Once testing is finished, a common pitfall is to look over the test results and assume that everything has to be fixed now. That's simply not true. Sure, in an ideal world you'd want to eliminate all of your security holes. In reality, you've got to focus on what's urgent (i.e., a missing critical patch) and important (i.e., a Windows server hosting a database). Ask yourself which flaws on your most critical systems can be exploited with serious consequences right now.
Security assessments and five mistakes to avoid
Step 1: Relying on audit checklists and automated tools
Step 2: Not considering the side effects of your tests
Step 3: Not looking at the whole picture
Step 4: Spending too much time trying to fix everything
Step 5: Assuming testing once is enough
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well asThe Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheelsaudiobook series. You can reach Kevin at firstname.lastname@example.org>.