Critical Control 10: Continuous Vulnerability Assessment and Remediation

Soon after new vulnerabilities are discovered and reported by security researchers or vendors, attackers engineer exploit code and then launch that code against targets of interest. Any significant delay in finding or fixing software with critical vulnerabilities provides ample opportunity for persistent attackers to break through, gaining control over the vulnerable machines and getting access to the sensitive data they contain. Organizations that do not scan for vulnerabilities and address discovered flaws proactively face a significant likelihood of having their computer systems compromised.
This “Critical Control” is designed to assist in the identification of vulnerabilities and risks that may exist in our systems. However, this control needs to be understood from the adversary’s perspective. By monitoring security alerts published by vendors, adversaries can turn what was previously unknown to their advantage. Researching exploits that target the newly announced weaknesses gives them the ability to attack before companies and organizations have repaired or prepared their systems.
Staying ahead of hackers by using their own techniques on a continuous basis may not guarantee full awareness, but it will give us a leg up on the competition (the attackers). Before a system is placed into operation, it should be built with the minimal required baseline of applications. The system should then be updated with the most recent security patches. Only the required services and minimal functionality that is required (continue reading...)

One Comment on “Critical Control 10: Continuous Vulnerability Assessment and Remediation”

  • reda wrote on 11 February, 2010, 9:42

    INTERESTING ARTICLE

Copyright © 2012 The Security Blog. All rights reserved.