Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

CJIS Security Policy

by Michael Willison
November 7, 2014

The Criminal Justice Information System (CJIS) Security Policy was created by the Federal Bureau of Investigation (FBI) to provide guidance to organizations dealing with Criminal Justice Information (CJI). The policy outlines roles and responsibilities for organizations, proper handling of CJI, and the implementation of both technical and physical security policies. The CJIS policy was designed to provide a base-level security policy for all entities that have access to CJI, and all organizations that interact with CJI must comply with the CJIS policy.

This dashboard focuses on the CJIS Security Policy. Tenable’s SecurityCenter Continuous View (CV) is the market-defining continuous network monitoring platform, which includes active vulnerability detection with Nessus, passive vulnerability detection with the Passive Vulnerability Scanner (PVS), and log correlation with the Log Correlation Engine (LCE). SecurityCenter CV assists organizations in discovering compliance and vulnerability concerns on the network, assessing their impact, reporting on the results, and taking action to remediate issues. SecurityCenter CV provides proactive continuous monitoring across the organization to assist in responding to existing CJIS compliance requirements, as well as preparing for any changes to requirements that may arise in the future.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Compliance & Configuration Assessments.

The dashboard requirements are:

  • SecurityCenter 4.8.1
  • Nessus 5.2.7
  • LCE 4.4.0
  • PVS 4.0.2

Download the Analysis and Compliance to Meet CJIS and FTI Security Standards whitepaper.

Listed below are the included components:

