Security Basics mailing list archives

Re: Justifying the spend on a vulnerability scanner


From: "Pierre A. Cadieux" <hobbit () theshire com>
Date: Tue, 11 Mar 2003 08:03:28 -0800

In some respects it depends on the type of business/computer network you are protecting. You can get low/no-cost scanners (NMAP, etc.) that will tell you which ports are open, and you can then do the leg work to verify that the services should be running, are patched, etc.

In large commercial environments, where there are regulatory requirements or specific security standards/goals, the need for proactive scanning definitely exists as part of your audit strategy. In general I have seen engineering companies, healthcare companies, insurance companies, and financial companies easily explain this cost since they are required to have this level of security.

Don't forget: getting the scanner will be great, but you will need to agree on when it should be used (some scans MAY interfere with production services), how often you should scan, where to scan from, and the best part will be getting the people that maintain the boxes to react quickly to any critical exposures.

Without the proactive auditing that a vulnerability scanner provides you (depending on the size of your network) there could be a number of critical exposures or systems with intrusions that you don't know about.

I also would suggest some type of IDS strategy... but that is another topic.

Regards,

->Pierre Cadieux
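The "leg work" Pierre describes (taking the open-port list from a free scanner and verifying that each service is one the box owners actually expect) is the part that turns scan output into something a manager can act on. The following is an added example, not code from the original thread or from the Nmap project: it parses the grepable (-oG) output format that nmap emits, compares each host's open ports against a hypothetical approved-services baseline, and reports both unexpected exposures and services that should be listening but are not. The scan lines and the baseline are constructed sample data, not a real scan.

```python
import re

# Constructed sample in nmap's grepable (-oG) format; not output from a real run.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample, not a real run)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 192.0.2.12 ()\tPorts: 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (998)
"""

# Hypothetical approved-services baseline: the ports the system owners say
# should be listening on each host (e.g. from the change/asset records).
BASELINE = {
    "192.0.2.10": {22, 80, 8443},   # 8443 is expected but absent in the sample scan
    "192.0.2.11": {3389},
    "192.0.2.12": {443},
}

# One grepable port entry looks like: port/state/proto//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text):
    """Return {host: {(port, proto, service), ...}} for ports nmap reported as open.

    Filtered and closed ports are deliberately ignored: only 'open' is an exposure.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip comment/summary lines
        addr = line.split()[1]
        open_ports = set()
        m = re.search(r"Ports: ([^\t]*)", line)
        if m:
            for port, state, proto, service in PORT_RE.findall(m.group(1)):
                if state == "open":
                    open_ports.add((int(port), proto, service))
        hosts[addr] = open_ports
    return hosts


def compare_with_baseline(scan, baseline):
    """Return (unexpected, missing): ports open but not approved, and approved but not open."""
    unexpected, missing = {}, {}
    for host, entries in scan.items():
        found = {port for port, _, _ in entries}
        allowed = baseline.get(host, set())   # unknown host => nothing is approved
        extra = sorted(found - allowed)
        gone = sorted(allowed - found)
        if extra:
            unexpected[host] = extra
        if gone:
            missing[host] = gone
    return unexpected, missing


def exposure_summary(scan, baseline):
    """Numbers a manager can read: hosts scanned, hosts with unapproved open ports, port count."""
    unexpected, _ = compare_with_baseline(scan, baseline)
    return {
        "hosts_scanned": len(scan),
        "hosts_with_unapproved_ports": len(unexpected),
        "unapproved_ports_total": sum(len(v) for v in unexpected.values()),
    }


if __name__ == "__main__":
    results = parse_grepable(SAMPLE_SCAN)
    unexpected, missing = compare_with_baseline(results, BASELINE)
    for host, ports in unexpected.items():
        print(f"{host}: unapproved open ports {ports} -> owner must justify or close")
    for host, ports in missing.items():
        print(f"{host}: approved services not listening {ports} -> possible outage")
    print(exposure_summary(results, BASELINE))
```

Running the same comparison after every agreed scan window, and trending the "hosts with unapproved ports" number over time, gives the kind of before/after figure that makes the scanner's cost easier to explain than a list of raw port numbers.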

At 04:31 PM 3/10/2003 +0000, JM wrote:
As the subject says, this is what I have got to do.

I could dream up loads of examples of:
if we don't detect a Code Red virus and we get it, then it
will knock out our webservers and others until we fix it.
if we have open null shares on the network, and unrestricted
access to remote registries, people can do what they
want...

But does anyone have any thoughts to share on how I can
successfully convince my management that the spend on a
vulnerability scanner is worthwhile?

Thanks in advance

JM
