by Cody Dumont
June 20, 2016
As organizations continue to adopt regulatory and compliance frameworks, one of the most crucial steps in maintaining overall compliance is having an accurate asset inventory. Any gaps in scanning an organization’s asset inventory can allow unauthorized hosts, vulnerable systems, and malicious software to take hold on the network unnoticed. This Assurance Report Card (ARC) can assist organizations in identifying both authorized and unauthorized systems, and in verifying that assets are being scanned on a regular basis.
Asset management provides organizations with a complete picture of the location and status of hardware and software assets on the network. An accurate inventory helps an organization establish a reliable baseline, and assists with controlling licensing costs and meeting auditing and compliance requirements. This Assurance Report Card (ARC) aligns with the asset management controls of the ISO/IEC 27002 framework, which helps to ensure that physical devices, systems, and software applications are inventoried on a continuous basis.
Attackers are using increasingly sophisticated ways to gain control over critical network assets. Having unknown or unauthorized assets can lead to data leakage, compromised hosts, and leave critical systems vulnerable to attack. An effective asset management program will help organizations to quickly identify existing assets, and prioritize security risks. In addition, organizations will be able to quickly identify and remediate any gaps within security policies on the network.
This ARC provides a comprehensive look into an organization’s current hardware and software assets, and whether inventories are being kept up to date. Systems and vulnerabilities are identified using a combination of active scans by Nessus and passive scans by the Nessus Network Monitor (NNM). Devices that connect to the network only intermittently, and so may be missed by a scheduled active scan, can still be detected passively by NNM. Organizations will be able to verify whether any wireless access points or scanned mobile devices are present on the network. Additional policy statements identify assets running unsupported software, and assets with Microsoft Office or Adobe applications installed. Complete visibility into current network assets allows organizations to quickly detect, respond to, and prevent unauthorized assets on the network. Policy statements can be customized as needed to meet organizational requirements.
This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:
- Tenable.sc 5.3.2
- Nessus 8.5.1
- LCE 6.0.0
- NNM 5.9.0
Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable Nessus Network Monitor (NNM), as well as log correlation with Tenable Log Correlation Engine (LCE). Tenable.sc CV can help an organization continuously monitor and measure the effectiveness of security controls. Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network assets.
ARC Policy Statements:
At least 70% of actively and passively detected systems have been scanned: This policy statement displays the ratio of systems that have been actively scanned to the total number of systems detected either actively or passively. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems on the network are detected both passively by NNM and actively by Nessus. A system that has only been observed passively has been detected but not assessed; to ensure that every system is properly identified and evaluated, all systems should be actively scanned by Nessus on a continual basis.
At least 70% of systems are registered in DNS: This policy statement displays the ratio of systems that have a Fully Qualified Domain Name (FQDN) in DNS to the total number of systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems on the network are detected both passively by NNM and actively by Nessus. Any detected device without an FQDN in DNS could be an unknown or unauthorized device, and should be further investigated.
Scanned mobile devices that have been detected within the last 7 days: This policy statement displays the ratio of scanned mobile devices that have been detected within the last 7 days to the total number of scanned mobile devices. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Scanned mobile devices detected within this policy statement are considered unmanaged (non-MDM) mobile devices. Unmanaged mobile devices often remain unpatched for long periods of time, and can present serious security risks for an organization. Organizations should monitor all scanned mobile devices to determine whether each device is authorized and up to date.
Wireless access point devices that have been detected within the last 7 days: This policy statement displays the ratio of wireless access point devices that have been detected within the last 7 days to the total number of wireless access point devices. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Many organizations utilize wireless access points (WAPs) for mobile and portable device connectivity. Unauthorized or rogue WAPs can provide attackers with a way to bypass network security policies and reach critical systems, on which they can then install malicious code. The network should be monitored continuously to detect rogue WAPs and prevent them from reaching network resources.
At least 70% of systems have been inventoried for Microsoft Office or Adobe applications: This policy statement displays the ratio of systems on which Microsoft Office or Adobe applications have been detected to the total number of systems on which software enumeration has been conducted. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. The results are monitored to determine when software was last inventoried for Microsoft Office or Adobe applications. Most organizations have license keys associated with Microsoft Office and most Adobe applications, so the information in this policy statement can provide an assessment of the license keys currently in use.
Less than 5% of systems are running unsupported software: This policy statement displays the ratio of systems with unsupported software installed to the total number of systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Software that is no longer supported by the vendor presents a serious security risk for an organization, because newly discovered vulnerabilities in it will never be patched. This software may include outdated operating systems, applications, browsers, or other software. Unsupported software should be monitored regularly to determine whether it should be updated or removed, or whether additional security controls should be deployed around it.
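The six policy statements above all follow the same shape: a numerator and a denominator drawn from the detected asset list, a ratio, and a threshold that decides green or red. The script below is an added example, not Tenable's code and not the ARC itself: it scores those six statements over a small constructed asset list so the arithmetic is visible. The record fields, the sample hosts, and the 100% thresholds used for the mobile-device and access-point statements (the page states none for those two) are assumptions.

```python
"""Added example (not Tenable's code): score this page's six ARC policy
statements over a constructed asset list as ratio-versus-threshold checks.
Field names, sample records and the mobile/WAP thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    ip: str
    detected_by: frozenset      # subset of {"nessus", "nnm"}: active vs. passive detection
    fqdn: Optional[str]         # None when no name was found in DNS
    device_type: str            # "host", "mobile" or "wap"
    last_seen: datetime
    software_enumerated: bool   # True if a scan enumerated installed software
    office_or_adobe: bool       # Microsoft Office or Adobe application found
    unsupported_software: bool  # vendor-unsupported OS or application found


@dataclass(frozen=True)
class Result:
    ratio: Optional[float]      # None when nothing is in scope for the statement
    passed: bool                # True -> green on the card, False -> red


# "Today" for the constructed data: the publication date of the post.
NOW = datetime(2016, 6, 20)


def _policies(now):
    """(name, numerator filter, denominator filter, comparison, threshold).
    The 70/70/70/5 percent thresholds are from the page; 100% for the mobile
    and WAP statements is an assumption made for this example."""
    week_ago = now - timedelta(days=7)
    recent = lambda a: a.last_seen >= week_ago
    everything = lambda a: True
    mobile = lambda a: a.device_type == "mobile"
    wap = lambda a: a.device_type == "wap"
    enumerated = lambda a: a.software_enumerated
    return [
        ("scanned",       lambda a: "nessus" in a.detected_by,      everything, ">=", 0.70),
        ("in_dns",        lambda a: a.fqdn is not None,             everything, ">=", 0.70),
        ("mobile_recent", lambda a: mobile(a) and recent(a),        mobile,     ">=", 1.00),
        ("wap_recent",    lambda a: wap(a) and recent(a),           wap,        ">=", 1.00),
        ("office_adobe",  lambda a: enumerated(a) and a.office_or_adobe, enumerated, ">=", 0.70),
        ("unsupported",   lambda a: a.unsupported_software,         everything, "<",  0.05),
    ]


def evaluate(assets, now=NOW):
    """Return {policy name: Result}; each ratio is numerator / denominator over assets."""
    report = {}
    for name, num, den, op, threshold in _policies(now):
        pool = [a for a in assets if den(a)]
        if not pool:
            report[name] = Result(None, True)   # nothing in scope, so nothing can fail
            continue
        ratio = sum(1 for a in pool if num(a)) / len(pool)
        passed = ratio >= threshold if op == ">=" else ratio < threshold
        report[name] = Result(ratio, passed)
    return report


def failing(report):
    """Names of the policy statements that would show red on the card."""
    return sorted(name for name, r in report.items() if not r.passed)


def _asset(ip, by, fqdn, kind="host", days_ago=1, enumerated=False, office=False, unsupported=False):
    return Asset(ip, frozenset(by), fqdn, kind, NOW - timedelta(days=days_ago), enumerated, office, unsupported)


# Constructed inventory: 7 hosts, 2 mobile devices, 1 access point.
SAMPLE_ASSETS = [
    _asset("10.0.0.1", {"nessus", "nnm"}, "ws1.corp.example", enumerated=True, office=True),
    _asset("10.0.0.2", {"nessus", "nnm"}, "ws2.corp.example", enumerated=True, office=True, unsupported=True),
    _asset("10.0.0.3", {"nessus"}, "srv1.corp.example", enumerated=True),
    _asset("10.0.0.4", {"nessus"}, "srv2.corp.example", enumerated=True, office=True),
    _asset("10.0.0.5", {"nessus"}, None),                      # scanned, but no DNS name
    _asset("10.0.0.6", {"nnm"}, "printer.corp.example"),       # seen passively only
    _asset("10.0.0.7", {"nnm"}, None),                         # passive only, no DNS name
    _asset("10.0.0.8", {"nessus", "nnm"}, "phone1.corp.example", kind="mobile"),
    _asset("10.0.0.9", {"nessus"}, None, kind="mobile", days_ago=10),   # not seen in 7 days
    _asset("10.0.0.10", {"nnm"}, "ap1.corp.example", kind="wap"),
]

if __name__ == "__main__":
    for name, r in evaluate(SAMPLE_ASSETS).items():
        shown = "n/a" if r.ratio is None else f"{r.ratio:.0%}"
        print(f"{name:14s} {shown:>5}  {'green' if r.passed else 'red'}")
```

On the constructed data the scanned and DNS statements land exactly on 70% and pass, the Office/Adobe statement passes at 75%, while the stale mobile device (one of two) and the single host with unsupported software (10% of all systems against a 5% ceiling) turn their statements red. Note the direction of each comparison: most statements are "at least", but the unsupported-software statement is "less than", so a higher ratio there is worse.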