The unfortunate thing is that the easiest targets are rarely the ones that carry the most risk. A risk-based approach dictates that the vulnerabilities posing the highest risk to the organization are addressed first.
To do this, it is necessary to build a prioritized list of vulnerabilities. SANS created a “Top 20” list for just this reason, and for most organizations it is a great place to start.
SANS sponsors the consensus top-twenty vulnerability list, which is available free on the web at http://www.sans.org/top-cyber-security-risks/. Securing the network against just the 20 exploits on this list will give your organization a greater level of security than most organizations have. A list of ports that should be blocked is also available. Start with the organization’s perimeter security and address the top vulnerabilities first, then move down to the next riskiest level of vulnerabilities. The exercise may never end, but security has never been a point-in-time exercise.
In deciding what to include in a vulnerability mitigation list, consider the following:
- Historical exploits,
- Current exploits, and
- Trojan programs and other malware.
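The ranking the text calls for, as an added example that is not part of the original text: a small Python script that scores constructed findings by risk (likelihood times impact, raised for perimeter exposure, a current public exploit, and known malware abuse) and sorts them highest risk first. The scoring weights, the finding fields, and the sample hosts are illustrative assumptions, not a SANS or any standard's formula; fix effort is deliberately kept out of the risk score so that "easy" never masquerades as "important", and an `easiest_first` ordering is included only to show how different the two lists are.

```python
"""Rank vulnerability findings by risk so the highest-risk items are fixed first.

Added example; not from the original text. The scoring scheme (likelihood x impact,
with multipliers for perimeter exposure, public exploit availability and malware
abuse) is an assumption chosen for illustration, not any published standard.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    ident: str              # tracking id (constructed)
    host: str               # affected system (constructed)
    impact: int             # 1 (low) .. 5 (critical): consequence if exploited
    likelihood: int         # 1 .. 5: how likely exploitation is
    perimeter: bool         # reachable from the Internet?
    exploit_public: bool    # a current, publicly available exploit exists
    malware_used: bool      # known to be used by trojans or other malware
    fix_effort: int         # 1 (trivial) .. 5 (major project); NOT part of risk


def risk_score(f: Finding) -> float:
    """Base risk is likelihood x impact (1..25). Exposure and active exploitation
    raise it: perimeter-facing x1.5, public exploit x1.5, malware abuse x1.25.
    The multipliers are illustrative assumptions."""
    if not (1 <= f.impact <= 5 and 1 <= f.likelihood <= 5):
        raise ValueError(f"{f.ident}: impact and likelihood must be in 1..5")
    score = float(f.impact * f.likelihood)
    if f.perimeter:
        score *= 1.5
    if f.exploit_public:
        score *= 1.5
    if f.malware_used:
        score *= 1.25
    return score


def prioritize(findings):
    """Findings sorted highest risk first. Fix effort is only a tie-breaker
    (cheaper fix first) among findings of equal risk."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.fix_effort, f.ident))


def easiest_first(findings):
    """The ordering the page warns against: cheapest fix first, risk ignored."""
    return sorted(findings, key=lambda f: (f.fix_effort, f.ident))


# Constructed sample findings, loosely matching the page's three categories:
# a historical exploit, a current exploit, and one carried by malware.
SAMPLE = [
    Finding("F-1", "intranet-wiki", impact=2, likelihood=2, perimeter=False,
            exploit_public=False, malware_used=False, fix_effort=1),  # trivial fix, low risk
    Finding("F-2", "web-gw-01", impact=5, likelihood=4, perimeter=True,
            exploit_public=True, malware_used=False, fix_effort=4),   # current exploit, on the edge
    Finding("F-3", "file-srv-02", impact=4, likelihood=3, perimeter=False,
            exploit_public=True, malware_used=True, fix_effort=2),    # abused by known malware
    Finding("F-4", "old-ftp", impact=3, likelihood=3, perimeter=True,
            exploit_public=False, malware_used=False, fix_effort=1),  # historical exploit, exposed
]


def prioritized_ids(findings=SAMPLE):
    """Risk-ordered list of finding ids (the list the text says to work from)."""
    return [f.ident for f in prioritize(findings)]


def easiest_first_ids(findings=SAMPLE):
    """Effort-ordered list of finding ids, for comparison."""
    return [f.ident for f in easiest_first(findings)]


if __name__ == "__main__":
    print("risk-based order:")
    for f in prioritize(SAMPLE):
        print(f"  {f.ident:5} {f.host:14} risk={risk_score(f):6.2f} effort={f.fix_effort}")
    print("easiest-first order:", easiest_first_ids())
```

On the constructed sample the risk-based order is F-2, F-3, F-4, F-1, while the easiest-first order is F-1, F-4, F-3, F-2: the item that is cheapest to fix lands last once risk drives the sort, and the Internet-facing host with a current exploit moves to the top, which is the perimeter-first ordering the text recommends.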