The Center for Internet Security (CIS) Controls emphasize identifying vulnerabilities before attackers can exploit them. Control 7.5 ensures organizations perform automated vulnerability scans on internal enterprise assets regularly.

This safeguard requires organizations to conduct both authenticated and unauthenticated scans using a SCAP-compliant vulnerability scanning tool.

Here’s how to implement this:

  • Automated Scanning: Schedule automated vulnerability scans of all internal systems, including servers, workstations, and network devices.
  • Authenticated vs. Unauthenticated Scans:
    • Authenticated scans use valid credentials to identify vulnerabilities that are only visible with access, providing deeper insights.
    • Unauthenticated scans simulate an external attacker’s perspective, identifying vulnerabilities visible without access.
  • Regular Cadence: Perform scans quarterly or more frequently based on the criticality of the assets and the evolving threat landscape.
  • SCAP-Compliant Tools: Use tools that comply with the Security Content Automation Protocol (SCAP) to ensure consistent and standardized reporting.
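As an added example (not part of the original post or any scanner's own tooling), the following Python script implements the cadence check the list above describes: given an asset inventory and a log of completed scans, it reports every internal asset whose authenticated or unauthenticated scan is missing or older than the allowed window. Asset names, scan dates and the 90-day default are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not real systems): the internal asset inventory
# and a log of completed scans as a scanner or ticketing system might export.
ASSETS = ["srv-db-01", "ws-fin-07", "sw-core-02", "srv-web-03"]
SCAN_LOG = [
    {"asset": "srv-db-01", "type": "authenticated", "date": date(2024, 5, 2)},
    {"asset": "srv-db-01", "type": "unauthenticated", "date": date(2024, 5, 2)},
    {"asset": "ws-fin-07", "type": "unauthenticated", "date": date(2024, 4, 20)},
    {"asset": "sw-core-02", "type": "authenticated", "date": date(2024, 1, 9)},
    {"asset": "sw-core-02", "type": "unauthenticated", "date": date(2024, 5, 1)},
]
SCAN_TYPES = ("authenticated", "unauthenticated")  # both required by 7.5
AS_OF = date(2024, 5, 15)  # constructed "today" for the report


def coverage_gaps(assets, scan_log, as_of, max_age_days=90):
    """Return {asset: [scan types that are missing or older than max_age_days]}.

    An asset is compliant only when BOTH an authenticated and an
    unauthenticated scan completed inside the window (quarterly by default).
    """
    cutoff = as_of - timedelta(days=max_age_days)
    # Most recent scan date per (asset, scan type).
    latest = {}
    for entry in scan_log:
        key = (entry["asset"], entry["type"])
        if key not in latest or entry["date"] > latest[key]:
            latest[key] = entry["date"]
    gaps = {}
    for asset in assets:
        # date.min stands in for "never scanned", which is always stale.
        missing = [t for t in SCAN_TYPES
                   if latest.get((asset, t), date.min) < cutoff]
        if missing:
            gaps[asset] = missing
    return gaps


if __name__ == "__main__":
    for asset, missing in coverage_gaps(ASSETS, SCAN_LOG, AS_OF).items():
        print(f"{asset}: needs {', '.join(missing)} scan")
```

Feeding the script a real inventory and scan export turns the "regular cadence" and "both scan types" requirements into a list of assets to schedule next.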

Why is this important? Vulnerability scans identify weaknesses in your systems before attackers can exploit them. Conducting both authenticated and unauthenticated scans provides a comprehensive view of your security posture.

To recap, CIS Control 7.5 ensures your organization performs regular, automated vulnerability scans of internal assets, helping to identify and address security gaps proactively.
