Fresh Thoughts #14: The Emotional Rollercoaster of a Vulnerability Scan

    Newsletter
going up on a rollercoaster

The Emotional Rollercoaster of a Vulnerability Scan

Where else in life would you ask for a list of perceived flaws in excruciating detail?

But that's precisely what a vulnerability scan is designed to do.

“Let's get a vulnerability scan...” Sounds simple, but wait for the emotions.

This is what you'll feel.

(It's normal.)

“That's not right. I'm sure that's wrong.”

If your IT systems have been running for some time, there will be vulnerabilities.

There's certainly a chance of false positives - a scanner trying to guess what software you're using. Being a “bit too clever” and guessing wrong...

But unless you've been obsessing over every software update - your first scan will certainly highlight something.

That's ok.

“Don't show it to anyone. No one must see this.”

The fact that there's a security gap or an unpatched system is not personal. It's just one of those things.

A perfectly secure system today can be critically vulnerable tomorrow. And almost certainly will be in a year or two.

Every administrator and IT manager faces this. The important thing is to meet the challenge - and that's easier with a team and buy-in.

“Argh! Do I have to fix all of these?”

No!

It's easy to overlook, but security is about managing risk. That means you can reduce the risk, transfer it ...and accept the risk.

It never makes business sense to 'fix' all possible vulnerabilities.
It all comes down to your company's risk appetite and the context you work in.

Remember - you don't have to fix all vulnerabilities.

“There's still too much to do.”

Trying to keep a system secure can seem overwhelming and futile.

Maybe this drives a request for a bigger team or more expensive tools. But the reality is that improving security doesn't happen overnight.

It's an incremental. Just like a diet, going to the gym, or learning a musical instrument.

It's about incremental improvement.

“Ok. So how do I sort this out.”

Start with small steps and address the most significant risks. The ones that can't be accepted.

And think about how to remove yourself from having to do this again.
Automatic updates? An installation image for laptops? Configuration scripts?

Putting processes in place reduces the amount of time that future-you needs to spend on cybersecurity.

That's a good thing. There's more to life than cybersecurity.

Your second scan won't be anything like the first...

“Hmm... what's new?”

“Huh - Apache is getting targeted again...”

“Java... ouch!”

Worthwhile Risks

"I've found nothing in life is worthwhile unless you take risks. Nothing."

- Denzel Washington (U.Penn - 2011)

May 10, 2022
2 Minutes Read

Fresh Thoughts to Your Inbox

Fresh perspectives on cybersecurity every Tuesday. Real stories, analytical insights, and a slash through buzzwords.

We'll never share your email.

Related Reads

spreadsheet of numbers

Fresh Thoughts #12: Lies. Statistics. Risk Transfer & Cyber Insurance.

Are you a hacker - by mistake? And watching an insurance underwriter decide if they will take on risk reminded me recently of being a new manager...

fulham football stadium

Fresh Thoughts #13: Communicating With Certifications & Fingerprinting Vulnerabilities

Some servers are like football supporters on a Saturday afternoon... And security certificates communicate information... quickly.

dropped ice cream

Fresh Thoughts #11: Risk Assessment Mistakes & Do You Need More Security?

The biggest mistake I made on my first risk assessment? It was too detailed. I documented every possible way...

Freshsec Logo

Subscribe to Fresh Thoughts

Our weekly newsletter brings you cybersecurity stories and insights. The insights that help you cut through the bull.

We'll never share your email.

Resources

Fresh Security Support

Your Questions

Blog

Legal Bits

Your Privacy

Our Terms

Cookies

Fresh Sec Limited

Call: +44 (0)203 9255868