icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons_061

CIS CSC: Foundational Cyber Hygiene (CSC 1,2,3,4,5)

by David Schwalenberg
June 20, 2016

Establishing a starting point, which can improve an organizations security posture to provide the greatest protection against threats and vulnerabilities, is beneficial to every security program. New or unknown devices, software, applications, and vulnerabilities on an organization's network pose a great risk to the organization. Continuous monitoring for vulnerabilities, including new/unknown devices, and proactively addressing discovered flaws could reduce the risks of network compromise, data theft, or destruction.

This dashboard provides a high-level overview that aligns with the Top 5 Priorities of the National Cyber Hygiene Campaign: “Count, Configure, Control, Patch, and Repeat”.

As defined by the Center for Internet Security (CIS), the Critical Security Controls (CSC) are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. Developed based on specific knowledge of the threat environment and currently available technologies, the Controls are informed by actual attacks and effective defenses and reflect the combined knowledge of many experts.

The National Cyber Hygiene Campaign was developed as a foundation to assist in implementing the CIS Critical Security Controls. The campaign begins by asking five questions that align with the first five CSC categories: What is connected to the network? What software is running on the network? Are you managing your systems? Are you looking for known bad software? Do you track those with administrative privileges?

Analysts can use this dashboard to easily drill down into the data to determine further steps that can be the most beneficial in securing the network. Knowing these details can enable better and more efficient vulnerability management strategies within the organization. Subsequently the organization may be better protected from exploitation of network vulnerabilities, and potential intrusions, attacks, and data loss.

This dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Security Industry Trends. The dashboard requirements are:

  • SecurityCenter 5.3.1
  • Nessus 6.5.4
  • PVS 5.0.0
  • LCE 4.8.0
  • Compliance data

Tenable SecurityCenter Continuous View (CV) is the market-defining continuous network monitoring solution. SecurityCenter CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable Passive Vulnerability Scanner (PVS), as well as log correlation with Tenable Log Correlation Engine (LCE). Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of its network vulnerabilities.

The following components are included in this dashboard:

  • CSC - Inventory of Authorized and Unauthorized Devices: This component displays new hosts detected within the last 24 hours, 72 hours, and 7 days. Includes PVS, Nessus, and LCE Data. PVS and LCE are not required for this component to function, but it does provide additional functionality.
  • CSC - Inventory of Authorized and Unauthorized Software: Utilizing Nessus active scan results, this component detects unsupported applications, and missing patches. Hosts which have LCE Clients installed will also report the installation of new software as a triggered event. Reporting timeframes are within the last 24 hours, 72 hours, and 7 days.
  • CSC - Compliance Checks: This component presents the results of compliance audits to verify secure system configurations. There are two rows, one for compliance checks specific to the CIS Critical Security Controls and one for all compliance checks. Each row includes the system count, whether scans were performed in the last 7 days, and the percentage of checks that passed, failed, or require manual verification. Passed checks are displayed in green, failed checks are in red, and checks that require manual verification are in orange. Clicking on a highlighted indicator will bring up the vulnerability analysis screen to display details on the compliance checks and allow further investigation. In the vulnerability analysis screen, setting the tool to IP Summary will display the systems on which the compliance checks are present. Setting the tool to Vulnerability Detail List will display the full details on each compliance check, possibly including further information such as the expected and actual policy values and the specific sections of the various standards to which the compliance check relates.
  • CSC - Controlled Use of Administrative Privileges (Last 72 Hours): This component presents indicators of events related to user accounts and administrative privilege use. Indicators are included for new user and user account change events, privilege change events, and group and group membership change events. An indicator is also included for events that report performed or attempted administrative actions. Clicking on a highlighted indicator will bring up the event analysis screen to display details on the events and allow further investigation. In the analysis screen, setting the tool to Raw Syslog will display the raw syslog of the events, which can give more details. Any unexpected events should be further investigated.
  • CSC - New Notifications: This component utilizes LCE events to report new changes that have occurred in the environment over the last 24 hours, 72 hours, and last 7 days. New hosts, users, installed software, open ports, and trust relationships to external hosts are displayed in this table.
  • Track Mitigation Progress - Vulnerability by Severity: SecurityCenter records when vulnerabilities are discovered, when patches are issued, and when vulnerabilities are mitigated. This component assists in tracking vulnerability mitigations. The matrix presents vulnerability summary information by severity. In the matrix, the row with red is critical severity vulnerability information, the row with orange is high severity, the row with yellow is medium severity, and the row with green is low severity. The Mitigated column displays the total number of mitigated vulnerabilities. The Unmitigated column displays the total number of vulnerabilities that have not yet been mitigated. The Exploitable column displays the percentage of those unmitigated vulnerabilities that are known to be exploitable. The Patch Available column displays the percentage of the unmitigated, exploitable vulnerabilities that have had a patch available for more than 30 days. Ideally, both of these percentages should be 0%, because all exploitable vulnerabilities and all vulnerabilities with patches available should have been mitigated already. The Exploitable Hosts column displays the number of hosts on the network that have unmitigated, exploitable vulnerabilities.
  • Vulnerability Trend - Severity Matrix: This component displays counts of vulnerabilities observed in the past 24 hours, 7 days, and 30 days. The columns display vulnerability counts by severity level and a percentage bar shows the ratio of exploitable vulnerabilities. This component provides insight into whether detected vulnerabilities are exploitable as well as whether mitigation efforts are effective over time.