Control 3: A Framework for an Offense-informed Defense

As we discussed in our earlier blog posts on the 20 Critical Security Controls, they provide an offense-informs-defense framework through which an organization can effectively defend against cyberattacks.  In this installment, we’re examining Control Three. This control is a ‘Basic control’ and represents one which every organization, regardless of size, in which information (or their client’s/customer’s/partner’s information) is considered an asset should be meaningfully adopted. CSC 3 advances the framework beyond assets and software to shift into the analysis of a computer system. Specifically, the inherent vulnerabilities of the aggregate hardware, software, and compensating controls therein. 

Critical Control #3

All complex systems have vulnerabilities; these vulnerabilities may create fundamental flaws in the system which are very difficult to remediate. Identify, quantify, and remediate them using a prescribed and consistent manner.” 

In January of 2001 a significant earthquake was experienced in the Kutch District of Gujarat India. This magnitude 7.7 earthquake for practical purposes leveled the region. Over 1 million structures were damaged or destroyed. (no that’s not a typo). Nearly 40% of all homes were destroyed in this quake. By all accounts this was an extreme earthquake. Comparing the Kutch earthquake to earthquakes of similar magnitude which impacted regions of similar socioeconomic status and population density, the 2003 Colima earthquake is near the top of the list. This magnitude 7.5 earthquake impacted the central pacific coast of Mexico in a region with similar population density. This quake destroyed two thousand structures and damaged around seven thousand. The damage was minimal when compared to the Kutch earthquake. The difference? In 1985 Mexico began a program of closed-loop seismic engineering design coupled to building standards. This initiative was started following a major earthquake in Mexico City which killed more than 10,000 people and seriously damaged over 90,000 buildings. These standards called for a national seismically-informed set of building standards to be implemented and retrofitted to new buildings and those renovated respectively. Mexican authorities used regional and city-specific seismic data to inform these standards rather than a ‘one size fits all’ approach. The results have continued to demonstrate themselves year over year as more buildings meet these codes. How this relates to CSC 3 is through the use of localized vulnerabilities, in this case specific seismic risk profiles, to continuously improve a complex system.  Computer networks are very similar to modern buildings; they are the combination of numerous highly complex systems. Each constituent system introduces some level of vulnerability and therefore risk into the larger system as a whole. CSC 3 requires the use of a standards-based vulnerability scanner to evaluate each computer system operating within the boundaries of a business’ computer network for the specific points in which it introduces risk to the system as a whole. While the concept seems simple, application and implementation of these systems can be much more difficult. This is often the reason behind this control being one of the least commonly implemented of the basic Critical Controls.  CSC 3 can be satisfied through the use centralized and systematic vulnerability scanning and using practices we’ve reviewed in Control 1 and Control 2.  Specifically, understanding what computers are (and should be) on your network and what software is (and should be permitted to) operate on those computers. That software should be supported by its original manufacturer and able to be regularly patched. These practices combined with a systematic means to detect new vulnerabilities and the tools to implement compensating controls when they’re discovered satisfies Control 3. 

Critical Control 3: Continuous Vulnerability Management

Sub-control Applies to: Security Function (intention) Sub-control Title Description
3.1 Applications Detect Run Automated Vulnerability Scanning Tools Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization’s systems.
3.2 Applications Detect Perform Authenticated Vulnerability Scanning Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 Users Protect Protect Dedicated Assessment Accounts Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 Applications Protect Deploy Automated Operating System Patch Management Tools Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 Applications Protect Deploy Automated Software Patch Management Tools Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 Applications Respond Compare Back-to-back Vulnerability Scans Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 Applications Respond Utilize a Risk-rating Process Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Making application: Control 3

CSC 3 is the first control which requires network administrators to evaluate the security posture of a system. The whole of the computer hardware, software, and settings therein. CSC 3 demands a third party application scan using all permissions available to an administrative user each system on the business computer network. These scans aren’t looking for assets is in Control 1 or Control 2. They are looking for vulnerabilities. These vulnerabilities are representative of those published through open (public) vulnerability reporting databases. Once vulnerabilities are identified Control 3 requires that system administrators apply either patches to fix a specific vulnerability or implement compensating controls to mitigate the vulnerabilities’ impact. In many instances making a configuration change is all that’s required to mitigate a vulnerability. Fully adopting Control 3 requires that each vulnerability is quantified at the time of discovery and the mitigation thereof prioritized using a risk rating system, such as the Common Vulnerability Scoring System (CVSS). 


Critical Control 3 provides the first systematic analysis of a business computer network to identify one vector of risk – software vulnerabilities. Using the data gained from these analysis cycles, system administrators can apply mitigation effort to vulnerabilities in a risk-adjusted and risk-prioritized manner further focusing their efforts onto the most critical risks first. 

Who is Corporate Information Technology (CIT):

Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including Critical Control centric Managed and Co-Managed technology services, information security policy creation & assessment, cybersecurity services, penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations maximize and optimize their technology systems while identifying and mitigating cybersecurity risks presented by those very systems. 

Contact us to learn more and let us show you how good I.T. can be!

All references to tools or other products in this document are provided for informational
purposes only, and do not represent the endorsement by CIT of any particular company,
product, or technology.
This material has been compiled using material licensed for public use under the Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License. The link to the license terms can be found at Creative Commons

Comments are closed

Learn More
error: Alert: This Content is protected!