Budgetless CIS Top 20: Control 3: Continuous Vulnerability Management

Summary: Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers

I’m not going to go into as much detail on this one as I have on the previous ones, but I will address all the subcontrols in my explanation, since they are basically best practices as well.

The obvious ‘budgetless’ option here is nmap. nmap is great, but in my opinion it’s not that user-friendly once you need to go beyond a port scan. What I’ve been using is OpenVAS. They have a virtual appliance you can download, have running in under an hour, and use to run vulnerability scans to your heart’s content. You should use a dedicated, elevated account to run your scans. You should also compare scans over time to make sure vulnerabilities have been remediated in a timely manner. OpenVAS lets you see past reports by host, so it’s easy to compare how the results have changed between each run. Like most vulnerability scanners, it also assigns a risk rating so you can see which of the vulnerabilities it finds should be addressed first.
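To make the scan-over-scan comparison concrete, here is an added example (not from the original post and not OpenVAS code) that diffs two scanner reports and flags high-severity findings that have outlived a remediation window. The XML layout, the `NVT-n` OIDs, the hosts and the dates are all constructed for the example; real OpenVAS reports carry many more fields, so the parser is an assumption you would adapt to the export you actually use.

```python
"""Compare two vulnerability scan reports to track remediation between runs."""
from datetime import date
import xml.etree.ElementTree as ET

# Constructed sample reports in a simplified, OpenVAS-like layout (assumption:
# a real report has far more fields; the NVT-n OIDs and hosts are placeholders).
SCAN_OLD = """<report date="2019-03-01">
<result><host>10.0.0.5</host><port>445/tcp</port><nvt oid="NVT-1"><name>SMBv1 enabled</name></nvt><severity>7.5</severity></result>
<result><host>10.0.0.5</host><port>3389/tcp</port><nvt oid="NVT-2"><name>RDP weak cipher</name></nvt><severity>4.3</severity></result>
<result><host>10.0.0.9</host><port>80/tcp</port><nvt oid="NVT-3"><name>Outdated web server</name></nvt><severity>9.8</severity></result>
</report>"""
SCAN_NEW = """<report date="2019-04-15">
<result><host>10.0.0.5</host><port>445/tcp</port><nvt oid="NVT-1"><name>SMBv1 enabled</name></nvt><severity>7.5</severity></result>
<result><host>10.0.0.9</host><port>443/tcp</port><nvt oid="NVT-4"><name>Expired TLS certificate</name></nvt><severity>5.0</severity></result>
</report>"""


def parse_report(xml_text):
    """Return {(host, port, oid): (name, severity)} for every finding in a report."""
    findings = {}
    for result in ET.fromstring(xml_text).iter("result"):
        nvt = result.find("nvt")
        key = (result.findtext("host"), result.findtext("port"), nvt.get("oid"))
        findings[key] = (nvt.findtext("name"), float(result.findtext("severity")))
    return findings


def diff_reports(old_xml, new_xml):
    """Classify findings as remediated, new or persisting, highest severity first."""
    old, new = parse_report(old_xml), parse_report(new_xml)

    def rows(keys, src):  # (severity, host, port, name) tuples, sorted descending
        return sorted(((src[k][1], k[0], k[1], src[k][0]) for k in keys), reverse=True)

    return {"remediated": rows(old.keys() - new.keys(), old),
            "new": rows(new.keys() - old.keys(), new),
            "persisting": rows(old.keys() & new.keys(), new)}


def overdue(old_xml, new_xml, max_days=30, min_severity=7.0):
    """Persisting findings at or above min_severity that are older than the policy window."""
    scanned_old = date.fromisoformat(ET.fromstring(old_xml).get("date"))
    scanned_new = date.fromisoformat(ET.fromstring(new_xml).get("date"))
    age_days = (scanned_new - scanned_old).days
    persisting = diff_reports(old_xml, new_xml)["persisting"]
    return [row for row in persisting if row[0] >= min_severity and age_days > max_days]


if __name__ == "__main__":
    for bucket, rows in diff_reports(SCAN_OLD, SCAN_NEW).items():
        print(bucket, rows)
    print("overdue:", overdue(SCAN_OLD, SCAN_NEW))
```

The `max_days` and `min_severity` thresholds are where your own scanning policy plugs in; the sample data leaves one 7.5-rated finding unpatched across a 45-day gap, so it is reported as overdue.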

The other major piece of this control is patching for operating systems and third-party software. If you are doing the software inventory from Control 2, you know what software is where and what version everything is. Likely at this point in time, you own software that can help automate all this. WSUS is free from Microsoft and can assist with OS patching if you aren’t comfortable with having automatic updates turned on. There are also some pretty inexpensive products in this arena for OS patching. For third-party software, again, I really like PDQ Deploy and it’s not expensive at all. Otherwise, you might find that your AV or some other software you own can also assist with patching, as many AV vendors have started including a patching feature. Failing that, you are going to have to script it. PowerShell is your friend.

The last part I’ll add on this is that you will probably want some type of policy that states how often you are going to do vulnerability scanning and what you are going to do with the results. Mine also states how long I’ll keep the reports available, as I don’t want to have to keep years and years of these, just enough for due diligence and to have a bit of history for comparison. And that’s it for a budgetless Control 3.