CIS CSC #3 – Continuous Vulnerability Management

I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

This control includes seven (7) sub-controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there are two (2) IG1 controls and seven (7) IG2 controls. This means that, at a minimum, we want to:

  • Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
  • Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

Generally, the commercial tools have the best user interface and consoles for managing the data and creating reports. Largely, all the commercial and open-source tools listed here pull from the same data sources, namely the NIST NVD and MITRE CVE data sources. If you are comfortable with working in the command line, as well as creating your own graphics and reports to supplement those provided by the open source tools, you can implement the first half of this control with “free” tools.

As far as deploying patches is concerned, the commercial tools tend to win out on the user interface side again. You can certainly leverage the local software updater tools on each system, as well as manually apply patches to network devices, but this is going to be very time consuming and error prone. Money is well spent when it comes to patch identification and application.

# nmap uses the -sC flag to denote a script scan (this alone will trigger "the most common
# scripts"). These scripts will also be run when using the -A flag.

nmap -sC <target>

# Alternatively, you can run specific scripts using the --script flag (note the two (2) dashes).
# This is useful when there is a specific script or set of scripts you want to run.

nmap -p139,445 --script smb-protocols <target>
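Assessing is only half of the control; the findings have to be turned into remediation work. The snippet below is an added example (not part of the original post) that reads the XML nmap writes with `-oX` for the smb-protocols scan above and lists hosts still negotiating SMBv1. The sample XML is constructed to mirror nmap's structure for that script; swap it for a real scan file.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two hosts on RFC 5737 documentation addresses,
# one of which still offers the SMBv1 dialect.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-protocols" output="dialects">
        <table key="dialects">
          <elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
          <elem>2.02</elem><elem>2.10</elem><elem>3.00</elem>
        </table></script></port></ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-protocols" output="dialects">
        <table key="dialects">
          <elem>2.02</elem><elem>2.10</elem><elem>3.00</elem><elem>3.11</elem>
        </table></script></port></ports></host>
</nmaprun>"""


def parse_smb_protocols(xml_text):
    """Return {ip: [dialects]} for every host with smb-protocols results."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != "smb-protocols":
                continue
            table = script.find("table[@key='dialects']")
            if table is not None:
                results[addr.get("addr")] = [e.text for e in table.findall("elem")]
    return results


def smbv1_hosts(dialects_by_host):
    """Hosts still accepting SMBv1 (NT LM 0.12): remediation candidates."""
    return sorted(ip for ip, dialects in dialects_by_host.items()
                  if any("SMBv1" in d for d in dialects))


if __name__ == "__main__":
    findings = parse_smb_protocols(SAMPLE_XML)
    for ip in smbv1_hosts(findings):
        print(f"{ip}: SMBv1 still enabled, disable it or patch the host")
```

Feed it the output of `nmap -p139,445 --script smb-protocols -oX scan.xml <targets>` and the resulting list is your ticket queue for this control.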

Relevant News Stories

Relevant Tools

Commercial                        Open-Source & “Freemium”
Rapid7 NeXpose                    OpenVAS / Nessus
IP360 (Tripwire)                  Nmap Scripting Engine
Skybox Vulnerability Management
SAINT and SAINTmanager

The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #3 page here.
