
CIS CSC: Secure Configuration (CSC 3,11) ARC

by David Schwalenberg
June 20, 2016

Compliance and regulatory changes can be challenging for organizations to manage effectively. Not only do organizations have to keep systems updated with the latest patches, but systems also need to be hardened to reduce the attack surface. Default configurations for operating systems, applications, and devices tend to be geared for ease-of-use rather than security. If these systems are not locked down, attackers will find opportunities to exploit them. Hardening systems will remove access to unnecessary services, software, and users, which helps to ensure the security of network systems. The Secure Configuration Assurance Report Card (ARC) provides insight into the compliance and device hardening efforts of an organization.

As defined by the Center for Internet Security (CIS), the Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. Developed based on specific knowledge of the threat environment and currently available technologies, the Controls are informed by actual attacks and effective defenses and reflect the combined knowledge of many experts. This ARC aligns with CIS Critical Security Controls 3 and 11, Secure Configurations, which address establishing and maintaining secure configurations for applications and devices.

Nessus can measure compliance using audit files that cover a wide range of major regulatory and other auditable standards, such as the CIS Critical Security Controls and other CIS benchmarks, the Cybersecurity Framework, HIPAA, NIST SP 800-53, PCI DSS, STIGs, and more. Tenable provides over 500 audit files, available for download from the Tenable Customer Support Portal, in categories such as operating systems, applications, databases, and network devices. Audit files can be customized if desired to match an organization's security policy. If custom audit files are generated to reflect the organization's standard configuration baselines, compliance scans can then highlight any deviations. For more information on using audit files, see Nessus Compliance Checks: Auditing System Configurations and Content.

More details on each of the policy statements included in the ARC are given below. Clicking on a policy statement will bring up the analysis screen to display more details related to that policy statement. The ARC policy statement parameters are guides that can be customized as necessary to meet organizational requirements.

This ARC is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the SecurityCenter Feed under the category Executive. The ARC requirements are:

  • SecurityCenter 5.3.1
  • Nessus 6.5.4
  • PVS 5.0.0
  • LCE 4.8.0
  • Compliance Data

Tenable SecurityCenter Continuous View (CV) is the market-defining continuous network monitoring solution. SecurityCenter CV includes active vulnerability detection with Tenable Nessus and passive vulnerability detection with the Tenable Passive Vulnerability Scanner (PVS), as well as log correlation with the Tenable Log Correlation Engine (LCE). Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of its network.

ARC Policy Statements:

At least 95% of actively and passively detected systems have been audited in the past 90 days: This policy statement displays the percentage of detected systems that have been audited in the past 90 days. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems on the network are detected both passively by PVS and actively by Nessus. Compliance scans are performed by Nessus. Systems that have not been audited within that window should be reviewed further by the organization. This policy statement helps an organization measure whether compliance scans are being performed across all systems on a regular basis.

Less than 25% of compliance checks failed on Windows, Linux, Solaris and Mac OS machines: This policy statement displays the percentage of all compliance checks across Windows, Linux, Solaris and Mac OS machines that failed. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement will help an organization identify non-compliant systems, which can help to address outstanding compliance and secure configuration issues. If custom audit files are generated to reflect the organization's standard configuration baselines, this policy statement can help highlight any deviations.

Less than 5% of secure configuration compliance checks failed: This policy statement displays the percentage of secure configuration compliance checks that failed. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Secure configuration settings may include requirements to disable unnecessary ports and other functionality, among other things. Compliance is measured against those policy checks that reference standards such as the Cybersecurity Framework, NIST 800-53, the CIS Critical Security Controls, and the PCI Data Security Standard.

Less than 5% of database compliance checks failed: This policy statement displays the percentage of database compliance checks that failed. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement relies on audit results received from Nessus scans utilizing database audit files for compliance scanning. To secure databases and meet compliance requirements, any non-compliant database settings must be addressed.

Less than 5% of web server compliance checks failed: This policy statement displays the percentage of web server compliance checks that failed. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Web server compliance checks are identified by text strings such as "Apache", "IIS", or "Application server" in their descriptions. If necessary, additional text strings can be added in the Base and Drilldown filters of this policy statement. To secure web services and meet compliance requirements, non-compliant web server settings must be addressed.
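As an added illustration (not part of the original post and not SecurityCenter's own code), the following Python evaluates the five compliance policy statements above over a small constructed set of check results, using the thresholds and the web server filter strings stated in the statements; the hostnames, check descriptions, standard references and record layout are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not SecurityCenter output). One tuple per check result:
# (host, audit_date, audit_family, check_description, status, referenced_standards)
TODAY = date(2016, 6, 20)
DETECTED_HOSTS = ["ws01", "ws02", "ws03", "db01", "web01"]   # found by Nessus or PVS
RESULTS = [
    ("ws01", date(2016, 5, 30), "os", "Disable Telnet service", "PASSED", ["CIS CSC", "NIST 800-53"]),
    ("ws01", date(2016, 5, 30), "os", "Guest account disabled", "FAILED", ["CIS CSC"]),
    ("ws02", date(2016, 6, 10), "os", "Disable Telnet service", "PASSED", ["CIS CSC", "NIST 800-53"]),
    ("ws02", date(2016, 6, 10), "os", "Guest account disabled", "PASSED", ["CIS CSC"]),
    ("ws03", date(2016, 6, 15), "os", "Disable Telnet service", "PASSED", ["CIS CSC", "NIST 800-53"]),
    ("db01", date(2016, 6, 12), "db", "Remote root login disabled", "PASSED", ["PCI DSS"]),
    ("db01", date(2016, 6, 12), "db", "Default sample schema removed", "FAILED", []),
    ("web01", date(2016, 2, 1), "web", "Apache: ServerTokens set to Prod", "PASSED", ["PCI DSS"]),
    ("web01", date(2016, 2, 1), "web", "IIS: directory browsing disabled", "PASSED", []),
]
WEB_STRINGS = ("Apache", "IIS", "Application server")   # the ARC's web server filter strings
SECURE_CONFIG_REFS = {"Cybersecurity Framework", "NIST 800-53", "CIS CSC", "PCI DSS"}

def percent(part, whole):
    """Percentage; 0.0 when there is no data, so an empty category cannot divide by zero."""
    return 100.0 * part / whole if whole else 0.0

def pct_audited(hosts, results, today, window_days=90):
    """Share of detected hosts with at least one compliance result inside the window."""
    cutoff = today - timedelta(days=window_days)
    recent = {r[0] for r in results if r[1] >= cutoff}
    return percent(sum(1 for h in hosts if h in recent), len(hosts))

def pct_failed(results, selector):
    """Share of the selected check results whose status is FAILED."""
    chosen = [r for r in results if selector(r)]
    return percent(sum(1 for r in chosen if r[4] == "FAILED"), len(chosen))

def evaluate_arc(hosts, results, today):
    """Return {policy_name: (measured_percent, requirement_met)} for the compliance statements."""
    failed = {
        "os_failed": pct_failed(results, lambda r: r[2] == "os"),
        "secure_config_failed": pct_failed(results, lambda r: SECURE_CONFIG_REFS & set(r[5])),
        "database_failed": pct_failed(results, lambda r: r[2] == "db"),
        "web_server_failed": pct_failed(results, lambda r: any(s in r[3] for s in WEB_STRINGS)),
    }
    audited = pct_audited(hosts, results, today)
    card = {"audited_90d": (audited, audited >= 95.0)}      # "at least 95%"
    for name, value in failed.items():
        limit = 25.0 if name == "os_failed" else 5.0       # "less than 25%" / "less than 5%"
        card[name] = (value, value < limit)                # strict, as the statements are worded
    return card
```

On the constructed data, `evaluate_arc(DETECTED_HOSTS, RESULTS, TODAY)` reports 80% audited (red, because web01's last audit is older than 90 days), 20% OS checks failed (green), 50% database checks failed (red) and 0% web server checks failed (green).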

Less than 5% of systems have unpatched vulnerabilities where the patch was published over 30 days ago: This policy statement displays the percentage of total systems that have unpatched vulnerabilities whose patch was published over 30 days ago. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Unpatched vulnerabilities can leave systems exposed to exploitation and should be patched within 30 days of patch publication.

Less than 5% of systems report change spikes: This policy statement displays the percentage of total systems that have reported change spikes. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Change spikes indicate that a large number of network changes were detected compared to previous change event rates. Changes can include new software installations, firewall changes, and more. Organizations can use this information to detect potentially unauthorized changes on the network.

Less than 5% of systems report file integrity event spikes: This policy statement displays the percentage of total systems that have reported file integrity event spikes. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. File integrity event spikes indicate that a large number of file changes occurred, compared to previous file change rates; this could be an indication of malicious activity. Organizations can use this information to detect potentially unauthorized changes on the network.