Our Top 5 CIS Controls blog series rolls on with #3 Continuous Vulnerability Management. If you missed parts #1 and #2, you can catch them here:
- Intro to CIS Controls (Cybersecurity Best Practices): #2 Inventory and Control of Software Assets
- Intro to CIS Controls (Cyber Security Best Practices): #1 Hardware Inventory
CIS Control 3: Continuous Vulnerability Management
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
This control says you should constantly check your endpoints for vulnerabilities, and then fix them as you find them.
CIS Sub-Control 3.1 (Detect): Run Automated Vulnerability Scanning Tools
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization’s systems.
Many vendors offer tools for scanning endpoints for known vulnerabilities. Various OS features and community tools can assist with the process as well. However, this sub-control is very specific: use a SCAP-compliant tool, that is, a tool that checks for vulnerabilities using content stored in a SCAP repository.
SCAP is maintained by the National Institute of Standards and Technology (NIST). Here’s a quick overview:
- SCAP is a standard format for storing and sharing cybersecurity information
- SCAP was created to automate compliance checking, vulnerability management, and security measurement
- Community participation is what makes SCAP so current and complete
- New entries are added to public SCAP repositories constantly
CIS Sub-Control 3.2 (Detect): Perform Authenticated Vulnerability Scanning
Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
To check your systems thoroughly, the scanning agent must have access to protected parts of the systems. This means it must either run locally or, if it is a remote scanner, run with elevated privileges on the system being tested.
CIS Sub-Control 3.3 (Protect): Protect Dedicated Assessment Accounts
Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
When you need to provide elevated privileges for solutions that are scanning systems for vulnerabilities, use dedicated assessment accounts. This way, the account can have only the privileges needed for scanning, and nothing more. Also, if the account is compromised, it’s easy to lock it down without impacting other activities.
CIS Sub-Control 3.4 (Protect): Deploy Automated Operating System Patch Management Tools
Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Whatever OS you are using, it needs to be patched as soon as possible after security updates are released. Scores of new vulnerabilities are discovered daily. It’s unsafe to leave systems vulnerable by failing to apply fixes you know are available.
CIS Sub-Control 3.5 (Protect): Deploy Automated Software Patch Management Tools
Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Bad actors have been exploiting vulnerabilities in third-party software since the early days of computing. In today’s fast-moving threat landscape, where cyberattackers are looking for any and every way into a company, the risk of application exploits has never been greater.
When app security updates are released, administrators need to apply them as quickly as possible. To ensure that patching is done quickly and at scale, IT departments should use automated tools for third-party patching.
CIS Sub-Control 3.6 (Respond): Compare Back-to-Back Vulnerability Scans
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
The purpose of this sub-control is to verify that found vulnerabilities have been remediated. Suppose that a scan on May 1 finds three vulnerabilities on a system. A subsequent scan on May 15 should show that none of those vulnerabilities are present because they have been remediated.
By running regular back-to-back scans and comparing them, you measure the effectiveness of your remediation strategy.
CIS Sub-Control 3.7 (Respond): Utilize a Risk-Rating Process
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Cybersecurity professionals can’t possibly remediate all vulnerabilities on all endpoints in a timely manner. For that reason, it’s imperative to prioritize which vulnerabilities pose the greatest risk so they can be remediated first. A risk-rating system can make this fairly straightforward.
NIST oversees the Common Vulnerability Scoring System (CVSS), an open framework for rating the risk of threats in the National Vulnerability Database (NVD). Scores are based primarily on how easy a vulnerability is to exploit and the impact of a successful exploit.
Those managing Microsoft-based systems may want to consider the Microsoft Exploitability Index. It rates the risk of vulnerabilities in the NVD based on how likely they are to be exploited.
Third-party vendors also offer a variety of solutions that help prioritize vulnerabilities.
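A worked comparison of two consecutive scans, covering sub-controls 3.6 and 3.7 above: it reports what was remediated, what is still open past a remediation window, what is new, and then ranks the open findings by a risk rating. This is an added example, not code from the original post or from any scanner vendor; the scan results, the vulnerability ids (year 0000 is not a real CVE year), the 14-day window and the set of known-exploited ids are all constructed assumptions.

```python
# Added example: diff two consecutive vulnerability scans of one host and
# rank what remains open. All data below is constructed; the ids are
# placeholders, not real advisories.
from datetime import date

# Constructed scan results: finding id -> CVSS-style base score (0-10).
SCAN_MAY_1 = {"date": date(2024, 5, 1), "findings": {
    "CVE-0000-0001": 9.8, "CVE-0000-0002": 5.3, "CVE-0000-0003": 7.5}}
SCAN_MAY_15 = {"date": date(2024, 5, 15), "findings": {
    "CVE-0000-0003": 7.5, "CVE-0000-0004": 6.1}}

# Assumed internal remediation SLA; CIS Control 3 only says "timely".
REMEDIATION_WINDOW_DAYS = 14


def compare_scans(previous, current, window_days=REMEDIATION_WINDOW_DAYS):
    """Sub-control 3.6: compare back-to-back scans of the same system."""
    prev, cur = previous["findings"], current["findings"]
    elapsed = (current["date"] - previous["date"]).days
    remediated = sorted(set(prev) - set(cur))   # gone since last scan
    still_open = sorted(set(prev) & set(cur))   # seen in both scans
    new = sorted(set(cur) - set(prev))          # first seen this scan
    # A finding that survives past the window has missed the SLA.
    overdue = still_open if elapsed >= window_days else []
    return {"remediated": remediated, "still_open": still_open,
            "new": new, "overdue": overdue, "elapsed_days": elapsed}


def prioritize(current, exploited=frozenset()):
    """Sub-control 3.7: known-exploited ids first, then by score descending.

    `exploited` stands in for an exploitability feed (assumption)."""
    findings = current["findings"]
    return sorted(findings, key=lambda f: (f not in exploited, -findings[f], f))


if __name__ == "__main__":
    report = compare_scans(SCAN_MAY_1, SCAN_MAY_15)
    for key in ("remediated", "still_open", "new", "overdue"):
        print(f"{key:>10}: {', '.join(report[key]) or '-'}")
    print("work order:", prioritize(SCAN_MAY_15, exploited={"CVE-0000-0004"}))
```

Feeding it real scanner exports only requires mapping each export to the `{"date", "findings"}` shape used above.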