The Emotional Rollercoaster of a Vulnerability Scan
Where else in life would you ask for a list of perceived flaws in excruciating detail?
But that's precisely what a vulnerability scan is designed to do.
“Let's get a vulnerability scan...” Sounds simple, but wait for the emotions.
This is what you'll feel.
“That's not right. I'm sure that's wrong.”
If your IT systems have been running for some time, there will be vulnerabilities.
There's certainly a chance of false positives - a scanner trying to guess what software you're using. Being a “bit too clever” and guessing wrong...
But unless you've been obsessing over every software update - your first scan will certainly highlight something.
“Don't show it to anyone. No one must see this.”
The fact that there's a security gap or an unpatched system is not personal. It's just one of those things.
A perfectly secure system today can be critically vulnerable tomorrow. And almost certainly will be in a year or two.
Every administrator and IT manager faces this. The important thing is to meet the challenge - and that's easier with a team and buy-in.
“Argh! Do I have to fix all of these?”
It's easy to overlook, but security is about managing risk. That means you can reduce the risk, transfer it ...and accept the risk.
It never makes business sense to 'fix' all possible vulnerabilities.
It all comes down to your company's risk appetite and the context you work in.
Remember - you don't have to fix all vulnerabilities.
“There's still too much to do.”
Trying to keep a system secure can seem overwhelming and futile.
Maybe this drives a request for a bigger team or more expensive tools. But the reality is that improving security doesn't happen overnight.
It's an incremental. Just like a diet, going to the gym, or learning a musical instrument.
It's about incremental improvement.
“Ok. So how do I sort this out.”
Start with small steps and address the most significant risks. The ones that can't be accepted.
And think about how to remove yourself from having to do this again.
Automatic updates? An installation image for laptops? Configuration scripts?
Putting processes in place reduces the amount of time that future-you needs to spend on cybersecurity.
That's a good thing. There's more to life than cybersecurity.
Your second scan won't be anything like the first...
“Hmm... what's new?”
“Huh - Apache is getting targeted again...”
"I've found nothing in life is worthwhile unless you take risks. Nothing."
- Denzel Washington (U.Penn - 2011)