Understanding CIS Control 4

This week, we’re focusing on CIS Control 4: Continuous Vulnerability Assessment and Remediation. More specifically: “Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.” [1]

Cybercriminals routinely leverage vulnerabilities and misconfigurations in software, servers, printers, and devices to gain access to systems. According to the HP 2016 Cyber Risk Report, vulnerability exploits are one of the main vectors of attack. The number of vulnerabilities in the National Institute of Standards and Technology (NIST) vulnerability database currently numbers over 79,000. And unfortunately attackers have the same information about vulnerabilities as defenders, giving them the ability to quickly develop exploits based on known flaws. The size and complexity of today’s networks make vulnerability scanning challenging but essential.

“Vendors continue to produce security remediations; it does little good if they are not installed by the end user.”

Achieving Control 4

How can your organization successfully apply CIS Control 4? Here are the key steps:

  • Implement automated scanning tools against all systems on a weekly basis
  • Deploy automated patch management and software update tools
  • Routinely monitor event logs

There are many automated scanning tools and corporate services available on the market today to assist organizations with vulnerability management (including CIS-CAT Pro). Control 4 is essential, as organizations that don’t perform regular vulnerability scanning are much more likely to experience an attack. Some security standards, such as the Payment Card Industry Data Security Standard (PCI DSS), require organizations processing financial transactions to perform regular vulnerability scanning. Although no one solution will prevent all attacks, vulnerability assessment is a matter of foundational security practice.

Once you’ve identified any vulnerabilities or misconfigurations, patches (or updates) must be applied to all affected systems and devices. Where possible, automate patch management. Patching is often considered annoying – it can certainly be monotonous and unglamorous – but it’s one of the basic preventive hygiene practices that will significantly enhance your security posture.

Last but not least, you’ll want to routinely check system logs to verify that vulnerabilities have been addressed and to identify any scanning problems that might arise. By comparing logs over time, you can look for patterns and ensure that any scanning activity taking place is performed by authorized users. Since automated patching tools may not detect or install all patches, you can compare system logs against patches listed on vendor websites to ensure you’ve got the latest security updates.
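The three steps above (weekly automated scanning, automated patching, and routine log review) can be checked against each other with a small reconciliation script. The following is an added example, not code from CIS or from any scanning product: it parses a constructed scan log in a hypothetical "timestamp host account tool" format, flags scans run by accounts outside an approved set, finds inventory hosts whose last authorized scan is older than seven days, and compares each host's installed-patch record against a vendor's released-patch list. The log format, the account names, the host names and the patch identifiers (VEND-2016-00x) are all constructed placeholders.

```python
"""Reconcile scan logs and patch state against CIS Control 4 expectations.

Added example; the log format, hosts, accounts and patch IDs are constructed.
"""
from datetime import datetime, timedelta

# Constructed scan log: one line per scan run, "ISO-timestamp host account tool".
SCAN_LOG = """\
2016-06-01T02:00:00 web01 svc-scanner nessus
2016-06-01T02:05:00 db01 svc-scanner nessus
2016-06-08T02:00:00 web01 svc-scanner nessus
2016-06-10T14:32:11 db01 jdoe nmap
2016-06-15T02:00:00 web01 svc-scanner nessus
"""

# Hypothetical policy: which accounts may run scans, and how often a host must be scanned.
AUTHORIZED_SCAN_ACCOUNTS = {"svc-scanner"}
SCAN_INTERVAL = timedelta(days=7)

# Constructed asset inventory and the "now" used for the weekly check.
INVENTORY = ["web01", "db01", "app01"]
NOW = datetime(2016, 6, 20)

# Constructed patch state: what each host's patch log says is installed,
# versus what the (hypothetical) vendor advisory page lists as released.
INSTALLED = {
    "web01": ["VEND-2016-001", "VEND-2016-002", "VEND-2016-003"],
    "db01": ["VEND-2016-001"],
}
VENDOR_RELEASED = ["VEND-2016-001", "VEND-2016-002", "VEND-2016-003"]


def parse_scan_log(text):
    """Turn the whitespace-separated log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, tool = line.split()
        records.append({"time": datetime.fromisoformat(ts), "host": host,
                        "account": account, "tool": tool})
    return records


def unauthorized_scans(records):
    """Scan runs by accounts outside the approved set: the 'authorized users' check."""
    return [r for r in records if r["account"] not in AUTHORIZED_SCAN_ACCOUNTS]


def scan_coverage_gaps(records, inventory, now):
    """Hosts never scanned, or whose last *authorized* scan is older than SCAN_INTERVAL.

    Returns {host: last_authorized_scan_time_or_None}.
    """
    last_seen = {}
    for r in records:
        if r["account"] in AUTHORIZED_SCAN_ACCOUNTS:
            prev = last_seen.get(r["host"])
            last_seen[r["host"]] = r["time"] if prev is None else max(prev, r["time"])
    gaps = {}
    for host in inventory:
        last = last_seen.get(host)
        if last is None or now - last > SCAN_INTERVAL:
            gaps[host] = last
    return gaps


def missing_patches(installed, vendor_released):
    """Released patch IDs absent from a host's installed-patch record, per host."""
    released = set(vendor_released)
    result = {}
    for host, ids in installed.items():
        missing = sorted(released - set(ids))
        if missing:
            result[host] = missing
    return result


def control4_report(log_text=SCAN_LOG, inventory=INVENTORY, now=NOW,
                    installed=INSTALLED, vendor_released=VENDOR_RELEASED):
    """Combine the three checks into one structure suitable for a weekly review."""
    records = parse_scan_log(log_text)
    return {
        "unauthorized_scans": unauthorized_scans(records),
        "coverage_gaps": scan_coverage_gaps(records, inventory, now),
        "missing_patches": missing_patches(installed, vendor_released),
    }


if __name__ == "__main__":
    report = control4_report()
    for r in report["unauthorized_scans"]:
        print(f"UNAUTHORIZED SCAN: {r['account']} ran {r['tool']} against {r['host']} at {r['time']}")
    for host, last in report["coverage_gaps"].items():
        print(f"COVERAGE GAP: {host} last authorized scan: {last or 'never'}")
    for host, ids in report["missing_patches"].items():
        print(f"MISSING PATCHES on {host}: {', '.join(ids)}")
```

On the constructed data the script reports the nmap run by jdoe as unauthorized, db01 and app01 as outside the weekly window (app01 was never scanned, and db01's only authorized scan is nearly three weeks old), and two released patches absent from db01. In practice the log parser and the installed-patch source would be swapped for your scanner's export and your patch tool's inventory; the comparison logic stays the same.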

[1] CIS Critical Security Controls for Effective Cyber Defense, Version 6.1