Overview of Control 3

00:00

Hey, everyone, welcome back to the core. So in the last video, we wrapped up our discussion Uncle Control number two, which again is inventory in control of software assets.

00:09

In this video, we're to talk about control number three, which is continuous vulnerability management.

00:14

So we're to talk about what CIA's control three is and why we should care about it as well as, well, briefly talk through the sub controls.

00:24

So could troll. Number three is really focused on vulnerabilities with our software or the firmware. And the common vulnerability scoring system is just one method method to measure those vulnerabilities. But why do we actually care?

00:37

Well, Number one, There's always an attacker trying to find something else, right? So there's always an attacker trying to find a zero day. We'll find an exploit that they can use for our particular systems.

00:48

Also, there's security researchers that you know the good guys and the good Gail's, but they're just Breaking these various software is to find the vulnerability so they could be patched before the bad people find them. So, really, it's just a continuous process. No system will ever be 100% secure, so we just have to continuously scanner systems and find those vulnerabilities

01:06

that are applicable to us because we may find a vulnerability

01:10

through our skins. But it may not be actually really applicable to our particular organization.

01:18

So some control three point once where we're talking about running those automated vulnerability skinning tools. So tools like Messis open Voss and some others the's just allow you to quickly see what are the most common vulnerabilities that you have, and then prioritize those vulnerabilities.

01:33

And if you recall from module one excuse me module to control number one, we talked about the various groups, right? So we're talking about more of the mid level to larger enterprises with groups two and three that this is applicable to. However, I would state that if you're a small or medium enterprise small business out there,

01:52

I would recommend you actually just run some vulnerability scans as well on your systems. If you have those, if you use an like clouds, items etcetera. Just find what's applicable for you, but just run so vulnerability scanners and see what your actual vulnerabilities are,

02:07

said control. 3.2 years. We're talking about performing authenticated vulnerability, skinny So for this particular one were really focused on more Group two and three just cause we're gonna have some dedicated either I t or Cyber security assets to be performing these scans.

02:24

So control 3.3 is where we're talking about protecting dedicated assessment accounts. So making sure that we don't use that account we do for the vulnerability assessments making sure that that account with that particular access is not used for everything else on our systems.

02:42

Some control 3.4

02:44

deploying automated operating system patch management tools. So this really applies across the board for all groups, all types of entities. I will say that if you're a smaller business, this really just probably means depending on what you do, right. So I've given examples. And throughout this course of the business, I have a small business I have

03:01

where I do it primarily online, right? So,

03:05

really, my assets in that situation are gonna be like my mold mobile devices on making sure that I've got automated software updates set on those as well, as if I happen to be using a desktop or laptop, make sure I've got automated OS updates there as Well, so really, you just have to have determine what the

03:23

particular need is for your organization and

03:27

deploy things automatically based off your particular needs, you know, So you may be using a actual patch management system if you're in groups two or three.

03:37

Next step deploying automated software patch management tools. I've got a minor grammatical air there.

03:42

And so here we're just really talking about more of the software applications themselves and not specifically the operating system. So we just want to make sure those air getting updated as well.

03:52

Now we want to make sure we compare our back to back vulnerability scans, right? So we don't want to just run a scan and then fix stuff

03:59

and never run another scan. Right? So we wanna run a scan, find these vulnerabilities, patch things and then run another scan to make sure that it's actually patching it properly.

04:10

And then finally, we have some control. 3.7. That's where we're talking about the risk rating process, right? So primarily groups two and three, you're gonna see this in. But I would say also has a very small business owner. It's good to perform a risk assessment of

04:23

your particular systems that you're needing to use rights of using cloud or third party or fully online, like myself. You're gonna perform the risk assessments based off that. So you just want to have some kind of risk rating process in place. So that way, when you identify those vulnerabilities, you can say, Hey,

04:39

these were the things that could actually occur to my company, right? So, as an example of your small business, you're in e commerce business and you're selling products on your website.

04:47

What happens if you get someone that takes over your website? Right, So they do face it or they do a DDOS attack or something, and customers can no longer access your site. What do you do in that situation? So, for example, if I found out that I was vulnerable to Adidas attack, which pretty much every website is right, if I was vulnerable to Adidas attack,

05:08

I would say Okay, well, that's a pretty high risk for me. If all of my businesses online

05:13

through this one website, right, so I may consider, maybe I should get a backup website or get another, you know, physical car readers or something where I can still take customer orders even though my website is down.

05:25

So just thinking through those things. I know. According to C, I s controls,

05:29

it's categorized into groups two and three. But if you're a group one out there, you definitely need to think through some kind of risk rating process for your organization.