Notes from the Field: Center for Internet Security Control 7 – Continuous Vulnerability Management

by Greg Halpin / July 6th, 2023

This is the seventh in a series of posts expert auditor Greg Halpin is writing on the Center for Internet Security (CIS) Controls (Version 8) discussing vulnerability management.  As a reminder, the CIS Controls are 18 critical information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data.

In this post Greg discusses what he sees in his work as an information security auditor with clients regarding Control 07 – Continuous Vulnerability Management.

The clients I work with vary a great deal in terms of their information security maturity levels. Some have advanced programs with good policies and strong controls in place. Others are just getting started on their information security journey. They don’t know what they need to do or where to go to find out. Vendors attempt to sell them expensive solutions that they don’t understand and do not have enough staff to successfully implement.

I recommend my clients start by reading the CIS Controls document. It’s a concise document that executives can understand and information security professionals can base their security programs on.  It provides guidance on many different topics of information security, including vulnerability management.

The overview for Control 07 – Continuous Vulnerability Management is – Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

Control 07 includes seven sub-controls, or safeguards. They are:

  • 7.1 Establish and Maintain a Vulnerability Management Process
  • 7.2 Establish and Maintain a Remediation Process
  • 7.3 Perform Automated Operating System Patch Management
  • 7.4 Perform Automated Application Patch Management
  • 7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
  • 7.6 Perform Automated Vulnerability Scans of Externally Exposed Enterprise Assets
  • 7.7 Remediate Detected Vulnerabilities

Why is vulnerability management critical in your infosec program?

Attackers are continuously scanning corporate networks from the outside, looking for vulnerabilities to exploit. Some of their many goals include compromising those networks to exfiltrate data or install ransomware, both of which can be profitable for them. They generally look for easy targets, companies with insecure practices. Don’t let your company be an easy target.

Information security teams must continually scan their networks for vulnerabilities to remediate them before attackers find them. Attackers have the same access to vulnerability information that infosec pros do. They also have sophisticated tools to quickly exploit those vulnerabilities. We can’t wait to remediate vulnerabilities until there’s a convenient time.

We must prioritize vulnerability management as the consequences of neglecting it are catastrophic. Companies that are victims of attackers have paid millions of dollars to ransomware gangs to retrieve their data and have later paid even more millions of dollars to clean up their networks and pay claims in lawsuits from customers and shareholders.

Trust, But Verify Your Scanning Tool Is Working Like It Should

The clients I work with usually have some type of vulnerability scanning tool in place – such as Nessus, Qualys, Rapid7, OpenVAS – scanning their internal and external networks. Sometimes they scan both the hosts and applications, but usually just the hosts. Unfortunately, the vulnerability scans are often misconfigured, resulting in vulnerabilities that can go unremediated for months or even years.

During a recent gap assessment, a client I worked with had implemented Nessus Professional, which is a paid product. The employee who had set it up months before left the company shortly thereafter. Nevertheless, the information technology team continued to receive the weekly vulnerability scan reports showing that there were no vulnerabilities.

While I was onsite conducting their audit, the IT manager shared his screen to the large wall monitor in the conference room and displayed the four most recent reports. None of them listed any vulnerabilities. The manager went back further, still no vulnerabilities. He was proud to show how secure their network was.  We always hope that’s true, but every time I see vulnerability scans that consistently find no vulnerabilities, I know the scans are not running properly.

I pointed out that between the time a vulnerability is identified and patched, the scans would have found something over the past several months. We looked a little closer, and it became very clear what was going on.

The report simply showed open ports on systems. The departed employee had set up a port scan. These types of scan results only list unsupported operating systems. We discussed the importance of credentialed vulnerability scans, and they reconfigured the scans accordingly. It doesn’t help your organization to receive “clean” scans if there are actually vulnerabilities you don’t know about that make your organization vulnerable.

When we reviewed the scan results a few hours later, there were pages of vulnerabilities, many several years old. The organization was not as secure as the manager thought but was on its way in the right direction towards actual security.

Are You Scanning the Right Stuff?

Many clients that I’ve worked with have set up vulnerability scans but are not scanning the right parts of their systems. Sometimes scans aren’t scanning enough of the environment, or they are scanning systems without entering credentials into the scan configuration, which is necessary to conduct authenticated scans. Deep scans, in which the scanning tool can identify missing security and application patches as well as registry and configuration vulnerabilities, are also necessary.

In one recent case, a client was conducting proper authenticated scans against its production network but not its User Acceptance Testing (UAT) environment. This is common, but what was different in this case is that their UAT systems were public facing: customers tested web applications there prior to the company moving the applications into Staging and later into Production. An attacker could potentially compromise the UAT environment and move into the Production environment, as they were on the same subnet.

Finally, there are customers that are not scanning their systems at all. They don’t think they need to. They don’t have any public facing systems, or they believe the data hosted on the servers is data that no one would target. That’s not a good approach to protecting your network. Even if a company only had public data on its websites, a compromise of a web server would cause reputational damage at a minimum. From the web servers, the attackers could make their way to the internal networks where there is more desirable data to be exfiltrated or encrypted for ransom. People often look through a very narrow lens at situations. It’s important to look at the big picture in both life and information security. 
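The checks described in the two sections above (reports that are always clean, scans run without credentials, and environments that are never scanned) can be automated against a scanner's exported results. The following is an added example, not code from the author or from any scanner vendor; the CSV column names, hosts and dates are constructed for illustration and would need to be mapped to your own inventory and scan exports.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. Column names are assumptions for this example,
# not the export format of any particular scanner.
INVENTORY = """host,environment,internet_facing
10.0.1.10,production,yes
10.0.1.11,production,no
10.0.1.50,uat,yes
"""

SCAN_HISTORY = """scan_date,host,credentialed,findings
2023-06-05,10.0.1.10,no,0
2023-06-12,10.0.1.10,no,0
2023-06-19,10.0.1.10,no,0
2023-06-05,10.0.1.11,yes,14
2023-06-12,10.0.1.11,yes,9
2023-06-19,10.0.1.11,yes,11
"""

def audit_scan_program(inventory_csv, history_csv, clean_streak=3):
    """Return {host: [reasons]} for assets whose scan results should not be trusted."""
    history = defaultdict(list)
    for row in csv.DictReader(io.StringIO(history_csv)):
        history[row["host"]].append(row)

    issues = defaultdict(list)
    for asset in csv.DictReader(io.StringIO(inventory_csv)):
        host = asset["host"]
        scans = sorted(history.get(host, []), key=lambda r: r["scan_date"])
        if not scans:
            # Coverage gap: asset is in the inventory but absent from every report.
            exposure = "internet-facing " if asset["internet_facing"] == "yes" else ""
            issues[host].append(f"never scanned ({exposure}{asset['environment']})")
            continue
        recent = scans[-clean_streak:]
        if all(r["credentialed"] != "yes" for r in recent):
            issues[host].append("no credentialed scan in recent history")
        if len(recent) == clean_streak and all(int(r["findings"]) == 0 for r in recent):
            issues[host].append(f"{clean_streak} consecutive scans with zero findings")
    return dict(issues)

if __name__ == "__main__":
    for host, reasons in audit_scan_program(INVENTORY, SCAN_HISTORY).items():
        print(host, "->", "; ".join(reasons))
```

A host that is flagged for both missing credentials and a run of clean reports matches the port-scan-only situation described earlier; a host flagged as never scanned matches the unscanned UAT case.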

Partner with an Expert to Implement Vulnerability Management That Keeps Your Organization Secure

Vulnerability management is critical to your organization’s security program. It means implementing automated vulnerability scanning and patch remediation processes. It also means regularly verifying that the automated processes are configured and running properly. This is critical to protecting your company and customer data from attackers.

We understand that implementing these controls can be complicated and overwhelming. To make sure you’re doing it right, or to partner with someone who cares about your security goals, connect with one of our experts today and set your organization up for success.

About the Author

Greg Halpin

Greg Halpin has 25 years of experience in information technology and security. He has a Master’s in Information Sciences – Cybersecurity and Information Assurance from Penn State University, and he has earned the CISSP, CISA, and CCSP certifications. He has experience and additional certifications in Amazon Web Services, Azure Cloud Services, Linux and Windows systems administration, vulnerability scanning, intrusion detection/prevention, and project management. He enjoys working with people and organizations to help them secure their networks and systems.