Discovering Security Gaps with Vulnerability Management Controls
By Sean Atkinson, Chief Information Security Officer
Asking the question, “Where are my gaps and have I been tested?”
Managing an infrastructure and its security posture requires an approach that focuses on what hardware and software exist within your environment and ensures that they are authorized. CIS Control 1 and CIS Control 2 focus on creating and maintaining an inventory of approved hardware and software, so you’ll want to revisit those recommendations if you’re just starting a security program.
Patching
It is at this point that we want to make sure that the approved and authorized infrastructure (including desktop computers, printers, routers/switches, and mobile devices) is secure. Over time, software and firmware versions become outdated and require patching as new vulnerabilities are identified. “Patching” simply means applying updates to software or firmware, typically to remediate security flaws.
Patching is a cyclical process and must be done consistently – if not, the organization’s exposure factor increases along with the risk of potential exploitation.
Applying CIS Control 3
To manage the risks presented by application vulnerabilities, implement CIS Control 3: Continuous Vulnerability Assessment and Remediation. Here are some helpful tips:
- Implement automated vulnerability scanning. Make sure to cover your entire infrastructure and use authenticated scanning where possible.
- When selecting a vulnerability scanner, require SCAP-validated software that assesses security configurations. For more on vulnerability scanners, check out Common Configuration Enumeration (CCE). Find an updated list of code vulnerabilities in Common Vulnerabilities and Exposures (CVE).
- Don’t simply scan; act on the assessment results the scan presents and remediate any vulnerabilities discovered. Remember, these are not just reports, they are actionable intelligence for improving your security posture.
- Ensure your vulnerability scanner stays up to date: to provide the most accurate results, it too will need updating so that it checks for the latest vulnerabilities.
- Compare your results over time: Develop a security baseline of assessment results to show that identified vulnerabilities are being remediated over time. This will ensure your business risk is understood, reported and accepted by the appropriate risk owner.
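The last tip, comparing results over time, comes down to diffing successive scan exports and tracking how long each open finding has stayed open. The following Python is an added example, not part of the original article or any CIS tool; the asset names, finding ids, severities and scan dates are constructed placeholders.

```python
from datetime import date

# Constructed sample findings (asset, finding id, severity); names and ids are placeholders.
A = ("web-01", "FINDING-A", "high")
B = ("web-01", "FINDING-B", "medium")
C = ("db-01", "FINDING-C", "critical")
D = ("db-01", "FINDING-D", "high")
SCANS = [
    (date(2024, 1, 1), {A, B, C}),   # baseline scan
    (date(2024, 2, 1), {B, C, D}),
    (date(2024, 3, 1), {C, A}),      # A was fixed in February and has regressed
]


def compare(baseline, current):
    """Diff two scans' finding sets."""
    return {
        "remediated": baseline - current,   # in the baseline, gone now
        "new": current - baseline,          # absent from the baseline, present now
        "persisting": baseline & current,   # open in both scans
    }


def trend(scans):
    """(scan date, remediated, new, total open) for each scan versus the previous one."""
    rows = []
    for (_, prev), (when, cur) in zip(scans, scans[1:]):
        d = compare(prev, cur)
        rows.append((when, len(d["remediated"]), len(d["new"]), len(cur)))
    return rows


def open_finding_ages(scans):
    """Days each finding in the latest scan has been continuously open."""
    latest_date, latest = scans[-1]
    ages = {}
    for finding in latest:
        first_seen = latest_date
        for when, found in reversed(scans):   # walk back while still present
            if finding not in found:
                break   # it was fixed before this point, so a regression restarts the clock
            first_seen = when
        ages[finding] = (latest_date - first_seen).days
    return ages


if __name__ == "__main__":
    for when, fixed, new, still_open in trend(SCANS):
        print(f"{when}: remediated={fixed} new={new} open={still_open}")
    print(open_finding_ages(SCANS))
```

Findings with the largest ages are the ones to bring to the risk owner for remediation or documented acceptance.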
Is this all I have to do to be secure?
Unfortunately, there is no silver bullet for cybersecurity. CIS Control 3 helps organizations define, enumerate, and remediate known vulnerabilities. Each of the CIS Controls will require time to implement and focused attention in order to have a greater chance of thwarting exposure, exploit, and compromise of your systems.
Learn more about SCAP in our blog post, Secure Configurations and the Power of SCAP.
Be sure to take advantage of tools and resources, such as CIS-CAT Pro (a SCAP-validated configuration assessment tool), to help your organization monitor its systems and network.