Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Are you better off with FDCC? How do you know?

Over the past few months, I’ve had the chance to speak with many different federal government customers who have rolled out FDCC compliance programs. These programs feature central management and auditing of large numbers of desktop configurations. A few years ago, I heard a government administrator proclaim that “satellites would fall out of the sky” when these settings went in place, but recently, I hear federal executives speak about a reduction in volume of help-desk calls and fewer virus outbreaks. So how do you know if FDCC is working for your organization?

This blog discusses some key issues to consider when looking at FDCC or any other type of configuration auditing guidelines. I often ask potential customers, conference speakers and federal CIOs the following questions. The answers I receive often provide clues into how effective the overall FDCC program is.

Are there fewer help desk calls?

As a “security product vendor” I often get confused looks when I ask this question. Networks are large and complex; and when they break users call the help desk. If we simplify the complexity, there should be fewer things that can go wrong, and thus fewer calls to the help desk.

FDCC specifies 700 to 800 different configuration settings for Windows XP and Vista. Pushing these settings throughout your network reduces configuration randomness and complexity. Right now, these settings have been determined by a variety of sources including Microsoft, the OEM who distributed the operating system, third party software, driver manufacturers and a sampling of IT staff and users. Creating consistency in these settings ensures uniform behavior in your software, and this in turn results in fewer crashes, compatibility issues and help desk tickets.

Are there fewer virus outbreaks?

Another interesting statistic to track is the overall number of virus infections. There are many factors that can impact a virus infection;  vulnerable client software, vulnerable server software, outdated anti-virus agents, and lack of virus agents.

FDCC does not have a magic setting that prevents all virus infections, however, many of the settings limit what malicious software can do within a computer and when communicating with other local computers.

I’ve also spoken with customers who have said that the effort to secure their desktops with FDCC settings also uncovered deficiencies in how they were managing, updating and auditing their anti-virus deployments. These customers encountered scenarios where IT administration issues had eventually caused outages on their anti-virus deployments.

Are you more confident to adopt new technologies?

When Tenable first got into FDCC auditing, we were working with a large federal client who was not very happy with their existing agent-based solution. It was not really the fault of the specific agent technology; rather it was the fact that all of the computers had many combinations of settings that made getting the agent to work consistently difficult. After auditing their systems with Tenable’s agent-less solution and moving their configurations to the FDCC standard, the organization is now confident they can roll out a variety of agent-based solutions for asset inventory, anti-virus, performance and more.

Anyone who has worked in the government or DOD knows that there are hundreds if not thousands of “common” operating environments that do not work well together. However, with the advent of FDCC, I’m seeing federal organizations start to feel confident about testing and deploying new software across the entire enterprise. Organizations that were “stuck” using MSIE 6 for their official browser are now investigating MSIE 7, MSIE 8, Firefox or Opera. I’ve also talked to some organizations that felt they were “locked” into their anti-virus agent solution.  Now, with the confidence of knowing that their systems are configured identically, they  are more likely to consider an anti-virus vendor change.

Has FDCC exposed any deficiencies or best practices in your IT organization?

Before federal organizations were required to monitor system configurations of their desktops, they had no knowledge of when these systems became non-compliant. Organizations that I have spoken with that have “become compliant” with FDCC have said they were surprised where non-compliant settings originated from. Some of the anecdotal reasons I have been told include:

  • Installation of any printer, scanner, camera or other driver required to operate some external computer hardware made changes to the underlying OS configuration.
  • Virus infections have made changes to various settings which have made systems non-FDCC compliant.
  • Organizations that did not enforce restrictions on “unauthorized software” installations often had the side effect of experiencing configuration changes made by the use of these programs.
  • System administrators or systems administration tools were configured incorrectly and were in fact pushing out non-compliant FDCC settings.
  • Operating systems which were placed into production directly from the vendor uncovered a procedural error where these systems should have been hardened and configured per FDCC requirements before being used.

At Tenable, one of the things we help our customers do is sample the configuration of their systems or perform an entire audit of every system. In either case, an organization can efficiently monitor very large networks for many types of changes.

For More Information

Tenable offers several different types of agent-less configuration auditing solutions based on the Tenable Nessus vulnerability scanner. Tenable’s Security Center management console is certified to perform FDCC audits on Windows XP and Vista systems. Customers can also audit their networks and systems for configuration standards available for technologies such as Unix, SQL and applications such as IIS and Apache.

I’ve also recorded a vendor neutral webinar that discusses the benefits of a configuration auditing program, how it can be used to enhance your vulnerability scanning, SIM, IDS or NBAD deployments and why it should be the basis of any security monitoring program. The recorded webinar is available to the public here.

We also have many more articles on the various types of security metrics you can use for tracking compliance ans measuring risk. 

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training