CIS Control 07: Continuous Vulnerability Management

4 years ago Tyler Reguly

When it comes to cybersecurity, vulnerability management is one of the older technologies that still plays a critical role in securing our assets. It is often overlooked, disregarded, or treated as a checkbox compliance exercise, but a proper vulnerability management program can play a critical role in avoiding a serious data breach. CIS Control 07 provides the minimum requirements, table stakes if you will, for establishing a successful vulnerability management program.

Key Takeaways for Control 7

At the core of CIS Control 7 is a reliance on known standards: terms from organizations like NIST and MITRE that those of us in the cybersecurity space have heard for years. CVE, CVSS, OVAL, SCAP, and more are keywords found throughout this document. While those terms appear frequently, it is important to note that they are not the be-all and end-all of a vulnerability management program. The controls document notes that some systems, like CVSS, must be augmented by additional data (such as threat intelligence about whether a vulnerability is actually being exploited). This is an important point to consider when planning continuous vulnerability management.

The biggest takeaway from Control 7 is that a vulnerability that has been patched cannot be exploited. This is why the process is critical, and why it becomes a continuous cycle:

  • Discover vulnerabilities
  • Prioritize vulnerabilities
  • Resolve vulnerabilities
  • Repeat

This control also serves as a useful reminder of what vulnerability management is not. It should not be a reactive process for 0-day vulnerabilities; other controls help you mitigate those. Instead, this control is focused on reducing the known risk in your environment, something that many organizations forget.

Safeguards for Control 7

1. Establish and Maintain a Vulnerability Management Process

Description: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this safeguard is Protect. The documentation should describe the process from start to finish, with particular attention to the fact that the process is cyclical. Vulnerability management is not a one-and-done process, nor is it a set-it-and-forget-it process. Much like a bodybuilder who visits the gym daily, it is about sets and reps and finding the mix that produces results for you.

2. Establish and Maintain a Remediation Process

Description: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.

Notes: The security function associated with this safeguard is Respond. The remediation process is a subset of your vulnerability management process, focused on how you will actually fix the vulnerabilities that are discovered. This is where it is critical to develop a prioritization system that works for your organization and considers all external data that could influence the organization's risk.
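The discover, prioritize, resolve, repeat cycle above and the risk-based remediation strategy in this safeguard both hinge on a prioritization that goes beyond the raw CVSS score. The following is an added example, not code from the Tripwire post or from CIS, of what that augmentation can look like: each scanner finding gets a CVSS base score plus context (is the asset internet-exposed, is exploitation known), a priority tier, and an SLA-derived due date, and a monthly review ranks the open findings and flags anything past its deadline. The score weights, the SLA values, the sample findings and their placeholder IDs are all constructed assumptions; set them from your own remediation process.

```python
"""Risk-based prioritization of scanner findings with remediation SLAs.

Added example, not from the Tripwire post or from CIS. It augments the
CVSS base score with context the post says CVSS alone lacks: whether the
asset is externally exposed and whether exploitation is known. Weights,
SLA values and sample findings are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Finding:
    host: str
    finding_id: str
    cvss: float       # CVSS base score, 0.0 to 10.0
    exposed: bool     # asset reachable from the internet
    exploited: bool   # exploitation known in the wild (e.g. threat intel)
    found: date       # date the scanner first reported it


# Remediation SLAs per priority tier (assumed values, in days).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


def risk_score(f: Finding) -> float:
    """CVSS base score plus assumed bumps for exposure and exploitation.

    Two findings with the same CVSS score should not share a priority if one
    is internet-facing and actively exploited and the other is neither.
    """
    score = f.cvss
    if f.exposed:
        score += 2.0
    if f.exploited:
        score += 3.0
    return score


def priority(f: Finding) -> str:
    """Map the augmented score onto tiers; known exploitation is always P1."""
    s = risk_score(f)
    if f.exploited or s >= 11.0:
        return "P1"
    if s >= 7.0:
        return "P2"
    return "P3"


def due_date(f: Finding) -> date:
    """Remediation deadline derived from discovery date and tier SLA."""
    return f.found + timedelta(days=SLA_DAYS[priority(f)])


def review(findings, today: date) -> list:
    """Monthly review: rank by risk and flag anything past its SLA."""
    rows = []
    for f in sorted(findings, key=risk_score, reverse=True):
        due = due_date(f)
        rows.append({
            "host": f.host,
            "id": f.finding_id,
            "priority": priority(f),
            "due": due.isoformat(),
            "overdue": due < today,
        })
    return rows


# Constructed sample findings; the IDs are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("web-01", "EXAMPLE-1", 7.5, True, True, date(2024, 1, 2)),
    Finding("db-01", "EXAMPLE-2", 9.8, False, False, date(2024, 1, 2)),
    Finding("web-02", "EXAMPLE-3", 4.3, True, False, date(2024, 1, 2)),
    Finding("app-07", "EXAMPLE-4", 5.0, False, True, date(2024, 1, 20)),
]

TODAY = date(2024, 2, 1)   # assumed date of the monthly review


def example_review() -> list:
    """Run the review over the constructed sample set."""
    return review(SAMPLE_FINDINGS, TODAY)


if __name__ == "__main__":
    for row in example_review():
        print(row)
```

Note what the ranking does to the sample: the CVSS 9.8 finding on an internal database is outranked by a CVSS 7.5 finding that is internet-facing and known to be exploited, and a CVSS 5.0 finding with known exploitation lands in P1 ahead of a higher-scored but unexploited one. That reordering is the "additional data" the controls document asks for.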

3. Perform Automated Operating System Patch Management

Description: Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

Notes: The security function associated with this safeguard is Protect. It is important that the controls call out patch management as a subset of vulnerability management. The two are often treated as one and the same, but they are not. Patch management is about deploying patches, which may or may not resolve vulnerabilities; vulnerability management is about ultimately resolving those vulnerabilities and reducing your overall risk. Security patches often require post-patch configuration, something patch management software often neglects, and your continuous vulnerability management program should identify those missed configuration steps.
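The distinction in the note above, that a deployed patch is not the same as a resolved vulnerability, is easiest to see in a check that refuses to mark a finding remediated until both the fixed version is installed and the configuration the advisory calls for is in place. The following is an added example, not code from the Tripwire post or from any vendor; the package name, version numbers, configuration key and host inventory are constructed for illustration, and the real post-patch steps for a given fix come from that fix's advisory. It also handles a failure mode that produces false "patched" verdicts in practice: comparing version strings lexically instead of numerically.

```python
"""Is a finding actually remediated? A patch being installed is not enough.

Added example, not from the Tripwire post. The package name, version
numbers and configuration key are constructed for illustration. A host is
reported as remediated only when the fixed version is installed AND the
configuration the advisory requires is set.
"""
from typing import NamedTuple


def parse_version(v: str) -> tuple:
    """'2.4.10' -> (2, 4, 10), so that 2.4.10 compares greater than 2.4.9.

    A plain string comparison gets this wrong ('2.4.10' < '2.4.9' is True),
    which is a common source of false "patched" verdicts.
    """
    return tuple(int(part) for part in v.split("."))


class PatchCheck(NamedTuple):
    package: str
    fixed_version: str       # first version containing the fix
    required_config: dict    # settings the advisory says must also be set


def remediation_status(check: PatchCheck, installed: dict, config: dict) -> str:
    """Classify one host as not-installed, unpatched,
    patched-misconfigured or remediated."""
    current = installed.get(check.package)
    if current is None:
        return "not-installed"               # package absent: not affected
    if parse_version(current) < parse_version(check.fixed_version):
        return "unpatched"                   # patch management has not caught up
    for key, wanted in check.required_config.items():
        if config.get(key) != wanted:
            return "patched-misconfigured"   # patch applied, advisory step missed
    return "remediated"


# Constructed check and host inventory (hypothetical package and setting).
CHECK = PatchCheck(
    package="examplelib",
    fixed_version="2.4.10",
    required_config={"examplelib.legacy_protocol": "disabled"},
)

# host -> (installed packages, effective configuration); all constructed
SAMPLE_HOSTS = {
    "app-01": ({"examplelib": "2.4.9"},  {"examplelib.legacy_protocol": "enabled"}),
    "app-02": ({"examplelib": "2.4.10"}, {"examplelib.legacy_protocol": "enabled"}),
    "app-03": ({"examplelib": "2.4.12"}, {"examplelib.legacy_protocol": "disabled"}),
    "app-04": ({"otherlib": "1.0.0"},    {}),
}


def assess_fleet(hosts: dict, check: PatchCheck = CHECK) -> dict:
    """Return host -> remediation status for the whole inventory."""
    return {
        name: remediation_status(check, installed, config)
        for name, (installed, config) in hosts.items()
    }


if __name__ == "__main__":
    for host, status in assess_fleet(SAMPLE_HOSTS).items():
        print(f"{host}: {status}")
```

In the constructed inventory, app-02 is exactly the case the note describes: patch management reports success because the fixed version is present, but the vulnerability remains open until the legacy setting is turned off, and only the vulnerability management check says so.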

4. Perform Automated Application Patch Management

Description: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

Notes: The security function associated with this safeguard is Protect. This should be considered identical to Safeguard 3, with the added consideration that the attack surface of your applications is often far larger than that of the OS, simply because of the number of applications installed on some systems.

5. Perform Automated Vulnerability Scans of Internal Enterprise Assets

Description: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.

Notes: The security function associated with this safeguard is Identify. This is one of the places where CIS veers the wrong way. While standards are good, "SCAP-compliant" says nothing about the value of a scanning tool, only that it adheres to specific standards. When selecting a scanning tool, consider depth and breadth of coverage along with both false positive and false negative rates. Also understand how frequently updates to the tool's coverage are released.

6. Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

Description: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.

Notes: The security function associated with this safeguard is Identify. A good general rule to reduce complexity and ensure adoption is to use the same tool for scanning your internal and externally-exposed assets.

7. Remediate Detected Vulnerabilities

Description: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.

Notes: The security function associated with this safeguard is Respond. Remediation is the key step in the process; it is ultimately what reduces your risk, whether by patching or by other means. If you skip the remediation step or fail to properly prioritize your results, you put your entire environment at risk. A continuous vulnerability management process can easily become a house of cards, and staying on top of remediation is what gives that fragile structure stability.


Read more about the 18 CIS Controls here:

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

CIS Control 5: Account Management

CIS Control 6: Access Control Management

CIS Control 7: Continuous Vulnerability Management

The post "CIS Control 07: Continuous Vulnerability Management" appeared first on TripWire.

Source: TripWire – Tyler Reguly
