Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
In Jurassic Park, the electric fences surrounding the dinosaur enclosures were the first line of defense. They were designed to keep threats contained and protect the outside world. But when those fences failed—due to poor maintenance and lack of monitoring—the consequences were catastrophic.
This is the perfect analogy for CIS Safeguard 7.6, which emphasizes the importance of automated vulnerability scans of externally-exposed enterprise assets. These assets (web servers, VPN gateways, cloud interfaces, and APIs) are your digital perimeter. If they’re not regularly scanned and secured, attackers can walk right in.
What Is CIS Safeguard 7.6?
CIS Safeguard 7.6 is part of the Vulnerability Management control family. It states:
“Perform automated vulnerability scans of externally-exposed enterprise assets. Perform scans on a monthly, or more frequent, basis.”
This safeguard focuses on assets that are accessible from the internet—those most likely to be targeted by threat actors. Regular, automated scans help identify known vulnerabilities before they’re exploited.
Why It Matters
In Jurassic Park, the failure to monitor and maintain the electric fences allowed the dinosaurs to escape. Similarly, failing to scan and patch vulnerabilities in externally-facing systems can lead to data breaches, ransomware infections, and reputational damage.
Unlike internal assets, external systems are constantly probed by bots, scanners, and adversaries. A single unpatched vulnerability can be exploited within hours of being discovered.
How to Implement It
To align with CIS Safeguard 7.6, organizations should:
- Inventory all externally-exposed assets (e.g., public IPs, cloud services, domains).
- Deploy automated external vulnerability scanners (e.g., Qualys, Tenable.io, Intruder, or open-source tools like OpenVAS).
- Schedule scans at least monthly, or more frequently for critical assets.
- Use unauthenticated scans, so results reflect what an attacker sees from the internet without credentials.
- Integrate scan results into vulnerability management workflows for triage and remediation.
- Track trends over time to identify recurring issues or misconfigurations.
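As an added illustration of the steps above (example code, not part of the original post or of any scanner vendor's tooling), the following script takes an asset inventory and normalized scan findings and answers the three questions a vulnerability management workflow needs: which externally-exposed assets have not been scanned within the monthly window, what the open findings look like by severity for triage, and which findings keep reappearing across scan cycles. The hostnames, IP addresses, dates and findings are all constructed sample data, and the 31-day threshold is an assumption standing in for "monthly or more frequent."

```python
# Added example (not from the original post): a minimal check of the
# "How to Implement It" steps against normalized scan output.
# Inventory, hostnames, IPs, dates and findings are constructed sample data.
from collections import Counter
from datetime import date

# Step 1: inventory of externally exposed assets (constructed placeholders).
EXTERNAL_ASSETS = {
    "web-01.example.com": "203.0.113.10",
    "vpn-01.example.com": "203.0.113.20",
    "api-01.example.com": "203.0.113.30",
}

# Steps 2-4: findings from unauthenticated external scans, normalized into a
# generic shape. Real scanner exports differ; map them into this structure.
SCAN_RESULTS = [
    {"asset": "web-01.example.com", "scan_date": "2024-05-02",
     "finding": "TLS 1.0 enabled", "severity": "medium"},
    {"asset": "web-01.example.com", "scan_date": "2024-06-01",
     "finding": "TLS 1.0 enabled", "severity": "medium"},
    {"asset": "web-01.example.com", "scan_date": "2024-06-01",
     "finding": "Outdated web server version", "severity": "high"},
    {"asset": "vpn-01.example.com", "scan_date": "2024-04-15",
     "finding": "Weak SSH ciphers offered", "severity": "low"},
]

# Safeguard 7.6 requires monthly or more frequent scans; 31 days is used
# here as the longest gap that still counts as "monthly" (an assumption).
MAX_SCAN_AGE_DAYS = 31


def last_scan_per_asset(results):
    """Return {asset: most recent scan_date} from a list of findings."""
    latest = {}
    for r in results:
        if r["scan_date"] > latest.get(r["asset"], ""):
            latest[r["asset"]] = r["scan_date"]
    return latest


def stale_or_unscanned(assets, results, today, max_age_days=MAX_SCAN_AGE_DAYS):
    """Step 3 check: inventoried assets without a scan in the last max_age_days.

    `today` is an ISO date string so the check is reproducible.
    Returns {asset: reason} for every asset that is out of compliance.
    """
    latest = last_scan_per_asset(results)
    today_d = date.fromisoformat(today)
    problems = {}
    for asset in assets:
        if asset not in latest:
            problems[asset] = "never scanned"
            continue
        age = (today_d - date.fromisoformat(latest[asset])).days
        if age > max_age_days:
            problems[asset] = f"last scan {age} days ago"
    return problems


def open_findings_by_severity(results):
    """Step 5 triage input: severity counts from each asset's latest scan only,
    so findings fixed since an earlier scan are not counted as still open."""
    latest = last_scan_per_asset(results)
    counts = Counter(
        r["severity"] for r in results if r["scan_date"] == latest[r["asset"]]
    )
    return dict(counts)


def recurring_findings(results):
    """Step 6 trend check: (asset, finding) pairs reported in two or more
    separate scans, i.e. issues that were seen before and never remediated."""
    seen = {}
    for r in results:
        seen.setdefault((r["asset"], r["finding"]), set()).add(r["scan_date"])
    return sorted(key for key, dates in seen.items() if len(dates) >= 2)


if __name__ == "__main__":
    today = "2024-06-10"  # constructed reference date
    print("Out of compliance:", stale_or_unscanned(EXTERNAL_ASSETS, SCAN_RESULTS, today))
    print("Open findings by severity:", open_findings_by_severity(SCAN_RESULTS))
    print("Recurring findings:", recurring_findings(SCAN_RESULTS))
```

With the sample data, the VPN gateway shows up as scanned 56 days ago and the API host as never scanned, which is exactly the gap between "we have a scanner" and "every exposed asset is covered monthly." The recurring-findings check flags the TLS 1.0 issue that was reported in two consecutive scans, the kind of item that should be escalated rather than re-ticketed.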
Jurassic Park’s Perimeter Failure
When Dennis Nedry disabled the park’s security systems, the electric fences went offline. No one noticed until it was too late. Had there been automated perimeter diagnostics, the system could have alerted staff immediately, potentially preventing disaster.
In cybersecurity, automated external scans serve the same purpose: early detection of perimeter weaknesses before adversaries exploit them.
Final Thoughts
CIS Safeguard 7.6 is about proactive perimeter defense. Your externally-facing assets are like the fences in Jurassic Park—they need constant monitoring, testing, and maintenance. Automated vulnerability scans are your electric current, keeping threats at bay.
Resources
Here’s a link to the Policy Templates provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 7 – Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
CIS Safeguard 7.6 – Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
Perform automated vulnerability scans of externally-exposed enterprise assets. Perform scans on a monthly, or more frequent, basis.
Shameless Marketing Information
Gotham Technology Group offers a Managed Vulnerability & Prioritization service powered by Tenable. Our team will leverage Tenable’s Vulnerability Prioritization Rating to ensure you are mitigating the most critical vulnerabilities first.