Establishing a starting point, which can improve an organizations security posture to provide the greatest protection against threats and vulnerabilities, is beneficial to every security program. Information presented in this ARC contains basic security details, highlighting the first five CIS Critical Security Controls, that provide assistance in determining which further steps are the most beneficial. This ARC aligns with CIS CSC and the National Cyber Hygiene Campaign Foundational Guidelines, which enables better and more efficient vulnerability management, patching, and mitigation within the organization.
As defined by the Center for Internet Security (CIS), the Critical Security Controls (CSC) are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. Developed based on specific knowledge of the threat environment and currently available technologies, the Controls are informed by actual attacks and effective defenses and reflect the combined knowledge of many experts.
The National Cyber Hygiene Campaign was developed as a foundation to assist in implementing the CIS Critical Security Controls. The campaign begins by asking five questions that align with the first five CSC categories: What is connected to the network? What software is running on the network? Are you managing your systems? Are you looking for known bad software? Do you track those with administrative privileges?
More details on each of the policy statements included in the ARC are given below. Clicking on a policy statement will bring up the analysis screen to display more details related to that policy statement. The ARC policy statement parameters are guides that can be customized as necessary to meet organizational requirements.
This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Tenable.sc Feed under the category Executive.
The ARC requirements are:
- Tenable.sc 5.3.1
- Nessus 8.5.1
- NNM 5.9.1
- LCE 6.0.0
- Compliance data
Tenable's Tenable.sc Continuous View (CV) is the market-defining continuous network monitoring solution. Tenable.sc CV includes active vulnerability detection with Tenable Nessus and passive vulnerability detection with the Tenable Nessus Network Monitor (NNM), as well as log correlation with the Tenable Log Correlation Engine (LCE). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network.
ARC Policy Statements:
- No new hosts detected Actively, Passively, or by Event in the last 72 hours. This policy statement displays non-compliance if new hosts have been detected within the last 72 hours. Includes NNM, Nessus, and LCE data. NNM and LCE are not required for this policy to function, but it does provide additional functionality. CSC 1 suggests that organizations actively manage all hardware devices on the network. New devices should be identified and correctly assigned to the proper asset groups and unauthorized devices should be removed or otherwise restricted.
- No Unsupported Software installed on any host. This policy statement displays non-compliance if any unsupported software is detected within the environment. CSC 2 suggests that organizations actively manage all software so that only authorized software is installed and can execute. Unsupported software may have been authorized but could also pose a higher risk to the organization. Unsupported software should be updated or removed if no longer being utilized to reduce risk.
- Less than 5% of secure configuration compliance checks failed. This policy statement displays the ratio of failed to total secure configuration compliance checks. Secure configuration settings may include requirements to disable unnecessary ports and other functionality, among other things. CSC 3 suggests that secure configurations be established, implemented, and tracked to prevent attackers from exploiting vulnerable services and settings. Compliance is measured against those policy checks that reference standards such as the Cybersecurity Framework, NIST 800-53, and the CIS Critical Security Controls.
- No systems have exploitable vulnerabilities. This policy statement displays compliance if no devices have vulnerabilities that are known to be exploitable. CSC 4 suggests that organizations continuously monitor, assess, and take action in order to identify and remediate vulnerabilities. Vulnerabilities that are exploitable pose the greatest risk and should be remediated as soon as possible.
- Less than 5% of user access and least privilege compliance checks failed. This policy statement displays the percentage of user access and least privilege compliance checks that failed. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Least privilege settings may include requirements to disable certain rights and privileges for specific users, among other things. Compliance is measured against those policy checks that reference standards such as the Cybersecurity Framework, NIST 800-53, and the CIS Critical Security Controls.