Vulnerability Scanning and Patch Management

Vulnerability scanning is an essential foundational security control and vital for every organization. Cyber-attacks such as WannaCry and Petya, left many asking the question: How can we stay safely ahead of the next threat?

As new vulnerabilities are discovered, it’s a race against time to derive effective defense strategies.

In most cases, this requires fixes for the software or platform affected, delivered in the form of a patch. In other cases it may require mitigation of the threat via secure configuration settings – see System Hardening and Vulnerability Management.

Vulnerability Scanning and Patch Management FAQs

How do I know when patches are available and whether I need them?

The process by which patches are identified as available and needed has been revolutionized by contemporary vulnerability scanning technology. A vulnerability scanner typically works on a ‘point and shoot’ basis – attach it to your network and press ‘Go’ then wait for results.

Once a new vulnerability has been found, the developer behind the affected product will work to produce a patch. As soon as the fix is available, this information is appended to the CVE documentation on the NVD website (each new vulnerability is given a CVE identifier by the National Vulnerability Database (NVD) – see the "When is a Vulnerability Not a Vulnerability" white paper).

A good scanner will always be updated with the latest knowledge of vulnerabilities, delivered via a live internet-based feed for convenience. However, in between scans, organizations are left blind to changes that could increase their attack surface, such as software installations and configuration drift. Similarly, vulnerability scanners offer no breach detection capability.

» Learn more about Breach Detection and File Integrity Monitoring here

How does vulnerability scanning work?

The scanner is equipped with ‘White Hat’ hacking capabilities, to poke around in your network, thinking and acting like a hacker to actively identify and test exploitable vulnerabilities on your systems. The scanner is continually updated with new active test routines in order to sniff out all vulnerabilities. New and updated tests share the same feed as used to deliver CVE updates.

» Check out NNT Vulnerability Tracker stats here

Are all vulnerabilities fixed using a patch?

No! Some need to be mitigated, suspended rather than eliminated, via secure, hardened configuration settings. In some instance all that is left is to provide mitigation via a Workaround, some other measure that counteracts the vulnerability, for example firewalling to prevent the access required to exploit the vulnerability.

» See more about System and Configuration hardening here.

BUYERS GUIDE
Vulnerability Management - 8 Critical Consideration

Download

Additional Vulnerability Scanning and Patch Management Resources

Vulnerability Scanning Blog

Vulnerability Scanning White Papers

The Most Powerful & Reliable Cybersecurity Products

change tracker gen7r2 logo

Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.

FAST Cloud logo

Fast Cloud: Leverage the world’s largest whitelist repository to automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology)

vulnerability tracker logo

Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

log tracker logo

Log Tracker: Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds

Next Steps

Are you ready to get started in securing your IT environment with
industry-approved foundational controls, intelligent change control and automation?