by Sharon Everson
February 26, 2016
Organizations must ensure that proper processes and procedures are in place to manage the protection of information systems and assets. Misconfigured and vulnerable systems and unauthorized network changes can leave the network open to compromise and data leakage. However, proper configuration, change, and vulnerability management are notoriously difficult to implement and maintain. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of objectives that allow an organization to build a comprehensive security plan to protect against security threats. This Assurance Report Card (ARC) aligns with the Cybersecurity Framework category Information Protection Processes and Procedures (PR.IP) under the PROTECT function, and assists an organization in measuring the effectiveness of, and improving, its protection processes and procedures.
As networks become more complex, organizations can easily lose track of configuration changes. Having a proper change control process in place is essential for the organization to keep track of changes in real time and to help reduce unauthorized changes. Vulnerability management is another process that organizations should incorporate to quickly identify and mitigate vulnerabilities and reduce risk exposure. Additionally, network systems must be kept properly configured and in compliance with any applicable regulations. Misconfigured systems are more vulnerable to malicious attacks.
This ARC can assist an organization in improving protection processes and security configuration efforts. The organization can verify that systems meet compliance requirements, vulnerabilities are mitigated in a timely manner, and that large spikes in network changes are not occurring. Organizations can use this information to enhance and improve overall network security.
This ARC provides a baseline for measuring whether an organization's information security policies are effective as currently enforced. Some of the policy statements in this ARC rely on audit results obtained from Nessus scans of network systems using appropriate audit files. The policy statement descriptions below explain which audit checks are counted toward each statement and what pass rate is required for the statement to be considered compliant. The audit files and ARC policy statement parameters are guides that can be customized as necessary to meet organizational requirements.
This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:
- Tenable.sc 5.2.0
- Nessus 8.5.1
- LCE 6.0.0
- NNM 5.9.0
- Compliance Data
Tenable's Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Nessus Network Monitor (NNM), as well as log correlation with Tenable's Log Correlation Engine (LCE). Tenable.sc CV can help an organization continuously monitor and measure the effectiveness of security controls. Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network security posture.
ARC Policy Statements:
At least 95% of actively and passively detected systems have been audited in the past 90 days: This policy statement compares the number of systems that have been audited in the past 90 days to the total number of systems that have been actively or passively detected. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement helps an organization measure whether compliance scans are being performed on a regular basis. Systems that have never been audited, or whose most recent audit is older than 90 days, count against this statement, so it also exposes gaps in scan coverage. Non-compliant systems should be reviewed further to assess the risk to the organization.
Less than 25% of compliance checks failed on Windows, Linux, Solaris and Mac OS machines: This policy statement compares the number of failed compliance checks to the total number of compliance checks across Windows, Linux, Solaris and Mac OS machines. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement helps an organization identify non-compliant systems so that outstanding compliance issues can be addressed.
Less than 5% of secure configuration compliance checks failed: This policy statement compares the number of failed secure configuration compliance checks to the total number of such checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Secure configuration settings may include requirements to disable unnecessary ports and other functionality, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:
- NIST 800-53 control CM-6 (CONFIGURATION SETTINGS)
- NIST 800-53 control CM-7 (LEAST FUNCTIONALITY)
- SANS/Council on CyberSecurity Critical Security Control 3 (Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers)
- SANS/Council on CyberSecurity Critical Security Control 10 (Secure Configurations for Network Devices such as Firewalls, Routers, and Switches)
- SANS/Council on CyberSecurity Critical Security Control 11 (Limitation and Control of Network Ports, Protocols, and Services)
- DoD Instruction 8500.2 control ECSC (Security Configuration Compliance)
- PCI DSS requirement 2.2.2 (Enable only necessary services, protocols, daemons, etc., as required for the function of the system)
- PCI DSS requirement 2.2.3 (Implement additional security features for any required services, protocols, or daemons that are considered to be insecure)
- PCI DSS requirement 2.2.4 (Configure system security parameters to prevent misuse)
- PCI DSS requirement 2.2.5 (Remove all unnecessary functionality)
Less than 5% of anti-malware compliance checks failed: This policy statement compares the number of failed anti-malware compliance checks to the total number of such checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Anti-malware settings may include requirements to use and regularly update anti-virus software, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:
- Cybersecurity Framework DE.CM-4 (Malicious code is detected)
- NIST 800-53 control SI-3 (MALICIOUS CODE PROTECTION)
- SANS/Council on CyberSecurity Critical Security Control 5 (Malware Defenses)
- DoD Instruction 8500.2 control ECVP-1 (Virus Protection)
- PCI DSS requirement 5 (Protect all systems against malware and regularly update anti-virus software or programs)
Less than 5% of data protection compliance checks failed: This policy statement compares the number of failed data protection compliance checks to the total number of such checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Data protection settings may include encryption and access control requirements, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:
- Cybersecurity Framework PR.DS-1 (Data-at-rest is protected)
- Cybersecurity Framework PR.DS-2 (Data-in-transit is protected)
- NIST 800-53 control SC-8 (TRANSMISSION CONFIDENTIALITY AND INTEGRITY)
- SANS/Council on CyberSecurity Critical Security Control 15 (Controlled Access Based on the Need to Know)
- SANS/Council on CyberSecurity Critical Security Control 17 (Data Protection)
- DoD Instruction 8500.2 control ECCD (Changes to Data)
- DoD Instruction 8500.2 control ECCR (Encryption for Confidentiality (Data at Rest))
- DoD Instruction 8500.2 control ECCT (Encryption for Confidentiality (Data in Transit))
- DoD Instruction 8500.2 control ECNK (Encryption for Need-To-Know)
- PCI DSS requirement 3 (Protect stored cardholder data)
- PCI DSS requirement 4 (Encrypt transmission of cardholder data across open, public networks)
- PCI DSS requirement 7 (Restrict access to cardholder data by business need to know)
Less than 5% of default account/password compliance checks failed: This policy statement compares the number of failed default account and password compliance checks to the total number of such checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Default account and password settings may include requirements to disable default accounts and limit the use of blank passwords, among other things. To protect systems against unauthorized use, default accounts and passwords should be changed.
No systems have exploitable vulnerabilities: This policy statement compares the number of systems that have exploitable vulnerabilities to the total number of systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. No systems on the network should have vulnerabilities that are known to be exploitable. Systems with exploitable vulnerabilities can threaten other systems on the network, and should be patched immediately to reduce risk.
Less than 5% of systems are running unsupported software: This policy statement compares the number of systems with unsupported software installed to the total number of systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Software that is no longer supported by the vendor can present serious security risks for an organization, as any vulnerabilities in it will no longer be patched. This software may include outdated operating systems, applications, browsers, or other software. Unsupported software should be reviewed regularly to determine whether it should be updated or removed, or whether compensating mitigations should be put in place.
Less than 5% of systems have unpatched vulnerabilities where the patch was published over 30 days ago: This policy statement compares the number of systems that have unpatched vulnerabilities for which the patch was published over 30 days ago to the total number of systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Vulnerabilities that are not patched or otherwise mitigated within a reasonable time after a patch becomes available introduce security risk to an organization. This policy statement measures patch management and mitigation efforts across the organization.
Less than 5% of systems have misconfiguration vulnerabilities: This policy statement compares the number of systems that have misconfiguration vulnerabilities to the total number of systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Misconfigured hosts may provide an entry point for attackers and put the network at risk. Organizations should quickly identify and remediate any misconfiguration vulnerabilities on hosts.
Less than 5% of systems report change spikes: This policy statement compares the number of systems reporting change spikes to the total number of systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Change spikes, reported by LCE, indicate that a large number of changes were detected on a host compared to its previous change event rate. Changes can include new software installations, firewall changes, and more. Organizations can use this information to detect potentially unauthorized changes on the network.
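The policy statements above are of two kinds: check-based ratios (failed checks over all checks, optionally restricted to checks that cite a given list of standards) and host-based ratios (hosts matching a condition over all detected hosts), each compared against a threshold. The script below, an added example written for this page and not code from Tenable or Tenable.sc, reproduces that arithmetic over exported compliance and vulnerability data so a practitioner can see exactly how each percentage is formed, including the "at least", "less than" and "no systems" comparisons and the 90-day and 30-day windows. All hosts and check results are constructed; the cross-reference strings imitate the pipe-delimited `reference` values of Nessus .audit checks ("800-53|CM-6"), but the exact strings Tenable.sc matches on are an assumption here, as is the rule that a sub-control such as "PCI-DSS|5.1" counts under "PCI-DSS|5".

```python
"""ARC-style policy statement scoring over exported compliance data (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Host:
    ip: str
    last_audit: Optional[date]        # most recent compliance audit, None = never
    exploitable: bool                 # has a vulnerability with a known exploit
    unsupported_sw: bool              # runs vendor-unsupported software
    oldest_patch_pub: Optional[date]  # publication date of the oldest missing patch
    misconfig: bool                   # has a misconfiguration finding
    change_spike: bool                # LCE reported a change spike


@dataclass(frozen=True)
class CheckResult:
    host: str
    name: str
    passed: bool
    refs: frozenset                   # standards the check cites (assumed format)


# Reference scopes taken from the policy statement descriptions (CSC = Critical Security Control).
SECURE_CONFIG = ("800-53|CM-6", "800-53|CM-7", "CSC|3", "CSC|10", "CSC|11", "8500.2|ECSC-1",
                 "PCI-DSS|2.2.2", "PCI-DSS|2.2.3", "PCI-DSS|2.2.4", "PCI-DSS|2.2.5")
ANTI_MALWARE = ("CSF|DE.CM-4", "800-53|SI-3", "CSC|5", "8500.2|ECVP-1", "PCI-DSS|5")
DATA_PROTECTION = ("CSF|PR.DS-1", "CSF|PR.DS-2", "800-53|SC-8", "CSC|15", "CSC|17", "8500.2|ECCD",
                   "8500.2|ECCR", "8500.2|ECCT", "8500.2|ECNK", "PCI-DSS|3", "PCI-DSS|4", "PCI-DSS|7")


def cites(refs: Iterable[str], scope: Tuple[str, ...]) -> bool:
    """In scope if any reference equals a scope entry or is a dotted sub-control of it
    ("PCI-DSS|5.1" under "PCI-DSS|5"); "CSC|10" is not a sub-control of "CSC|1"."""
    return any(r == s or r.startswith(s + ".") for r in refs for s in scope)


def pct(num: int, den: int) -> float:
    return 0.0 if den == 0 else 100.0 * num / den


def failed_check_pct(results: List[CheckResult], scope: Optional[Tuple[str, ...]] = None) -> float:
    """Failed checks as a percentage of all checks, or of in-scope checks only."""
    scoped = [r for r in results if scope is None or cites(r.refs, scope)]
    return pct(sum(not r.passed for r in scoped), len(scoped))


def host_pct(hosts: List[Host], pred: Callable[[Host], bool]) -> float:
    """Hosts matching pred as a percentage of all detected hosts."""
    return pct(sum(pred(h) for h in hosts), len(hosts))


def evaluate(hosts: List[Host], results: List[CheckResult], today: date) -> Dict[str, Tuple[float, bool]]:
    """Return {statement: (measured percentage, compliant?)} for each policy statement."""
    w90, w30 = today - timedelta(days=90), today - timedelta(days=30)
    statements = {  # name: (measured value, comparison, threshold %)
        "audited_last_90d": (host_pct(hosts, lambda h: h.last_audit is not None and h.last_audit >= w90), ">=", 95),
        "checks_failed": (failed_check_pct(results), "<", 25),
        "secure_config_failed": (failed_check_pct(results, SECURE_CONFIG), "<", 5),
        "anti_malware_failed": (failed_check_pct(results, ANTI_MALWARE), "<", 5),
        "data_protection_failed": (failed_check_pct(results, DATA_PROTECTION), "<", 5),
        "exploitable_hosts": (host_pct(hosts, lambda h: h.exploitable), "==", 0),
        "unsupported_software": (host_pct(hosts, lambda h: h.unsupported_sw), "<", 5),
        "patch_older_than_30d": (host_pct(hosts, lambda h: h.oldest_patch_pub is not None and h.oldest_patch_pub < w30), "<", 5),
        "misconfigured_hosts": (host_pct(hosts, lambda h: h.misconfig), "<", 5),
        "change_spikes": (host_pct(hosts, lambda h: h.change_spike), "<", 5),
    }
    compare = {">=": lambda v, t: v >= t, "<": lambda v, t: v < t, "==": lambda v, t: v == t}
    return {name: (round(v, 1), compare[op](v, t)) for name, (v, op, t) in statements.items()}


# Constructed sample data: four hosts and ten audit results.
TODAY = date(2016, 2, 26)
HOSTS = [
    Host("10.0.0.1", TODAY - timedelta(days=10), False, False, None, False, False),
    Host("10.0.0.2", TODAY - timedelta(days=100), True, False, None, False, False),
    Host("10.0.0.3", TODAY - timedelta(days=30), False, True, TODAY - timedelta(days=45), False, False),
    Host("10.0.0.4", None, False, False, TODAY - timedelta(days=10), False, False),
]
RESULTS = [
    CheckResult("10.0.0.1", "telnet service disabled", True, frozenset({"800-53|CM-7", "PCI-DSS|2.2.2"})),
    CheckResult("10.0.0.1", "anti-virus installed", True, frozenset({"800-53|SI-3", "PCI-DSS|5.1"})),
    CheckResult("10.0.0.1", "disk encryption enabled", True, frozenset({"CSF|PR.DS-1", "PCI-DSS|3.4"})),
    CheckResult("10.0.0.1", "password minimum length", True, frozenset({"800-53|IA-5"})),
    CheckResult("10.0.0.2", "telnet service disabled", False, frozenset({"800-53|CM-7", "PCI-DSS|2.2.2"})),
    CheckResult("10.0.0.2", "anti-virus signatures current", True, frozenset({"800-53|SI-3", "CSC|5"})),
    CheckResult("10.0.0.2", "TLS required for remote admin", False, frozenset({"800-53|SC-8", "PCI-DSS|4.1"})),
    CheckResult("10.0.0.3", "telnet service disabled", True, frozenset({"800-53|CM-7", "PCI-DSS|2.2.2"})),
    CheckResult("10.0.0.3", "anti-virus installed", True, frozenset({"800-53|SI-3"})),
    CheckResult("10.0.0.3", "password minimum length", True, frozenset({"800-53|IA-5"})),
]

if __name__ == "__main__":
    for name, (value, ok) in evaluate(HOSTS, RESULTS, TODAY).items():
        print(f"{'GREEN' if ok else 'RED':5} {name:24} {value:5.1f}%")
```

Two things the sample makes visible that the prose does not: a single non-compliant host out of four already breaks every 5% host-based statement (25%), so these thresholds only become meaningful on a population of dozens of hosts or more; and the 20% overall failure rate is green while the secure configuration subset is red at 33.3%, because one failed telnet check weighs far more inside the three-check scope than among all ten checks. Scoping by standard is what turns a bland aggregate into a signal.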