Curious if anyone is using CISA services, i.e. vuln scanning. Any success? Lessons learned? Issues?

CISO @ Florida Gulf Coast University in Education, 2 years ago

Hi there,

We currently use CISA as an augmentation for our external vulnerability management, and the reports they send out are customized versions of Tenable.io reports. It is nice because they do not charge you for it, and the reports can be used for some help with some of Gartner's outcome-driven metrics for security (e.g. time to patch vulnerabilities, etc.).

I heard from several of the other CISOs I collaborate with in FL that they have used their risk assessment and tabletop exercise services with good success. I think nailing CISA down on dates can be hard because they are busy, and they may overdo it a bit if you do not scope them in the beginning, but overall I have heard nothing but good things about their services.

HTH,

Sven

no title, 2 years ago

thanks, this is helpful

Head of Information Security in Manufacturing, 2 years ago

While I haven't personally utilized the CISA vulnerability scanning services, my experience with similar services can shed some light on this topic. Vulnerability scanning as a service, such as what CISA offers, can be a valuable tool in identifying visible weaknesses from an external perspective. These services typically scan for known vulnerabilities in publicly accessible systems, offering insights into potential security gaps that external threats could exploit.

However, it's crucial to understand that these services have limitations. They primarily focus on external-facing systems, often overlooking internal vulnerabilities that could be just as, if not more, critical. While they can provide a snapshot of your external security posture, they don't offer a complete picture of your overall security health.

Effective use of such services also requires a comprehensive understanding of your organization's external IP addresses. Without this, the service might not cover all external assets, leaving some potentially vulnerable systems unscanned.

While external vulnerability scanning services, whether from CISA or another provider, can be useful to your security architecture, they should not be relied upon as the sole measure of your security posture. They are best viewed as one piece of a holistic security strategy, complementing other security measures such as internal vulnerability assessments, penetration testing, and continuous monitoring to ensure a robust defense against internal and external threats.

no title, 2 years ago

Thanks! Much appreciated
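Two points in the thread lend themselves to a concrete check: the first reply uses the scan reports for a time-to-patch metric, and the second warns that the service only covers the external addresses you know about. The script below is an added example written for this discussion, not code from the thread, CISA or Tenable: it reconciles a constructed, simplified findings CSV against a hypothetical inventory of public ranges and computes per-finding time to patch. The column names and IP ranges are assumptions, not the real report format.

```python
# Added example (not from the thread or from CISA/Tenable): reconcile an external
# scan report against your own inventory of public IP ranges and compute
# time-to-patch per finding. All data below is constructed for illustration.
import csv
import io
import ipaddress
from datetime import date

# Hypothetical inventory of the organization's external ranges (documentation prefixes).
EXTERNAL_RANGES = ["203.0.113.0/28", "198.51.100.64/27"]

# Constructed findings in a simplified, report-like CSV layout (assumed columns).
REPORT_CSV = """host,plugin,severity,first_seen,fixed_on
203.0.113.5,Apache httpd outdated,high,2024-01-03,2024-01-20
203.0.113.7,TLS 1.0 enabled,medium,2024-01-03,
198.51.100.70,SSH weak MAC,low,2024-01-10,2024-01-12
192.0.2.9,Self-signed certificate,low,2024-01-10,
"""

def parse_report(text):
    return list(csv.DictReader(io.StringIO(text)))

def coverage_gaps(rows, ranges):
    """Inventoried addresses that never appear in the report: either not scanned
    or not reported, so they need confirming with the provider."""
    seen = {ipaddress.ip_address(r["host"]) for r in rows}
    nets = [ipaddress.ip_network(c) for c in ranges]
    return sorted(str(ip) for n in nets for ip in n.hosts() if ip not in seen)

def out_of_scope_hosts(rows, ranges):
    """Reported hosts outside the declared ranges: the inventory is stale or the
    target list handed to the scanner is wrong."""
    nets = [ipaddress.ip_network(c) for c in ranges]
    return sorted({r["host"] for r in rows
                   if not any(ipaddress.ip_address(r["host"]) in n for n in nets)})

def time_to_patch(rows, today=date(2024, 2, 1)):
    """Days from first_seen to fixed_on per finding; open findings age to 'today'."""
    out = {}
    for r in rows:
        first = date.fromisoformat(r["first_seen"])
        fixed = date.fromisoformat(r["fixed_on"]) if r["fixed_on"] else today
        out[(r["host"], r["plugin"])] = {"days": (fixed - first).days,
                                         "open": not r["fixed_on"]}
    return out

def mean_ttp_closed(rows):
    """Mean time to patch over closed findings only (the metric the report feeds)."""
    closed = [v["days"] for v in time_to_patch(rows).values() if not v["open"]]
    return sum(closed) / len(closed) if closed else None
```

Run against a real export, the coverage-gap list is the set of addresses to raise with the scanning provider before trusting the report as a complete external picture.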
