modules, blurring the line between free and commercial tools.
Advanced vulnerability scanning tools can be configured with user credentials to log in to the scanned systems and perform more comprehensive scans than can be achieved without credentials: an authenticated scan can read installed package versions, patch levels, and local configuration that an unauthenticated probe can only infer from network banners. For example, organizations can run scanners every week or every month without credentials for an initial inventory of potential vulnerabilities. Then, on a quarterly or semi-annual basis, the organization can run the same scanning tool with user credentials, or a different scanning tool that supports credentialed scanning, to find additional vulnerabilities. The scanning account itself should be dedicated to this purpose and granted only the access the scanner needs, since its credentials reach every system in scope.
In addition to the scanning tools that check for vulnerabilities and misconfigurations across the network, various free and commercial tools can evaluate the security settings and configurations of the local machines on which they are installed. Such tools compare the host's current state with an approved baseline and can provide fine-grained insight into unauthorized changes in configuration or security weaknesses introduced inadvertently by administrators.
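The following script is an added example of the local configuration check described above; it is not code from the Critical Controls document or from any particular scanning product. It assumes a hypothetical sshd_config-style file format and uses a constructed baseline and a constructed "current" file, both embedded inline, so that it runs offline. It reports every directive that changed, disappeared, or was added relative to the approved baseline.

```python
"""Configuration drift check for a local host (added example, not from the
Critical Controls text). It compares a host's current settings with an
approved baseline and reports changed, missing and added directives.

Everything here is hypothetical: the sshd_config-style baseline and the
"current" file contents are constructed inline so the script runs offline.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed approved baseline (hypothetical values, not from a real host).
BASELINE_CONFIG = """\
# approved baseline, reviewed by the security team
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""

# Constructed current config: an administrator has re-enabled root login and
# password authentication and added a directive the baseline never had.
CURRENT_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 4
PermitEmptyPasswords yes
"""

Finding = Tuple[str, str, str, str]  # (kind, key, expected, actual)


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Directive value' lines, ignoring blank lines and '#' comments.

    Directive names are lower-cased and the first occurrence of a directive
    wins, matching sshd_config semantics, so a duplicate line appended at the
    end of the file cannot masquerade as a fix.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def fingerprint(text: str) -> str:
    """SHA-256 over the normalized settings; equal fingerprints mean no drift.

    Normalizing first means comments, whitespace and line order do not cause
    false alarms, while any change to an effective value does.
    """
    settings = parse_config(text)
    canonical = "\n".join(f"{k}={settings[k]}" for k in sorted(settings))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_configs(baseline: Dict[str, str], current: Dict[str, str]) -> List[Finding]:
    """Return one finding per deviation from the baseline."""
    findings: List[Finding] = []
    for key, expected in baseline.items():
        if key not in current:
            findings.append(("missing", key, expected, ""))
        elif current[key] != expected:
            findings.append(("changed", key, expected, current[key]))
    for key, actual in current.items():
        if key not in baseline:
            findings.append(("added", key, "", actual))
    return findings


def check_drift(baseline_text: str, current_text: str) -> List[Finding]:
    """Fast path on the fingerprint; detailed diff only when something differs."""
    if fingerprint(baseline_text) == fingerprint(current_text):
        return []
    return diff_configs(parse_config(baseline_text), parse_config(current_text))


if __name__ == "__main__":
    for kind, key, expected, actual in check_drift(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"{kind:8} {key:24} baseline={expected!r:6} current={actual!r}")
```

The fingerprint is what a scheduled job would store and compare each run; the detailed diff is what goes into the ticket when the fingerprint no longer matches. Parsing with first-occurrence-wins semantics matters: a naive "last line wins" parser would report a host as compliant after someone appended `PermitRootLogin no` below an earlier `PermitRootLogin yes`, even though sshd keeps using the first value.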
Effective organizations link their vulnerability scanners with problem ticketing systems that automatically track and report progress on fixing problems, and that make unmitigated critical vulnerabilities visible to higher levels of management to ensure the problems are solved.
Critical Control 4: Secure configurations of network devices such as firewalls, routers, and switches.
How do attackers exploit the lack of this control?
Attackers take advantage of the fact that network devices tend to become less securely configured over time: users demand exceptions for specific, temporary business needs, the exceptions are deployed, and they are never removed once the business need has passed. Making matters worse, in some cases the security risk of the exception is never properly analyzed or weighed against the associated business need. Attackers search for holes in firewalls, routers, and switches and use them to penetrate defenses. Attackers have exploited flaws in these network devices to redirect traffic on a network (to a malicious system masquerading as a trusted system) and to intercept and alter information while in