Control: The organisation:
B. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
- Enumerating platforms, software flaws, and improper configurations;
- Formatting checklists and test procedures; and
- Measuring vulnerability impact;
Vulnerability Scanning Supplemental Guidance:
Security categorisation of information systems guides the frequency and comprehensiveness of vulnerability scans. Organisations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organisations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analysers) and in source code reviews. Vulnerability scanning includes, for example:
- (i) scanning for patch levels;
- (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and
- (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms.
Organisations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organisations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).
Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2.
Vulnerability Scanning Control Enhancements:
RA-5 (1) Vulnerability Scanning - Update tool capability
The organisation employs vulnerability scanning tools that include the capability to readily update
the information system vulnerabilities to be scanned.
Supplemental Guidance: The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.
RA-5 (3) Vulnerability Scanning - Breadth / Depth of coverage
The organisation employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
RA-5 (4) Vulnerability Scanning - Discoverable Information
The organisation determines what information about the information system is discoverable by
adversaries and subsequently takes [Assignment: organisation-defined corrective actions].
Supplemental Guidance: Discoverable information includes information that adversaries could obtain without directly compromising or breaching the information system, for example, by collecting information the system is exposing or by conducting extensive searches of the web. Corrective actions can include, for example, notifying appropriate organisational personnel, removing designated information, or changing the information system to make designated information less relevant or attractive to adversaries.
Related control: AU-13.
RA-5 (5) Vulnerability Scanning - Privileged Access
The information system implements privileged access authorisation to [Assignment: organisation- identified information system components] for selected [Assignment: organisation-defined vulnerability scanning activities].
Supplemental Guidance: In certain situations, the nature of the vulnerability scanning maybe more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorisation to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning.
RA-5 (7) Vulnerability Scanning - Automated Detection and Notification of Unauthorised components
[Withdrawn: Incorporated into CM-8].
RA-5 (8) Vulnerability Scanning - Review historic audit logs
The organisation reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.
Supplemental Guidance: Related control: AU-6.
RA-5 (9) Vulnerability Scanning - Penetration testing and analysis
[Withdrawn: Incorporated into CA-8].
RA-5 (10) Vulnerability Scanning - Correlate scanning information
The organisation correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability / multi-hop attack vectors.