CIS Control 3: Continuous Vulnerability Control Management


By Bill Minahan   |   January 26, 2021   |   0 Comments


What is CIS Control 3?

The CIS controls are a set of actions that protect your organization from the most pervasive cyber attacks. There are 20 total critical controls that prioritize the most essential actions your organization can take in order to gain the highest pay-off results.

CIS Control 3 focuses on the need to continuously acquire, assess, and act on new information in order to identify new vulnerabilities, remediate, and minimize the opportunity for attackers.

Organizations operate in a constant stream of new security information: evolving threats, software updates, patches, security advisories, etc.

Essentially, CIS Control 3 calls for you to continuously understand and manage vulnerabilities.

The control consists of 8 different sections relating to vulnerability awareness and management.

Why is this CIS Control Critical?

The CIS Controls are based on actionable guidance from today’s biggest threats, formed by the consensus of the world’s leading experts across a variety of sectors.

Understanding and managing vulnerabilities at a constant rate requires time, attention, and resources. In most cases, attackers have access to the same information and can take advantage of gaps between the appearance of new knowledge and remediation.

For instance, researchers reporting on new vulnerabilities can set off a race between multiple parties: attackers (trying to weaponize and exploit the vulnerability), vendors (trying to deploy patches and updates to protect users), and defenders (trying to assess risk and protect their systems).

Organizations that do not scan for vulnerabilities or proactively address discovered vulnerabilities increase the likelihood of exploits and attacks.

How to Implement CIS Control 3

Each sub-control is listed below with its asset type, security function, control title, and control description.

Sub-Control 3.1 | Asset Type: Applications | Security Function: Detect
Control Title: Run Automated Vulnerability Scanning Tools
Control Description: Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization’s systems.

Sub-Control 3.2 | Asset Type: Applications | Security Function: Detect
Control Title: Perform Authenticated Vulnerability Scanning
Control Description: Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

Sub-Control 3.3 | Asset Type: Applications | Security Function: Protect
Control Title: Protect Dedicated Assessment Accounts
Control Description: Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.

Sub-Control 3.4 | Asset Type: Applications | Security Function: Protect
Control Title: Deploy Automated Operating System Patch Management Tools
Control Description: Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

Sub-Control 3.5 | Asset Type: Applications | Security Function: Protect
Control Title: Deploy Automated Software Patch Management Tools
Control Description: Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

Sub-Control 3.6 | Asset Type: Applications | Security Function: Respond
Control Title: Compare Back-to-Back Vulnerability Scans
Control Description: Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.

Sub-Control 3.7 | Asset Type: Applications | Security Function: Respond
Control Title: Utilize a Risk-Rating Process
Control Description: Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
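As an added illustration of sub-controls 3.6 and 3.7 (example code written for this page, not from the original post or from CIS), the following Python compares two consecutive scan result sets to separate remediated, new and persisting findings, then applies a simple severity-based risk rating to flag persisting findings that have exceeded their remediation deadline. The hostnames, vulnerability identifiers, dates and SLA values are constructed placeholders, not real scan output.

```python
"""Compare back-to-back vulnerability scans (sub-control 3.6) and apply a
risk-rating process to what remains open (sub-control 3.7)."""
from datetime import date

# Constructed sample findings as (host, vulnerability id, severity).
# The ids are placeholders, not real CVEs or scanner plugin ids.
PREVIOUS_SCAN = {
    ("web-01", "VULN-0001", "critical"),
    ("web-01", "VULN-0002", "medium"),
    ("db-01", "VULN-0003", "high"),
    ("db-01", "VULN-0004", "low"),
}
CURRENT_SCAN = {
    ("web-01", "VULN-0002", "medium"),   # still present
    ("db-01", "VULN-0003", "high"),      # still present
    ("db-01", "VULN-0005", "critical"),  # new since the last scan
}

# Constructed first-seen dates for the persisting findings, and the
# date of the current scan.
FIRST_SEEN = {
    ("web-01", "VULN-0002"): date(2021, 1, 1),
    ("db-01", "VULN-0003"): date(2021, 1, 5),
}
TODAY = date(2021, 1, 26)

# Assumed remediation policy: maximum days open, by severity.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def diff_scans(previous, current):
    """Split findings into remediated, new and persisting sets (3.6)."""
    return {
        "remediated": previous - current,   # in the old scan, gone now
        "new": current - previous,          # appeared in this cycle
        "persisting": previous & current,   # open in both scans
    }


def overdue(persisting, first_seen, today):
    """Return (finding, days_open) pairs whose age exceeds the SLA for
    their severity, highest severity and oldest first (3.7)."""
    late = []
    for host, vuln_id, severity in persisting:
        days_open = (today - first_seen[(host, vuln_id)]).days
        if days_open > SLA_DAYS[severity]:
            late.append(((host, vuln_id, severity), days_open))
    return sorted(late, key=lambda item: (SEVERITY_RANK[item[0][2]], -item[1]))
```

Run against real scanner exports, the same two functions would take the parsed finding tuples from each report in place of the constructed sets above.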

 

Implementing CIS Controls

If your team is struggling to implement CIS Control 3 and could use the assistance of a third-party security provider, aNetworks is here to help. Our team of experts can assist with whatever level of service you require from consulting to complete implementation.

If you are interested, then please contact us below.


If you are looking for more resources, then please check out our resource center.

Finally, you can always find us on Twitter, LinkedIn, and Facebook.

