
CSF IDENTIFY.Risk Assessment (ID.RA)

by Megan Daudelin
February 26, 2016

Performing risk assessments is an integral part of implementing a network security plan. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of objectives that allow an organization to build a comprehensive security plan to protect against security threats. This Assurance Report Card (ARC) aligns with the NIST Cybersecurity Framework category IDENTIFY.Risk Assessment (ID.RA), which provides accurate information on the risk status of an organization’s network and identifies key areas of risk that need additional measures implemented.

No matter the size of an organization, measuring risk can be a daunting task. Risk assessments need to account for all the devices that connect to the network, which can include a great number and variety of devices. Having adequate scan policies, up-to-date software, and a consistent patch and remediation plan can help reduce the level of risk an organization is exposed to. Organizations that do not monitor their risk exposure could be leaving their network vulnerable to attack, intrusion, or infection.

This ARC assists organizations in improving their risk assessment efforts. Systems and vulnerabilities are identified using a combination of active scans by Nessus and passive scans by the Nessus Network Monitor (NNM). NNM can detect hosts that may be missed by active scans, such as hosts that are only connected to the network intermittently. Policy statements are included that report on systems that have been recently scanned, unpatched vulnerabilities with patches over 30 days old, and systems running unsupported software. Additional policy statements report on various types of systems with exploitable vulnerabilities and exploitable vulnerabilities that have been recast or marked as accepted risks. Unpatched vulnerabilities, unsupported software, and exploitable vulnerabilities can leave a network exposed to malicious activity. Ensuring that systems are scanned regularly is key to monitoring and remediating the vulnerabilities on systems within a network in order to mitigate risk.

This ARC provides a baseline for measuring the effectiveness of an organization's risk assessment efforts and shows whether the policies currently being enforced are working. Policy statements can be customized as needed to meet organizational requirements.

This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:

  • Tenable.sc 5.2.0
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.0

Tenable's Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Nessus Network Monitor (NNM), as well as log correlation with Tenable's Log Correlation Engine (LCE). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network assets, connections, and services.

ARC Policy Statements:

At least 80% of actively and passively detected systems have been scanned in the last 14 days: This policy statement compares the ratio of detected systems that have been scanned in the last 14 days to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems on the network are detected both passively by NNM and actively by Nessus. All systems should be actively scanned by Nessus to ensure that all systems are properly identified and evaluated.

Less than 5% of systems have unpatched vulnerabilities where the patch was published over 30 days ago: This policy statement compares the number of systems with unpatched vulnerabilities whose patch was published over 30 days ago to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Unpatched vulnerabilities leave systems exposed to exploitation and should be patched within 30 days of patch publication.

Less than 5% of systems are running unsupported software: This policy statement compares the number of systems running unsupported software to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement looks for unsupported software on a network, which can include outdated operating systems, applications, browsers, and other software. Unsupported software can be prone to vulnerabilities, which can present serious security risks for an organization. Some systems may not be capable of being patched due to lack of vendor support, end-of-life, or other business requirements. Unsupported software should be monitored regularly to determine whether software can and should be updated.

No systems have exploitable vulnerabilities: This policy statement compares the number of systems with exploitable vulnerabilities to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems with exploitable vulnerabilities can expose the network to increased risk of malicious activity and should be patched.

No Internet-facing systems have exploitable vulnerabilities: This policy statement compares the number of Internet-facing systems with exploitable vulnerabilities to total Internet-facing systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on Internet-facing systems leave the network exposed to malicious activity and should be remediated.

No systems with VPN access have exploitable vulnerabilities: This policy statement compares the number of systems with VPN access that have exploitable vulnerabilities to total systems with VPN access. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy monitors exploitable vulnerabilities on all systems that have VPN access. Exploitable vulnerabilities on systems with VPN access leave the network especially exposed to malicious activity and need to be remediated.

No mobile devices have exploitable vulnerabilities: This policy statement compares the number of voice and mobile devices with exploitable vulnerabilities to the total number of voice and mobile devices. Exploitable vulnerabilities on mobile devices increase the network’s potential exposure to malicious activity and should be remediated if possible.

No security devices have exploitable vulnerabilities: This policy statement compares the number of security devices with exploitable vulnerabilities to total security devices. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on security devices expose the network to a high level of risk and need to be remediated.

No web servers have exploitable vulnerabilities: This policy statement compares the number of web servers with exploitable vulnerabilities to total web servers. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on web servers expose the network to attack and should be remediated.

No systems with outbound external connections have exploitable vulnerabilities: This policy statement compares the number of systems with outbound external connections that have exploitable vulnerabilities to total systems with outbound external connections. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on systems with outbound external connections leave the network exposed to malicious activity and should be remediated.

No systems have exploitable vulnerabilities marked as accepted risks: This policy statement compares the number of systems with exploitable vulnerabilities marked as accepted risks to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities that have been marked as accepted risks can be overlooked sources of risk and should be reviewed carefully.

No systems have exploitable vulnerabilities recast to Info: This policy statement compares the number of systems with exploitable vulnerabilities recast to the Informational severity to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities that have been recast to Info can be overlooked sources of risk and should be reviewed carefully.
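As an added example (not part of the original ARC and not Tenable.sc's own evaluation logic), the script below applies the policy statements above, with the page's thresholds, to a small constructed host inventory and reports each one as green or red. The host fields, the group names, and the convention that an empty group (for example, no mobile devices) scores 0% are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class Host:
    """One detected system; constructed sample record, not a Tenable.sc export."""
    name: str
    last_scan: date | None = None      # None: seen only passively by NNM, never actively scanned
    patch_age_days: int | None = None  # age in days of the oldest missing patch; None if fully patched
    unsupported: bool = False          # running unsupported (end-of-life) software
    exploitable: bool = False          # has at least one exploitable vulnerability
    accepted_risk: bool = False        # an exploitable finding is marked as an accepted risk
    recast_info: bool = False          # an exploitable finding was recast to Informational
    groups: frozenset = frozenset()    # assumed asset groups: internet, vpn, mobile, security, web, outbound

def ratio(hosts, cond):
    """Percentage of the population meeting cond; an empty population counts as 0% (assumption)."""
    return 100.0 * sum(1 for h in hosts if cond(h)) / len(hosts) if hosts else 0.0

def evaluate(hosts, today):
    """Map each ARC policy statement to (green|red, measured percentage rounded to 0.1)."""
    results = {}
    def policy(label, population, cond, passes):
        value = ratio(population, cond)
        results[label] = ("green" if passes(value) else "red", round(value, 1))
    policy("scanned_14d", hosts, lambda h: h.last_scan is not None and (today - h.last_scan).days <= 14, lambda v: v >= 80)
    policy("unpatched_30d", hosts, lambda h: h.patch_age_days is not None and h.patch_age_days > 30, lambda v: v < 5)
    policy("unsupported", hosts, lambda h: h.unsupported, lambda v: v < 5)
    policy("exploitable", hosts, lambda h: h.exploitable, lambda v: v == 0)
    for group in ("internet", "vpn", "mobile", "security", "web", "outbound"):
        # "No <group> systems have exploitable vulnerabilities": the ratio is taken over that group only
        policy(f"exploitable_{group}", [h for h in hosts if group in h.groups], lambda h: h.exploitable, lambda v: v == 0)
    policy("accepted_risk", hosts, lambda h: h.accepted_risk, lambda v: v == 0)
    policy("recast_info", hosts, lambda h: h.recast_info, lambda v: v == 0)
    return results

def failing(results):
    """Policy labels shown in red, i.e. the areas that need additional measures."""
    return sorted(label for label, (status, _) in results.items() if status == "red")

TODAY = date(2016, 2, 26)   # evaluation date; the post's publication date
SAMPLE = [  # constructed sample inventory, not real scan data
    Host("ws-01", date(2016, 2, 20)),
    Host("ws-02", date(2016, 2, 24), patch_age_days=12),
    Host("srv-web", date(2016, 2, 25), patch_age_days=45, exploitable=True, groups=frozenset({"internet", "web"})),
    Host("srv-vpn", date(2016, 2, 15), groups=frozenset({"vpn"})),
    Host("printer", unsupported=True),                    # detected only by NNM, never actively scanned
    Host("fw-01", date(2016, 2, 22), exploitable=True, accepted_risk=True, groups=frozenset({"security"})),
]
if __name__ == "__main__":
    print(failing(evaluate(SAMPLE, TODAY)))
```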
