by Sharon Everson
February 26, 2016
With the increase in governance and compliance regulations, establishing a strong policy to address legal and regulatory compliance requirements is a must. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides a set of objectives that address compliance standards, guidelines, and best practices across multiple regulations. This Assurance Report Card (ARC) aligns with the CSF category IDENTIFY.Governance (ID.GV), which recommends understanding, managing, and ultimately applying legal and regulatory cybersecurity requirements to systems within an organization.
Compliance can be a complex and time-consuming process for any organization to undertake. Maintaining compliance assures that systems are configured in accordance with an established policy. Performing vulnerability scans on a regular basis is only a small part of maintaining compliance. Systems also need to be configured properly, as many operating systems and devices ship with less-than-secure default settings, permissions, and accounts. Best practice is to secure systems before deployment, and to ensure that appropriate security settings, patches, and configurations are applied. Non-compliant systems on a network can leave the organization exposed to attack, and can result in data breaches, damage to critical systems, and loss of reputation.
This ARC assists an organization in assessing its compliance status in several key areas. The ARC makes use of standards such as the CSF, NIST 800-53, DoD Instruction 8500.2, and the PCI Data Security Standard to highlight compliance failures relating to data protection, anti-malware, secure configuration, and least privilege. Addressing these compliance failures can help an organization limit its attack surface and control access. Additional compliance checks include login configuration, default accounts and passwords, and database and web server checks. Compliance failures may indicate that hosts are improperly configured and secured. The organization should continuously monitor this information and correct any compliance issues so that the network can be made more secure.
Clicking on a policy statement will bring up the analysis screen to display details on any compliance failures related to that policy statement. In the analysis screen, setting the tool to IP Summary will display the systems on which the compliance failures are present.
This ARC relies on audit results obtained from Nessus scans of the systems on the network using appropriate audit files. Tenable provides over 450 audit files, available for download from the Tenable Customer Support Portal, that cover a wide range of major regulatory and other auditable standards. The audit files and ARC policy statement parameters are guides that can be customized as necessary to meet organizational requirements.
The policy statements included within this ARC will allow the organization to easily identify and remediate any compliance related issues, which can help to reduce or eliminate compliance gaps. Incidents due to non-compliance can result in data breaches and attacks, which can be a devastating and costly expense for an organization. By implementing a continuous approach to compliance monitoring, organizations can ensure data integrity and overall compliance.
This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:
- Tenable.sc 5.2.0
- Nessus 8.5.1
- NNM 5.9.0
- Compliance Data
Tenable's Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Nessus Network Monitor (NNM), as well as log correlation with Tenable's Log Correlation Engine (LCE). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network.
ARC Policy Statements:
At least 95% of actively and passively detected systems have been audited in the past 90 days: This policy statement compares the number of systems that have been audited in the past 90 days to the total number of systems that have been actively and passively detected. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems on the network are detected both passively by NNM and actively by Nessus; compliance scans are performed by Nessus. Systems that have not been audited within that window should be reviewed further by the organization, since a host that is never audited contributes no compliance data and is therefore invisible to the remaining policy statements. This policy statement helps an organization measure whether compliance scans are being performed on a regular basis.
Less than 25% of compliance checks failed on Windows, Linux, Solaris and Mac OS machines: This policy statement compares the number of failed compliance checks to the total number of compliance checks across Windows, Linux, Solaris and Mac OS machines. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement will help an organization identify non-compliant systems, which can help to address outstanding compliance issues. Note that this ratio, like the others below, is computed over compliance checks rather than over hosts, so a small number of systems with many failures, or a single high-impact failure, can still sit under the threshold; use the IP Summary drilldown to see which hosts the failures belong to.
Less than 5% of secure configuration compliance checks failed: This policy statement compares the number of failed to total secure configuration compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Secure configuration settings may include requirements to disable unnecessary ports and other functionality, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:
- NIST 800-53 control CM-6 (CONFIGURATION SETTINGS)
- NIST 800-53 control CM-7 (LEAST FUNCTIONALITY)
- SANS/Council on CyberSecurity Critical Security Control 3 (Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers)
- SANS/Council on CyberSecurity Critical Security Control 10 (Secure Configurations for Network Devices such as Firewalls, Routers, and Switches)
- SANS/Council on CyberSecurity Critical Security Control 11 (Limitation and Control of Network Ports, Protocols, and Services)
- DoD Instruction 8500.2 control ECSC (Security Configuration Compliance)
- PCI DSS requirement 2.2.2 (Enable only necessary services, protocols, daemons, etc., as required for the function of the system)
- PCI DSS requirement 2.2.3 (Implement additional security features for any required services, protocols, or daemons that are considered to be insecure)
- PCI DSS requirement 2.2.4 (Configure system security parameters to prevent misuse)
- PCI DSS requirement 2.2.5 (Remove all unnecessary functionality)
Less than 5% of anti-malware compliance checks failed: This policy statement compares the number of failed to total anti-malware compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Anti-malware settings may include requirements to use and regularly update anti-virus software, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:
- Cybersecurity Framework DE.CM-4 (Malicious code is detected)
- NIST 800-53 control SI-3 (MALICIOUS CODE PROTECTION)
- SANS/Council on CyberSecurity Critical Security Control 5 (Malware Defenses)
- DoD Instruction 8500.2 control ECVP-1 (Virus Protection)
- PCI DSS requirement 5 (Protect all systems against malware and regularly update anti-virus software or programs)
Less than 5% of data protection compliance checks failed: This policy statement compares the number of failed to total data protection compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Data protection settings may include encryption and access control requirements, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:
- Cybersecurity Framework PR.DS-1 (Data-at-rest is protected)
- Cybersecurity Framework PR.DS-2 (Data-in-transit is protected)
- NIST 800-53 control SC-8 (TRANSMISSION CONFIDENTIALITY AND INTEGRITY)
- SANS/Council on CyberSecurity Critical Security Control 15 (Controlled Access Based on the Need to Know)
- SANS/Council on CyberSecurity Critical Security Control 17 (Data Protection)
- DoD Instruction 8500.2 control ECCD (Changes to Data)
- DoD Instruction 8500.2 control ECCR (Encryption for Confidentiality (Data at Rest))
- DoD Instruction 8500.2 control ECCT (Encryption for Confidentiality (Data in Transit))
- DoD Instruction 8500.2 control ECNK (Encryption for Need-To-Know)
- PCI DSS requirement 3 (Protect stored cardholder data)
- PCI DSS requirement 4 (Encrypt transmission of cardholder data across open, public networks)
- PCI DSS requirement 7 (Restrict access to cardholder data by business need to know)
Less than 5% of login configuration compliance checks failed: This policy statement compares the number of failed to total login configuration compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Login configuration settings may include auditing and banner requirements, among other things. To protect systems against unauthorized use, login configuration issues must be addressed.
Less than 5% of default account/password compliance checks failed: This policy statement compares the number of failed to total default account and password compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Default account and password settings may include requirements to disable default accounts and limit use of blank passwords, among other things. To protect systems against unauthorized use, default accounts and passwords should be changed.
Less than 5% of least privilege compliance checks failed: This policy statement compares the number of failed to total least privilege compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Least privilege settings may include requirements to disable certain rights and privileges for specific users, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:
- Cybersecurity Framework PR.AC-4 (Access permissions are managed, incorporating the principles of least privilege and separation of duties)
- NIST 800-53 control AC-6 (LEAST PRIVILEGE)
- SANS/Council on CyberSecurity Critical Security Control 12 (Controlled Use of Administrative Privileges)
- DoD Instruction 8500.2 control ECLP (Least Privilege)
Less than 5% of database compliance checks failed: This policy statement compares the number of failed to total database compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement relies on audit results received from Nessus scans utilizing database audit files for compliance scanning. To secure databases and meet compliance requirements, any non-compliant database settings must be addressed.
Less than 5% of web server compliance checks failed: This policy statement compares the number of failed to total web server compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Web server compliance checks are identified by text strings such as "Apache", "IIS", or "Application server" in their descriptions. If necessary, additional text strings can be added in the Base and Drilldown filters of this policy statement. To secure web services and meet compliance requirements, non-compliant web server settings must be addressed.
Less than 5% of remote access compliance checks failed: This policy statement compares the number of failed to total remote access compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Remote access settings may include requirements to disable certain remote access services and set appropriate permissions, among other things. To protect systems against unauthorized access, remote access compliance issues must be addressed.
Less than 5% of removable media and USB compliance checks failed: This policy statement compares the number of failed to total removable media and USB compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Removable media and USB settings may include requirements to turn off Autoplay and disable USB, among other things. To protect against data loss or system compromise, removable media compliance issues must be addressed.
Less than 5% of wireless compliance checks failed: This policy statement compares the number of failed to total wireless compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Wireless settings may include requirements to deactivate wireless interfaces and set specific configurations, among other things. To improve wireless security and protect against unauthorized access, wireless compliance issues must be addressed.
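To make the evaluation behind these policy statements concrete, the following is an added Python example; it is not Tenable's code and does not reproduce the ARC's own filter definitions. It models each statement as a failed-to-total ratio over the compliance checks selected by a filter, using either standard cross-references (assumed here to be tagged in `SOURCE|ID` form, e.g. `800-53|CM-6`) or description keywords such as "Apache" and "IIS" as the web server statement does, plus the 90-day audit coverage ratio over detected hosts. The hosts, check descriptions, scan dates and filter prefixes are constructed for illustration.

```python
"""ARC-style evaluation of Nessus compliance results (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Check:
    host: str
    description: str
    status: str        # "PASSED", "FAILED" or "WARNING" (WARNING = needs manual review)
    xrefs: tuple       # assumed "SOURCE|ID" tags, e.g. "800-53|CM-6", "PCI-DSS|2.2.2"
    scanned: date


@dataclass(frozen=True)
class Statement:
    name: str
    max_failed_pct: float
    xref_prefixes: tuple = ()   # in scope if any xref starts with one of these
    keywords: tuple = ()        # in scope if the description contains one of these


def matches(check, stmt):
    """A check is in scope if it hits any xref prefix or keyword; no filters means every check."""
    if not stmt.xref_prefixes and not stmt.keywords:
        return True
    if any(x.startswith(p) for x in check.xrefs for p in stmt.xref_prefixes):
        return True
    desc = check.description.lower()
    return any(k.lower() in desc for k in stmt.keywords)


def evaluate(checks, stmt):
    """Failed/total over in-scope checks. WARNING counts in the denominator only (assumption)."""
    scoped = [c for c in checks if matches(c, stmt)]
    total = len(scoped)
    failed = sum(1 for c in scoped if c.status == "FAILED")
    if total == 0:
        # No matching audit data: report 'no data', never a green result.
        return {"name": stmt.name, "failed": 0, "total": 0, "pct": None, "passed": None}
    pct = round(100.0 * failed / total, 2)
    return {"name": stmt.name, "failed": failed, "total": total,
            "pct": pct, "passed": pct < stmt.max_failed_pct}


def failing_hosts(checks, stmt):
    """The IP Summary drilldown: which hosts carry the failures behind a statement."""
    return sorted({c.host for c in checks if matches(c, stmt) and c.status == "FAILED"})


def audit_coverage(detected_hosts, checks, asof, days=90, min_pct=95.0):
    """Share of detected hosts with at least one compliance result inside the window."""
    cutoff = asof - timedelta(days=days)
    recent = {c.host for c in checks if c.scanned >= cutoff}
    audited = detected_hosts & recent        # ignore results for hosts the sensors never saw
    pct = round(100.0 * len(audited) / len(detected_hosts), 2) if detected_hosts else None
    return {"audited": len(audited), "detected": len(detected_hosts),
            "pct": pct, "passed": pct is not None and pct >= min_pct}


# Statement definitions (thresholds from the ARC; filter prefixes/keywords are assumptions).
STATEMENTS = {
    "all_os": Statement("Less than 25% of compliance checks failed", 25.0),
    "secure_config": Statement("Less than 5% of secure configuration checks failed", 5.0,
                               xref_prefixes=("800-53|CM-6", "800-53|CM-7", "PCI-DSS|2.2.")),
    "anti_malware": Statement("Less than 5% of anti-malware checks failed", 5.0,
                              xref_prefixes=("800-53|SI-3", "PCI-DSS|5")),
    "least_privilege": Statement("Less than 5% of least privilege checks failed", 5.0,
                                 xref_prefixes=("800-53|AC-6",)),
    "web_server": Statement("Less than 5% of web server checks failed", 5.0,
                            keywords=("Apache", "IIS", "Application server")),
    "database": Statement("Less than 5% of database checks failed", 5.0,
                          keywords=("Oracle", "MySQL", "MSSQL", "PostgreSQL", "database")),
}

# Constructed sample data: five detected hosts, one never audited, one audited too long ago.
AS_OF = date(2016, 2, 26)
DETECTED_HOSTS = frozenset({"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"})
SAMPLE_CHECKS = [
    Check("10.0.0.1", "Windows: Disable unnecessary services", "PASSED", ("800-53|CM-7", "PCI-DSS|2.2.2"), date(2016, 2, 20)),
    Check("10.0.0.1", "Windows: Antivirus signatures up to date", "FAILED", ("800-53|SI-3", "PCI-DSS|5.1"), date(2016, 2, 20)),
    Check("10.0.0.1", "Windows: Restrict local administrators group", "PASSED", ("800-53|AC-6",), date(2016, 2, 20)),
    Check("10.0.0.2", "Linux: Remove unneeded packages", "FAILED", ("800-53|CM-7", "PCI-DSS|2.2.5"), date(2016, 2, 22)),
    Check("10.0.0.2", "Linux: SSH protocol version 2 only", "PASSED", ("800-53|CM-6", "PCI-DSS|2.2.3"), date(2016, 2, 22)),
    Check("10.0.0.2", "Apache: ServerTokens set to Prod", "FAILED", ("800-53|CM-6",), date(2016, 2, 22)),
    Check("10.0.0.3", "Linux: Antivirus installed", "PASSED", ("800-53|SI-3",), date(2016, 2, 10)),
    Check("10.0.0.3", "Apache: Disable directory listing", "PASSED", ("800-53|CM-6",), date(2016, 2, 10)),
    Check("10.0.0.3", "Linux: Login banner configured", "WARNING", ("800-53|AC-8",), date(2016, 2, 10)),
    Check("10.0.0.4", "Windows: Disable Autoplay", "PASSED", ("800-53|CM-6",), date(2015, 10, 1)),
]

if __name__ == "__main__":
    cov = audit_coverage(DETECTED_HOSTS, SAMPLE_CHECKS, AS_OF)
    print(f"audit coverage: {cov['audited']}/{cov['detected']} = {cov['pct']}% passed={cov['passed']}")
    for key, stmt in STATEMENTS.items():
        r = evaluate(SAMPLE_CHECKS, stmt)
        print(f"{stmt.name}: {r['failed']}/{r['total']} = {r['pct']}% passed={r['passed']} "
              f"hosts={failing_hosts(SAMPLE_CHECKS, stmt)}")
```

Two things the run makes visible that the percentages alone do not: the database statement has no matching checks at all, which must be read as "no data" rather than as compliant, and the secure configuration statement fails on only two checks, both of which the `failing_hosts` drilldown traces to a single host.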