Now that you’ve learned about CIS Controls 1 and 2, we want to move on to the importance of CIS Control 3: Continuous Vulnerability Management.
As we discussed in the last CIS Control blog, controls 1 and 2 are the building blocks that prepare you for control 3. With control 1, you learn what you physically have; with control 2, you learn what is running on those devices and networks, so that when something new pops up, you know whether or not it’s supposed to be there. Moving into control 3, you take what you learned from controls 1 and 2 and put it into practice.
CIS Control 3 is very much about configuration management. For instance, are there any services running that don’t need to be running? What does your patch management look like? Do you have a secure baseline? We talked to one of The IT Company’s experts, Mike Sproat, who shared that the simplest way to sum up control 3 is as “consistency of settings.” By following the steps of control 3 to make your configurations more consistent, you minimize the openings an attacker can use to enter your network.
You want to be able to verify that everything your networks require is set up the way it needs to be. By enforcing this, you work toward preventing security incidents and ensure your systems are configured properly.
So what does control 3 look like? The first step is identifying what your baseline needs to be, followed by deciding what your “gold standard image” is going to be. (This allows change controls to be applied in a matching format later on.) There are a number of baselines already out there; in fact, we suggest starting with the secure baseline CIS has already created and expanding it as your organization needs. From there, you should take the network through the RFC/RA approval process. Control 3 then moves into patch management: identifying which patches are installed and making sure those configurations are complete. Once these initial steps have put everything needed in place, it becomes a matter of consistently managing and updating systems, as well as updating the gold standard image with current updates so future deployments start from it. You want to make sure you are never playing catch-up!
A lot of control 3 can be automated through software tools that check for updates on their own. Such a tool automatically confirms that everything is up to date and reports any changes that need to be made.
Software often does not come out of the box configured for security. Software solutions are built with ease of use for the consumer in mind, so not every vendor configures things as securely as they should. Because of this, it becomes the task of whichever IT professional is in place to take the security guidance and apply the configuration. For example, FileZilla is a very common piece of file transfer (FTP) software. Some older versions of it are known to be vulnerable and dangerous. Scenarios like this are exactly what control 3 is for: when you need that software on your system, it tells you how to verify that the version is up to date. Along the same lines, if the old version is needed for some reason, control 3 guides you in configuring the software so that it does not get compromised.
The core reason for, and benefit behind, CIS Control 3 is security and functionality. It is vital to protect yourself and set yourself up for success. The importance of frequent monitoring, followed by maintenance of what you have on your systems, should not be overlooked. Not only does consistent management of software protect your network, but the steps of control 3 also cascade into the next crucial control, Control 4.
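To make the “consistency of settings” idea concrete, here is a small baseline drift checker added as an example for this post. It is not The IT Company’s tooling or anything from CIS; the gold-standard baseline, the host inventory, and every version number, service name and setting in it are constructed placeholders (the FileZilla minimum version is illustrative, not a real vulnerability threshold). It compares what a host reports against the gold standard and flags out-of-date packages, services that should not be running, and settings that have drifted, which is the check an automated tool would run on a schedule.

```python
"""Baseline drift checker: compare a host inventory against a gold-standard baseline.

Constructed example. All names, versions and settings below are placeholders.
"""
from dataclasses import dataclass

# Constructed "gold standard" baseline (what control 3 says the host must look like).
GOLD_STANDARD = {
    "packages": {            # package name -> minimum acceptable version (placeholder values)
        "filezilla": "3.60.0",
        "openssh": "9.0",
    },
    "services": {            # service name -> expected state
        "telnet": "disabled",
        "ftp": "disabled",
        "sshd": "enabled",
    },
    "settings": {            # configuration key -> required value
        "password_min_length": "14",
        "smbv1_enabled": "false",
    },
}

# Constructed inventory snapshot for one host, as an automated agent might report it.
HOST_INVENTORY = {
    "hostname": "ws-042",
    "packages": {"filezilla": "3.5.3", "openssh": "9.3", "notepad++": "8.5"},
    "services": {"telnet": "enabled", "sshd": "enabled"},
    "settings": {"password_min_length": "8", "smbv1_enabled": "false"},
}


@dataclass
class Finding:
    category: str   # "package", "service" or "setting"
    item: str       # which package/service/setting drifted
    expected: str   # what the gold standard requires
    actual: str     # what the host reported


def parse_version(version):
    """'3.66.1' -> (3, 66, 1). Non-numeric characters in a component are ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_below(installed, minimum):
    """True if the installed version is older than the required minimum."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so "9" compares equal to "9.0"
    b += (0,) * (width - len(b))
    return a < b


def check_host(baseline, inventory):
    """Return every deviation of the inventory from the baseline."""
    findings = []
    # Patch management: each required package must be present at or above its minimum.
    for pkg, minimum in baseline["packages"].items():
        installed = inventory["packages"].get(pkg)
        if installed is None:
            findings.append(Finding("package", pkg, ">=" + minimum, "missing"))
        elif version_below(installed, minimum):
            findings.append(Finding("package", pkg, ">=" + minimum, installed))
    # Unneeded services: a service not reported by the host is treated as disabled.
    for svc, expected in baseline["services"].items():
        actual = inventory["services"].get(svc, "disabled")
        if actual != expected:
            findings.append(Finding("service", svc, expected, actual))
    # Consistency of settings: every baseline key must hold exactly the required value.
    for key, expected in baseline["settings"].items():
        actual = inventory["settings"].get(key, "<unset>")
        if actual != expected:
            findings.append(Finding("setting", key, expected, actual))
    return findings


def format_report(findings, hostname):
    """Human-readable drift report; an empty list means the host matches the baseline."""
    if not findings:
        return f"{hostname}: no drift from gold standard"
    lines = [f"{hostname}: {len(findings)} deviation(s) from gold standard"]
    for f in findings:
        lines.append(f"  [{f.category}] {f.item}: expected {f.expected}, found {f.actual}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = check_host(GOLD_STANDARD, HOST_INVENTORY)
    print(format_report(results, HOST_INVENTORY["hostname"]))
```

Running it against the constructed host reports three deviations: the outdated FileZilla install, the telnet service that the baseline disables, and the password length setting that drifted. In practice the inventory dictionary would be filled from the asset data gathered under controls 1 and 2, and the gold standard would be the expanded CIS baseline you approved through change control, so updating that one dictionary is how the check keeps pace with new patches.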
Stay tuned to learn more information on the remaining CIS controls!