by Megan Daudelin
June 20, 2016
Boundary devices within organizations provide the first line of defense against outside threats. Most organizations use firewalls, proxy servers, and border routers to establish boundary defenses; however, a single misconfigured device can open the way to a security or data breach. This Assurance Report Card (ARC) can assist organizations in managing remote access, protecting network segments, and ensuring the confidentiality and integrity of data.
One of the most effective ways to protect a network is to deploy a multi-layered security strategy, so that if one device fails, the organization remains protected. However, misconfigurations or vulnerabilities on boundary devices can leave a network exposed to malicious attacks. This Assurance Report Card (ARC) aligns with the network security management and segregation controls of ISO/IEC 27002 (clause 13.1 of the 2013 edition), and helps organizations detect network intrusions and other suspicious activity on boundary devices.
Many organizations focus on deploying traditional boundary defense solutions such as firewalls, IDS/IPS, DLP, and anti-virus. With the growth of advanced persistent threats (APTs) and other targeted attacks, security teams are finding that these point defenses are no longer sufficient on their own. By continuously monitoring the network, organizations gain the targeted information needed to respond to, defend against, and recover from an incident.
The policy statements included within the ARC can assist an organization in strengthening network boundary controls. Systems are scanned to detect whether hosts are protected by a firewall policy; any system not protected by a firewall should be investigated immediately to determine whether the gap is a scan artifact, a misconfiguration, or an unmanaged host. Additionally, systems are scanned to ensure that anti-virus policies are active and up-to-date. Several policy statements report on detected intrusions or other suspicious activity, including internal and external botnet communications and logins from unusual sources on remote access devices and services. Information provided within this ARC will help organizations identify points of entry and prevent future attacks.
This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:
- Tenable.sc 5.3.1
- Nessus 8.5.1
- LCE 6.0.0
- NNM 5.9.0
Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Tenable Nessus and passive vulnerability detection with Tenable Nessus Network Monitor (NNM), as well as log correlation with Tenable Log Correlation Engine (LCE). Tenable.sc CV can help an organization continuously monitor and measure the effectiveness of security controls. Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network security posture.
ARC Policy Statements:
At least 90% of systems are protected by a firewall policy: This policy statement compares the number of systems that are protected by a firewall policy to the total number of systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Firewall policies may be applied to workstations, servers, and other devices, and can filter both inbound and outbound traffic. When properly configured, firewalls improve network security and reduce risk to network devices by restricting access to ports and services. Systems that are not covered by a firewall policy are exposed to malicious processes or attacks, and should be investigated immediately by the organization.
At least 90% of Windows and Mac OS X systems have active and up-to-date anti-virus protection: This policy statement compares the number of Windows and Mac OS X systems with active and up-to-date anti-virus protection to the total number of Windows and Mac OS X systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. All systems should have active and up-to-date anti-virus software installed to protect against malware infections. Organizations can use this information to identify and resolve anti-virus software issues on systems.
Less than 5% of systems are reporting intrusion activity: This policy statement compares the number of systems with potential intrusion activity to the total number of systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Intrusion events include password guessing, IDS events, and network sweeps, among others. Intrusion events could indicate ongoing attacks or hosts that have already been compromised. Organizations should investigate intrusion events to determine the scope, impact, and actions needed for remediation.
Less than 15% of systems have detected suspicious network activity: This policy statement compares the number of systems with large network anomalies to the total number of systems detected on the network. Inbound, outbound, and internal connections are tracked by the LCE statistics daemon, which also monitors client and server connections and reports large deviations from a host's normal traffic pattern as anomaly events. Anomalies may indicate new software installations, patching, or malicious activity on the network. Organizations should investigate any suspicious network activity to determine the impact and the response needed.
No systems have been detected interacting with known botnets: This policy statement compares the number of systems detected interacting with known botnets to the total number of systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Tenable.sc receives a daily update of the IP addresses and domains known to be participating in botnets, and uses this list to detect systems on the network that communicate with them. Any system interacting with a known botnet should be investigated immediately by the organization to minimize security risks.
No unusual VPN activity has been detected: This policy statement compares the number of systems with unusual VPN activity to the total number of systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement uses the LCE event “VPN_Login_From_Unusual_Source”, which triggers when a VPN login originates from a source IP address outside the address space from which that user ID normally logs in. Systems reporting unusual VPN activity should be investigated immediately, as this could indicate compromised credentials or other unauthorized activity; note that a legitimately travelling user will also trigger the event, so it is a lead to verify rather than a verdict.
No unusual Remote Desktop activity has been detected: This policy statement compares the number of systems with unusual Remote Desktop (RDP) activity to the total number of systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement uses the Inbound and Outbound RDP Threatlist session events, which flag RDP sessions with known bad IP addresses and can indicate potential intrusion events and long-running sessions. Organizations should monitor all RDP sessions to detect and prevent unauthorized activity.
No unusual SSH activity has been detected: This policy statement compares the number of systems with unusual SSH activity to the total number of systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement uses the Inbound and Outbound SSH Threatlist session events, which report SSH sessions with known bad IP addresses and can surface potential attacks and malicious activity. Any system reporting unusual SSH activity should be investigated further to determine the scope and cause.