CIS Control 7: Continuous Vulnerability Management

The Center for Internet Security (CIS) provides Critical Security Controls to help organizations improve cybersecurity. Control 7 addresses continuous vulnerability management (this topic was previously covered under CIS Control 3).

Continuous vulnerability management is the process of identifying, prioritizing, documenting and remediating weak points in an IT environment. Vulnerability management must be continual because sensitive data is growing at an unprecedented rate and attacks are increasing in both frequency and sophistication.

This control outlines 7 best practices that can help organizations minimize risks to their critical IT resources.

7.1. Establish and maintain a vulnerability management process.

The first protection measure recommends that organizations create a continuous vulnerability management process and revise it annually or "when significant enterprise changes occur that could impact this Safeguard."

A continuous vulnerability management process should consist of 4 components:

• Identification. Organizations need to identify all their proprietary code, third-party applications, sensitive data, open source components and other digital assets, and then identify their weaknesses. Assessment tools and scanners can help with this process, which should be repeated as seldom as once a week or as often as multiple times per day, depending on the organization's risk tolerance, the complexity of the IT environment and other factors.
• Evaluation. All vulnerabilities discovered should be evaluated and prioritized. Common metrics for continuous vulnerability assessment include NIST's Common Vulnerability Severity Score (CVSS), ease of exploitation by a threat actor, difficulty of resolution, financial impact of exploitation, and related regulatory requirements or industry standards.
• Remediation. Next, the organization needs to patch or otherwise address the weaknesses according to their priority. Remediation is often managed through a combination of automatic updates from vendors, patch management solutions and manual techniques.
• Reporting. It's important to document all vulnerabilities that are identified, the results of the evaluation, and progress toward remediation, along with any costs involved. Proper reporting will streamline future remediation efforts, simplify presentations to executives and facilitate compliance.

7.2. Establish and maintain a remediation process.

Once a vulnerability management process has been put in place, a remediation process must be established to specify the organization's response when they identify a need to address. Sub-control 7.2 is designed to help organizations prioritize and sequence their IT processes, with the CIS describing its purpose as being to:

"Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews."

Remediation process incorporates a suite of tools to resolve vulnerabilities once they have been targeted. The most-used remediation tactics include automated or manual patches. A company's remediation process may also include risk-based vulnerability management (RBVM) software to help companies triage the potential threats they face, as well as advanced data science algorithms and predictive analytics software to stop threats before they are exposed.

7.3. Perform automated operating system patch management.

Operating systems are foundational software, and vendors frequently release patches that address important vulnerabilities. To ensure that critical updates are applied in a timely manner, organizations should implement an automated system that applies them at least monthly.

More broadly, a comprehensive patch management framework is required to have the following capabilities:

• Information gathering. By periodically scanning devices, organizations can identify which ones need an update and can deploy their patches sooner. Some automated patch management software also collects hardware and user details to provide a clearer picture of endpoint status.
• Patch download. Downloading a patch is a relatively straightforward process. The difficulty comes in when a large number of devices need different updates or the organization relies on many different operating systems. Automated patch management software should be able to handle both of these situations smoothly.
• Package creation. A package consists of all the components needed to apply a patch. Automated patch management software should be able to create packages of different levels of complexity and with many different kinds of components.
• Patch distribution. To avoid frustrating users and disrupting business processes, patch management software should be able to be programmed to launch at certain times and run in the background.
• Once a patch has been applied, organizations should gather intel on which devices have been upgraded and which updates were used. Automated patch management software should generate automatic reports so that IT teams can plan which steps to take next.

7.4. Perform automated application patch management.

Like operating systems, many applications and platforms need to be kept up to date on patches, which should be applied at least monthly. Often the same solution can be used to implement patching for both operating systems and applications.

7.5. Perform automated vulnerability scans of internal enterprise assets.

Organizations should scan their IT assets for vulnerabilities at least quarterly. CIS recommends automating the process using a SCAP-compliant vulnerability scanning tool. (SCAP provides standards for scanners and vulnerability remediation tools.)

Types of scans include:

• Network-based scans, which identify vulnerabilities in wired or wireless networks. This is done by locating unauthorized devices and servers, and by examining connections to business partners to ensure their systems and services are secure.
• Host-based scans, which evaluate endpoints like hosts, servers and workstations. These scans also examine system configurations and recent patch history to find vulnerabilities.
• Application scans, which ensure that software tools are correctly configured and up to date.
• Wireless scans, which identify rogue access points and ensure proper configuration.
• Database scans, which evaluate databases.

Vulnerability scans can be either authenticated and unauthenticated. Authenticated scans enable testers to log in and look for weaknesses as authorized users. Unauthenticated scans let testers pose as intruders attempting to breach their own network, helping them discover vulnerabilities that an attacker would find. Both are useful and should be implemented as part of a continuous vulnerability management strategy.

7.6. Perform automated vulnerability scans of externally-exposed enterprise assets.

Organizations should pay particular attention to finding vulnerabilities in sensitive data and other assets that are exposed to external users, such as through the internet. CIS recommends scanning for vulnerabilities in externally exposed assets at least monthly (as opposed to quarterly for internal assets). However, in both cases, a SCAP-compliant, automated vulnerability scanning tool should be used.

Some organizations have more externally exposed digital assets than they are aware of. Be sure your scans cover all of the following:

• Devices
• Trade secrets
• Security codes
• IoT sensors
• Remote operating equipment
• Presentations
• Client information
• Remote work routers

7.7. Remediate detected vulnerabilities.

Control 7.2 details how to establish and maintain a process for remediating vulnerabilities. It recommends performing remediation at least monthly.

How Netwrix can help

Implementing a continuous vulnerability assessment and remediation process can be a challenge. Organizations often discover a huge number of vulnerabilities and struggle to remediate them in a timely manner.

Netwrix Change Tracker can help. It can:

• Help you harden your critical systems with customizable build templates from multiple standards bodies, including CIS, DISA STIG and SCAP/OVAL.
• Verify that your critical system files are authentic by tracking all modifications to them and making it easy to review a complete history of all changes.
• Monitor for changes to system configuration and immediately alert you to any unplanned modifications.
• Reduce the time and effort spent on compliance reporting with 250+ CIS certified reports covering NIST, PCI DSS, CMMC, STIG and NERC CIP.

FAQ

What is continuous vulnerability scanning?

It is the process of constantly looking for classifying security weaknesses in systems and software, including known flaws, coding bugs and misconfigurations that could be exploited by attackers.

What does the vulnerability management process involve?

A continuous vulnerability management process should consist of four components:

• Identify all IT assets and scan them for vulnerabilities.
• Prioritize discovered vulnerabilities based on factors such as the likelihood and cost of exploitation.
• Patch or fix the detected weaknesses.
• Document the vulnerabilities you identify, the evaluation results and the progress toward remediation, as well as any costs involved.