CCC 3: Deploy a secure network

The security of a network requires daily attention to logs, new ports, and traffic segmentation efforts.  This Assurance Report Card (ARC) provides the CISO with high-level understanding of insecure port usage, log collection, security of VPN clients, and the vulnerability status of key devices such as firewalls and VPN devices. Tenable.sc Continuous View (CV) monitors activity and identifies risk in all aspects of the modern IT landscape, including firewalls, load balancers, VPN clients, and more. By taking a continuous network monitoring approach to security Tenable.sc CV tracks the dependencies between users, the silos of data, and applications in use.

As described in the Tenable Critical Cyber Controls, deploying a secure network is a daily practice. Daily tasks include network segmentation, monitoring port usage, and protocols, managing firewalls to limit Internet access, continuously monitoring network traffic, and maintaining the ability to provide secure remote access.

Monitoring the network includes collecting traffic flow analysis data, log data from firewalls, and limiting network access as determined by the organizations Acceptable Use Policies (AUP). The ARC provides the CISO with a summary view of log collection efforts, and monitors all security devices for traffic flow analysis. The ARC will provide notification of the presence of unsecure protocols such as Telnet, FTP, or VNC. Organizations must also monitor the web applications for vulnerabilities; this ARC provides a convenient method to monitor servers accepting external connections for exploit able vulnerabilities.

This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The ARC can be easily located in the Feed by selecting category Executive. The ARC requirements are:

• Tenable.sc 5.0
• Nessus 8.5.1
• LCE 6.0.0
• NNM 5.9.0

This ARC uses all aspects of continuous monitoring, including scanning, sniffing, and log correlation. Using each of these technologies allows Tenable to provide a unique combination of detection, reporting, and pattern recognition utilizing industry recognized algorithms and models. Tenable.sc Continuous View integrates with many technologies such as patch management, mobile device management, malware defenses, network infrastructure, cloud services, and other log analysis platforms to provide a holistic approach to threat detection and risk analysis.

The policies for this ARC are:

Less than 5% of systems accepting external connections have an exploitable vulnerability: This policy uses NNM to identify systems accepting connections from outside the organizations network. Next, the systems are scanned actively to determine if there are any exploitable vulnerabilities. This policy will show compliant if there less than 5% of systems identified as exploitable and accepted external connections.

Less than 5% of Security Devices (Firewall, VPN, and Load Balancers) have a critical vulnerability: This policy identifies security infrastructure devices such as Firewalls, VPNs, and Load Balancers using active detection methods. These systems are then scanned for vulnerabilities. If less than 5% of these systems contain critical severity vulnerabilities this policy will show compliant.

Less than 5% of Systems with VPN access have an exploitable vulnerability older than 30 days: This policy uses an asset to identify systems with a VPN client installed. The clients are then scanned for vulnerabilities. The benefit of this policy is that systems with remote access may miss patching cycles or scanning attempts, and often are on unsecure networks. By monitoring these systems closely, the CISO can determine if remote access policies need to change to support better management of risk. The policy will show compliant when less than 5% of VPN client are exploitable.

Less than 10% of systems utilize insecure protocols external to the organization: This policy identifies systems in the network that are communicating with external systems using insecure clear text protocols. These protocols that cannot be secured should not be used. Any time traffic of this type is identified the usage should be investigated. This policy requires the use of NNM, Tenable Netflow Monitor, or the Tenable Network Monitor. This policy shows compliant when less than 10% of systems use these protocols.

Greater than 95% of Internet facing systems have centralized log collection enabled: This policy identifies systems that provide services to Internet customers, such as web servers, on which log collection is enabled.  With log collection enabled on these systems, attacks can be tracked more thoroughly.  The logs should track application services and operating system events. The ARC helps executives ensure necessary data is collected from the most exposed systems.  The policy will show as compliant when more that 95% of systems are sending logs to LCE.

Greater that 90% of systems are configured with active anti-virus protection: This policy reflects the organization's anti-virus status.  Every system that is detected actively or passively is evaluated to see if the anti-virus software is updated.  If more than 90% of systems are found to have up to date anti-virus software running, the policy will show as Compliant in green.

Less than 25% of websites requiring secure communication upgrades: This policy monitors the SSL key exchange and discovers the levels of encryption supported by the web server.  With the recent OpenSSL vulnerabilities, only the strongest encryption levels should be supported.  This policy will show as Compliant in green when less than 25% of web servers support weak encryption methods.

Greater than 90% of systems are protected by a firewall policy: The policy will use statistics from firewalls to identify systems that have traffic monitored by a firewall. LCE tracks the statistics collected from firewalls.  Next, LCE can attribute the host IP addresses monitored by the device.  This policy will show as Compliant when more that 90% of systems are tracked.

Greater than 90% of systems have network traffic monitored for intrusions: This policy provides an executive with an understanding of the systems currently monitored by IPS.  The policy uses an asset to identify systems with intrusion events and threat list events.  These systems may not have been compromised, but have IDS related events.  The policy will show as Compliant when more than 90% of systems are covered by IDS.