by Megan Daudelin
February 26, 2016
Performing risk assessments is an integral part of implementing a network security plan. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of objectives that allow an organization to build a comprehensive security plan to protect against security threats. This Assurance Report Card (ARC) aligns with the NIST Cybersecurity Framework category IDENTIFY.Risk Assessment (ID.RA), which provides accurate information on the risk status of an organization’s network and identifies key areas of risk that need additional measures implemented.
No matter the size of an organization, measuring risk can be a daunting task. Risk assessments need to account for all the devices that connect to the network, which can include a great number and variety of devices. Having adequate scan policies, up-to-date software, and a consistent patch and remediation plan can help reduce the level of risk an organization is exposed to. Organizations that do not monitor their risk exposure could be leaving their network vulnerable to attack, intrusion, or infection.
This ARC assists organizations in improving their risk assessment efforts. Systems and vulnerabilities are identified using a combination of active scans by Nessus and passive scans by the Nessus Network Monitor (NNM). NNM can detect hosts that may be missed by active scans, such as hosts that are only connected to the network intermittently. Policy statements are included that report on systems that have been recently scanned, unpatched vulnerabilities with patches over 30 days old, and systems running unsupported software. Additional policy statements report on various types of systems with exploitable vulnerabilities and exploitable vulnerabilities that have been recast or marked as accepted risks. Unpatched vulnerabilities, unsupported software, and exploitable vulnerabilities can leave a network exposed to malicious activity. Ensuring that systems are scanned regularly is key to monitoring and remediating the vulnerabilities on systems within a network in order to mitigate risk.
This ARC provides a baseline for measuring the effectiveness of an organization's risk assessment efforts and shows whether the policies currently being enforced are effective. Policy statements can be customized as needed to meet organizational requirements.
This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:
- Tenable.sc 5.2.0
- Nessus 8.5.1
- LCE 6.0.0
- NNM 5.9.0
Tenable's Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Nessus Network Monitor (NNM), as well as log correlation with Tenable's Log Correlation Engine (LCE). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network assets, connections, and services.
ARC Policy Statements:
At least 80% of actively and passively detected systems have been scanned in the last 14 days: This policy statement compares the ratio of detected systems that have been scanned in the last 14 days to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems on the network are detected both passively by NNM and actively by Nessus. All systems should be actively scanned by Nessus to ensure that all systems are properly identified and evaluated.
Less than 5% of systems have unpatched vulnerabilities where the patch was published over 30 days ago: This policy statement compares the number of systems with unpatched vulnerabilities whose patch was published over 30 days ago to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Unpatched vulnerabilities leave systems exposed to exploitation and should be patched within 30 days of patch publication.
Less than 5% of systems are running unsupported software: This policy statement compares the number of systems running unsupported software to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement looks for unsupported software on a network, which can include outdated operating systems, applications, browsers, and other software. Unsupported software can be prone to vulnerabilities, which can present serious security risks for an organization. Some systems may not be capable of being patched due to lack of vendor support, end-of-life, or other business requirements. Unsupported software should be monitored regularly to determine whether software can and should be updated.
No systems have exploitable vulnerabilities: This policy statement compares the number of systems with exploitable vulnerabilities to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems with exploitable vulnerabilities can expose the network to increased risk of malicious activity and should be patched.
No Internet-facing systems have exploitable vulnerabilities: This policy statement compares the number of Internet-facing systems with exploitable vulnerabilities to total Internet-facing systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on Internet-facing systems leave the network exposed to malicious activity and should be remediated.
No systems with VPN access have exploitable vulnerabilities: This policy statement compares the number of systems with VPN access that have exploitable vulnerabilities to total systems with VPN access. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy monitors exploitable vulnerabilities on all systems that have VPN access. Exploitable vulnerabilities on systems with VPN access leave the network especially exposed to malicious activity and need to be remediated.
No mobile devices have exploitable vulnerabilities: This policy statement compares the number of voice and mobile devices with exploitable vulnerabilities to the total number of voice and mobile devices. Exploitable vulnerabilities on mobile devices increase the network’s potential exposure to malicious activity and should be remediated if possible.
No security devices have exploitable vulnerabilities: This policy statement compares the number of security devices with exploitable vulnerabilities to total security devices. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on security devices expose the network to a high level of risk and need to be remediated.
No web servers have exploitable vulnerabilities: This policy statement compares the number of web servers with exploitable vulnerabilities to total web servers. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on web servers expose the network to attack and should be remediated.
No systems with outbound external connections have exploitable vulnerabilities: This policy statement compares the number of systems with outbound external connections that have exploitable vulnerabilities to total systems with outbound external connections. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on systems with outbound external connections leave the network exposed to malicious activity and should be remediated.
No systems have exploitable vulnerabilities marked as accepted risks: This policy statement compares the number of systems with exploitable vulnerabilities marked as accepted risks to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities that have been marked as accepted risks can be overlooked sources of risk and should be reviewed carefully.
No systems have exploitable vulnerabilities recast to Info: This policy statement compares the number of systems with exploitable vulnerabilities recast to the Informational severity to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities that have been recast to Info can be overlooked sources of risk and should be reviewed carefully.
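To make the ratio-and-threshold logic behind these policy statements concrete, the following is an added example (not Tenable.sc code, and not the ARC's own query definitions) that evaluates a representative subset of the statements above over a small constructed host inventory. The host records, tag names ("internet", "vpn", "security", "web") and field names are assumptions made for the illustration; in Tenable.sc the populations would come from asset lists and the conditions from scan results.

```python
from datetime import date, timedelta
from operator import eq, ge, lt

# Constructed sample inventory (not real scan output): one record per detected host.
# "patch_pub" is the publication date of the oldest patch the host is still missing.
TODAY = date(2016, 2, 26)
HOSTS = [
    {"ip": "10.0.0.10", "last_scan": date(2016, 2, 20), "tags": {"web", "internet"},
     "exploitable": True, "accepted_risk": False, "recast_info": False,
     "patch_pub": date(2015, 12, 1), "unsupported": False},
    {"ip": "10.0.0.11", "last_scan": date(2016, 2, 25), "tags": {"vpn"},
     "exploitable": False, "accepted_risk": False, "recast_info": False,
     "patch_pub": None, "unsupported": False},
    {"ip": "10.0.0.12", "last_scan": date(2016, 1, 5), "tags": set(),
     "exploitable": True, "accepted_risk": True, "recast_info": False,
     "patch_pub": date(2016, 2, 10), "unsupported": True},
    {"ip": "10.0.0.13", "last_scan": date(2016, 2, 24), "tags": {"security"},
     "exploitable": False, "accepted_risk": False, "recast_info": False,
     "patch_pub": None, "unsupported": False},
]

def stale_patch(h, cutoff):
    return h["patch_pub"] is not None and h["patch_pub"] <= cutoff

# (name, population tag or None for all hosts, condition, comparison, threshold %)
POLICIES = [
    ("scanned_last_14d", None, lambda h, c: h["last_scan"] >= c["scan"], ge, 80),
    ("unpatched_over_30d", None, lambda h, c: stale_patch(h, c["patch"]), lt, 5),
    ("unsupported_software", None, lambda h, c: h["unsupported"], lt, 5),
    ("exploitable_any", None, lambda h, c: h["exploitable"], eq, 0),
    ("exploitable_internet_facing", "internet", lambda h, c: h["exploitable"], eq, 0),
    ("exploitable_vpn", "vpn", lambda h, c: h["exploitable"], eq, 0),
    ("exploitable_security_device", "security", lambda h, c: h["exploitable"], eq, 0),
    ("exploitable_web_server", "web", lambda h, c: h["exploitable"], eq, 0),
    ("exploitable_accepted_risk", None, lambda h, c: h["exploitable"] and h["accepted_risk"], eq, 0),
    ("exploitable_recast_info", None, lambda h, c: h["exploitable"] and h["recast_info"], eq, 0),
]

def evaluate(hosts=HOSTS, today=TODAY):
    """Return {policy: (percent, passed)}. An empty population scores 0%, which
    passes the 'no ... have' statements, so verify asset tagging separately."""
    cutoffs = {"scan": today - timedelta(days=14), "patch": today - timedelta(days=30)}
    out = {}
    for name, tag, cond, cmp, threshold in POLICIES:
        pop = [h for h in hosts if tag is None or tag in h["tags"]]
        hits = sum(1 for h in pop if cond(h, cutoffs))
        pct = 100.0 * hits / len(pop) if pop else 0.0
        out[name] = (pct, cmp(pct, threshold))  # passed -> green, failed -> red
    return out
```

With this inventory, three of four hosts were scanned within 14 days (75%, red against the 80% target), and the host whose exploitable finding was marked as an accepted risk still counts against the accepted-risk statement.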