CSC 3 – Continuous Vulnerability Management
Computer networks are much like modern buildings: each is a combination of numerous highly complex systems. Every constituent system introduces some level of vulnerability, and therefore risk, into the larger system as a whole. Control 3 requires the use of a standards-based (SCAP-validated) vulnerability scanner to evaluate every computer system operating within the boundaries of the business network and identify the specific points at which each one introduces risk to the whole.
Control 3 is one of the least commonly implemented of the basic critical controls. It builds directly on the practices reviewed in Control 1 and Control 2: knowing which devices are on your network and which software is running on them. With those inventories in place, it can be satisfied through centralized, systematic vulnerability scanning of every inventoried system.
This is the first control that requires administrators to evaluate the security posture of a system rather than simply inventory it. It calls for an authenticated (credentialed) scan by a third-party tool, run with the full privileges of an administrative user on each system on the business network, because only a credentialed scan can see the installed packages, patch levels and configuration that an unauthenticated network scan cannot. The scan compares what it finds against vulnerabilities published in open vulnerability databases (for example the CVE list and the NVD). For each vulnerability identified, the control requires that system administrators either apply the patch that fixes it or, where no patch exists or it cannot be applied, implement compensating controls to mitigate the vulnerability's impact.
Critical Control 3 provides the first systematic analysis of the business network for one vector of risk: software vulnerabilities. Using the data from each scan cycle, system administrators can remediate in a risk-prioritized order, focusing their effort on the most critical exposures first, and use the next cycle to verify that earlier findings were actually closed rather than silently left open.
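The triage step described above, as an added worked example that is not part of the original page and is not code from CIS, CIT or any scanner vendor: it parses a constructed CSV export of scan findings, assigns each one a CVSS severity band and a composite risk score, decides between "patch" and "compensating control" based on whether a fix exists, and flags findings that have been open longer than an assumed remediation deadline. The CSV layout, hosts, dates, placeholder vulnerability IDs, risk-score uplifts (+1.5 for a public exploit, +1.0 for Internet exposure) and SLA_DAYS values are all assumptions chosen for the example, not figures from the control.

```python
"""Risk-prioritized triage of vulnerability scan findings.

Added example for this page; not CIS's, CIT's or any scanner product's code.
The CSV layout, hosts, scores, dates, risk weights and remediation deadlines
are all constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed scanner export (not real scanner output). The vulnerability IDs
# are placeholders, not real CVE identifiers.
SAMPLE_CSV = """host,vuln_id,cvss,first_seen,patch_available,exploit_public,internet_facing
web01,CVE-EXAMPLE-1,9.8,2024-03-10,yes,yes,yes
db01,CVE-EXAMPLE-2,7.5,2024-01-01,yes,no,no
fs01,CVE-EXAMPLE-3,5.3,2023-10-01,no,no,no
vpn01,CVE-EXAMPLE-4,8.1,2024-03-12,no,yes,yes
"""

TODAY = date(2024, 3, 15)  # fixed "scan date" so the example is reproducible

# Assumed remediation deadlines (days) per severity band; policy values chosen
# for this example, not figures taken from the control.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    cvss: float          # CVSS v3 base score, 0.0 to 10.0
    first_seen: date     # date the scanner first reported the finding
    patch_available: bool
    exploit_public: bool
    internet_facing: bool


def _truthy(s: str) -> bool:
    return s.strip().lower() in ("yes", "true", "1")


def parse_findings(text: str) -> list[Finding]:
    """Parse a scanner CSV export (the constructed layout above) into Findings."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append(Finding(
            host=row["host"],
            vuln_id=row["vuln_id"],
            cvss=float(row["cvss"]),
            first_seen=date.fromisoformat(row["first_seen"]),
            patch_available=_truthy(row["patch_available"]),
            exploit_public=_truthy(row["exploit_public"]),
            internet_facing=_truthy(row["internet_facing"]),
        ))
    return out


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_score(f: Finding) -> float:
    """Composite ordering score: CVSS plus assumed uplifts for a public
    exploit (+1.5) and for Internet exposure (+1.0)."""
    score = f.cvss
    if f.exploit_public:
        score += 1.5
    if f.internet_facing:
        score += 1.0
    return round(score, 1)


def remediation_action(f: Finding) -> str:
    """The control's choice: patch when a fix exists, otherwise mitigate."""
    return "patch" if f.patch_available else "compensating control"


def triage(findings: list[Finding], today: date = TODAY) -> list[dict]:
    """One record per finding, highest risk first; ties broken by how long
    the finding has been open, so stale findings rise to the top."""
    records = []
    for f in findings:
        sev = severity(f.cvss)
        open_days = (today - f.first_seen).days
        records.append({
            "host": f.host,
            "vuln_id": f.vuln_id,
            "severity": sev,
            "risk": risk_score(f),
            "days_open": open_days,
            "overdue": open_days > SLA_DAYS[sev],
            "action": remediation_action(f),
        })
    records.sort(key=lambda r: (-r["risk"], -r["days_open"]))
    return records


if __name__ == "__main__":
    for r in triage(parse_findings(SAMPLE_CSV)):
        flag = " OVERDUE" if r["overdue"] else ""
        print(f"{r['risk']:5.1f} {r['host']:6} {r['vuln_id']:14} {r['severity']:8} "
              f"{r['days_open']:3d}d {r['action']}{flag}")
```

Run as a script it prints the remediation queue in priority order. Note what the ordering does with the constructed data: vpn01 has a lower CVSS than a plain critical would, but a public exploit and Internet exposure push it above db01, while db01 and fs01 are flagged overdue because they have been open for 74 and 166 days against 30- and 90-day deadlines. That "days open versus deadline" check is the part that makes the control continuous rather than a one-off scan.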
For a deeper understanding of CSC Control 3, check out CIT’s CSC Controls 3 blog.