
CNBV – Unsupported Product Summary

by Cesar Navas
July 9, 2020


The National Banking and Securities Commission (CNBV) Annex 72 is a collection of Key Risk Indicators (KRIs) that establish compliance standards for financial institutions operating in Mexico. Financial institutions in Mexico should be prepared to report cyber risk KRIs to CNBV on request. The KRIs relating to obsolete or outdated system versions are grouped by asset function, for example servers, workstations, network devices, and other asset types. Within each of these asset categories there are KRIs that require that only supported and maintained software be installed on systems. This dashboard relates to the following KRIs: KRI0008, KRI0018, KRI0024, KRI0026, and KRI0027.


The proliferation of unsupported and end-of-life products is a common security problem across all institutions. Risk managers work closely with IT managers to minimize that risk using managed software deployment systems. As applications and operating systems reach their end of life (EOL), vendors stop offering support: patches, updates and security fixes are no longer released, so security and stability degrade and the exposure grows the longer the product stays in service. Identifying systems running EOL products is therefore an important part of assessing and minimizing organizational risk. In compliance with CNBV's Annex 72, financial institutions are required to keep track of whether infrastructure equipment (KRI0008), workstations (KRI0018), servers (KRI0024), databases (KRI0026), and applications (KRI0028) are out of date.

Tenable.sc uses active and passive detection methods to identify unsupported (end-of-life) products in the environment. Passive detection monitors user-agent strings, service banners, and other clues in network communications that indicate the software installed on an asset; it is unobtrusive, but it can only see what the asset exposes on the wire. Active detection is more exact: a credentialed scan inspects the Windows registry and common software installation locations, or queries package-manager utilities such as yum or apt on Linux systems, so it requires valid scan credentials for the target hosts. Using all of the available methods, the risk manager is able to verify the operations team's activities and identify areas for risk mitigation.

This dashboard is available in the Tenable.sc feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be found in the Tenable.sc feed under the Executive category. The dashboard requirements are as follows:


  • Tenable.sc 5.14.1    
  • Nessus 8.10.1


This dashboard provides the organization with a clear and simplified method to identify and establish compliance with CNBV Annex 72. The data can be analyzed to provide more detail on non-compliant areas, which facilitates the Fix and Measure steps of the Cyber Exposure Lifecycle. Tenable.sc is the on-premises solution for understanding the picture of the network while keeping the data under the organization's control. Built on Nessus technology, Tenable.sc discovers unknown assets and vulnerabilities, and monitors unexpected network changes before they turn into breaches.

Components

Unsupported Product Summary - Operating Systems: This indicator matrix reports on operating systems that are no longer supported. The matrix displays popular operating systems but is easily modified to fit organizational requirements. Plugin ID 33850, with vulnerability text filters that match the appropriate operating system name in the plugin output, alerts on Unix-based operating systems that are no longer supported. Keyword filters, along with a CPE string for Microsoft, are used to alert on end-of-life Microsoft operating systems; an indicator turns purple when a matching asset is present.

Unsupported Product Summary - Software by Severity: This pie chart presents a graphical breakdown, by severity, of the unsupported applications and operating systems found in the environment.

Unsupported Product Summary - Applications by Type and Percentage: This matrix displays the percentage of unsupported applications and operating systems by plugin family, such as database servers, web servers, Windows, or other operating systems. In this component, the base query uses the plugin family; the percentage is then calculated from the subset of that family's results whose plugin name contains the keyword "Unsupported". The matrix helps illustrate the share of unsupported or end-of-life applications within the organization.

Unsupported Product Summary - Microsoft OS: This table displays all unsupported Microsoft operating systems. Displayed are the IP address, NetBIOS name, DNS name, MAC address, and repository of the offending device. This component identifies unsupported Microsoft operating systems with the "unsupported" filter against the plugin name combined with the base CPE string for Microsoft operating systems, and presents the results via the IP Summary tool.

Unsupported Product Summary - Applications: The table displays unsupported applications by name, sorted by severity. Displayed are the plugin ID, application name, plugin family, severity, and the total host count. This component uses the keyword "unsupported" in the plugin name field. Additionally, the table filters on severity, dropping informational results, and presents them via the Vulnerability Summary tool.

Unsupported Product Summary - *nix OS: This table displays all unsupported Unix-based operating systems. Displayed are the IP address, NetBIOS name, DNS name, MAC address, and repository of the offending device. This component identifies unsupported *nix operating systems with Nessus plugin 33850 (Unix Operating System Unsupported Version Detection) and presents them via the IP Summary tool.

CNBV - Unsupported Databases: This table shows unsupported databases that have been detected. The component uses the plugin name and plugin family filters to select the plugins that report an unsupported database. The selected display columns show the plugin ID, plugin name, severity, count and, if applicable, the plugin's Vulnerability Priority Rating (VPR).
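To make the filter logic of the components above concrete, the following Python is an added example, not Tenable's code and not part of the original dashboard. It applies the same filters the components use (the "unsupported" keyword on the plugin name, the plugin family base query, the severity cut that drops informational results, plugin 33850 for Unix hosts, and a Microsoft CPE prefix) to a constructed set of findings. The host table, the field names, every plugin ID other than 33850, and the base CPE prefix cpe:/o:microsoft:windows are assumptions made for illustration; against a live Tenable.sc the same columns would come from its vulnerability analysis export.

```python
"""Reproduce the Unsupported Product Summary filters on constructed findings.

Added example: the data below is illustrative, not real scan output. Plugin IDs
other than 33850 are placeholders, and the Microsoft CPE prefix is an assumption.
"""
from collections import defaultdict

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
UNIX_EOL_PLUGIN = "33850"                      # plugin named by the dashboard
MICROSOFT_OS_CPE = "cpe:/o:microsoft:windows"  # assumed base CPE prefix for the Microsoft OS filter

# Constructed asset attributes, keyed by IP (the columns the IP Summary tables show).
HOSTS = {
    "10.0.0.5": dict(netbiosName="CORP\\WS05", dnsName="ws05.corp.example",
                     macAddress="00:11:22:33:44:05", repository="Workstations"),
    "10.0.0.6": dict(netbiosName="CORP\\WS06", dnsName="ws06.corp.example",
                     macAddress="00:11:22:33:44:06", repository="Workstations"),
    "10.0.1.10": dict(netbiosName="", dnsName="app10.corp.example",
                      macAddress="00:11:22:33:55:10", repository="Servers"),
    "10.0.2.20": dict(netbiosName="", dnsName="db20.corp.example",
                      macAddress="00:11:22:33:66:20", repository="Servers"),
    "10.0.3.30": dict(netbiosName="", dnsName="web30.corp.example",
                      macAddress="00:11:22:33:77:30", repository="DMZ"),
}


def finding(ip, plugin_id, name, family, severity, cpe="", vpr=None):
    """One row of a flat vulnerability export (constructed shape)."""
    return dict(ip=ip, pluginID=plugin_id, pluginName=name, family=family,
                severity=severity, cpe=cpe, vpr=vpr)


# Constructed findings; placeholder plugin IDs start with 9000.
FINDINGS = [
    finding("10.0.0.5", "900001", "Microsoft Windows Unsupported Version Detection",
            "Windows", "Critical", "cpe:/o:microsoft:windows_7"),
    finding("10.0.0.6", "900001", "Microsoft Windows Unsupported Version Detection",
            "Windows", "Critical", "cpe:/o:microsoft:windows_7"),
    finding("10.0.0.5", "900002", "SMB Signing Not Required", "Windows", "Medium",
            "cpe:/o:microsoft:windows_7"),
    finding("10.0.1.10", "33850", "Unix Operating System Unsupported Version Detection",
            "General", "Critical", "cpe:/o:centos:centos:6"),
    finding("10.0.2.20", "900003", "MySQL Unsupported Version Detection", "Databases",
            "High", "cpe:/a:oracle:mysql:5.5", vpr=6.7),
    finding("10.0.2.20", "900004", "MySQL Server Detection", "Databases", "Info",
            "cpe:/a:oracle:mysql:5.5"),
    # Informational "unsupported" hit: counted by the percentage matrix, dropped by the table.
    finding("10.0.3.30", "900005", "Apache HTTP Server Unsupported Version (banner)",
            "Web Servers", "Info", "cpe:/a:apache:http_server:2.2"),
    finding("10.0.3.30", "900006", "HTTP TRACE Method Enabled", "Web Servers", "Low"),
]


def is_unsupported(f):
    """Keyword filter shared by most components: 'unsupported' anywhere in the plugin name."""
    return "unsupported" in f["pluginName"].lower()


def percentage_by_family(findings):
    """Applications by Type and Percentage: per plugin family (base query), the share of
    results whose plugin name matches the keyword. Severity is not considered here."""
    total, eol = defaultdict(int), defaultdict(int)
    for f in findings:
        total[f["family"]] += 1
        if is_unsupported(f):
            eol[f["family"]] += 1
    return {fam: round(100.0 * eol[fam] / total[fam], 1) for fam in total}


def unsupported_applications(findings):
    """Applications table (Vulnerability Summary): keyword match, informational results
    dropped, one row per plugin with a distinct host count, highest severity first."""
    rows = {}
    for f in findings:
        if not is_unsupported(f) or f["severity"] == "Info":
            continue
        row = rows.setdefault(f["pluginID"], dict(pluginID=f["pluginID"], pluginName=f["pluginName"],
                                                  family=f["family"], severity=f["severity"], hosts=set()))
        row["hosts"].add(f["ip"])
    out = [dict(r, hosts=len(r["hosts"])) for r in rows.values()]
    out.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], -r["hosts"], r["pluginID"]))
    return out


def ip_summary(findings, predicate):
    """IP Summary tool: one row per distinct host among the findings matching predicate."""
    hosts = {}
    for f in findings:
        if predicate(f):
            hosts.setdefault(f["ip"], dict(ip=f["ip"], **HOSTS.get(f["ip"], {})))
    return sorted(hosts.values(), key=lambda h: h["ip"])


def microsoft_os_hosts(findings):
    """Microsoft OS table: keyword filter combined with the Microsoft OS CPE prefix."""
    return ip_summary(findings, lambda f: is_unsupported(f) and f["cpe"].startswith(MICROSOFT_OS_CPE))


def unix_os_hosts(findings):
    """*nix OS table: every host on which plugin 33850 fired."""
    return ip_summary(findings, lambda f: f["pluginID"] == UNIX_EOL_PLUGIN)


def unsupported_databases(findings):
    """Unsupported Databases table: plugin family plus keyword, one row per plugin with
    result count and VPR where the plugin carries one."""
    rows = {}
    for f in findings:
        if f["family"] != "Databases" or not is_unsupported(f):
            continue
        row = rows.setdefault(f["pluginID"], dict(pluginID=f["pluginID"], pluginName=f["pluginName"],
                                                  severity=f["severity"], count=0, vpr=f["vpr"]))
        row["count"] += 1
    return sorted(rows.values(), key=lambda r: -SEVERITY_RANK[r["severity"]])


if __name__ == "__main__":
    print("percentage by family:", percentage_by_family(FINDINGS))
    print("applications:", unsupported_applications(FINDINGS))
    print("microsoft os hosts:", microsoft_os_hosts(FINDINGS))
    print("*nix os hosts:", unix_os_hosts(FINDINGS))
    print("databases:", unsupported_databases(FINDINGS))
```

The informational Apache row shows why the two keyword-driven components disagree: it raises the Web Servers percentage in the matrix but never reaches the Applications table, so a family can show a non-zero unsupported share with no corresponding table row. The Microsoft OS and *nix OS tables also key on different things (a CPE prefix versus one plugin ID), which is why a host can appear in the Applications table under plugin 33850 yet never in the Microsoft table.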
