by Andrew Freeborn
May 18, 2016
The Verizon Data Breach Investigation Report (DBIR), first published in 2008, is an annual publication that analyzes information security incidents from public and private organizations, with a focus on data breaches. Data breaches continue to have a major financial impact on organizations, as well as an impact on their reputations. Tenable Network Security offers dashboards and Assurance Report Cards (ARCs) that can assist organizations in meeting many of the recommendations and best practices in the DBIR. As in previous years, the 2016 DBIR notes that a vast majority of all attacks fall into a few basic patterns. Throughout this and past years’ reports, suggestions are given for monitoring the network for each of these patterns. This ARC can assist an organization in monitoring its network to reduce the successfulness of these attack patterns and to reduce its chances of a data breach.
Employing a multi-layered defense strategy across all endpoints provides the best protection against intrusions or attacks. Internet-facing assets including web servers and VPNs need to be monitored to ensure that unauthorized users do not gain access to network resources. Systems should be adequately protected by protection tools such as antivirus, system-hardening controls which are standard across the organization, and host intrusion protection systems. These controls and tools help to ensure that critical systems are not left vulnerable to intrusions or attacks. Wireless and mobile device vulnerabilities must be addressed so that additional security risks are not introduced into the network. Organizations that do not continuously monitor and secure network defenses will not be able to respond or defend network assets effectively.
This ARC assists organizations in improving security and network defense controls. Policy statements included within this ARC report on systems that are sending logs to the Log Correlation Engine (LCE), systems that are covered by firewall and antivirus policies, and systems that have detected intrusion or botnet activity. Additional policy statements report on VPN, wireless, and mobile devices with exploitable vulnerabilities. Having complete visibility of network security allows organizations to proactively respond to threats, mitigate vulnerabilities, and take preventative measures before any serious damage occurs.
The information provided in this ARC provides a baseline to measure the effectiveness of an organization's information security policies and whether the current policies being enforced are effective. The ARC policy statement parameters are guides that can be customized as necessary to meet organizational requirements.
This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Tenable.sc Feed under the category Security Industry Trends. The ARC requirements are:
- Tenable.sc 5.3.1
- Nessus 8.5.1
- LCE 6.0.0
- NNM 5.9.0
Tenable.sc Continuous View (CV) provides continuous network monitoring, vulnerability identification, risk reduction, and compliance monitoring. Tenable.sc is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. The Nessus Network Monitor (NNM) performs deep packet inspection to enable discovery and assessment of operating systems, network devices, hypervisors, databases, tablets, phones, web servers, cloud applications, and critical infrastructure. The Log Correlation Engine (LCE) performs deep log analysis and correlation to continuously discover and track systems, applications, cloud infrastructure, trust relationships, and vulnerabilities. By integrating with Nessus, NNM, and LCE, Tenable.sc CV’s continuous network monitoring is able to detect events and vulnerabilities across the enterprise.
The following policy statements are included in this ARC:
At least 90% of systems are protected by a firewall policy: This policy statement displays the ratio of systems that are protected by a firewall policy to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Firewall policies may be applied to workstations, servers, and other devices, which can filter both inbound and outbound traffic. When properly configured, firewalls can help to improve network security and reduce risk to network devices by filtering access to ports and services. Systems that are not covered by a firewall policy should be investigated immediately by the organization, as this could indicate a possible unauthorized or unknown host on the network, or a host vulnerable to attack.
No unusual VPN activity has been detected on systems in the organization: This policy statement displays the ratio of systems that have unusual VPN activity detected to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement utilizes the LCE event “VPN_Login_From_Unusual_Source”. This event triggers when a VPN login originates from a source IP address that is not part of the same class B address space as what is normal for the login user ID. Systems that detect unusual VPN activity should be investigated immediately by the organization, as this could indicate possible unauthorized activity.
No systems detected having VPN activity have exploitable vulnerabilities: This policy statement displays the ratio of systems that have exploitable vulnerabilities to total systems, for systems with VPN access. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. VPN access provides secure access over an insecure connection to an organization’s network. Reducing the number of exploitable vulnerabilities can greatly help to reduce the risk to the network. Systems with VPN access that have exploitable vulnerabilities should remediated immediately.
No systems have been detected communicating with known botnets or command-and-control servers: This policy statement displays the ratio of systems detected interacting with known botnets to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Tenable.sc receives a daily updated list of IP addresses and domains that are participating in known botnets. Using this information, systems on the network that interact with known botnets can be detected. Any systems interacting with known botnets should be investigated immediately by the organization to minimize security risks.
Less than 10% of Internet-facing systems use insecure communication protocols: This policy statement displays the ratio of external-facing systems using insecure communication protocols to all external-facing systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. External-facing systems are especially susceptible to malicious activity, and the use of insecure communication protocols dramatically increases the risk of exploitation. The number of systems using insecure communication protocols should be limited and carefully monitored to ensure data security.
No systems with detected data leakage events have exploitable vulnerabilities: This policy statement displays the ratio of systems that have reported data leakage events and have exploitable vulnerabilities to all systems with data leakage events. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Data leakage events from systems with exploitable vulnerabilities could be indicative of an intrusion or other malicious activity. Such systems should be investigated immediately to address the exploitable vulnerabilities and ensure that sensitive data has not been exfiltrated from the network.
Any systems detected using USB devices: This policy statement displays the ratio of systems that have been detected with a connected USB device to all systems in the organization. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Depending on the organization, USB devices may or may not be authorized devices in the environment. If USB devices are authorized, there may be inventory requirements as well as restricted use of USB devices to certain groups or individuals. Systems detected with this policy statement should be investigated immediately to ensure compliance with organizational standards. The systems detected with USB devices could have the potential for data exfiltration and should be investigated for unauthorized activity.
Less than 25% of systems are capable of supporting weak SSL or TLS ciphers: This policy statement displays the ratio of servers running SSL or TLS that support weak ciphers to the total number of systems running SSL or TLS. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. The use of weak ciphers heightens the risk of data exposure, especially on systems used for transmitting data. Systems running SSL or TLS should be configured to use strong ciphers if possible to reduce the risk of data leakage.