Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
Description
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
Implementation Checklist
Tool Recommendations
Continuous vulnerability assessment and exposure management across IT assets, cloud, containers, and OT
Tenable · Per-asset subscription
Cloud-based vulnerability management, detection, and response with integrated patch management and asset inventory
Qualys · Per-asset subscription
Vulnerability management platform with live dashboards, risk prioritization, and remediation workflows
Rapid7 · Per-asset subscription
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Internet-Facing Vulnerability Exploitation by Automated Scanners
Confidentiality: Threat actors continuously scan internet-facing assets using services such as Shodan and Censys to identify exploitable vulnerabilities in web servers, VPN gateways, and email systems that the organization has not detected through its own external scanning.
Perimeter Service Compromise via Undetected Misconfigurations
Integrity: Externally exposed services with misconfigurations such as open admin panels, exposed API endpoints, or weak TLS configurations are discovered and exploited by attackers before the organization identifies them through external vulnerability scanning.
Exploitation of Shadow Internet-Facing Assets
Confidentiality: Externally exposed assets that were provisioned outside normal change management, such as development servers or test environments, contain critical vulnerabilities that are never scanned because no automated external scanning program exists.
Vulnerabilities (When Safeguard Absent)
No Automated External Vulnerability Scanning Program
The organization does not perform regular automated vulnerability scans of its external attack surface, leaving internet-facing assets unassessed while attackers continuously probe them for weaknesses.
Incomplete External Asset Scope for Scanning
External vulnerability scans cover only known IP ranges and domains, missing cloud-hosted assets, CDN endpoints, third-party hosted services, and shadow IT exposed to the internet.
Scan Frequency Below Monthly Cadence
External scans are performed quarterly or less frequently rather than monthly, creating windows of exposure where newly published vulnerabilities in perimeter systems go undetected for extended periods.
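The two gaps described above (scan scope narrower than the real external footprint, and cadence slipping past 30 days) are both mechanically checkable. The Python below is an added example, not code from CIS or from any of the vendors listed; it reconciles a constructed external asset inventory against a constructed scanner target list and scan history. All hostnames, addresses, dates and the `run_checks` entry point are assumptions for illustration; in practice the inventory would come from DNS zones, cloud public-IP listings and CDN configuration, and the history from the scanner's API.

```python
import ipaddress
from datetime import date

# Constructed sample data; none of these hosts, addresses or dates are real.
# External asset inventory: everything the organization believes is
# internet-facing, merged from DNS, cloud public-IP listings and CDN config.
ASSET_INVENTORY = [
    {"host": "www.example.com",  "ip": "203.0.113.10", "source": "dns"},
    {"host": "vpn.example.com",  "ip": "203.0.113.20", "source": "dns"},
    {"host": "mail.example.com", "ip": "203.0.113.25", "source": "dns"},
    {"host": "dev.example.com",  "ip": "198.51.100.7", "source": "cloud"},  # shadow dev box
    {"host": "cdn.example.com",  "ip": "192.0.2.80",   "source": "cdn"},
    {"host": "api.example.com",  "ip": "198.51.100.9", "source": "cloud"},
]

# Scanner target list: one on-prem /27 plus a single cloud host.
# The CDN endpoint and the dev box are not in scope at all.
SCAN_TARGETS = ["203.0.113.0/27", "198.51.100.9"]

# Last completed scan per address, as a scanner would report it.
SCAN_HISTORY = {
    "203.0.113.10": date(2024, 5, 3),
    "203.0.113.20": date(2024, 5, 3),
    "203.0.113.25": date(2024, 2, 14),  # silently dropped from recent cycles
    "198.51.100.9": date(2024, 5, 3),
}

MAX_SCAN_AGE_DAYS = 30  # the safeguard's "monthly, or more frequent" cadence


def _target_networks(targets):
    """Parse scanner targets (single IPs or CIDR blocks) into ip_network objects."""
    return [ipaddress.ip_network(t, strict=False) for t in targets]


def scope_gaps(inventory, targets):
    """Return inventory entries whose address falls inside no scanner target.

    These are externally exposed assets the scanner never looks at, regardless
    of how often it runs.
    """
    nets = _target_networks(targets)
    return [
        asset for asset in inventory
        if not any(ipaddress.ip_address(asset["ip"]) in net for net in nets)
    ]


def cadence_violations(inventory, history, as_of, max_age_days=MAX_SCAN_AGE_DAYS):
    """Return (asset, days_since_last_scan) pairs that breach the cadence.

    days_since_last_scan is None for assets with no completed scan on record,
    which covers both out-of-scope assets and targets the scanner never reached.
    """
    violations = []
    for asset in inventory:
        last = history.get(asset["ip"])
        if last is None:
            violations.append((asset, None))
        elif (as_of - last).days > max_age_days:
            violations.append((asset, (as_of - last).days))
    return violations


def run_checks(as_of_iso="2024-05-20"):
    """Run both checks and return hostnames only, in inventory order."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        "out_of_scope": [a["host"] for a in scope_gaps(ASSET_INVENTORY, SCAN_TARGETS)],
        "stale_or_never": [
            (a["host"], days)
            for a, days in cadence_violations(ASSET_INVENTORY, SCAN_HISTORY, as_of)
        ],
    }


if __name__ == "__main__":
    report = run_checks()
    print("Assets outside scanner scope:", report["out_of_scope"])
    print("Assets past the 30-day cadence (None = never scanned):", report["stale_or_never"])
```

Two things the output shows that a scan report alone does not: the scope gap and the cadence gap are different failures. mail.example.com is inside the target range yet has not been scanned in over 90 days, so scope configuration looks correct while the cadence is breached; the CDN and dev hosts fail on scope and would never appear in any scan finding. Feeding a separately maintained inventory into a check like this is what turns "we run the scanner monthly" into evidence that every externally exposed asset was actually assessed.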
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Document | Current inventory of externally-exposed assets defining the scan scope | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for external vulnerability scanning (scope, cadence, tooling) | Reviewed annually |
| Technical | Vulnerability scan reports showing scope and findings | Per scan cycle |
| Record | Vulnerability remediation tracking with SLA compliance metrics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |