CIS Control 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
The Center for Internet Security (CIS) Controls prioritize identifying vulnerabilities before they can be exploited, and Control 7.6 focuses on externally-exposed enterprise assets. This safeguard ensures organizations regularly scan and assess the security of assets exposed to the public internet.
Here’s what this entails:
- Automated Scanning: Use automated tools to identify vulnerabilities in systems exposed externally, such as web servers, VPNs, email servers, and cloud-hosted services.
- SCAP-Compliant Tools: Select a Security Content Automation Protocol (SCAP)-compliant vulnerability scanning tool to ensure standardized and accurate results.
- Regular Cadence: Perform scans monthly or more frequently, depending on the sensitivity and importance of the assets. External systems are high-value targets for attackers, so frequent scans are critical.
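The three points above boil down to a check a defender can automate: does every externally-exposed asset in the inventory have a recent result from a SCAP-compliant scanner, and is "recent" within the cadence set for its sensitivity? The following is an added example, not code from CIS or from any scanning product; the asset and scan records are constructed in the script, the data model (`Asset`, `ScanRecord`), the `assess_coverage` function and the stricter 7-day tier for high-sensitivity assets are assumptions for illustration, and the 30-day limit reflects the monthly cadence the safeguard states.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical data model (not from CIS or any scanner): an entry from the
# enterprise asset inventory and a record of a completed vulnerability scan.
@dataclass(frozen=True)
class Asset:
    name: str
    address: str
    exposure: str      # "external" (reachable from the internet) or "internal"
    sensitivity: str   # "standard" or "high"

@dataclass(frozen=True)
class ScanRecord:
    address: str
    completed: date
    scap_compliant: bool   # result produced by a SCAP-compliant tool

# Maximum age of the newest scan, in days, per sensitivity tier.
# 30 days is the "monthly" cadence from CIS 7.6; the 7-day tier for
# high-sensitivity assets is an assumed, stricter internal policy.
MAX_AGE_DAYS = {"standard": 30, "high": 7}

def assess_coverage(assets, scans, today):
    """Map asset name -> finding for every external asset that is out of policy.

    Only SCAP-compliant scan results count toward the safeguard; internal
    assets are ignored because 7.6 covers externally-exposed assets only.
    """
    newest = {}
    for s in scans:
        if not s.scap_compliant:
            continue
        if s.address not in newest or s.completed > newest[s.address].completed:
            newest[s.address] = s

    findings = {}
    for a in assets:
        if a.exposure != "external":
            continue
        limit = MAX_AGE_DAYS[a.sensitivity]
        rec = newest.get(a.address)
        if rec is None:
            findings[a.name] = "never scanned by a SCAP-compliant tool"
            continue
        age = (today - rec.completed).days
        if age > limit:
            findings[a.name] = f"last scan {age} days ago, limit {limit}"
    return findings

# Constructed sample inventory and scan history (not real hosts or results).
TODAY = date(2024, 6, 30)
SAMPLE_ASSETS = [
    Asset("web-01", "203.0.113.10", "external", "standard"),
    Asset("vpn-gw", "203.0.113.20", "external", "high"),
    Asset("mail-mx", "203.0.113.30", "external", "standard"),
    Asset("cloud-portal", "198.51.100.5", "external", "standard"),
    Asset("db-internal", "10.0.0.5", "internal", "high"),
]
SAMPLE_SCANS = [
    ScanRecord("203.0.113.10", date(2024, 6, 20), True),    # 10 days old: in policy
    ScanRecord("203.0.113.20", date(2024, 6, 18), True),    # 12 days old: over 7-day limit
    ScanRecord("203.0.113.30", date(2024, 6, 25), False),   # recent but not SCAP-compliant
    ScanRecord("198.51.100.5", date(2024, 5, 16), True),    # 45 days old: over 30-day limit
    ScanRecord("10.0.0.5", date(2024, 1, 1), True),         # internal asset, not in scope
]

if __name__ == "__main__":
    for name, finding in sorted(assess_coverage(SAMPLE_ASSETS, SAMPLE_SCANS, TODAY).items()):
        print(f"{name}: {finding}")
```

In practice the inventory would come from the asset-management system (CIS Control 1) and the scan records from the scanner's export or API; running this comparison on a schedule turns the safeguard's cadence into a measurable metric rather than a calendar reminder, and a non-empty result is the list of assets whose next scan should be scheduled now.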
Why is this important? Externally-exposed assets are the most accessible to attackers and are often the first point of entry in a cyberattack. Regular, automated scans help identify vulnerabilities early, allowing you to address them before they can be exploited.
To recap, CIS Control 7.6 ensures your organization conducts automated vulnerability scans of externally-facing assets on a regular basis, safeguarding your perimeter and reducing the risk of external attacks.