How to make your security assessments actionable

Published at 2016-01-08 17:00:02

Category: Kevin Beaver
One of the greatest challenges in security is getting the right information so that educated decisions can be made. It happens across many facets of security such as network monitoring, incident response, and user training. However, there’s one (big) exception: security assessments. Assuming you’re using the proper tools and reasonable methodologies to uncover your network security weaknesses, you have everything you need at your disposal. You have the vulnerabilities, the attack vectors, the systems affected, and even what’s required to resolve the issues.

Yet, still, time after time we hear of vulnerabilities that go unresolved. It’s discouraging to me, as a consultant, to see this. You know, the vulnerabilities that were in last quarter’s – or last year’s – assessment that are showing up now. I see this issue all the time. Unless management is willing to defend why known vulnerabilities remain unresolved, you have to have a plan of action after each assessment. Second only to actually mitigating the flaws, developing a specific plan should be a top priority.

Everyone’s approach and needs are unique, but there are certain aspects to getting things done that apply across the board, including:

- What has been uncovered?
- How does each finding affect the business?
- Where do we truly need to focus our efforts? (tip: it should be on the most urgent flaws on your most important systems)
- Are there certain findings that we can take off the table altogether?
- Who can resolve each issue in the short term?
- Who or what else needs to be involved to help prevent this issue from reoccurring?

Once you have this information, ask yourself: What’s next? What’s after that? And, what do we need to do now? Keep repeating this over and over until you get done what needs to be done.

Well-respected business executive Jack Welch of GE once said, "An organization's ability to learn, and translate that learning into action rapidly, is the ultimate competitive business advantage." You can’t un-acknowledge security vulnerabilities. They’re there. They’ve called attention to themselves. You know what needs to be done.

Don’t try to solve the security issues you uncover at a mere technical level, on your own. Go up a few steps and look at security management, business operations, and related issues that are the root causes. Then vow to do what it takes to make changes. Many people will try to wish such security issues away. Others will find every excuse in the book as to why it’s not possible to fix them. Don’t take those paths. We’ve seen where they end up. Let discipline and common sense lead the way instead.

Source: rapid7.com
