Hey, everyone, welcome back to the course. So in the last video, we just took a look at a brief overview of control number three, which again is continuous vulnerability management.
And in this video we're going to see how control number three matches up to the NIST Cybersecurity Framework.
So sub control 3.1: we're talking about running automated vulnerability scanning tools, right? So these are the various tools that you'll be seeing out there in the industry. So maybe you're using, like, OpenVAS, you know, the free version. Or maybe you're using, like, Nessus, something like that, either the free or paid version. Whatever it is, you're just running a tool to try to identify those most common vulnerabilities on your network.
Sub control 3.2: this is where you're performing authenticated vulnerability scanning, right? Because we don't want a malicious actor being able to scan and say, oh, here's all the vulnerabilities, right? So you want some type of authentication in place there. Now, again, you're gonna notice here that with the NIST Cybersecurity Framework the mapping is not a direct 1 to 1. In the aspect of this category, the subcategory is talking about vulnerability scans being performed, so that's kind of like an overarching thing. But inside of that, you would be running authenticated scans. So that's why we've got it mapped up here.
Sub control 3.3: we're talking about protection of dedicated assessment accounts. So you've got specific accounts that run these vulnerability scans; you don't use your traditional administrator account. And you notice here there's not a direct 1 to 1 map for NIST CSF.
Sub control 3.4: so we're talking about deploying automated operating system patch management tools. So instead of us having to remember, okay, it's Patch Tuesday, let's go in and manually do all this patching, we just use the power of automated tools to do all that stuff for us. Now, keep in mind that based off your organization or the type of organization it is, for example critical infrastructure, you know, you may not be running these types of tools, so just keep that in mind.
Sub control 3.5: we're talking about deploying automated software patch management tools, so again using the power of automation so we don't have to manually do these processes. And you notice here again there's not a direct 1 to 1 correlation in the NIST Cybersecurity Framework.
Sub control 3.6: comparing our back-to-back vulnerability scans. So we run one, let's say we run one today, we run one tomorrow, or maybe next week. We're just gonna compare those: what new vulnerabilities are identified? Have we fixed any issues? And are those fixes actually working? Right? So that's what we're talking about with sub control 3.6, and again, there's really not a direct 1 to 1 match in the NIST CSF.
Sub control 3.7: utilizing a risk rating process. So just because we find a vulnerability doesn't mean that it's a high risk for our particular organization or what we do with our critical business systems, right? So we need to identify a specific risk rating process we're gonna use, and then rate those risks, saying yes, this is a vulnerability, it's very critical, but it's not critical for our organization, or we're at least willing to accept this particular risk.
So in this video, we just talked through again the CIS control number three mapping, so again that's continuous vulnerability management. And in the next module, we're gonna take a look at the controlled use of administrative privileges.
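As an added illustration of sub controls 3.6 and 3.7 (this is example code, not part of the course or of any scanner's output format): the script below diffs two constructed scan exports to report what is new, what was fixed and what is still open, then rates each open finding by combining the scanner's severity with a hypothetical asset criticality value and an accepted-risk list. Host addresses, check identifiers, the criticality table and the rating thresholds are all constructed for the example.

```python
"""Back-to-back scan comparison (sub control 3.6) and a simple risk rating
process (sub control 3.7).  Added example with constructed sample data; real
scanners such as OpenVAS or Nessus export far richer XML/CSV, and the rating
thresholds below are a hypothetical scheme, not a standard."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner result. Check ids are constructed, not real plugin ids."""
    host: str
    port: int
    check_id: str    # scanner check/plugin identifier (hypothetical)
    severity: float  # CVSS-style base score, 0.0 .. 10.0


# Constructed sample data standing in for two scan exports a week apart.
SCAN_PREVIOUS = [
    Finding("10.0.0.5", 22, "outdated-ssh-server", 7.5),
    Finding("10.0.0.5", 445, "legacy-smb-protocol", 9.8),
    Finding("10.0.0.20", 80, "missing-http-headers", 4.3),
]
SCAN_CURRENT = [
    Finding("10.0.0.5", 22, "outdated-ssh-server", 7.5),       # still open
    Finding("10.0.0.20", 80, "missing-http-headers", 4.3),      # still open
    Finding("10.0.0.20", 3306, "db-default-credentials", 9.8),  # new this week
]

# Hypothetical asset inventory: business criticality 1 (low) .. 3 (critical).
ASSET_CRITICALITY = {"10.0.0.5": 3, "10.0.0.20": 1}


def finding_key(f: Finding) -> tuple:
    """Identity of a finding across scans: same host, port and check."""
    return (f.host, f.port, f.check_id)


def compare_scans(previous, current) -> dict:
    """Sub control 3.6: what is new, what was fixed, what persists.
    A finding counts as fixed only when it is absent from the newer scan,
    which is the evidence that a remediation actually worked."""
    prev = {finding_key(f) for f in previous}
    cur = {finding_key(f) for f in current}
    return {
        "new": sorted(cur - prev),
        "fixed": sorted(prev - cur),
        "persisting": sorted(cur & prev),
    }


def risk_rating(finding: Finding, criticality: int, accepted=frozenset()) -> str:
    """Sub control 3.7: scanner severity alone is not the organization's risk.
    Scale severity by how critical the affected asset is, and honour findings
    the organization has formally accepted.  Thresholds are hypothetical."""
    if finding_key(finding) in accepted:
        return "accepted"
    score = finding.severity * criticality  # 0.0 .. 30.0
    if score >= 21:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def rate_scan(findings, criticality_map, accepted=frozenset()) -> dict:
    """Rate every finding; hosts missing from the inventory default to 2."""
    return {
        finding_key(f): risk_rating(f, criticality_map.get(f.host, 2), accepted)
        for f in findings
    }


if __name__ == "__main__":
    delta = compare_scans(SCAN_PREVIOUS, SCAN_CURRENT)
    for bucket, keys in delta.items():
        print(f"{bucket}: {keys}")
    accepted = frozenset({("10.0.0.20", 80, "missing-http-headers")})
    for key, rating in rate_scan(SCAN_CURRENT, ASSET_CRITICALITY, accepted).items():
        print(f"{key} -> {rating}")
```

Run it and the high-severity SSH finding on the critical host rates "critical", while the equally severe database finding on a low-criticality host only rates "medium", which is the point of 3.7: the same scanner score can mean very different risk to the organization. Note also that a host absent from the inventory gets a middle default rather than being silently dropped.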