Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

NIST 800-53: Workforce Mobility

by Stephanie Dunn
January 31, 2017

As organizations continue to adapt to the demands of a mobile workforce, controls need to be in place to provide a secure way to remotely access, connect, and exchange information without compromising network security. Many organizations allow mobile and portable devices to be used without any additional security controls in place that can protect corporate data from being misused. These devices are usually running outdated operating systems, and contain vulnerabilities that can spread malware, leak confidential data, and infect other network assets. Enabling security controls that protect data-at-rest and data-in-motion will help to reduce overall security risks and support mobility requirements. This dashboard aligns NIST 800-53 guide that will assist analysts in managing mobile devices, tracking portable devices, and monitoring usage of cloud-based services.

The National Institute of Standards and Technology (NIST) developed the NIST Special Publication (SP) 800-53 revision 4, “Security and PrivacyControls for Federal Information Systems and Organizations” to provide federal information systems and organizations with security controls and processes to protect against a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors. By integrating these controls, organizations will be able to achieve a more consistent level of security and flexibility that can be customized for use with specific industries, standards, and business requirements, and complement other established information security standards. Data presented within this dashboard aligns with NIST 800-53 controls that support the security of remote access solutions, ensure mobile device security, and controlling the use of portable devices. This dashboard aligns with the following controls:

  • Remote Access (AC-17)
  • Wireless Access (AC-18)
  • Access Control for Mobile Devices (AC-19)
  • Use of External Information Systems (AC-20) 

Having the ability to access data remotely in today’s competitive marketplace is critical in an organization’s long term survival. Devices used to support the mobile workforce can include unmanaged devices that are often outdated and contain vulnerabilities that can leave critical systems or data at risk. Additional risks can include the usage of personal cloud-based services to store and access corporate data from anywhere. Organizations that fail to monitor and protect data from being stored in the cloud can lead to confidential information being inadvertently or intentionally exposed.

This dashboard will assist organizations with monitoring mobile devices, remote access solutions, access to cloud-based services, and detection of wireless devices on the network. Analysts can use the information presented to detect vulnerabilities on both scanned and managed MDM-based mobile devices. This information can be used to prevent outdated or unauthorized mobile devices from connecting to the network. Monitoring wireless devices and events can alert analysts to rogue devices or unauthorized wireless devices currently in use. Access to cloud-based services will help security teams identify and prevent corporate data from being stored outside of the network. 

This dashboard is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Compliance & Configuration Assessment. The dashboard requirements are:

  • SecurityCenter 5.4.2
  • Nessus 6.9.3
  • LCE 4.8.2
  • PVS 5.2.0

Tenable SecurityCenter Continuous View (CV) will provide continuous visibility enabling organizations to take decisive actions to secure the enterprise. Active scanning periodically examines systems to determine vulnerabilities and compliance concerns on remote access solutions and portable devices. Passive listening provides real-time discovery of vulnerabilities on mobile and portable devices. Host data and data from other security products is analyzed to monitor the network for secure communications, remote access activity, and portable device connections. SecurityCenter CV provides an organization with the most comprehensive view of the network and the intelligence needed to support workforce mobility requirements.

The following components are included within this dashboard:

  • Workforce Mobility - Mobile Device Detections: This component presents counts of mobile devices and associated vulnerabilities detected passively by the Tenable Passive Vulnerability Scanner (PVS) and via Mobile Device Management (MDM) systems. The rows break down the detected devices by OS/Vendor. The last row presents those mobile devices and vulnerabilities detected via mobile applications. Clicking on a highlighted indicator will bring up the vulnerability analysis screen to allow further investigation.
  • CSF - Mobile Devices and Removable Media: This component assists an organization in monitoring mobile devices and removable media. Indicators are highlighted purple for mobile devices detected through active and passive scans, and for mobile devices managed through an MDM server. Indicators are also presented for device connection histories, vulnerabilities, and USB events. Additional indicators are highlighted red for compliance failures related to portable devices and removable media. Clicking on a highlighted indicator will bring up the analysis screen to display details on the detections and events and allow further investigation.
  • CSF - Wireless Detections: This component presents a breakdown of detected wireless access points, wireless vulnerabilities, and wireless event activity on the network. Indicators will turn purple when an event or vulnerability is detected. Analysts can drill down to obtain additional information, including IP addresses and MAC addresses. This information can assist an organization in maintaining an accurate inventory and detecting any unauthorized wireless devices.
  • Web Activity - SSL Sessions: This component presents passive detections of SSL session traffic over the last 72 hours to various destinations, including cloud file storage access, access to services commonly used for sensitive data, and social media access. A count and trend is included for each of the events. Clicking on the Browse Component Data icon will bring up the event analysis screen to allow further investigation. Viewing the raw syslog of the events will show the SSL connection times and destinations
  • Cloud Services - Top Subnets Interacting with Cloud Services: This component displays the top Class C subnets with passive detections of interactions with cloud services such as iCloud, Google Drive, Dropbox, Salesforce, DocuSign, and others. Presenting these interactions by subnet allows easy understanding of which areas of the network are interacting most with the cloud, and if any areas of the network that are not supposed to be interacting with the cloud in fact are. Clicking on the Browse Component Data icon will bring up the vulnerability analysis screen to allow further investigation. If desired, the analysis tool can be changed to present the cloud interactions by vulnerability, IP address, or asset list.
  • Cloud Services - Services Detected: This table presents a list of passive detections of network interactions with cloud services. This information can be used to determine which cloud services are most used and if any unauthorized services are being used.
  • Verizon DBIR - Remote Access: The Verizon DBIR notes that it is important to restrict remote access to systems. This matrix assists the organization in monitoring remote access activity across the network. The Unusual VPN indicator is highlighted purple when a VPN login originates from an IP address that is not normal for the user ID. Multiple indicators highlight VPN, SSH, RDP, VNC, and SSL traffic events within the last 72 hours, including potential intrusion events, events associated with known bad IP addresses (threatlist), and long-term events. The VPN Sniffed and SSH Sniffed indicators are highlighted purple if those protocols, respectively, are passively detected on the network. The Compliance Fails indicator is highlighted red if there are any remote access compliance failures. The GoToMyPC and RemotelyAnywhere indicators are highlighted purple if those applications are detected on the network. Clicking on a highlighted indicator will bring up the analysis screen to display details on the detections and events and allow further investigation.