Scanning for vulnerabilities is only one step in an overall security assessment. A security assessment is more involved that conducting a vulnerability scan and provide the scanner’s generic report as the deliverable. You have not assessed the network. You have assessed the hosts’ vulnerabilities. An assessment requires understanding system relationships and dependencies. A solid remediation can then be built to reduce actual threats to a system protect over threats to the individual hosts. For example, a patch update on a remote access protocol might have a lower CVSS score than a higher scoring vulnerability on an APC power supply. Assessments should use scanning data as supporting data in an assessment.
In large-scale systems with huge infrastructures, the challenge is to effectively cover everything from everywhere. It would be a near impossible task without building a network topology that includes associated vulnerabilities and data flows between systems. Technical and non-technical decision-makers must visualize where the more critical threats are in the infrastructure and allocate resources accordingly.
Duffy Compliance Services, LLC (DCS) is an independent 3rd party resource that can help you discover the effectiveness of your security efforts. By assessing the infrastructure using tools and subject expertise, DCS can provide a more precise view of the real threats that exist and provide a proper remediation plan that directly prioritizes those threats.