Picking holes before someone else does is the sensible first step every company must take when preparing itself for the onslaught of the Internet.

Gartner Research observes that until 2008, 90% of successful hacker attacks will exploit well-known software vulnerabilities, which begs the question: why didn't someone protect against it?

We all know the only risk-free computer is the one that's not connected to the Internet. Browsing and electronic communications leave systems open to intrusion from viruses, hackers and spyware, all ways in which malicious code can attack data. But in reality connectivity is the only way forward.

The only answer is to implement an effective vulnerability management (and assessment) process. To prevent attacks, organisations must identify and remedy computer vulnerabilities before they can be used to compromise critical systems.

A comprehensive vulnerability assessment conducted by a dedicated team, either from within the company or contracted to it, is about assessing the overall 'posture' across all devices within the company.

Critical questions to be asked during a vulnerability assessment include: how good is your existing security? What sort of exposure do you have to the Internet? How often do you update your virus protection? Do your system administrators proactively address patch and configuration (system settings) issues to remedy potential vulnerability and protect critical systems?

"Importantly, how high-profile is the company? No company wants to risk losing or having its data corrupted, but for high-profile organisations like banks and insurance companies, such intrusion would spell disaster," says Rogan Dawes, senior consultant at Deloitte's Enterprise Security Services Group.

"It's crucial for CIOs to know the entire range of the company's data-storing assets and the environment to which they are exposed. The assets can then be categorised into levels of risk potential. For example, servers would be more critical than laptops or desktops."

One of the best sources of information about vulnerabilities is the SANS (SysAdmin Audit Network Security) Institute.

Recognised as the largest source for information security training and certification in the world, it operates the Internet's early warning system on the latest common vulnerabilities. The SANS Institute also develops, maintains and disseminates research documents about various aspects of information security.

DON'T OVERESTIMATE VULNERABILITY

"A vulnerability can be as simple as a weak password, an irregular or incomplete backup procedure or a poorly configured firewall," says Chris Runte, technical director at Biodata IT South Africa.

An automated patch management (APM) system, he says, is the most reliable way to secure a network. This system should:

Vulnerability assessments essentially identify system misconfigurations and software design flaws that can affect business-critical systems, and the remediation needed for them.

The assessment process covers several steps:

ONGOING TASK

"The efficacy of vulnerability assessment is reduced if conducted as a once-off occurrence. To effectively manage the organisation's security posture the process needs to be ongoing," says , business technologist at Computer Associates Africa.

Rode says it is important for CIOs to know what IT assets are on the organisation's network, what technologies - down to patch level - are running on them, the exposure of the assets, assessing the risks of each, the actions needed to remedy threats, and the status of the organisation's asset security on an ongoing basis.

"Classification of assets according to business risk, to determine which are most critical, is essential," says Bruce Bean, business manager of enterprise and IT security at IDXOnline.

"The level of security can then be decided accordingly." But it gets more complex. Add to the mix the constant addition of computer assets to a company's network, new software, changes to in-house system configuration policies and auditing requirements for regulatory compliance, and it gets hairy.

"Companies tend to want to throw technology at the problem," says , GM of security practice at . "But technology on its own is never sufficient. The solution lies in the effective management of the organisation's security programme and having a plan in place should an attack occur.

"Companies should appoint a dedicated chief security information officer to champion security. Without a person responsible for security and answerable to the board, the task will inevitably fall to an IT manager, and security metrics are likely to be less stringent."

Middleton also observes an increasing trend for security posture or maturity assessments within the enterprise. This involves the in-depth analysis of technology, people, processes and strategy via questionnaire, to assess the status quo, determine where it is in relation to international best practice and to provide clear recommendations on how to tighten measures.

"The management of risk on an enterprise level is widely recognised as one of the most complex leadership challenges facing global executives," says Tanya Fisher, enterprise marketing specialist at Symantec Middle East & Africa.

"It is not only the quality of management decisions that is crucial for effective risk mitigation strategies, but also the ability to execute them. A major challenge to obtaining 'actionable intelligence' for the decision-making process is the broad and complex sources of information across the different technical and business silos."

Fisher emphasises the need for a solution that allows decision-makers to drill down into a common set of information groups to understand what must be done to achieve security compliance.

To meet this challenge Symantec, in partnership with Flexeye, has developed the Information Assurance Dashboard, a customer-specific methodology comprising best practice, rapid implementation and an advanced technology platform.

The solution is designed to graphically present risk metrics to enable company executives to track and predict the state of the organisation's risk posture.
