CIS Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

In October 2023, a network appliance and software vendor announced that a critical vulnerability had been exploited on a version of their operating system and released an update to patch the security flaw.

In February 2025, 16 months after the vulnerability was announced, a state-sponsored threat actor identified three unpatched network appliances belonging to a telecommunications company and exploited the vulnerability. The threat actors then configured a tunnel to enable traffic collection from the network.

To secure the confidentiality, integrity and availability of an organization’s information, the Center for Internet Security (CIS) Critical Security Controls has developed Safeguard 7.6 to ensure externally exposed assets are scanned for known vulnerabilities on a monthly, or more frequent, basis.

This safeguard falls under Control 7 of the CIS Controls framework: Continuous Vulnerability Management.
“Perform automated vulnerability scans of externally-exposed enterprise assets on a regular basis and when new vulnerabilities are disclosed.”

After a vendor releases a patch and sends out an alert for a Common Vulnerabilities and Exposures (CVE) entry to their clients, that is where the vendor’s responsibility ends. It is the responsibility of the client organization to have a Continuous Vulnerability Management program and remediation process. Smaller organizations that fall under CIS Implementation Group 1 (IG1), with only one or two externally exposed enterprise assets, may be able to manage a program manually, but medium and larger organizations with more complex externally exposed infrastructure (IG2 and IG3) require the use of an automated vulnerability scanning tool to satisfy this safeguard.

Automated vulnerability scanning tools are continuously updated with the latest CVEs, enabling them to detect newly discovered threats in real time. They identify externally exposed enterprise assets that are susceptible to known vulnerabilities. This proactive approach helps prevent breaches by ensuring critical weaknesses are found and addressed before attackers can exploit them.

  • Unauthorized Access
    Attackers may exploit known vulnerabilities in public-facing systems to gain access to internal environments, bypassing authentication or privilege controls.
  • Malicious Code Injection
    Unpatched web applications or services can be targeted with malicious payloads, leading to malware infections or backdoor installations.
  • Web Defacement
    Vulnerable websites may be compromised and altered, damaging brand reputation and signaling deeper security issues.
  • Exposure of Sensitive Data
    Misconfigured software or services can inadvertently expose customer or internal data to the public internet, leading to identity theft or compliance violations.
  • Security Misconfiguration
    Default settings, open ports, or unnecessary services on exposed assets can be leveraged by attackers to infiltrate systems or escalate privileges.
  • Ransomware Deployment
    Public-facing vulnerabilities can serve as entry points for ransomware, allowing attackers to encrypt critical data and demand payment.
  • Environment Infiltration
    Once inside, attackers can move laterally through the network, escalating their access and compromising additional systems.

  1. Inventory External Assets
    Identify all internet-facing systems, including web servers, cloud services, and APIs.
  2. Choose a Scanning Tool and Schedule Regular Scans
    Automate scans weekly or monthly, and trigger scans when new vulnerabilities are announced.
  3. Review and Remediate Findings
    Prioritize critical vulnerabilities and assign remediation tasks.
  4. Integrate with Vulnerability Management Processes
    Ensure findings are tracked, reported, and resolved within defined SLAs.
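As an added example (not from the article or from CIS), the following Python check operationalizes steps 1 through 4 above against constructed sample data: it reports inventoried external assets that have not been scanned within the 30-day window Safeguard 7.6 calls for, and open findings that have exceeded assumed per-severity remediation SLAs. The asset names, scan dates, SLA values and placeholder CVE ids are all constructed for illustration.

```python
from datetime import date

# Constructed sample data (not real assets or findings).
# The external asset inventory, as Safeguard 1.1 would maintain it.
ASSETS = ["web-01.example.com", "api.example.com", "vpn.example.com"]

# Last completed external scan per asset (vpn.example.com has never been scanned).
SCANS = [
    {"asset": "web-01.example.com", "date": "2025-03-01"},
    {"asset": "api.example.com", "date": "2025-01-15"},
]

# Open findings exported from the scanner; CVE ids are placeholders.
FINDINGS = [
    {"asset": "web-01.example.com", "id": "CVE-0000-0001", "severity": "critical", "first_seen": "2025-02-10"},
    {"asset": "api.example.com", "id": "CVE-0000-0002", "severity": "medium", "first_seen": "2025-01-15"},
]

MAX_SCAN_AGE_DAYS = 30  # Safeguard 7.6: monthly or more frequent scans
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed remediation SLAs
TODAY = date(2025, 3, 10)  # fixed "today" so results are reproducible


def unscanned_assets(assets, scans, today, max_age=MAX_SCAN_AGE_DAYS):
    """Inventoried assets with no scan at all, or none within max_age days."""
    last_scan = {}
    for s in scans:
        d = date.fromisoformat(s["date"])
        if s["asset"] not in last_scan or d > last_scan[s["asset"]]:
            last_scan[s["asset"]] = d
    return sorted(
        a for a in assets
        if a not in last_scan or (today - last_scan[a]).days > max_age
    )


def sla_breaches(findings, today, sla=SLA_DAYS):
    """Open findings older than their severity's SLA, oldest first."""
    breaches = []
    for f in findings:
        age = (today - date.fromisoformat(f["first_seen"])).days
        if age > sla[f["severity"]]:
            breaches.append((f["asset"], f["id"], f["severity"], age))
    return sorted(breaches, key=lambda b: -b[3])


if __name__ == "__main__":
    print("Not scanned in window:", unscanned_assets(ASSETS, SCANS, TODAY))
    print("SLA breaches:", sla_breaches(FINDINGS, TODAY))
```

Feeding the real inventory and scanner export into the two functions turns the monthly cadence and the SLA requirement into a checkable report rather than a policy statement.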

1.1 Establish and Maintain Detailed Enterprise Asset Inventory: A complete and accurate inventory of externally-exposed assets ensures that all relevant systems are included in vulnerability scans.

2.1 Establish and Maintain a Software Inventory: Knowing what software is running on your external assets helps scanners identify version-specific vulnerabilities and misconfigurations.

7.1 Establish and Maintain a Vulnerability Management Process: This safeguard provides the governance and structure needed to manage vulnerabilities discovered during scans, including prioritization and tracking.

7.2 Establish and Maintain a Remediation Process: Once vulnerabilities are identified, this safeguard ensures there’s a clear and consistent process for fixing them, reducing the window of exposure.

7.3 Perform Automated Operating System Patch Management: Automating operating system patching ensures that vulnerabilities the scans surface in externally-exposed systems are fixed promptly and consistently, reducing the window of exposure.
