Council on CyberSecurity 20 Critical Security Controls Dashboard

by Cody Dumont
March 14, 2014

This dashboard displays many indicators of the Council on CyberSecurity 20 Critical Security Controls.

  • SecurityCenter 4.7.1
  • LCE 4.2.2
  • PVS 4.0.1
  • Nessus Scanner 5.2.5

As published by the Council on CyberSecurity, the goal of the 20 Critical Security Controls is to protect assets, infrastructure, and information by strengthening your organization’s defensive posture through continuous automated protection and monitoring. This SecurityCenter Dashboard consists of one dashboard with 15 individual components that provide insight into nearly 50 items that directly correlate to the Council on CyberSecurity 20 Critical Security Controls.

The dashboard is laid out as an easy-to-read, color-coded series of 15 tables and indicators, displayed on one dashboard tab within two columns. A quick scan from the top level gives a rapid overview, while clicking on an individual indicator takes you into a deep-dive analysis of the triggered events or vulnerabilities.

In addition, Nessus, PVS, and LCE are required to enable certain compliance indicators, such as CIS, HIPAA, PCI, or DISA. Which of these are used is left to the organization’s preference, and the regulatory requirements that need to be fulfilled are fully customizable within the component itself.

Depending on organizational requirements and needs, all component sections are readily configurable for use in any environment with basic knowledge of SecurityCenter. The following is a brief description of each component and the associated control.

CoCS 20 Critical Security Controls - Control 1 New Device Detection: This component utilizes Nessus and PVS plugins (active and passive) to report new hosts found in the configured network range over the last 48 hours by recording the network address and machine names.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: CM-8, IA-3, SA-4, SC-17, SI-4, PM-5

CoCS 20 Critical Security Controls - Control 3 Secure Configurations: The results for this component are defined by keywords in vulnerability text that match text contained in several plugins. Indicators alert for compliance data against PCI, DISA, CIS, and HIPAA checks.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, CM-9, CM-11, MA-4, RA-5, SA-4, SC-15, SI-2, SI-4

CoCS 20 Critical Security Controls - Control 4 Continuous Vulnerability Scanning: This component displays the total number of known systems within the specified range, the number that have been observed over the last 30 days, and the percentage of systems that have had a credentialed scan completed over the last 30 days. It allows you to determine if vulnerability scanning is occurring against all the systems in the specified range.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: RA-5, SI-4, SI-7
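As an added illustration (not part of the original dashboard or Tenable's code), the following Python computes the three Control 4 figures from constructed asset records and additionally lists the hosts that are live in the window but have no recent credentialed scan, which the percentage alone does not name. The record layout and field names are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Reference time for the example and the 30-day window the Control 4 component uses.
NOW = datetime(2014, 3, 14, tzinfo=timezone.utc)

# Constructed sample asset records (hypothetical, not dashboard data).
# "last_seen": most recent active or passive observation of the host.
# "last_credentialed_scan": most recent completed credentialed Nessus scan, or None.
SAMPLE_ASSETS = [
    {"ip": "10.0.0.10", "last_seen": NOW - timedelta(days=1),  "last_credentialed_scan": NOW - timedelta(days=2)},
    {"ip": "10.0.0.11", "last_seen": NOW - timedelta(days=5),  "last_credentialed_scan": NOW - timedelta(days=45)},
    {"ip": "10.0.0.12", "last_seen": NOW - timedelta(days=40), "last_credentialed_scan": None},
    {"ip": "10.0.0.13", "last_seen": NOW - timedelta(days=12), "last_credentialed_scan": None},
    {"ip": "10.0.0.14", "last_seen": NOW - timedelta(days=29), "last_credentialed_scan": NOW - timedelta(days=29)},
]


def _within(ts, now, days):
    """True when ts is set and falls inside the trailing window of `days` ending at `now`."""
    return ts is not None and now - timedelta(days=days) <= ts <= now


def continuous_scanning_metrics(assets, now=NOW, window_days=30):
    """Return the Control 4 figures plus a coverage gap list.

    known:            every host in the configured range
    observed:         hosts seen (actively or passively) inside the window
    credentialed:     hosts with a completed credentialed scan inside the window
    credentialed_pct: credentialed as a percentage of known (0.0 when nothing is known)
    gaps:             hosts observed in the window but lacking a recent credentialed
                      scan, i.e. live systems the scanning program is missing
    """
    known = len(assets)
    observed = [a for a in assets if _within(a["last_seen"], now, window_days)]
    credentialed = [a for a in assets if _within(a["last_credentialed_scan"], now, window_days)]
    gaps = sorted(a["ip"] for a in observed
                  if not _within(a["last_credentialed_scan"], now, window_days))
    pct = round(100.0 * len(credentialed) / known, 1) if known else 0.0
    return {"known": known, "observed": len(observed), "credentialed": len(credentialed),
            "credentialed_pct": pct, "gaps": gaps}


if __name__ == "__main__":
    print(continuous_scanning_metrics(SAMPLE_ASSETS))
```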

CoCS 20 Critical Security Controls - Control 5 Malware Controls: This component displays indicator-style results from the Tenable Malicious Process Detection plugin, and also provides details on large virus anomalies and active virus detection on the specified network range.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: SC-39, SI-3, SI-4

CoCS 20 Critical Security Controls - Control 6 Web Application Security: This component utilizes PVS and a wide variety of plugins to passively identify vulnerabilities within web applications, including unsupported or vulnerable software versions. Included tests are SQL injection, CGI abuses, backdoors, XSS, DNS and FTP checks, IMAP, SMTP, and POP checks, Internet service checks, and web server checks, sorted by severity.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: RA-5, SA-3, SA-10, SA-11, SA-17, SC-39, SI-10, SI-16

CoCS 20 Critical Security Controls - Control 7 Wireless Access Control: This component utilizes active and passive checks for Wireless Access Point Detection to report on the total number of WAP devices found, the number that have appeared over the last 7 days, and whether they have any known vulnerabilities. This component will also report on Advanced Web Scanning.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-18, AC-19, CA-3, CM-2, IA-3, SC-8, SC-17, SI-4

CoCS 20 Critical Security Controls - Control 10 Secure Configurations for Network Devices: The results for this component are defined by keywords in vulnerability text that match text contained in several plugins. Indicators alert for compliance data against Cisco IOS and Juniper devices.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-4, CA-3, CM-2, CM-3, CM-5, CM-6, CM-8, MA-4, SC-24, SI-4

CoCS 20 Critical Security Controls - Control 11 Control of Ports/Protocols/Services: This component utilizes Nessus to identify open ports over the last 24 hours in an indicator fashion. The total number of hosts on the defined network is displayed, as well as the total number of services found active.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-4, CM-2, CM-6, CM-8, SC-20, SC-21, SC-22, SI-4

CoCS 20 Critical Security Controls - Control 12 Controlled Use of Administrator Privileges: This component provides an indication of change in user accounts by utilizing LCE’s ability to trend user creation, modification, and removal over the last 72 hours. Software deployments often include the creation, and many times the subsequent removal, of temporary accounts, all of which will also be detected. Other items under CoCS Critical Control 12, such as the password requirements, are bundled in Control 16, which covers Account Monitoring.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-2, AC-6, AC-17, AC-19, IA-2, IA-4, IA-5, SI-4

CoCS 20 Critical Security Controls - Control 13 Boundary Defense: This component focuses on common anomalies that may indicate unwanted activity against internal systems. The indicators display devices that are identified as remote hosts listed in public botnet databases, websites that contain links that are listed in public malware databases, threat-list intrusion events, and threat-list statistics. Also indicated are spikes in large firewall statistical anomalies, connections, denial of access events, and authentication failures.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-4, AC-17, AC-20, CA-3, CM-2, SA-9, SC-7, SC-8, SI-4

CoCS 20 Critical Security Controls - Control 14 Monitoring and Analysis of Logs: This component displays indications in several areas. First, it displays the number of Normalized Events that were triggered over the last 24 hours; a null value here would indicate an error with logging. Four indicators are displayed that will trigger on stored LCE events which may indicate that malicious activity is present: Long Term Intrusion Activity, System Errors, Host Scanning, and Net Sweeps.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AU-2, AU-3, AU-4, AU-5, AU-6, AU-8, AU-9, AU-10, AU-12, SI-4

CoCS 20 Critical Security Controls - Control 15 Controlled Access/Sensitive Information: This component focuses on Nessus vulnerability data, sorted by severity, that may indicate the exfiltration of sensitive data, and also utilizes PVS’s ability to capture sensitive data in transit. A handful of the triggers are Peer to Peer File Sharing, IM, FTP, and PVS’s Data Leakage plugins.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-1, AC-2, AC-3, AC-6, RA-2, SI-4

CoCS 20 Critical Security Controls - Control 16 Account Monitoring and Control: This is an indicator-style component that displays four different account event anomalies that have appeared on the defined network over the last 48 hours: login failures, account lockout events, password guessing, and successful password guessing. Also displayed are indicators showing account-related settings found by active scanning, such as passwords that are set to never expire, have never been changed, are blank, or are set to default.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-2, AC-3, IA-5, SC-17, SC-23, SI-4

CoCS 20 Critical Security Controls - Control 17 Data Protection: From PVS’s Data Leakage family of plugins to Nessus active scanning plugins that report USB device usage, this indicator-style component triggers on events that could potentially be data leakage events. Dropbox usage and BitTorrent activity are also reported.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-3, AC-4, MP-5, SC-8, SC-28, SI-4

CoCS 20 Critical Security Controls - Control 20 Penetration Testing: Just as penetration testing seeks out vulnerabilities and attempts exploits, this component focuses on exploitable vulnerabilities found by active and passive scanning. Active scan results based on patch levels are analyzed, and this indicator is triggered if any active exploits exist against the vulnerabilities. Mobile devices and web clients are passively monitored by PVS, and a wide variety of active and passive plugins are used to trigger a general indicator. Ports that have been found to be exploitable are broken down into 4 ranges (1-1024, 1025-5000, 5000-10000 and 10000+) and are displayed in an indicator fashion below the services, allowing you to rapidly locate and identify newly opened or vulnerable ports.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: CA-8, SI-6, PM-6, PM-14