
CIS CSC: Data Protection (CSC 13,14) ARC

by David Schwalenberg
June 20, 2016

Data leakage can happen when organizations lose track of where sensitive data is stored, who has access to that data, and how sensitive data traverses the network. Financial information, credit card numbers, and Personally Identifiable Information (PII) can be leaked both unintentionally and intentionally. Security incidents can increase the risk of identity theft, stolen account information, and exfiltration of sensitive internal data, which can be costly and damaging to an organization’s reputation and business. The Data Protection Assurance Report Card (ARC) provides insight into the data protection policies implemented in an organization’s network and identifies potentially vulnerable areas that may need to be addressed. Organizations can use this ARC to measure the effectiveness of the data protection methods used on their networks.

As defined by the Center for Internet Security (CIS), the Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. Developed based on specific knowledge of the threat environment and currently available technologies, the Controls are informed by actual attacks and effective defenses and reflect the combined knowledge of many experts. This ARC aligns with CIS Critical Security Controls 13, Data Protection, and 14, Controlled Access Based on the Need to Know, which address securing sensitive data, monitoring the network for data exfiltration, and detecting activity on the network that could lead to data leakage.

More details on each of the policy statements included in the ARC are given below. Clicking on a policy statement will bring up the analysis screen to display more details related to that policy statement. The ARC policy statement parameters are guides that can be customized as necessary to meet organizational requirements.

This ARC is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the SecurityCenter Feed under the category Executive. The ARC requirements are:

  • SecurityCenter 5.3.1
  • Nessus 6.5.4
  • PVS 5.0.0
  • LCE 4.8.0
  • Compliance data

Tenable SecurityCenter Continuous View (CV) is the market-defining continuous network monitoring solution. SecurityCenter CV includes active vulnerability detection with Tenable Nessus and passive vulnerability detection with the Tenable Passive Vulnerability Scanner (PVS), as well as log correlation with the Tenable Log Correlation Engine (LCE). Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of its network.

ARC Policy Statements:

No data leakage has been detected: This policy statement displays the percentage of total systems where data leakage has been detected. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Any type of data leakage, either intentional or unintentional, can result in the exposure of confidential or private information. This policy statement will help to measure the effectiveness of security controls in place on the network. Systems with detected data leakage should be investigated immediately to minimize potential security risks.

No systems with data leakage events communicate outside the network: This policy statement displays the percentage of systems with reported data leakage events that communicate outside the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Data leakage events from systems that are communicating outside the network could be indicative of an intrusion or other malicious activity. Such systems should be investigated immediately to ensure that the outside communication is not exfiltrating sensitive data from the network.

Less than 5% of systems have data exposure vulnerabilities: This policy statement displays the percentage of total systems that have data exposure vulnerabilities. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems with data exposure vulnerabilities are especially susceptible to attacks that could lead to data leakage. Remediation efforts should be targeted to address systems with data exposure vulnerabilities to ensure that they are not exploited.

Less than 5% of systems have cryptographic vulnerabilities: This policy statement displays the percentage of total systems that have cryptographic vulnerabilities. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Cryptographic vulnerabilities (weak ciphers, broken protocol versions, bad certificates) put systems at risk of exposing information due to improper encryption. Such systems can transmit data over nominally secure protocols without effective protection, and without the user's knowledge. Systems with cryptographic vulnerabilities should be prevented from transmitting sensitive data until the vulnerabilities can be remediated.

Less than 5% of systems have plaintext/cleartext vulnerabilities: This policy statement displays the percentage of total systems that have plaintext or cleartext vulnerabilities. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Plaintext password disclosures and cleartext authentication vulnerabilities can expose credentials to anyone able to observe the traffic. These plaintext and cleartext vulnerabilities should be addressed before the exposed credentials fall into the wrong hands, potentially leading to significant data breaches.

Less than 5% of data protection compliance checks failed: This policy statement displays the percentage of data protection compliance checks that failed. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Data protection settings may include encryption and access control requirements, among other things. Compliance is measured against those policy checks that reference standards such as the Cybersecurity Framework, NIST 800-53, the CIS Critical Security Controls, and the PCI Data Security Standard.

Less than 5% of file integrity compliance checks failed: This policy statement displays the percentage of file integrity compliance checks that failed. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. File integrity settings may include proper setup of a file integrity tool and baseline, among other things.

Less than 5% of removable media and USB compliance checks failed: This policy statement displays the percentage of removable media and USB compliance checks that failed. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Removable media and USB settings may include requirements to turn off Autoplay and disable USB, among other things. To protect against data loss or system compromise, removable media compliance issues must be addressed.

No systems have been detected interacting with malicious IPs: This policy statement displays the percentage of total systems that have been detected interacting with known malicious IP addresses. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. SecurityCenter receives a daily updated list of IP addresses and domains that are participating in known botnets. Using this information, systems on the network that interact with known malicious IP addresses can be detected. Any systems interacting with known malicious IP addresses should be investigated immediately by the organization to minimize security risks.
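To make the scoring rules behind the nine policy statements concrete, the following script (an added example, not Tenable's code or the ARC's actual implementation) evaluates each statement over constructed findings. The host tags, the compliance-check families, the sample hosts and checks, and the rule that an empty population scores 0% are all assumptions made for the example; SecurityCenter's own data model is not described on this page. Two details worth noticing: the second statement's population is only the systems that already have data leakage events, not all systems, and "Less than 5%" is strict, so a result of exactly 5.0% is shown in red.

```python
"""Evaluate the Data Protection ARC policy statements over constructed findings.

Added example; not Tenable's code. Tags, families and the 0%-for-empty rule are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    population: str            # "systems": fraction of hosts; "checks": fraction of compliance checks
    key: str                   # finding tag (for systems) or compliance family (for checks)
    limit: float               # "No ..." statements use 0.0; "Less than 5%" statements use 5.0
    subset: Optional[str] = None   # if set, the host population is only hosts carrying this tag


# The nine policy statements described on the page, with assumed tag/family names.
POLICIES: List[Policy] = [
    Policy("No data leakage has been detected", "systems", "leakage", 0.0),
    Policy("No systems with data leakage events communicate outside the network",
           "systems", "external_comm", 0.0, subset="leakage"),
    Policy("Less than 5% of systems have data exposure vulnerabilities", "systems", "data_exposure", 5.0),
    Policy("Less than 5% of systems have cryptographic vulnerabilities", "systems", "crypto", 5.0),
    Policy("Less than 5% of systems have plaintext/cleartext vulnerabilities", "systems", "cleartext", 5.0),
    Policy("Less than 5% of data protection compliance checks failed", "checks", "data_protection", 5.0),
    Policy("Less than 5% of file integrity compliance checks failed", "checks", "file_integrity", 5.0),
    Policy("Less than 5% of removable media and USB compliance checks failed", "checks", "removable_media", 5.0),
    Policy("No systems have been detected interacting with malicious IPs", "systems", "malicious_ip", 0.0),
]

# Constructed sample data: 20 systems, each mapped to the set of finding tags raised against it.
HOSTS: Dict[str, Set[str]] = {f"10.0.1.{n}": set() for n in range(10, 30)}
HOSTS["10.0.1.10"] |= {"leakage", "external_comm"}   # leakage event AND outbound traffic
HOSTS["10.0.1.11"] |= {"leakage"}                    # leakage event, internal only
HOSTS["10.0.1.12"] |= {"cleartext"}
HOSTS["10.0.1.13"] |= {"data_exposure"}
HOSTS["10.0.1.15"] |= {"external_comm"}              # outbound traffic but no leakage: ignored by policy 2

# Constructed compliance results as (family, passed) pairs.
CHECKS: List[Tuple[str, bool]] = (
    [("data_protection", True)] * 38 + [("data_protection", False)] * 2    # 2/40 failed = 5.0%
    + [("file_integrity", True)] * 24 + [("file_integrity", False)] * 1    # 1/25 failed = 4.0%
    + [("removable_media", True)] * 10                                      # 0/10 failed
)


def percent(numerator: int, denominator: int) -> float:
    """Percentage rounded to two places. Assumption: an empty population scores 0%."""
    return round(100.0 * numerator / denominator, 2) if denominator else 0.0


def meets(pct: float, limit: float) -> bool:
    """'No ...' passes only at exactly 0%; 'Less than 5%' is strict, so 5.0% fails."""
    return pct == 0.0 if limit == 0.0 else pct < limit


def evaluate(hosts: Dict[str, Set[str]], checks: List[Tuple[str, bool]],
             policies: List[Policy] = POLICIES) -> List[Tuple[str, float, bool]]:
    """Return (statement, percentage, requirement met) for every policy statement."""
    results = []
    for p in policies:
        if p.population == "systems":
            pop = [h for h, tags in hosts.items() if p.subset is None or p.subset in tags]
            hits = sum(1 for h in pop if p.key in hosts[h])
            pct = percent(hits, len(pop))
        else:
            fam = [ok for family, ok in checks if family == p.key]
            pct = percent(sum(1 for ok in fam if not ok), len(fam))
        results.append((p.name, pct, meets(pct, p.limit)))
    return results


if __name__ == "__main__":
    for name, pct, ok in evaluate(HOSTS, CHECKS):
        print(f"{'GREEN' if ok else 'RED':5} {pct:6.2f}%  {name}")
```

Running the script colours five statements red on the sample data (including the two boundary cases at exactly 5.0%) and four green. The `subset` field is what distinguishes the second statement: its denominator is the two leaking hosts, so a single one of them talking outside the network already scores 50%, not 5%.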