staff tried different products, including some homegrown solutions, but the lack of a reporting feature to see whether patches had been properly applied continued to be a problem. They then implemented an automated vulnerability remediation solution, which provided McChord with the accurate reporting it needed along with a library of more than 20,000 vulnerability remedies — improving its overall vulnerability management by remediating unsecured accounts, unnecessary services, backdoors, misconfigurations and software defects. Before this tool was implemented, McChord was 60 to 70 percent effective in finding and patching vulnerabilities; now it is 96 percent effective. When your system is used to help save lives, that’s a big difference.

McChord’s success demonstrates the importance and value of a comprehensive solution. The truth is, vulnerability management must be comprehensive to really provide the level of security and protection organizations need today — especially in the government, where protection of data is not only mission-critical but often life-critical. In most organizations, only some of the vulnerabilities plaguing networks are being addressed, and it is impossible for a typical staff to manually stay on top of all the problems that crop up on the network. But there is a solution that actually works: automated vulnerability remediation (AVR).
Demands on IT Security

Virus software and firewalls are necessary, but they can’t completely protect a network, because there is always the chance of them being compromised. At the same time, manually trying to rid the network of vulnerabilities is impossible. Not only will administrators spend their time fighting fires as they occur instead of preventing intrusions, they’ll never have enough time to properly remedy the systems. Add to this the challenges of operating IT systems within the federal government: Systems have to be secure enough to prevent attacks from cyberterrorists and hackers, yet also open to the government’s users inside the agency, from other agencies and often U.S. citizens. Demands for more functionality are coupled with the reality of IT outsourcing, shrinking staff and increasing compliance mandates. With all these restrictions, it’s easy for vulnerability remediation to be dismissed as a cumbersome, resource-intensive process. Administrators may believe that it is just too tough to implement, but vulnerability remediation doesn’t have to be an impossible task.
According to studies done by SANS/FBI, Carnegie Mellon and others, more than 90 percent of all cyber attacks took advantage of a known, fixable vulnerability that had not been remedied. Fixing software vulnerabilities through patch management is an option, but only 20 to 30 percent of all vulnerabilities can be fixed through a patch management tool. The other types of vulnerabilities are:

- Unsecured Accounts: This includes accounts with no password, no password expiration or a known vendor-supplied password.
- Unnecessary Services: Peer-to-peer services, such as Telnet and KaZaa, are the most common. These programs usually install with a default installation that is the most flexible and usable, but also the most vulnerable.
- Backdoors: MyDoom.A, W32.Beagle.I@mm and NETBUS are just a few programs that will allow remote access and control of a computer.
- Misconfigurations: NetBIOS shares and anonymous FTPs are two common misconfigurations that can offer unrestricted access to your network.
- Software Defects: Buffer overruns, RPC-DCOM and SQL Injection are some of the software defects that can be fixed by patches or upgrades issued through the vendor. Before the patches are issued, the defect will need to be fixed by a workaround.
All these challenges can seem overwhelming — there’s no way a network administrator or staff can manually handle all the vulnerabilities that are constantly cropping up. It’s been estimated that it takes approximately one hour to fix just one vulnerability, or 100 hours to fix one computer. Some form of AVR becomes the only feasible solution in both human hours and cost.
AVR allows the network administrator control over how vulnerability remediation is defined and how it will be implemented, while eliminating the chore of manually remedying a vulnerability each time it pops up. Using AVR, combined with establishing a comprehensive policy using the following five steps, government organizations can go from simply fixing vulnerabilities to truly managing and remediating them.