
CIS CSC: Devices and Software (CIS CSC 1,2,3,8,18) ARC

by Josef Weiss
June 20, 2016

Identifying new devices, and knowing when software is installed, out of date, or contains malware, is important in maintaining a secure environment. This dashboard provides information to assist in identifying new devices and protecting organizations from unwanted or potentially dangerous applications, enabling better and more efficient vulnerability management. The data presented aligns with CIS CSC 1, 2, 3, 8, and 18.

As defined by the Center for Internet Security (CIS), the Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. Developed based on specific knowledge of the threat environment and currently available technologies, the Controls are informed by actual attacks and effective defenses and reflect the combined knowledge of many experts. The data presented aligns with CIS Critical Security Control 1 (CSC 1) Inventory of Authorized and Unauthorized Devices; Control 2 (CSC 2) Inventory of Authorized and Unauthorized Software; Control 3 (CSC 3) Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers; Control 8 (CSC 8) Malware Defenses; and Control 18 (CSC 18) Application Software Security.

Attackers are continuously looking for vulnerable software, which can be compromised to gain access to a host. Once attackers compromise a host, that system is commonly used to laterally pivot to other hosts. Many times attackers take advantage of exploits or previously known vulnerabilities that have not yet been patched by the organization. Attackers often install backdoor programs that give them long-term control of the host. Each policy statement allows the viewer to drill down into the data to review additional details on new hosts, software installations, identified malware, and patching status within the organization. This information will help the organization prevent or minimize exploitation, potential intrusions, attacks, and data loss.

More details on each of the policy statements included in the ARC are given below. Clicking on a policy statement will bring up the analysis screen to display more details related to that policy statement. The ARC policy statement parameters are guides that can be customized as necessary to meet organizational requirements.

This ARC is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the SecurityCenter Feed under the category Executive.

The ARC requirements are:

  • SecurityCenter 5.3.1
  • Nessus 6.5.4
  • PVS 5.0.0
  • LCE 4.8.0
  • Compliance data


Tenable SecurityCenter Continuous View (CV) is the market-defining continuous network monitoring solution. SecurityCenter CV includes active vulnerability detection with Tenable Nessus and passive vulnerability detection with the Tenable Passive Vulnerability Scanner (PVS), as well as log correlation with the Tenable Log Correlation Engine (LCE). Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of its network.


ARC Policy Statements:


  • No new hosts detected Actively, Passively, or by Event in the last 72 hours. This policy statement displays non-compliance if new hosts have been detected within the last 72 hours. Includes PVS, Nessus, and LCE data. PVS and LCE are not required for this policy to function, but they do provide additional coverage. CSC 1 suggests that organizations actively manage all hardware devices on the network. New devices should be identified and correctly assigned to the proper asset groups, and unauthorized devices should be removed or otherwise restricted.
  • No new MAC address found on the network in the last 72 hours. This policy statement displays non-compliance if new wireless or mobile devices have been detected within the last 72 hours. This policy utilizes events New_Wireless_MAC and New_Mobile_MAC to display results. CSC 1 suggests that organizations actively manage all hardware devices on the network. New devices should be identified and correctly assigned to the proper asset groups and unauthorized devices should be removed or otherwise restricted.
  • No Unsupported Software installed on any host. This policy statement displays non-compliance if any unsupported software is detected within the environment. CSC 2 suggests that organizations actively manage all software so that only authorized software is installed and can execute. Unsupported software may have been authorized but could also pose a higher risk to the organization. Unsupported software should be updated or removed if no longer being utilized to reduce risk.
  • No systems have missing patches over 30 days old. This policy statement displays non-compliance if any hosts are missing patches over 30 days old. CSC 3 suggests that organizations keep systems up to date with the latest application and software security patches. Poor patching continues to be the most significant threat to data security. To reduce risk, missing patches should be identified and applied as soon as possible.
  • No Software Installation events have been detected over the last 72 hours. This policy statement displays non-compliance if software installations have been detected over the specified time period. CSC 2 suggests that organizations actively manage all software so that only authorized software is installed and inventory is managed. This policy counts the number of installations per operating system over the last 72 hours. Each operating system is tailored by specific Normalized Events that detect software installation events. Information presented within this chart can assist the analyst in tracking software inventory across the network.
  • No systems are infected with malware. This policy statement displays non-compliance if any hosts are infected with malware. CSC 8 suggests that malware defenses be established that control the installation, spread, and execution of malicious code. Malware can be a simple annoyance such as adware, or can be more serious such as a virus or trojan. Malware can cause serious harm or transmit information to unwanted third parties and should be identified and removed as quickly as possible.
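To make the six policy statements concrete, the following Python is an added illustration (not Tenable code and not how SecurityCenter evaluates an ARC internally) that applies the same pass/fail rules to a small inventory snapshot. The 72-hour and 30-day thresholds and the `New_Wireless_MAC` / `New_Mobile_MAC` event names come from the policy text above; the software-install event names, host records, patch identifiers and timestamps are constructed for the example.

```python
"""Evaluate ARC-style policy statements over an inventory snapshot.

Added illustration, not Tenable code. The hosts, events and patch ids
below are constructed; the thresholds mirror the ARC policy statements.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NEW_DEVICE_WINDOW = timedelta(hours=72)     # "in the last 72 hours"
PATCH_AGE_LIMIT = timedelta(days=30)        # "missing patches over 30 days old"
MAC_EVENTS = {"New_Wireless_MAC", "New_Mobile_MAC"}   # named in the policy text
# Assumed per-OS normalized event names for installs (not from the page)
INSTALL_EVENTS = {"Windows-Software_Installed", "Linux-Package_Installed"}


@dataclass
class Host:
    ip: str
    first_seen: datetime                 # earliest Nessus/PVS/LCE sighting
    unsupported_software: list[str] = field(default_factory=list)
    missing_patches: dict[str, datetime] = field(default_factory=dict)  # id -> release date
    malware: list[str] = field(default_factory=list)


@dataclass
class Event:
    name: str
    host: str
    when: datetime


def evaluate_policies(hosts, events, now):
    """Return {policy: (compliant, evidence)} for the six ARC statements."""
    def recent(ts):
        return now - ts <= NEW_DEVICE_WINDOW

    new_hosts = sorted(h.ip for h in hosts if recent(h.first_seen))
    new_macs = sorted(f"{e.host}:{e.name}" for e in events
                      if e.name in MAC_EVENTS and recent(e.when))
    unsupported = {h.ip: h.unsupported_software for h in hosts if h.unsupported_software}
    stale = {}
    for h in hosts:
        old = sorted(p for p, released in h.missing_patches.items()
                     if now - released > PATCH_AGE_LIMIT)
        if old:
            stale[h.ip] = old
    installs = sorted(f"{e.host}:{e.name}" for e in events
                      if e.name in INSTALL_EVENTS and recent(e.when))
    infected = {h.ip: h.malware for h in hosts if h.malware}

    # A statement is compliant only when its evidence set is empty.
    return {
        "no_new_hosts_72h": (not new_hosts, new_hosts),
        "no_new_mac_72h": (not new_macs, new_macs),
        "no_unsupported_software": (not unsupported, unsupported),
        "no_patches_over_30d": (not stale, stale),
        "no_install_events_72h": (not installs, installs),
        "no_malware": (not infected, infected),
    }


# ---- constructed sample data ------------------------------------------
NOW = datetime(2016, 6, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_HOSTS = [
    Host("10.0.0.10", NOW - timedelta(days=400),
         missing_patches={"PATCH-EXAMPLE-1": NOW - timedelta(days=45)}),   # stale
    Host("10.0.0.11", NOW - timedelta(hours=5)),                           # new host
    Host("10.0.0.12", NOW - timedelta(days=90),
         unsupported_software=["ExampleApp 1.0 (end-of-life)"],
         missing_patches={"PATCH-EXAMPLE-2": NOW - timedelta(days=3)}),    # inside 30 days
]
SAMPLE_EVENTS = [
    Event("New_Wireless_MAC", "10.0.0.50", NOW - timedelta(hours=20)),
    Event("Windows-Software_Installed", "10.0.0.10", NOW - timedelta(days=5)),  # older than 72h
]


def sample_report():
    return evaluate_policies(SAMPLE_HOSTS, SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for policy, (ok, evidence) in sample_report().items():
        print(f"{policy:26s} {'PASS' if ok else 'FAIL'} {evidence if not ok else ''}")
```

Running the block shows four statements failing (a host first seen five hours ago, a wireless MAC event inside the window, end-of-life software, and a patch missing for 45 days) and two passing; the install event is ignored because it falls outside the 72-hour window, and the patch released three days ago is still inside the grace period. The evidence returned with each verdict is what an analyst would drill into from the ARC analysis screen.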