How can this control be implemented, automated, and its effectiveness measured?
QW: Verify that vulnerability testing of networks, systems, and applications is run no less than weekly. Where feasible, vulnerability testing should occur on a daily basis.
Config/Hygiene: Ensure vulnerability testing is performed in authenticated mode (i.e., configuring the scanner with administrator credentials) at least quarterly, either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested, to overcome limitations of unauthenticated vulnerability testing.
Config/Hygiene: Compare the results from back-to-back vulnerability tests to verify that vulnerabilities were addressed either by patching, implementing a compensating control, or by documenting and accepting a reasonable business risk. Such acceptance of business risks for existing vulnerabilities should be periodically reviewed as well, to determine if newer compensating controls or subsequent patches can address vulnerabilities that were previously accepted, or if conditions have changed increasing the risk.
Config/Hygiene: Chart the number of unmitigated critical vulnerabilities for each department/division and share the reports with senior management to provide effective incentives for mitigation.
Config/Hygiene: Measure the delay in patching new vulnerabilities and ensure the delay is equal to or less than the benchmarks set forth by the organization, which should be no more than a week for critical patches unless a mitigating control that blocks exploitation is available.
Advanced: Deploy automated patch management tools for all systems for which such tools are available and safe.
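The back-to-back comparison, the per-department count of unmitigated critical vulnerabilities and the patch-delay benchmark described above, worked through in code. This is an added example, not part of the Critical Controls document; the hosts, departments, vulnerability ids, dates and the accepted-risk register are constructed sample data.

```python
from datetime import date

# Constructed sample data: one finding per (host, CVE/plugin id) from two
# consecutive weekly authenticated scans. Each tuple is
# (host, department, vuln_id, severity, first_seen).
PREVIOUS_SCAN = [
    ("web01", "sales", "VULN-A", "critical", date(2024, 3, 1)),
    ("web01", "sales", "VULN-B", "high", date(2024, 3, 1)),
    ("db01", "finance", "VULN-C", "critical", date(2024, 2, 20)),
    ("hr01", "hr", "VULN-D", "critical", date(2024, 3, 4)),
]
CURRENT_SCAN = [
    ("web01", "sales", "VULN-B", "high", date(2024, 3, 1)),
    ("db01", "finance", "VULN-C", "critical", date(2024, 2, 20)),
    ("db01", "finance", "VULN-E", "critical", date(2024, 3, 8)),
    ("hr01", "hr", "VULN-D", "critical", date(2024, 3, 4)),
]
# Documented, accepted business risks (hypothetical register entries).
ACCEPTED_RISKS = {("hr01", "VULN-D")}
# Organizational benchmark from the control: critical patches within a week.
CRITICAL_SLA_DAYS = 7
AS_OF = date(2024, 3, 10)  # date of the current scan

def compare_scans(previous, current):
    """Diff two scans: remediated, newly found, and still-present findings."""
    prev = {(f[0], f[2]) for f in previous}
    curr = {(f[0], f[2]) for f in current}
    return {
        "remediated": sorted(prev - curr),
        "new": sorted(curr - prev),
        "persisting": sorted(prev & curr),
    }

def unmitigated_criticals_by_department(current, accepted):
    """Input for the per-department chart: open criticals not risk-accepted."""
    counts = {}
    for host, dept, vuln_id, severity, _ in current:
        if severity != "critical" or (host, vuln_id) in accepted:
            continue
        counts[dept] = counts.get(dept, 0) + 1
    return counts

def sla_breaches(current, accepted, as_of, sla_days=CRITICAL_SLA_DAYS):
    """Critical findings open longer than the benchmark and not risk-accepted."""
    breaches = []
    for host, _, vuln_id, severity, first_seen in current:
        age = (as_of - first_seen).days
        if severity == "critical" and (host, vuln_id) not in accepted and age > sla_days:
            breaches.append((host, vuln_id, age))
    return breaches
```

Accepted risks are excluded from both the chart and the breach list, which is why the control asks for that register to be reviewed periodically rather than treated as permanent.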
Procedures and tools for implementing this control:
Organizations can use vulnerability-scanning tools, such as the free and commercial tools described in Critical Control #3.