  • Vulnerability Top Ten - Top 10 Remediations - This table displays the top 10 remediations for the network. For each remediation, the risk reduction for the network if the remediation is implemented is shown, along with the number of hosts affected. The list is sorted so that the highest risk reduction is at the top of the list. Implementing the remediations will decrease the vulnerability of the network.
  • Vulnerability Top Ten - Top 10 Exploitable Vulnerabilities - This table displays the top 10 exploitable vulnerabilities on the network. The list is sorted so that the most critical vulnerability is at the top of the list. For each vulnerability, the severity and the number of hosts affected is shown.
  • Vulnerability Top Ten - Top 10 Most Vulnerable Hosts - This table displays the 10 hosts on the network that have the greatest number of exploitable critical and high severity vulnerabilities. The list is sorted so that the most vulnerable host is at the top of the list. For each host, a bar graph of its critical and high severity vulnerabilities are shown.
  • Track Mitigation Progress - Vulnerability Summary by Severity - SecurityCenter records when vulnerabilities are discovered, when patches are issued, and when vulnerabilities are mitigated. This component assists in tracking vulnerability mitigations. The matrix presents vulnerability summary information by severity. In the matrix, the row with purple is critical severity vulnerability information, the row with red is high severity, the row with orange is medium severity, and the row with blue is low severity. The Mitigated column displays the total number of mitigated vulnerabilities. The Unmitigated column displays the total number of vulnerabilities that have not yet been mitigated. The Exploitable column displays the percentage of those unmitigated vulnerabilities that are known to be exploitable. The Patch Available column displays the percentage of the unmitigated, exploitable vulnerabilities that have had a patch available for more than 30 days. Ideally, both of these percentages should be 0%, because all exploitable vulnerabilities and all vulnerabilities with patches available should have been mitigated already. The Exploitable Hosts column displays the number of hosts on the network that have unmitigated, exploitable vulnerabilities.
  • Monitor Security Solutions - Activity in Last 72 Hours - This component assists in monitoring security solutions. The matrix presents activity indicators for various security solutions: Firewall, IDS, Antivirus, Antispam, and Anti-scanning. This component assumes that if log events were received in the last 72 hours from a particular technology, then that technology is active on the network, so the indicator is highlighted green. Further investigation is warranted if a protection technology should be active, but no events are being received.
  • SEC Risk Alert - Potential Data Loss - This matrix displays various indications of potential for data leakage and loss. Red indicators signify that activity of high severity has occurred. Green indicators signify that activity that has the potential for data loss has occurred and further investigation may be warranted.
  • Detect Changes - Changes in Last 72 Hours - This component can assist in maintaining up-to-date inventories and detecting changes. The matrix presents indicators for network changes detected in the last 72 hours. Each indicator is based on one or more Log Correlation Engine (LCE) events; the indicator is highlighted yellow if the event occurred in the last 72 hours. Any changes should be investigated to determine if they are authorized. More information can be obtained on these events (such as change details, time, and IP address) by clicking on the specific indicator and viewing the raw syslog.
  • Detect Suspicious Activity - Alerts in Last 72 Hours - This matrix presents warning indicators for potentially suspicious network activity detected in the last 72 hours. Each indicator is based either on one or more Log Correlation Engine (LCE) events, or on active or passive vulnerability detections. The indicator is highlighted red if the event occurred in the last 72 hours. Any warnings should be further investigated. More information can be obtained on these events (such as details, time, and IP address) by clicking on the specific indicator and viewing the raw syslog (for events) or the detailed vulnerability list (for vulnerabilities).
    • Targeted Intrusion – An intrusion attack was detected that targeted systems and ports likely to be exploited by the detected attack
    • Botnet Activity – Traffic to or from a known malicious IP address was detected
    • Botnet Vulns – Botnet activity was actively detected
    • Data Leak – Potential data leakage was detected
    • Malware Vulns – Malware was actively or passively detected
    • Malicious Process – A malicious process was actively detected
    • Malicious Content – Malicious hosted web content was actively detected
    • Bad AutoRuns - Windows AutoRun and scheduled task registry entries known to be associated with malware were actively detected
    • Long-Term – Potentially suspicious activity occurring over a long period of time was detected
    • Crowd Surge – A large number of local hosts visiting the same server was detected
    • Long TCP – A TCP session lasting more than a day was detected
    • Large Xfr TCP – A TCP session which transferred more than 1GB was detected
  • Detect Suspicious Activity - Spikes in Last 72 Hours - This matrix presents warning indicators for potentially suspicious spikes in network activity detected in the last 72 hours. Each indicator is based on one or more Log Correlation Engine (LCE) events. The indicator is highlighted red if the event occurred in the last 72 hours. Any warnings should be further investigated. More information can be obtained on these events (such as details, time, and IP address) by clicking on the specific indicator and viewing the raw syslog.
    • Firewall Spike – A large number of firewall events, compared to previous event rates, were detected
    • Intrusion Spike – A large number of intrusion events, compared to previous event rates, were detected
    • Virus Spike – A large number of virus events, compared to previous event rates, were detected
    • Scanning Spike – A large number of scanning events (port scans, port sweeps, and probes), compared to previous event rates, were detected
    • Botnet Spike – A large number of threatlist events (traffic to or from known malicious IP addresses), compared to previous event rates, were detected
    • Process Spike – A large number of process events (such as process starts, stops, and crashes), compared to previous event rates, were detected
    • Auth Spike - A large number of login events, compared to previous event rates, were detected
    • Auth Fail Spike - A large number of login failure events, compared to previous event rates, were detected
    • File Access Spike – A large number of remote file access events (such as FTP and SMB transfers, and e-mail attachments), compared to previous event rates, were detected
    • Access Denied Spike – A large number of access denied events (attempts to retrieve objects, files, network shares and other resources that are denied), compared to previous event rates, were detected
    • Web Access Spike – A large number of web access events (successful connections to web resources), compared to previous event rates, were detected
    • Web Error Spike – A large number of web error events (web access events that are denied because the file does not exist, the server responded with an error, or a firewall or web application firewall blocked the access), compared to previous event rates, were detected
    • DNS Spike – A large number of DNS events, compared to previous event rates, were detected
    • Network Spike – A large number of network events, compared to previous event rates, were detected
    • NetFlow Spike – A large number of NetFlow events (detected by the Tenable NetFlow Monitor (TFM)), compared to previous event rates, were detected
    • Connect Spike – A large number of connection events (such as allowed connections through firewalls and established VPN sessions), compared to previous event rates, were detected
  • Compliance Summary - CJIS Security Policy - This matrix provides a sense of how the network complies with the security guidelines in the CJIS Security Policy. Sections from the Policy and Implementation chapter of the Security Policy are listed. For each section, the equivalent NIST 800-53 controls are displayed, along with the number of network systems that were audited against these controls, and ratio bars for the percentage of these compliance checks that either passed (green bar), failed (red bar), or require manual verification (orange bar). Since the CJIS Security Policy does not specifically mention the equivalent NIST 800-53 controls, the displayed information will not provide direct compliance data, but it will at least give a sense of how the network complies with the security guidelines in the Security Policy.