Security and vulnerability assessment: 4 common mistakes

Uncovering problems and fixing security gaps can go awry with these oft-made blunders. Here are four examples of where vulnerabilities assessments typically go wrong

Atlanta —-If you're running a robust security program, you're regularly conducting security and vulnerability assessments of your both your network and physical environments. But in the quest to uncover security gaps and vulnerabilities, slip-ups are often made, too, that make these efforts less effective at having a positive impact.

At this month's CSO40 Security Confab and Awards event in Atlanta, attendees heard from two expert security veterans about best practices for vulnerability assessment.

Roger Johnston is the leader of the Vulnerability Assessment Team at Argonne National Laboratory. He and his team are often charged with finding the vulnerabilities with physical security systems. Jerry Walters is Director of Information Security with OhioHealth, a regional not-for-profit hospital network headquartered in Columbus, OH. Walters and his team are responsible for the overall information security program including risk management, vulnerability management, incident response, governance and compliance for the organization.

Both Johnston and Walters come at the topic of vulnerability assessment with different ideas and outline these four common mistakes that security teams make in the assessment process.

Lack of vision

When a team sets out to create a plan for vulnerability testing, no idea, even the most far-fetched, should be off the table, said Johnston.

"I think a big mistake people make is shutting down ideas too early," he said.

That means during brainstorming and planning sessions, even the wildest, far-fetched scenarios should be considered.

To continue reading this article register now

Microsoft's very bad year for security: A timeline