Control 3 Mapping to the Cybersecurity Framework

00:00

Hey, everyone, welcome back to the course. So in the last video, we just took a look at a brief overview of control number three, which again is continuous vulnerability management.

00:08

And this video word is going to see how control number three matches up to the NIST cybersecurity framework.

00:15

So sub control 3.1. We're talking about running automated vulnerability scanning tools, right? So these air your various tools that you'll be seen out there in the industry. So maybe you're using lycopene. Voss the free you know, the free version. Or maybe you're using, like, necessary something like that. Either the free or paid version. Whatever it is, you're just running a tool to try to identify those most common

00:35

vulnerabilities on your network.

00:38

Sub control 3.2 This is where you're performing authenticated vulnerability. Scanning right, because we don't want

00:45

a malicious actor being able to scan and say, Oh, here's all the vulnerabilities, right? So you want some type of

00:50

authentication in place there. Now, again, you're gonna notice here that the new cybersecurity framework, the mapping it's not a direct 1 to 1. In the aspect of the this category. The sub categories talking about vulnerability. Vulnerability scans are performed, so that's kind of like an overarching thing. But inside of that, you would be scanning

01:07

with authenticating authenticated Excuse me running authenticated scans.

01:12

So that's why we've got it mapped up here.

01:15

Some control. 3.3 We're talking about protection of dedicated assessment accounts, so you've got specific accounts that run these vulnerability scans. You don't issues your traditional administrator account, and you notice here there's not a direct 1 to 1 map for NIST CSF

01:34

Some control 3.4 So we're talking about deploying Ogg automated operating System patch management tools. So instead of us having to remember, Okay, it's patch Tuesday. Let's go in and manually do all these patching. We just use the power of automated tools to do all that stuff for us. Now, keeping in mind that based off your organization or the type of organization it is, for example,

01:53

critical infrastructure. You know you may not be running

01:56

these types of tools, so just keep that in mind.

02:00

Some control 3.5. We're talking about deploying automated software patch management tools, so again using the power of automation so we don't have to manually do these processes, and you notice here again, there's not a direct 1 to 1 correlation in this cybersecurity framework.

02:16

Some control 3.6 comparing our back to back phone ability. Scan. So we run one. Let's say we run one today. We run on tomorrow. Or maybe next week. We're just gonna compare those what new vulnerabilities are identified. Have we fixed any issues? And are those fixes actually working? Right?

02:32

So that's where we're talking about with sub control 3.6 and again, there's really not a direct 11 match in the NIST CSF

02:40

of Control 3.7, utilizing a risk rating process. So just because we find a vulnerability doesn't mean that it's a high risk for our particular organization or what we do with our critical business systems, Right? So we need to identify a specific risk rating process we're gonna use and then

02:57

rate those risk of saying yes, this is a vulnerability. It's very critical, but

03:01

it's not critical for our organization or were at least willing to accept this particular risk.