Vulnerability Management - Top 20 Security Controls
April 2021 | Michael Wetherald

Top 20 Critical Security Controls Series

In this article, we continue our blog series on the industry standard top 20 critical security controls -- sometimes referred to as the SANS Top 20 or the CIS Critical Security Controls. These controls give your organization a set of best practices for protecting itself from the most common attacks faced around the world.

Basic Security Controls

Controls 1-6 are considered the basic controls every organization should employ to have a solid foundation to build from.

#3: Vulnerability Management

Vulnerabilities are the openings adversaries use to compromise your organization. It's important to implement a calculated strategy for mitigating the risk of any of those vulnerabilities being exploited.

Why Is This Control Important?

Software is continuously updated to patch security vulnerabilities. Adversaries only need the window between the announcement of a new exploit and the moment your organization installs the update that patches it. The longer you wait to update systems, the wider the window of opportunity for attackers to compromise them.

How to Implement This Control

This control consists of methods for implementing an effective strategy to catch those vulnerabilities before your enemies do. It breaks down into two categories: vulnerability scanning and patch management.

Vulnerability Scanning

Vulnerability scanning is the process we'll use to quickly find vulnerabilities in your environment before your adversaries do. Effectively implementing a vulnerability scanning program will involve a combination of tools, policies, and procedures.

Automated Vulnerability Scanning Tools

There are many tools you can use to scan the systems on your network, looking for hosts running out-of-date software with known vulnerabilities. Run these scans at least weekly to find potential vulnerabilities early.

Authenticated Vulnerability Scanning Tools

Perform vulnerability scans with agents running on each of your machines, or with remote scanning tools that can authenticate to the hosts. Be sure to use a dedicated assessment account that is not used for any other administrative purpose, so that you can effectively monitor the proper use of those credentials.

Managing Vulnerability Scan Results

When your vulnerability scan results come in, make sure the findings are fed into a risk-rating system that prioritizes higher-risk vulnerabilities for remediation. These results need to be tied into procedures your staff follow to remediate them. Some companies find it worthwhile to integrate scan results automatically with their IT ticketing system. Be sure to compare back-to-back vulnerability scans to verify that your patch management strategy is patching vulnerabilities in a timely fashion.
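As an added illustration (not code from this article or from Viam), the Python sketch below compares two constructed back-to-back scan results, reports what was fixed, what is new and what persists, orders open findings by risk, and flags findings that have outlived a per-severity remediation deadline. The SLA values, host names and vulnerability ids are assumptions made up for the example.

```python
from datetime import date

# Constructed remediation SLA in days per severity (an assumption, not a figure from the article).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed scan exports: each finding is (host, vuln_id, severity, first_seen).
PREVIOUS_SCAN = [
    ("web01", "VULN-001", "critical", date(2021, 3, 1)),
    ("web01", "VULN-002", "medium", date(2021, 3, 1)),
    ("db01", "VULN-003", "high", date(2021, 2, 1)),
]
CURRENT_SCAN = [
    ("web01", "VULN-002", "medium", date(2021, 3, 1)),  # still open
    ("db01", "VULN-003", "high", date(2021, 2, 1)),     # still open, now past its SLA
    ("db01", "VULN-004", "low", date(2021, 4, 1)),      # newly detected
]


def diff_scans(previous, current):
    """Compare back-to-back scans; return (fixed, new, persisting) as sets of (host, vuln_id)."""
    prev = {(host, vid) for host, vid, _, _ in previous}
    cur = {(host, vid) for host, vid, _, _ in current}
    return prev - cur, cur - prev, prev & cur


def prioritize(findings):
    """Order open findings highest risk first: by severity, then oldest first."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[2]], f[3]))


def overdue(findings, today):
    """Open findings whose age exceeds the SLA for their severity (candidates for escalation)."""
    return [f for f in findings if (today - f[3]).days > SLA_DAYS[f[2]]]


if __name__ == "__main__":
    today = date(2021, 4, 5)  # constructed "scan day" for the example
    fixed, new, persisting = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print("fixed:", sorted(fixed))
    print("new:", sorted(new))
    print("persisting:", sorted(persisting))
    for host, vid, sev, seen in prioritize(CURRENT_SCAN):
        print(f"{sev:>8} {host} {vid} open since {seen}")
    for host, vid, sev, seen in overdue(CURRENT_SCAN, today):
        print(f"OVERDUE: {host} {vid} ({sev}, {(today - seen).days} days open)")
```

Feeding the `overdue` list into a ticketing system is the integration the article describes; the diff output is the back-to-back comparison that verifies patching is actually happening.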

Patch Management

The other half of this control involves quickly patching systems as updates become available. Expecting your users to patch their own systems is not a good strategy for timely remediation of vulnerabilities. Instead, make sure you have a plan for determining when updates are available and procedures in place to deploy them. Ideally, use automated patch management tools.

Automated Patch Management Tools

Implement automated patch management tools to quickly deploy patches for software as they are released. These tools should be used to automate patching of both the operating systems and the software (including third-party software) running on those hosts.

Conclusion

Be sure to check out the next article in our series, where we cover security control #4: Controlled Use of Administrator Privileges.

Vulnerability Management is a crucial control for developing the security program at your organization. Viam is here to help guide you through implementing this control at your organization. Contact us today if you are ready to take steps to reduce the cybersecurity risk in your organization.

Michael Wetherald
Security Engineer and Co-Founder

Michael is the inventor of a patent pending web proxy technology and brings to Viam his expertise in web and Linux security. Outside of work he enjoys carpentry, having built a dog mansion for his spoiled dog.


© 2023 Viam Technologies