The next control in the series Breaking Down The Critical Security Controls is control number 4, Continuous Vulnerability Assessment and Remediation. These controls are listed in an order of importance as agreed upon by the CIS. If you have followed and worked on controls one through three, you have a good inventory of hardware and software with consistent configurations laid out.
After you get situated it’s time for you to monitor and assess your environment for vulnerabilities. Where most companies struggle with this control is the continuous part. Scanning your environment once or twice a year is no longer sufficient, especially for those systems that have connectivity to the Internet. New vulnerabilities are disclosed almost daily, from software bugs to zero-day critical issues. Only through a continuous vulnerability program can you stay on top of the holes in your environment.
Here’s what the control says –
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
This control is not easy to manage. Your vulnerability program will require additional investments in software tools, personnel, perhaps external services and time. Lots and lots of time. Scanning and reading the report is not sufficient. Companies have teams of people that are 100% dedicated to vulnerability management and remediation. A part-time focus will result in part-time results.
The first step toward creating a vulnerability management program is to assess and create an internal capability matrix. What can you do? Where do your skills lie? What tools do you have and what do they look at? As with any security policy or program, never create one unless you can remediate and actually do what your policies and procedures say.
Cross-department cooperation will also be necessary because chances are the team responsible for identifying, classifying and validating vulnerabilities will not be the one that implements the security improvements. The impact areas will vary from workstations to databases and servers. Those administrators will be putting in patches, re-configuring settings or changing the network. The security team needs to provide guidance and governance to those teams, create a risk rating system, identify highly sensitive areas and strive to scan as often as possible.
However, in order to be efficient in this control there needs to be a continuous process to scan as often as you can using the most current information available. You may be able to get away with doing scans monthly, but I also know companies that scan almost daily. The frequency is determined by the ability of your team to do the scan, remediate the findings and repeat that process. The point of putting a high focus on vulnerability scanning is that once a year is no longer sufficient.
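One way to turn the risk rating system and scan-remediate-repeat cadence described above into something a team can run against each scan, as an added example that is not from the original post: the tier thresholds, SLA days, hostnames and findings are all assumed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Remediation deadline (days) per risk tier: an assumed policy for illustration.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    host: str
    title: str
    cvss: float          # base score reported by the scanner (0.0-10.0)
    internet_facing: bool
    sensitivity: str     # "high", "medium" or "low" asset classification
    first_seen: date     # date of the first scan that reported it

def risk_tier(f: Finding) -> str:
    """Combine scanner severity with exposure and asset sensitivity."""
    score = f.cvss
    if f.internet_facing:
        score += 2.0      # reachable by the scanning bots the post describes
    if f.sensitivity == "high":
        score += 1.5
    elif f.sensitivity == "low":
        score -= 1.0
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

def days_overdue(f: Finding, today: date) -> int:
    """Positive when the finding has exceeded its tier's SLA, else <= 0."""
    return (today - f.first_seen).days - SLA_DAYS[risk_tier(f)]

def triage(findings, today):
    """Rows of (host, title, tier, days_overdue), most urgent first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    rows = [(f.host, f.title, risk_tier(f), days_overdue(f, today)) for f in findings]
    return sorted(rows, key=lambda r: (order[r[2]], -r[3]))

# Constructed sample scan output (hypothetical hosts and findings).
SAMPLE = [
    Finding("web-01", "Outdated TLS library", 7.5, True, "medium", date(2024, 1, 1)),
    Finding("db-02", "Default admin password", 9.8, False, "high", date(2024, 1, 20)),
    Finding("ws-17", "Missing browser patch", 6.1, False, "low", date(2024, 1, 25)),
]
TODAY = date(2024, 2, 1)   # report date for the sample run
if __name__ == "__main__":
    for row in triage(SAMPLE, TODAY):
        print(row)
```

Feeding each new scan export into `triage` and tracking how many rows stay overdue between runs gives the team a direct measure of whether its scan frequency matches its remediation capacity.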
How It Could Be Exploited
Vulnerability exploitation is one of the primary, if not the primary, means of spreading malware, infiltrating systems and stealing data. Millions of bots exist out on the Internet that do nothing but scan for known vulnerabilities. If one is found, payloads are delivered or hacking attempts begin in order to take over the system. This is why, as a security team leader, regular visibility into the current state of the environment, knowing what’s in it, what’s running in it and being consistent in how those are configured, is vital to ensure that all the known vulnerabilities are identified and remediated in a timely manner.
The vulnerability may not be a security bug or something that can be patched either. It can be as simple as using the default username and password for administrator accounts for commonly used systems like JBOSS, Apache, networking devices, etc… An oversight in configurations, see CSC 3, can make your environment vulnerable.
With the vast diversity of systems, software, configurations and scale, this CSC cannot be done without the right tools and/or services with those tools to thoroughly scan everything properly. That’s the cost of doing business and having an effective information security program.
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.