The last few months we’ve taken you through the steps and importance of CIS Controls 1,2 and 3. Today, we introduce you to another vital piece in your security, CIS Control 4.
Control 4 is the continued vulnerability assessment remediation. Our first three controls give us an inventory of devices, the software on the network, and the configuration on it. In Control 4, we take what we have gained from controls 1,2,and 3 and utilize it. Control 4 is the scanning of both internal and external networks, in order to assess the posture of the environment. This includes making sure patches are getting done, the configuration is still as it should be, no user has made any massive changes they shouldn’t have, and managing logging. In simplest terms, CIS Control 4 is scanning the network to ensure there are no vulnerabilities and taking care of anything that could be dangerous.
Step 4 of the CIS Controls is the remediation of vulnerability. You want to remediate and then follow back up to make sure there are no more issues. And then maintaining the cycle of continuing to scan, so that you have a good baseline of what your network should be.
CIS recommends running these scans weekly, for the best defense and protection. There are a lot of different options to implement these scans such as outsourcing, soc analyst, and managing inhouse with internal software.
In Control 3 we were looking to maintain how something was suppose to be setup and how it is suppose to be run. However, because of the way that software is developed, there are chances of having vulnerabilities. So while Control 3 was just maintaining configuration, Control 4 is making sure that configuration does not have any inherit problems that could cause a danger to their network. It is possible to run Control 4 without having implemented Control 3, however 4 is not efficient or effective without 3.
We talked to one of our experts at The IT Company and asked what he saw the biggest benefit of CIS Control 4 is. He simply sated, “No ransomware.” While it cannot 100% prevent ransomware from infected a network, the constant and continuous scans can be a very powerful tool.
Every company, no matter the size should implement CIS Control 4 because there is always a chance of being hit, no matter the size of your business. Larger companies have more tools and funds for damage control if they are hit. Smaller businesses may be completely taken down if they are hit, so it’s extremely important for them to implement this control as a preventative.
At The IT Company we implement Control 4 by running external vulnerability scans, remediating those vulnerabilities, and doing patch management for our customers. By choosing to implement CIS Control 4, whether through an outsourced option or an internal software, you choose to better protect your company.