by Sharon Everson
February 26, 2016
Data security aims to protect the confidentiality, integrity, and availability of an organization’s information. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of objectives that allow an organization to build a comprehensive security plan to protect against security threats. This Assurance Report Card (ARC) aligns with the data leakage and protection aspects of the NIST Cybersecurity Framework category PROTECT: Data Security (PR.DS), and provides accurate information on data leakage concerns within the network and on potential sources of vulnerability or exposure.
Data security is essential to every organization. Ensuring that data is protected from unauthorized access, manipulation, and distribution is a necessary piece of an organization’s security plan. Having effective data leakage and file integrity monitoring policies can help organizations ensure the security of their data. Monitoring a network for specific vulnerabilities and the use of insecure communication protocols is also a useful step in securing the data on a network. Organizations that do not maintain the security of their data could be vulnerable to data leakage and exploitation.
This ARC assists organizations in improving their data security measures. Systems and vulnerabilities are identified using a combination of active scans by Nessus and passive scans by the Nessus Network Monitor (NNM). NNM can detect hosts that may be missed by active scans, such as hosts that are only connected to the network intermittently. Policy statements are included that report on systems that have data leakage events, systems that are using insecure communication protocols, and systems with data exposure or cryptographic vulnerabilities. Additional policy statements report on various compliance checks related to data protection and file integrity policies. Systems that have reported data leakage events or are using insecure communication protocols can leave an organization vulnerable to a breach in data security. Ensuring that systems are monitored for related events, vulnerabilities, and activity is essential to identifying and addressing potential sources of data leakage or exposure.
The information provided in this ARC provides a baseline to measure the effectiveness of an organization's data security efforts and identifies whether the policies that are currently being enforced are effective. Policy statements can be customized as needed to meet organizational requirements.
This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:
- Tenable.sc 5.2.0
- Nessus 8.5.1
- LCE 6.0.0
- NNM 5.9.0
Tenable's Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Nessus Network Monitor (NNM), as well as log correlation with Tenable's Log Correlation Engine (LCE). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network assets, connections, and services.
ARC Policy Statements:
No data leakage has been detected: This policy statement compares the number of systems where data leakage has been detected to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Any type of data leakage, either intentional or unintentional, can result in the exposure of confidential or private information. This policy statement will help to measure the effectiveness of security controls in place on the network. Systems with detected data leakage should be investigated immediately to minimize potential security risks.
No systems with data leakage events have exploitable vulnerabilities: This policy statement compares the number of systems that have reported data leakage events and have exploitable vulnerabilities to all systems with data leakage events. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Data leakage events from systems with exploitable vulnerabilities could be indicative of an intrusion or other malicious activity. Such systems should be investigated immediately to address the exploitable vulnerabilities and ensure that sensitive data has not been exfiltrated from the network.
No systems with data leakage events communicate outside the network: This policy statement compares the number of systems that have reported data leakage events and communicate outside the network to all systems with data leakage events. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Data leakage events from systems that are communicating outside the network could be indicative of an intrusion or other malicious activity. Such systems should be investigated immediately to ensure that the outside communication is not exfiltrating sensitive data from the network.
Less than 5% of systems have data exposure vulnerabilities: This policy statement compares the number of systems with data exposure vulnerabilities to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems with data exposure vulnerabilities are especially susceptible to attacks that could lead to data leakage. Remediation efforts should be targeted to address systems with data exposure vulnerabilities to ensure that they are not exploited.
Less than 5% of systems have cryptographic vulnerabilities: This policy statement compares the number of systems with cryptographic vulnerabilities to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Cryptographic vulnerabilities can cause systems to be at risk of exposing information due to improper encryption. Systems could transmit unencrypted data via typically secure protocols without the user’s knowledge. Systems with cryptographic vulnerabilities should be prevented from transmitting data until the vulnerabilities can be remediated.
Less than 5% of data protection compliance checks failed: This policy statement compares the number of failed data protection compliance checks to the total number of data protection compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Data protection settings may include encryption and access control requirements, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:
- Cybersecurity Framework PR.DS-1 (Data-at-rest is protected)
- Cybersecurity Framework PR.DS-2 (Data-in-transit is protected)
- NIST 800-53 control SC-8 (TRANSMISSION CONFIDENTIALITY AND INTEGRITY)
- SANS/Council on CyberSecurity Critical Security Control 15 (Controlled Access Based on the Need to Know)
- SANS/Council on CyberSecurity Critical Security Control 17 (Data Protection)
- DoD Instruction 8500.2 control ECCD (Changes to Data)
- DoD Instruction 8500.2 control ECCR (Encryption for Confidentiality (Data at Rest))
- DoD Instruction 8500.2 control ECCT (Encryption for Confidentiality (Data in Transit))
- DoD Instruction 8500.2 control ECNK (Encryption for Need-To-Know)
- PCI DSS requirement 3 (Protect stored cardholder data)
- PCI DSS requirement 4 (Encrypt transmission of cardholder data across open, public networks)
- PCI DSS requirement 7 (Restrict access to cardholder data by business need to know)
Less than 5% of file integrity compliance checks failed: This policy statement compares the number of failed file integrity compliance checks to the total number of file integrity compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. File integrity settings may include proper setup of a file integrity tool and baseline, among other things.
Less than 5% of systems are reporting file integrity event spikes: This policy statement compares the number of systems that have reported file integrity event spikes to all systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. File integrity event spikes indicate that a large number of file changes occurred, compared to previous file change rates; this could be an indication of malicious activity. Systems reporting file integrity event spikes should be investigated so that any problems can be remediated.
Less than 10% of external facing systems use insecure communication protocols: This policy statement compares the number of external facing systems using insecure communication protocols to all external facing systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. External facing systems are especially susceptible to malicious activity, and the use of insecure communication protocols dramatically increases the risk of exploitation. The number of systems using insecure communication protocols should be limited and carefully monitored to ensure data security.
Less than 25% of servers running SSL or TLS support weak ciphers: This policy statement compares the number of servers running SSL or TLS that support weak ciphers to the total number of systems running SSL or TLS. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. The use of weak ciphers heightens the risk of data exposure, especially on systems used for transmitting data. Systems running SSL or TLS should be configured to use strong ciphers if possible to reduce the risk of data leakage.
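Every policy statement above reduces to the same rule: count the systems (or checks) that match a condition, divide by the systems (or checks) in scope, and compare the ratio with a threshold, where "No ..." means the count must be zero and "Less than X%" means the ratio must be strictly below X. The Python below is an added example, not Tenable's code and not how Tenable.sc evaluates ARCs internally; it scores all ten statements over a constructed inventory in which each host's flags stand in for what Nessus, NNM and LCE would report. The handling of an empty scope (for instance, "No systems with data leakage events communicate outside the network" when no system has a leakage event) is an assumption of this example: it treats such a statement as met rather than as an error.

```python
"""Score the Data Security ARC policy statements over a constructed host inventory.

Added example; not Tenable's code. Host records and check counts are constructed
stand-ins for findings that Nessus (active), NNM (passive) and LCE (logs) would report.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Host:
    """One monitored system with the findings the policy statements key on."""
    name: str
    external_facing: bool = False
    runs_tls: bool = False            # server offering SSL/TLS
    leakage_event: bool = False       # data leakage event reported for this host
    exploitable_vuln: bool = False    # Nessus: vulnerability with a known exploit
    talks_outside: bool = False       # NNM: connection to an address outside the network
    data_exposure_vuln: bool = False
    crypto_vuln: bool = False
    insecure_protocol: bool = False   # cleartext/insecure communication protocol observed
    weak_ciphers: bool = False        # SSL/TLS server accepts weak cipher suites
    fim_spike: bool = False           # LCE: file integrity event spike


@dataclass
class PolicyResult:
    name: str
    numerator: int      # systems or checks matching the condition
    denominator: int    # systems or checks in scope
    passed: bool        # True renders green, False renders red

    @property
    def ratio(self) -> float:
        return self.numerator / self.denominator if self.denominator else 0.0


def evaluate(name: str, hosts: List[Host], in_scope: Callable[[Host], bool],
             flagged: Callable[[Host], bool], max_ratio: float) -> PolicyResult:
    """max_ratio == 0.0 encodes a "No ..." statement (count must be zero);
    any other value encodes "Less than X%" (ratio strictly below X).
    Empty scope is treated as met (assumption, see lead-in)."""
    scope = [h for h in hosts if in_scope(h)]
    hits = [h for h in scope if flagged(h)]
    if not scope:
        return PolicyResult(name, 0, 0, True)
    ratio = len(hits) / len(scope)
    passed = (len(hits) == 0) if max_ratio == 0.0 else (ratio < max_ratio)
    return PolicyResult(name, len(hits), len(scope), passed)


def evaluate_checks(name: str, failed: int, total: int, max_ratio: float) -> PolicyResult:
    """Same rule applied to compliance-check counts (failed vs. total checks)."""
    if total == 0:
        return PolicyResult(name, 0, 0, True)
    return PolicyResult(name, failed, total, failed / total < max_ratio)


def data_security_arc(hosts: List[Host], data_protection: Tuple[int, int] = (0, 0),
                      file_integrity: Tuple[int, int] = (0, 0)) -> List[PolicyResult]:
    """Return the ten policy statements in the order the ARC lists them."""
    everyone = lambda h: True
    leaking = lambda h: h.leakage_event
    return [
        evaluate("No data leakage has been detected", hosts, everyone, leaking, 0.0),
        evaluate("No systems with data leakage events have exploitable vulnerabilities",
                 hosts, leaking, lambda h: h.exploitable_vuln, 0.0),
        evaluate("No systems with data leakage events communicate outside the network",
                 hosts, leaking, lambda h: h.talks_outside, 0.0),
        evaluate("Less than 5% of systems have data exposure vulnerabilities",
                 hosts, everyone, lambda h: h.data_exposure_vuln, 0.05),
        evaluate("Less than 5% of systems have cryptographic vulnerabilities",
                 hosts, everyone, lambda h: h.crypto_vuln, 0.05),
        evaluate_checks("Less than 5% of data protection compliance checks failed",
                        data_protection[0], data_protection[1], 0.05),
        evaluate_checks("Less than 5% of file integrity compliance checks failed",
                        file_integrity[0], file_integrity[1], 0.05),
        evaluate("Less than 5% of systems are reporting file integrity event spikes",
                 hosts, everyone, lambda h: h.fim_spike, 0.05),
        evaluate("Less than 10% of external facing systems use insecure communication protocols",
                 hosts, lambda h: h.external_facing, lambda h: h.insecure_protocol, 0.10),
        evaluate("Less than 25% of servers running SSL or TLS support weak ciphers",
                 hosts, lambda h: h.runs_tls, lambda h: h.weak_ciphers, 0.25),
    ]


def passed_count(results: List[PolicyResult]) -> int:
    return sum(1 for r in results if r.passed)


# Constructed inventory: 20 systems, 5 of them external facing, 6 running TLS.
SAMPLE_HOSTS = [
    Host("db-01", leakage_event=True, exploitable_vuln=True),
    Host("wks-07", leakage_event=True, talks_outside=True),
    Host("app-02", crypto_vuln=True),
    Host("app-03", crypto_vuln=True),
    Host("web-01", external_facing=True, runs_tls=True, insecure_protocol=True),
    Host("web-02", external_facing=True, runs_tls=True),
    Host("web-03", external_facing=True, runs_tls=True),
    Host("mail-01", external_facing=True, runs_tls=True),
    Host("vpn-01", external_facing=True, runs_tls=True),
    Host("intranet-01", runs_tls=True, weak_ciphers=True),
] + [Host(f"wks-{n:02d}") for n in range(10, 20)]

if __name__ == "__main__":
    # Constructed check counts: (failed, total) for each compliance family.
    for r in data_security_arc(SAMPLE_HOSTS, data_protection=(3, 100), file_integrity=(4, 50)):
        colour = "GREEN" if r.passed else "RED"
        print(f"{colour:5} {r.numerator:3}/{r.denominator:<3} ({r.ratio:5.1%})  {r.name}")
```

On the sample inventory the two leakage hosts turn the first three statements red even though they are only 10% of the estate, which is the point of the "No ..." statements: a single leakage event is reportable regardless of fleet size. Feeding the same function an inventory with no leakage events makes the subset statements pass with a 0/0 denominator, so a report built on this rule should show the denominator next to the colour, as the `__main__` block does, so that a green "no systems in scope" is not mistaken for a green "checked and clean".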