CIS Controls v8 Overview — Control 07

James Temples
3 min read · Sep 8, 2021


Our review of the CIS Controls v8 continues with a review of Control 07.

CIS Control 07: Continuous Vulnerability Management

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

Why is this Control Important?

Attackers are constantly probing an organization’s infrastructure for vulnerabilities that will allow them to gain unauthorized access. To defend against this, an organization must have access to threat information such as software updates, patches, security advisories, and threat bulletins. With this information, organizations must review their infrastructure regularly to identify vulnerabilities before the attackers do. Remember: attackers may have access to the same information.

There is no guarantee that an organization will identify every vulnerability. In addition, attackers might be aware of a vulnerability before the security community is. When an attacker exploits such a vulnerability, it is called a “zero-day” exploit. There are also vulnerabilities that have no available remediation, so organizations need to use other controls to mitigate them.

And its Safeguards?

The control has seven (7) Safeguards that cover the key actions to establish and maintain secure configurations. The Safeguards include establishing and maintaining a vulnerability management process along with a supporting remediation process, patch management for operating systems and applications, internal and external vulnerability scans, and remediating detected vulnerabilities.

How is this Control implemented?

Organizations implement a vulnerability scanning tool to evaluate the security configuration of their infrastructure. These tools typically map vulnerabilities to industry-recognized vulnerability, configuration and platform classification schemes and languages such as Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), and others.

How often should a scan be done? Scans should be scheduled on a recurring basis, typically monthly; however, as an organization’s assets continue to increase, scans may need to run more often, such as bi-weekly or weekly. Advanced vulnerability scanning tools can also be configured with user credentials to perform “authenticated scans,” which are more comprehensive.

After an organization performs a scan, it should track the vulnerabilities found, along with their supporting solutions, as part of a remediation process. This tracking is typically done in a ticketing system to retain details for future reference. The ticketing system should capture details on remediation steps and provide key metrics such as time to resolution.

Best practices for vulnerability management include prioritizing patches based on potential impact, or identifying the vulnerabilities that are most likely to be exploited and addressing those first. Scoring systems like NIST’s Common Vulnerability Scoring System (CVSS) are often used by organizations. Organizations should be fully aware that the priority for remediating a given vulnerability may change from one day to the next based on outside influences.

Lastly, organizations should put a validation process in place to confirm patches or configuration updates are correctly implemented across the organization. One unprotected asset can affect the entire organization by allowing an attacker unauthorized access.

Key Reminder
Understanding and managing vulnerabilities is a continuous activity, requiring a focus of time, attention, and resources. Organizations should compare their current vulnerability scan with previous scans (typically monthly) to determine how the vulnerabilities in the environment have been remediated over time.
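As an added example (not code from the original post), the following Python script walks through the tracking steps described above on constructed sample data: it compares a previous and a current scan, orders open findings by CVSS base score, computes mean time to resolution from ticket dates, and flags closed tickets whose finding still appears in the current scan (the validation step) as well as findings that have no ticket yet. Asset names, dates and the placeholder CVE identifiers are all made up for the example.

```python
from datetime import date
from statistics import mean

# Constructed sample data (not output from any real scanner or ticketing system).
# CVE identifiers are placeholders of the form CVE-0000-xxxx, not real vulnerabilities.
PREVIOUS_SCAN = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"asset": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3},
    {"asset": "db-01", "cve": "CVE-0000-0003", "cvss": 7.5},
]
CURRENT_SCAN = [
    {"asset": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3},  # still present
    {"asset": "db-01", "cve": "CVE-0000-0004", "cvss": 8.8},   # newly detected
    {"asset": "web-02", "cve": "CVE-0000-0001", "cvss": 9.8},  # fixed on web-01, missed on web-02
]
# Remediation tickets keyed by (asset, cve); "closed" is the date the fix was marked done.
TICKETS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "opened": date(2021, 7, 2), "closed": date(2021, 7, 9)},
    {"asset": "db-01", "cve": "CVE-0000-0003", "opened": date(2021, 7, 2), "closed": date(2021, 7, 20)},
    {"asset": "web-01", "cve": "CVE-0000-0002", "opened": date(2021, 7, 2), "closed": date(2021, 7, 13)},
]

def finding_key(record):
    return (record["asset"], record["cve"])
def compare_scans(previous, current):
    """Classify findings as remediated (gone), new, or persisting between two scans."""
    prev = {finding_key(f): f for f in previous}
    cur = {finding_key(f): f for f in current}
    return {
        "remediated": [prev[k] for k in sorted(prev.keys() - cur.keys())],
        "new": [cur[k] for k in sorted(cur.keys() - prev.keys())],
        "persisting": [cur[k] for k in sorted(prev.keys() & cur.keys())],
    }
def prioritize(findings):
    """Order open findings for remediation: highest CVSS base score first, then by asset and CVE."""
    return sorted(findings, key=lambda f: (-f["cvss"], f["asset"], f["cve"]))
def mean_time_to_resolution(tickets):
    """Mean days from ticket opened to closed, a key metric for the remediation process."""
    days = [(t["closed"] - t["opened"]).days for t in tickets if t["closed"] is not None]
    return mean(days) if days else None
def failed_remediations(diff, tickets):
    """Validation: tickets closed as fixed whose finding still shows up in the current scan."""
    still_present = {finding_key(f) for f in diff["persisting"]}
    return [t for t in tickets if t["closed"] is not None and finding_key(t) in still_present]
def untracked_findings(diff, tickets):
    """Open findings (new or persisting) that have no remediation ticket yet."""
    ticketed = {finding_key(t) for t in tickets}
    return [f for f in diff["new"] + diff["persisting"] if finding_key(f) not in ticketed]
```

On the sample data the script reports one closed ticket that needs re-work (web-01 still shows CVE-0000-0002) and two untracked findings, which is exactly the kind of gap the validation and ticketing steps are meant to catch.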

In the next post, we will look at Control 08: Audit Log Management. If you enjoyed this post, please Like and Share!

Contact Temples Consulting, a CIS SecureSuite Partner, to schedule a no cost consultation to see how your organization can best manage Vulnerability Management to be in compliance with the CIS Controls.

#cybersecurity #security #infosec #informationsecurity #riskmanagement #ciscontrols #cissecuresuite #safeguards #ciscontrolsv8 #templesconsultinggroup #security #clarity #delivery #riskassessment #riskremediation #risk2remediation #software #cyber #governance #GRC #implementations #dataprotection #datasecurity #auditlogs

James Temples

Cybersecurity, Implementation, Continuity and Compliance Professional & Entrepreneur, CISSP