I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
This control includes seven (7) sub-controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, two (2) of them are IG1 and, because the groups are cumulative, all seven (7) apply at IG2 (and IG3). This means that, at a minimum, we want to:
- Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
- Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Generally, the commercial tools have the best user interface and consoles for managing the data and creating reports. Largely, all the commercial and open-source tools listed here pull from the same underlying data, namely MITRE's CVE list and the NIST National Vulnerability Database (NVD) built on top of it; what differs is how well the product maps that data onto your inventory and presents it. If you are comfortable working in the command line, as well as creating your own graphics and reports to supplement those provided by the open-source tools, you can implement the first half of this control (identification) with "free" tools.
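To make the "same data sources" point concrete, here is the core operation every scanner in the table performs: match an inventory of installed software (as CPE 2.3 names) against CVE records and rank the hits by CVSS score. This is an added example, not code from the original post or from any of the listed products. The feed is a hand-constructed, abbreviated sample in the shape of the NVD JSON 1.1 feed (the CVE IDs are real, but the records and scores are illustrative; consult nvd.nist.gov for the authoritative entries), and the inventory hosts and versions are made up.

```python
"""Match a software inventory against NVD-style CVE records (added example)."""
import re

# Constructed feed in the shape of the NVD JSON 1.1 feed, trimmed to the fields the
# matcher reads. The CVE IDs are real, but the records are hand-written
# abbreviations and the scores illustrative: nvd.nist.gov has the real entries.
SAMPLE_FEED = {"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-2018-15473"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True, "versionEndIncluding": "7.7",
          "cpe23Uri": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 5.3}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2014-0160"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True, "versionStartIncluding": "1.0.1",
          "versionEndIncluding": "1.0.1f",
          "cpe23Uri": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.5}}}},
]}

# Constructed inventory: (host, CPE 2.3 name of an installed package); the
# addresses and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("10.0.0.5", "cpe:2.3:a:openbsd:openssh:7.4:*:*:*:*:*:*:*"),
    ("10.0.0.5", "cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*"),
    ("10.0.0.9", "cpe:2.3:a:openbsd:openssh:8.0:*:*:*:*:*:*:*"),
    ("10.0.0.9", "cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*"),
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def cpe_fields(cpe):
    """Split a CPE 2.3 name into (part, vendor, product, version).
    Assumes no escaped colons in the name, which holds for the sample."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 name: %r" % cpe)
    return parts[2], parts[3], parts[4], parts[5]


def version_key(version):
    """Comparable form of a dotted version: digits compare numerically, letter
    runs lexically, and a prefix sorts first (so 1.0.1 < 1.0.1f < 1.0.2)."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in _TOKEN.findall(version))


def in_range(version, entry):
    """Apply the versionStart*/versionEnd* bounds of an NVD cpe_match entry."""
    v = version_key(version)
    lo_inc, lo_exc = entry.get("versionStartIncluding"), entry.get("versionStartExcluding")
    hi_inc, hi_exc = entry.get("versionEndIncluding"), entry.get("versionEndExcluding")
    if lo_inc is not None and v < version_key(lo_inc):
        return False
    if lo_exc is not None and v <= version_key(lo_exc):
        return False
    if hi_inc is not None and v > version_key(hi_inc):
        return False
    if hi_exc is not None and v >= version_key(hi_exc):
        return False
    return True


def entry_matches(installed_cpe, entry):
    """True if one cpe_match entry covers the installed package."""
    if not entry.get("vulnerable", False):
        return False
    part, vendor, product, version = cpe_fields(installed_cpe)
    e_part, e_vendor, e_product, e_version = cpe_fields(entry["cpe23Uri"])
    if (part, vendor, product) != (e_part, e_vendor, e_product):
        return False
    if e_version == "*":          # wildcard version: the range bounds decide
        return in_range(version, entry)
    return version_key(version) == version_key(e_version)


def affected_by(installed_cpe, cve_item):
    """True if any configuration node of the record matches. Assumes flat OR nodes
    as in the sample; real feeds also carry AND nodes (platform plus application),
    which this deliberately ignores."""
    return any(entry_matches(installed_cpe, entry)
               for node in cve_item["configurations"]["nodes"]
               for entry in node.get("cpe_match", []))


def cvss_score(cve_item):
    v3 = cve_item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3", {})
    return float(v3.get("baseScore", 0.0))


def find_vulnerabilities(inventory, feed):
    """Return [(score, cve_id, host, cpe)] with the highest score first: the
    patch-priority list a commercial console would chart for you."""
    findings = [(cvss_score(item), item["cve"]["CVE_data_meta"]["ID"], host, cpe)
                for host, cpe in inventory
                for item in feed["CVE_Items"] if affected_by(cpe, item)]
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


if __name__ == "__main__":
    for score, cve_id, host, cpe in find_vulnerabilities(SAMPLE_INVENTORY, SAMPLE_FEED):
        print("%4.1f  %-15s %-10s %s" % (score, cve_id, host, cpe))
```

Against the sample data this flags OpenSSH 7.4 and OpenSSL 1.0.1f on 10.0.0.5 and nothing on 10.0.0.9. The version comparison is the part that breaks in practice (distribution backports keep the upstream version string while patching the bug, and "1.0.1f" style suffixes need the mixed numeric/alpha handling above), which is exactly where the commercial products earn their money.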
As far as deploying patches is concerned, the commercial tools tend to win out on the user interface side again. You can certainly lean on the local software updater on each system, and apply patches to network devices by hand, but at any real scale this is time consuming and error prone, and a missed host is a host the scanner keeps reporting. Money is well spent when it comes to patch identification and application.
```bash
# nmap uses the -sC flag to request a script scan with the "default" script
# category (equivalent to --script=default). Those same scripts also run as
# part of -A, which adds OS detection, version detection and traceroute.
# Add -oX <file> to keep machine-readable output you can build reports from.
nmap -sC 192.168.0.0/16

# Alternatively, you can run specific scripts (or categories) using the
# --script flag (note the two (2) dashes). This is useful when there is a
# specific script or set of scripts you want to run, e.g. listing the SMB
# dialects each host offers so you can find anything still speaking SMBv1:
nmap -p139,445 --script smb-protocols 192.168.0.0/16
```
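Writing that scan to XML with -oX is what lets you skip a commercial console for the reporting half. The script below reads the XML, pulls each live host's open ports and the SMB dialects reported by smb-protocols, and flags hosts that still negotiate SMBv1. It is an added example, not code from the original post or from the nmap project; the XML is a constructed sample modeled on nmap's -oX format (smb-protocols is a host script, so nmap places its result under <hostscript>), and the hosts and addresses are made up.

```python
"""Turn nmap -oX output of the smb-protocols scan into a report (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modeled on nmap's -oX format; hosts and addresses are made up.
# smb-protocols is a host script, so its result sits under <hostscript>.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p139,445 --script smb-protocols -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-protocols" output="dialects: NT LM 0.12 (SMBv1) [dangerous, but default], 2.02, 2.10, 3.00, 3.02">
        <table key="dialects">
          <elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
          <elem>2.02</elem><elem>2.10</elem><elem>3.00</elem><elem>3.02</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-protocols" output="dialects: 2.02, 2.10, 3.00, 3.02">
        <table key="dialects">
          <elem>2.02</elem><elem>2.10</elem><elem>3.00</elem><elem>3.02</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Return {ip: {"open_ports": [...], "dialects": [...]}} for every host that is up.
    The script element is searched for anywhere under <host>, so the same code works
    whether a host script or a port script produced it."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        open_ports = sorted(int(port.get("portid")) for port in host.findall("ports/port")
                            if port.find("state") is not None
                            and port.find("state").get("state") == "open")
        script = host.find(".//script[@id='smb-protocols']")
        dialects = [] if script is None else [
            elem.text.strip() for elem in script.findall("table[@key='dialects']/elem") if elem.text]
        results[addr.get("addr")] = {"open_ports": open_ports, "dialects": dialects}
    return results


def smbv1_hosts(results):
    """Hosts that still negotiate SMBv1 (the script labels the NT LM 0.12 dialect)."""
    return sorted((ip for ip, r in results.items() if any("SMBv1" in d for d in r["dialects"])),
                  key=ipaddress.ip_address)


def report(results):
    """One line per host: the table a console would render as a chart."""
    flagged = set(smbv1_hosts(results))
    lines = []
    for ip in sorted(results, key=ipaddress.ip_address):
        r = results[ip]
        flag = "SMBv1 ENABLED" if ip in flagged else "ok"
        lines.append("%-15s ports=%-10s dialects=%d  %s"
                     % (ip, r["open_ports"], len(r["dialects"]), flag))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_scan(SAMPLE_NMAP_XML)))
```

Run the real scan with -oX scan.xml and feed the file to parse_scan; the down host in the sample shows why you filter on status, since nmap still emits a <host> element for it when you scan a range.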
Relevant News Stories
- https://www.wired.com/2010/01/operation-aurora/
- https://www.zdnet.com/article/microsoft-says-google-was-hacked-with-ie-zero-day/
Relevant Tools
| Commercial | Open-Source & "Freemium" |
|---|---|
| Rapid7 NeXpose | OpenVAS |
| Tenable.sc / Nessus | Nmap Scripting Engine |
| QualysGuard | |
| IP360 (Tripwire) | |
| Skybox Vulnerability Management | |
| SAINT and SAINTmanager | |
The CIS Controls are in version 7.1 at the time of this writing. For more information on this control, check out the CIS Control #3 page here.
One thought on “CIS CSC #3 – Continuous Vulnerability Management”