Control 7: Continuous Vulnerability Management
Why is this Control critical?
Cyber defenders are constantly being challenged by attackers who are looking for vulnerabilities within their infrastructure to exploit and gain access. Defenders must have timely threat information available to them about software updates, patches, security advisories, threat bulletins, etc., and they should regularly review their environment to identify these vulnerabilities before the attackers do. Understanding and managing vulnerabilities is a continuous activity, requiring a focus of time, attention, and resources.
Attackers have access to the same information and can often take advantage of vulnerabilities more quickly than defenders can remediate them. While there is a gap in time from a vulnerability becoming known to when it is patched, defenders can prioritize which vulnerabilities are most impactful to the enterprise, or likely to be exploited first because they are easy to use. For example, when researchers or the community report new vulnerabilities, vendors have to develop and deploy patches, indicators of compromise (IOCs), and updates. Defenders need to assess the risk of the new vulnerability, regression-test the patch, and install it.
There is never perfection in this process. Attackers might be using an exploit for a vulnerability that is not known within the security community; an exploit developed before the vulnerability is publicly known is referred to as a “zero-day” exploit. Once the vulnerability is known in the community, the process mentioned above starts. Therefore, defenders must keep in mind that an exploit might already exist by the time the vulnerability is widely socialized. Sometimes vulnerabilities are known within a closed community (e.g., while the vendor is still developing a fix) for weeks, months, or years before they are disclosed publicly. Defenders have to be aware that there may always be vulnerabilities they cannot remediate, and therefore need to use other controls to mitigate them.
People who do not assess their infrastructure for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their assets compromised.
The CIS Controls have 18 security controls. Vulnerability Management is just one of them. You can download the PDF (https://learn.cisecurity.org/cis-controls-d…TEkajI3JGwwJGgw) (it requires a business email, but you should be able to use a temporary email site). It has a to-do list for each of the 18 controls.
The main point is, for good security, you should not rely on just one or two controls - you need to do it holistically and cover all the bases.
The second point is that security is a process. You have to upkeep your security, like doing continuous vulnerability scans and patching.
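The prioritization step the Control text describes (assess the risk of each new vulnerability, fix the ones most impactful to the enterprise or most likely to be exploited first, and fall back to other controls where no fix exists) can be made mechanical. The following Python is an added example, not CIS text or the original poster's code: the scoring adjustments, SLA windows, reference date and sample findings are constructed assumptions, and the finding identifiers are placeholders rather than real CVEs.

```python
"""Triage of vulnerability findings into remediation tiers and SLA due dates.

Added illustration of the prioritization step in CIS Control 7; not code
from CIS or the original post. Scores, SLA windows, reference date and
findings are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed reference date so the example is reproducible offline.
TODAY = date(2024, 6, 1)

# Assumed remediation windows per tier (days from first detection).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TIER_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    finding_id: str        # constructed identifier, not a real CVE
    asset: str
    cvss: float            # base severity as reported by the scanner
    exploit_public: bool   # exploit code or active exploitation is known
    internet_facing: bool  # asset reachable from the internet
    patch_available: bool  # a vendor fix exists
    first_seen: date       # date the scanner first reported it


def risk_tier(f: Finding) -> str:
    """Lift the base CVSS score for known exploitation and exposure, then bucket it."""
    score = f.cvss
    if f.exploit_public:
        score += 2.0   # an exploit in the wild collapses the time-to-patch gap
    if f.internet_facing:
        score += 1.0   # reachable without an existing foothold
    score = min(score, 10.0)
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def triage(findings, today=TODAY):
    """Return findings ordered by urgency, each with tier, due date, action and overdue flag."""
    rows = []
    for f in findings:
        tier = risk_tier(f)
        due = f.first_seen + timedelta(days=SLA_DAYS[tier])
        # No vendor fix yet: the Control text says to fall back on other controls.
        action = "patch" if f.patch_available else "mitigate"
        rows.append({
            "id": f.finding_id, "asset": f.asset, "tier": tier,
            "exploit_public": f.exploit_public, "due": due,
            "overdue": today > due, "action": action,
        })
    # Most urgent first: tier, then known-exploited, then earliest due date.
    rows.sort(key=lambda r: (TIER_RANK[r["tier"]], not r["exploit_public"], r["due"]))
    return rows


# Constructed sample findings (asset names and ids are placeholders).
SAMPLE_FINDINGS = [
    Finding("V-001", "web-gw-01", 7.5, True, True, True, date(2024, 5, 22)),
    Finding("V-002", "hr-db-02", 9.8, False, False, False, date(2024, 5, 30)),
    Finding("V-003", "lobby-kiosk", 5.3, False, False, True, date(2024, 4, 22)),
    Finding("V-004", "fin-laptop-17", 6.1, True, False, True, date(2024, 4, 27)),
]


if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS):
        flag = "OVERDUE" if r["overdue"] else "on track"
        print(f'{r["id"]} {r["asset"]:14} {r["tier"]:8} {r["action"]:8} due {r["due"]} {flag}')
```

Two details carry the Control's point: a medium CVSS score on an internet-facing host with a public exploit outranks a higher CVSS score on an internal host with no exploit, and a finding with no available patch is still tracked against an SLA, with the action recorded as "mitigate" so the gap is closed with a compensating control rather than silently left open.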