Today, I will be going over Control 3 from version 7 of the top 20 CIS Controls – Continuous Vulnerability Management. I will go through the seven requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 3

• Takeaway 1. A robust, vulnerability management program powered by the correct tools will empower your organization to take control of its own security and manage risks presented by both internal and external threats.
• Takeaway 2. Utilizing remote and credentialed scans gives you a holistic view of your network that allows you to better understand threats before they become a problem. When you review and compare your results, you will quickly know what has changed and what risks those changes introduce.
• Takeaway 3. Vulnerability management programs, when properly implemented, expose a plethora of faults and flaws in even the most secure enterprises networks. Don’t be alarmed; simply apply risk-ratings and break the work into smaller, more manageable portions.

Requirement Listing for Control 3

1. Run Automated Vulnerability Scanning Tools

Description: Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization’s systems.

Notes: Regular automated scanning is important to keep informed of new vulnerabilities and changes being introduced across networks. Weekly scans are adequate for less critical systems, but the more frequent the scans, the sooner issues can be noticed and resolved. Automated scans give valuable insight into the current status of all scanned systems to help prioritize which vulnerabilities are most compromising the security of the network.

2. Perform Authenticated Vulnerability Scanning

Description: Perform authenticated vulnerability scanning with agents running local on each system or with remote scanners that are configured with elevated rights on the system (Read more...)