By Bill Minahan | January 26, 2021
The CIS controls are a set of actions that protect your organization from the most pervasive cyber attacks. There are 20 total critical controls that prioritize the most essential actions your organization can take in order to gain the highest pay-off results.
CIS Control 3 focuses on the need to continuously acquire, assess, and act on new information in order to identify new vulnerabilities, remediate, and minimize the opportunity for attackers.
Organizations operate in a constant stream of new security information: evolving threats, software updates, patches, security advisories, etc.
Essentially, CIS Control 3 calls for you to continuously understand and manage vulnerabilities.
The control consists of 8 different sections relating to vulnerability awareness and management.
The CIS Controls are based on actionable guidance from today’s biggest threats, formed by the consensus of the world’s leading experts across a variety of sectors.
Understanding and managing vulnerabilities at a constant rate requires time, attention, and resources. In most cases, attackers have access to the same information and can take advantage of gaps between the appearance of new knowledge and remediation.
For instance, researchers reporting on new vulnerabilities can cause a race between multiple parties: attackers (trying to weaponize and exploit the vulnerability), vendors (trying to deploy patches and updates to protect users), and defenders (trying to assess risk and protect their systems).
Organizations that do not scan for vulnerabilities or proactively address discovered vulnerabilities increase the likelihood of exploits and attacks.
Sub-Control | Asset Type | Security Function | Control Title | Control Description |
3.1 | Applications | Detect | Run Automated Vulnerability Scanning Tools | Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization’s systems. |
3.2 | Applications | Detect | Perform Authenticated Vulnerability Scanning | Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested. |
3.3 | Applications | Protect | Protect Dedicated Assessment Accounts | Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses. |
3.4 | Applications | Protect | Deploy Automated Operating System Patch Management Tools | Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor. |
3.5 | Applications | Protect | Deploy Automated Software Patch Management Tools | Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. |
3.6 | Applications | Respond | Compare Back-to-Back Vulnerability Scans | Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner. |
3.7 | Applications | Respond | Utilize a Risk-Rating Process | Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities. |
If your team is struggling to implement CIS Control 3 and could use the assistance of a third-party security provider, aNetworks is here to help. Our team of experts can assist with whatever level of service you require from consulting to complete implementation.
If you are interested, then please contact us below.
If you are looking for more resources, then please check out our resource center.
Finally, you can always find us on Twitter, LinkedIn, and Facebook.