
CSF PROTECT.Data Security (PR.DS)

by Sharon Everson
February 26, 2016

Data security aims to protect the confidentiality, integrity, and availability of an organization’s information. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of objectives that allow an organization to build a comprehensive security plan to protect against security threats. This Assurance Report Card (ARC) aligns with the data leakage and protection aspects of the NIST Cybersecurity Framework category PROTECT.Data Security (PR.DS), which provides accurate information on the data leakage concerns within the network and potential sources of vulnerability or exposure.

Data security is essential to every organization. Ensuring that data is protected from unauthorized access, manipulation, and distribution is a necessary piece of an organization’s security plan. Having effective data leakage and file integrity monitoring policies can help organizations ensure the security of their data. Monitoring a network for specific vulnerabilities and the use of insecure communication protocols is also a useful step in securing the data on a network. Organizations that do not maintain the security of their data could be vulnerable to data leakage and exploitation.

This ARC assists organizations in improving their data security measures. Systems and vulnerabilities are identified using a combination of active scans by Nessus and passive scans by the Nessus Network Monitor (NNM). NNM can detect hosts that may be missed by active scans, such as hosts that are only connected to the network intermittently. Policy statements are included that report on systems that have data leakage events, systems that are using insecure communication protocols, and systems with data exposure or cryptographic vulnerabilities. Additional policy statements report on various compliance checks related to data protection and file integrity policies. Systems that have reported data leakage events or are using insecure communication protocols can leave an organization vulnerable to a breach in data security. Ensuring that systems are monitored for related events, vulnerabilities, and activity is essential to identifying and addressing potential sources of data leakage or exposure.

The information provided in this ARC provides a baseline to measure the effectiveness of an organization's data security efforts and identifies whether the policies that are currently being enforced are effective. Policy statements can be customized as needed to meet organizational requirements.

This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:

  • Tenable.sc 5.2.0
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.0

Tenable's Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Nessus Network Monitor (NNM), as well as log correlation with Tenable's Log Correlation Engine (LCE). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network assets, connections, and services.

ARC Policy Statements:

No data leakage has been detected: This policy statement compares the number of systems where data leakage has been detected to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Any type of data leakage, either intentional or unintentional, can result in the exposure of confidential or private information. This policy statement will help to measure the effectiveness of security controls in place on the network. Systems with detected data leakage should be investigated immediately to minimize potential security risks.

No systems with data leakage events have exploitable vulnerabilities: This policy statement compares the number of systems that have reported data leakage events and have exploitable vulnerabilities to all systems with data leakage events. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Data leakage events from systems with exploitable vulnerabilities could be indicative of an intrusion or other malicious activity. Such systems should be investigated immediately to address the exploitable vulnerabilities and ensure that sensitive data has not been exfiltrated from the network.

No systems with data leakage events communicate outside the network: This policy statement compares the number of systems that have reported data leakage events and communicate outside the network to all systems with data leakage events. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Data leakage events from systems that are communicating outside the network could be indicative of an intrusion or other malicious activity. Such systems should be investigated immediately to ensure that the outside communication is not exfiltrating sensitive data from the network.

Less than 5% of systems have data exposure vulnerabilities: This policy statement compares the number of systems with data exposure vulnerabilities to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems with data exposure vulnerabilities are especially susceptible to attacks that could lead to data leakage. Remediation efforts should be targeted to address systems with data exposure vulnerabilities to ensure that they are not exploited.

Less than 5% of systems have cryptographic vulnerabilities: This policy statement compares the number of systems with cryptographic vulnerabilities to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Cryptographic vulnerabilities put systems at risk of exposing information because of improper encryption; for example, a flawed implementation or a downgrade to a weaker protocol version can leave data effectively unencrypted on a channel the user believes is secure. Systems with cryptographic vulnerabilities should not be relied on to carry sensitive data until the vulnerabilities have been remediated.

Less than 5% of data protection compliance checks failed: This policy statement compares the number of failed to total data compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Data protection settings may include encryption and access control requirements, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:

  • Cybersecurity Framework PR.DS-1 (Data-at-rest is protected)
  • Cybersecurity Framework PR.DS-2 (Data-in-transit is protected)
  • NIST 800-53 control SC-8 (TRANSMISSION CONFIDENTIALITY AND INTEGRITY)
  • SANS/Council on CyberSecurity Critical Security Control 15 (Controlled Access Based on the Need to Know)
  • SANS/Council on CyberSecurity Critical Security Control 17 (Data Protection)
  • DoD Instruction 8500.2 control ECCD (Changes to Data)
  • DoD Instruction 8500.2 control ECCR (Encryption for Confidentiality (Data at Rest))
  • DoD Instruction 8500.2 control ECCT (Encryption for Confidentiality (Data in Transit))
  • DoD Instruction 8500.2 control ECNK (Encryption for Need-To-Know)
  • PCI DSS requirement 3 (Protect stored cardholder data)
  • PCI DSS requirement 4 (Encrypt transmission of cardholder data across open, public networks)
  • PCI DSS requirement 7 (Restrict access to cardholder data by business need to know)

Less than 5% of file integrity compliance checks failed: This policy statement compares the number of failed to total file integrity compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. File integrity settings may include proper setup of a file integrity tool and baseline, among other things.

Less than 5% of systems are reporting file integrity event spikes: This policy statement compares the number of systems that have reported file integrity event spikes to all systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. File integrity event spikes indicate that a large number of file changes occurred, compared to previous file change rates; this could be an indication of malicious activity. Systems reporting file integrity event spikes should be investigated so that any problems can be remediated.
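One way to decide what counts as a "file integrity event spike" relative to a host's own previous change rate is shown below. This is an added example written for this page, not LCE's algorithm (the page does not describe how LCE detects spikes); the per-host daily counts are constructed, and the thresholds (3x the baseline mean and more than 3 standard deviations above it, with a minimum of 5 events) are this example's assumptions.

```python
"""Flag hosts whose daily file-change count spikes relative to their own
recent baseline. Added example for this page; not LCE's own spike logic.
The counts below are constructed sample data."""
from statistics import mean, pstdev

# Constructed: per-host daily counts of file integrity events (as a FIM
# agent or LCE client might report them), oldest first; last value is today.
FILE_CHANGE_COUNTS = {
    "web01":   [12, 15, 11, 14, 13, 12, 16, 14],        # steady
    "db01":    [3, 4, 2, 3, 5, 3, 4, 41],               # today far above baseline
    "fs01":    [0, 0, 0, 0, 0, 0, 0, 9],                # quiet host, sudden burst
    "build01": [80, 95, 70, 120, 90, 110, 85, 100],     # noisy but normal
}


def is_spike(counts, window=7, min_events=5, z=3.0, ratio=3.0):
    """Return True when today's count is a spike versus the previous
    `window` days. Both tests must hold: today is at least `ratio` times
    the baseline mean (guards against tiny baselines where a z-score is
    meaningless) and today is more than `z` standard deviations above the
    baseline (guards against naturally noisy hosts such as build servers).
    `min_events` ignores trivially small bursts. All thresholds are
    assumptions chosen for this example."""
    if len(counts) < 2:
        return False
    baseline = counts[-window - 1:-1]
    today = counts[-1]
    if today < min_events:
        return False
    mu = mean(baseline)
    # Floor sigma and mu at 1.0 so a perfectly flat or all-zero baseline
    # cannot turn every nonzero day into a spike by division.
    sigma = max(pstdev(baseline), 1.0)
    ratio_ok = today >= ratio * max(mu, 1.0)
    z_ok = (today - mu) / sigma > z
    return ratio_ok and z_ok


def spiking_hosts(data=FILE_CHANGE_COUNTS, **kw):
    """Hosts whose most recent day qualifies as a spike, sorted by name."""
    return sorted(h for h, c in data.items() if is_spike(c, **kw))


def spike_percentage(data=FILE_CHANGE_COUNTS, **kw):
    """Share (0-100) of hosts reporting a spike, the ratio the ARC
    statement compares against its 5% threshold."""
    if not data:
        return 0.0
    return 100.0 * len(spiking_hosts(data, **kw)) / len(data)


if __name__ == "__main__":
    for host in spiking_hosts():
        print(f"spike: {host} today={FILE_CHANGE_COUNTS[host][-1]}")
    pct = spike_percentage()
    print(f"{pct:.1f}% of hosts spiking -> {'PASS' if pct < 5 else 'FAIL'}")
```

The two-part test matters in practice: a ratio alone would flag a build server that doubles its usual churn on a release day, while a z-score alone would flag every nonzero day on a host that is normally silent. Requiring both keeps the statement focused on hosts whose change rate is genuinely out of character.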

Less than 10% of external facing systems use insecure communication protocols: This policy statement compares the number of external facing systems using insecure communication protocols to all external facing systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. External facing systems are especially susceptible to malicious activity, and the use of insecure communication protocols dramatically increases the risk of exploitation. The number of systems using insecure communication protocols should be limited and carefully monitored to ensure data security.

Less than 25% of servers running SSL or TLS support weak ciphers: This policy statement compares the number of servers running SSL or TLS that support weak ciphers to the total number of servers running SSL or TLS. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. The use of weak ciphers heightens the risk of data exposure, especially on systems used for transmitting sensitive data, because an attacker who can observe or interfere with the connection may be able to recover the plaintext. Servers running SSL or TLS should be configured to offer only strong cipher suites wherever possible to reduce the risk of data leakage.
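The following classifier shows how a list of cipher suites accepted by each server (for example, collected with a handshake sweep) can be reduced to the per-server weak/strong verdict and percentage this statement reports. It is an added example for this page, not Nessus's or Tenable.sc's own logic; the weakness criteria (export grades, null cipher or MAC, anonymous key exchange, RC4, DES/3DES, MD5 MACs) and the server cipher lists are this example's assumptions, written in OpenSSL suite naming.

```python
"""Classify TLS cipher suites as weak or strong and report what share of
servers offers at least one weak suite. Added example for this page; the
weakness criteria are assumptions, not the page's or Nessus's definition.
Server cipher lists are constructed sample data in OpenSSL naming."""
import re

# Constructed: suites each server accepted during a handshake sweep.
SERVER_CIPHERS = {
    "www.example.test": [
        "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-CHACHA20-POLY1305",
    ],
    "legacy.example.test": [
        "ECDHE-RSA-AES128-SHA", "AES128-SHA", "RC4-SHA", "DES-CBC3-SHA",
    ],
    "mail.example.test": [
        "AES256-GCM-SHA384", "EXP-RC4-MD5", "NULL-SHA256",
    ],
    "vpn.example.test": [
        "DHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    ],
}

# Assumed weakness markers, matched against OpenSSL suite names. Order is
# the order reasons are reported in.
WEAK_PATTERNS = [
    (re.compile(r"^EXP-|^EXP1024-"), "export-grade"),
    (re.compile(r"(^|-)NULL(-|$)"), "null cipher or MAC"),
    (re.compile(r"^(ADH|AECDH)-"), "anonymous key exchange"),
    (re.compile(r"RC4"), "RC4"),
    (re.compile(r"(^|-)DES-CBC3-|(^|-)DES-CBC-"), "DES/3DES"),
    (re.compile(r"-MD5$"), "MD5 MAC"),
]


def weakness_reasons(suite):
    """Reasons a suite is considered weak; an empty list means strong."""
    return [label for pat, label in WEAK_PATTERNS if pat.search(suite)]


def weak_suites(suites):
    """Map each weak suite in `suites` to its list of reasons."""
    return {s: weakness_reasons(s) for s in suites if weakness_reasons(s)}


def servers_with_weak_ciphers(data=SERVER_CIPHERS):
    """Servers offering at least one weak suite, sorted by name."""
    return sorted(h for h, suites in data.items() if weak_suites(suites))


def weak_cipher_percentage(data=SERVER_CIPHERS):
    """Share (0-100) of SSL/TLS servers offering at least one weak suite,
    the ratio this ARC statement compares against its 25% threshold."""
    if not data:
        return 0.0
    return 100.0 * len(servers_with_weak_ciphers(data)) / len(data)


if __name__ == "__main__":
    for host in servers_with_weak_ciphers():
        for suite, reasons in weak_suites(SERVER_CIPHERS[host]).items():
            print(f"{host}: {suite} ({', '.join(reasons)})")
    pct = weak_cipher_percentage()
    print(f"{pct:.1f}% of servers offer weak ciphers -> "
          f"{'PASS' if pct < 25 else 'FAIL'} (threshold 25%)")
```

A server counts once no matter how many weak suites it offers, which is what makes the statement a per-server ratio rather than a suite count; the per-suite reasons are still useful when prioritising remediation, since a server that still offers export or null suites is in a worse position than one that merely keeps 3DES for an old client.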
