CIS Control 3: Continuous Vulnerability Management
This article breaks down CIS Control 3: Continuous Vulnerability Management and the seven sub controls associated with the third basic security control.
Organizations are constantly faced with new information. From software updates to patches and threat bulletins, understanding and properly managing vulnerabilities requires a significant amount of attention and resources. Attackers and their victims have access to the same information. Without proactive scanning for vulnerabilities and remediation of security flaws, the likelihood of an attacker compromising an organization’s systems is very high.
Implementing a vulnerability management tool can help you spot any holes in your environment that could potentially be exploited by an attacker before a breach occurs.
Let’s dive right into CIS Control 3 and the seven sub control requirements.
3.1: Run Automated Vulnerability Scanning Tools
- Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization’s systems.
In this sub control, organizations are advised to conduct automated scans to stay up to date on any new vulnerabilities that have been introduced and any changes that have been made across the network. Weekly scans are suggested for less-critical systems, but do keep in mind – the more frequently you scan, the quicker issues can be addressed. By automating these scans your organization will know the status of all scanned systems and be able to prioritize the vulnerabilities that pose the most harm to your security posture. Using NNT Vulnerability Tracker will allow your organization to detect and identify these vulnerabilities. Any vulnerabilities identified are reported with full background and remediation guidance.
3.2: Perform Authenticated Vulnerability Scanning
- Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
This sub control emphasizes the importance of performing authenticated vulnerability scans, as these scans gather information from both outside the endpoint and inside it. Both kinds of information are important, but the data gathered through authenticated scans allows the scanning solution to draw better conclusions about the endpoint’s vulnerability state.
NNT Vulnerability Tracker exposes any vulnerabilities that are identified in this scan with a detailed background on the vulnerability and remediation guidance included.
3.3: Protect Dedicated Assessment Accounts
- Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
This sub control recommends using a dedicated account for authenticated vulnerability scans, with no privileged access required for scanning. This will help curb the risk of credential theft. NNT recommends our Vulnerability Tracker solution, which will alert you and report on all account and machine activity in real time.
3.4: Deploy Automated Operating System Patch Management Tools
- Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5: Deploy Automated Software Patch Management Tools
- Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Sub controls 4 and 5 of CIS Control 3 advise organizations to deploy automated operating system and software patch management tools. Using these tools will ensure that critical security flaws are patched as soon as a fix is made available to the public. This allows for more consistency and less reliance on users to manually update software tools and operating systems. With that being said, there are still updates that will need to be done manually, so relying completely on these solutions would be a poor patch management practice.
3.6: Compare Back-to-Back Vulnerability Scans
- Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner
The most effective vulnerability scanning solutions compare results from the current scan with previous ones to determine how the vulnerabilities have changed over time. With NNT Vulnerability Tracker, you can compare back-to-back scanning results to verify that all critical vulnerabilities are addressed, either by patching or by documenting an exception.
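A back-to-back comparison is a set difference on (host, vulnerability) pairs plus an age check against a remediation deadline. The code below is an added example and not NNT's or the article's code; it works on two constructed weekly scan result sets with placeholder vulnerability identifiers, assumes per-severity SLA windows in days, and treats documented exceptions as a set of (host, id) pairs that are excluded from the overdue list.

```python
from datetime import date

# Assumed remediation deadlines per severity, in days (not from the article).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

# Constructed results from two consecutive weekly scans. The identifiers are
# placeholders, not real CVE numbers.
PREVIOUS_SCAN = {
    "date": date(2020, 3, 2),
    "findings": [
        {"host": "web01", "id": "CVE-EXAMPLE-0001", "severity": "Critical", "first_seen": date(2020, 2, 3)},
        {"host": "web01", "id": "CVE-EXAMPLE-0002", "severity": "Medium", "first_seen": date(2020, 2, 24)},
        {"host": "db01", "id": "CVE-EXAMPLE-0003", "severity": "High", "first_seen": date(2020, 3, 2)},
    ],
}
CURRENT_SCAN = {
    "date": date(2020, 3, 9),
    "findings": [
        {"host": "web01", "id": "CVE-EXAMPLE-0001", "severity": "Critical", "first_seen": date(2020, 3, 9)},
        {"host": "db01", "id": "CVE-EXAMPLE-0004", "severity": "Low", "first_seen": date(2020, 3, 9)},
    ],
}


def _key(finding):
    return (finding["host"], finding["id"])


def compare_scans(previous, current, exceptions=frozenset()):
    """Classify findings as remediated, new or persistent, and list persistent
    findings that have exceeded their SLA and carry no documented exception."""
    prev = {_key(f): f for f in previous["findings"]}
    curr = {_key(f): f for f in current["findings"]}

    remediated = sorted(prev.keys() - curr.keys())
    new = sorted(curr.keys() - prev.keys())
    persistent = sorted(curr.keys() & prev.keys())

    overdue = []
    for k in persistent:
        if k in exceptions:
            continue  # risk accepted and documented; not counted as overdue
        # Carry the earliest sighting forward so a rescan does not reset the clock.
        first_seen = min(prev[k]["first_seen"], curr[k]["first_seen"])
        age_days = (current["date"] - first_seen).days
        if age_days > SLA_DAYS[curr[k]["severity"]]:
            overdue.append((k, age_days))

    return {"remediated": remediated, "new": new, "persistent": persistent, "overdue": overdue}


if __name__ == "__main__":
    report = compare_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for section, items in report.items():
        print(f"{section}: {items}")
```

Note that the current scan reports a first_seen of the scan date for the persistent critical finding; the comparison deliberately keeps the earlier date from the previous scan, since the point of the sub control is to measure how long a vulnerability has actually been open, not how long the latest tool run has known about it.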
3.7: Utilize a Risk-Rating Process
- Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
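A risk-rating process weights the scanner's base severity by what the organization knows about the asset and the vulnerability. The example below is added here and is not the article's or NNT's code; it assumes a simple multiplicative model (CVSS base score times factors for asset criticality, internet exposure and whether a public exploit is known) with tier thresholds chosen for illustration, and it runs over constructed assets and findings with placeholder vulnerability identifiers.

```python
from dataclasses import dataclass

# Assumed weighting factors (not from the article); tune to your own risk appetite.
CRITICALITY_FACTOR = {1: 0.6, 2: 1.0, 3: 1.5}  # asset criticality on a 1..3 scale
EXPOSURE_FACTOR = 1.5                          # multiplier for internet-facing assets
EXPLOIT_FACTOR = 2.0                           # multiplier when a public exploit exists
TIERS = [(15.0, "Immediate"), (8.0, "High"), (4.0, "Medium"), (0.0, "Low")]


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int
    internet_facing: bool


@dataclass(frozen=True)
class Vuln:
    asset: str
    vuln_id: str   # placeholder identifiers in the sample data
    cvss: float    # CVSS base score as reported by the scanner
    exploit_known: bool


@dataclass(frozen=True)
class Ranked:
    vuln_id: str
    asset: str
    score: float
    tier: str


def risk_score(vuln, asset):
    """Environment-aware score: CVSS adjusted for criticality, exposure and exploitability."""
    score = vuln.cvss * CRITICALITY_FACTOR[asset.criticality]
    if asset.internet_facing:
        score *= EXPOSURE_FACTOR
    if vuln.exploit_known:
        score *= EXPLOIT_FACTOR
    return round(score, 2)


def tier_for(score):
    for threshold, name in TIERS:
        if score >= threshold:
            return name
    return "Low"


def prioritize(vulns, assets):
    """Return findings ordered from most to least urgent for remediation."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for v in vulns:
        s = risk_score(v, by_name[v.asset])
        ranked.append(Ranked(v.vuln_id, v.asset, s, tier_for(s)))
    return sorted(ranked, key=lambda r: r.score, reverse=True)


# Constructed sample inventory and scan findings.
SAMPLE_ASSETS = [
    Asset("web01", criticality=3, internet_facing=True),
    Asset("db01", criticality=3, internet_facing=False),
    Asset("dev02", criticality=1, internet_facing=False),
]
SAMPLE_VULNS = [
    Vuln("web01", "VULN-EXAMPLE-0001", cvss=7.5, exploit_known=True),
    Vuln("dev02", "VULN-EXAMPLE-0002", cvss=9.8, exploit_known=False),
    Vuln("db01", "VULN-EXAMPLE-0003", cvss=6.5, exploit_known=False),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_VULNS, SAMPLE_ASSETS):
        print(f"{r.tier:9} {r.score:6.2f}  {r.asset}  {r.vuln_id}")
```

The sample is arranged to show why a raw CVSS sort is not a risk rating: the 9.8 on an isolated development box ends up below a 6.5 on the critical database, and the 7.5 on the internet-facing web server with a known exploit comes out on top.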
Figure 1: CIS Control 3 – System Entity Relationship Diagram
The goal of CIS Control 3 is to identify and remove any technical weaknesses that exist within your information systems. To reduce your risk, organizations are advised to implement patch management systems that cover operating systems and third-party application vulnerabilities. Organizations are also encouraged to implement a commercial vulnerability management system to allow them to detect and remediate exploitable software weaknesses.
NNT Vulnerability Tracker continuously scans operating systems, network devices and web applications and assigns risk rankings to any identified vulnerabilities, with detailed remediation guidance provided. Vulnerability Tracker provides you with a ‘live feed’ of any newly identified vulnerabilities and the relevant tests to expose their presence within the network. Any vulnerabilities identified are reported with full background and remediation guidance.
You can even address most of these requirements for free by downloading the Greenbone Security Manager Community Edition.
- CIS Control 1: Inventory and Control of Hardware Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Continuous Vulnerability Management
- CIS Control 4: Controlled Use of Administrative Privileges
- CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CIS Control 7: Email and Web Browser Protections
- CIS Control 8: Malware Defenses
- CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
- CIS Control 10: Data Recovery Capabilities
- CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- CIS Control 12: Boundary Defense
- CIS Control 13: Data Protection
- CIS Control 14: Controlled Access Based on the Need to Know
- CIS Control 15: Wireless Access Control
- CIS Control 16: Account Monitoring and Control
- CIS Control 17: Implement a Security Awareness and Training Program
- CIS Control 18: Application Software Security
- CIS Control 19: Incident Response and Management
- CIS Control 20: Penetration Tests and Red Team Exercises