ISO/IEC27000: Vulnerability Management

As most organizations perform vulnerability scanning and patching, some perform these tasks intermittently to avoid disruption of critical services. Without knowing which systems are vulnerable, and who has access to network resources, organizations can face significant disruptions and catastrophic damage. This report will help organizations gain valuable insight into existing vulnerabilities, which can aid in strengthening vulnerability management procedures.

The ISO/IEC 27002:2013 provides a framework that can be used to develop and enhance information security policies for any organization. Each security control and objective provided within the standard can be tailored to specific business and regulatory objectives, and assist with maintaining overall compliance. This report aligns with the ISO/IEC 27002 12.6.1 control, which can assist organizations with vulnerability scanning and monitoring patch management efforts across the enterprise.

Organizations can easily lose visibility and control over network endpoints when vulnerability scanning and patching falls behind. Without knowing how systems could be attacked or exploited, organizations may fail to respond to threats in a timely manner.  The Center for Internet Security (CIS) released the CIS Critical Security Controls framework, which includes a control on Continuous Vulnerability Assessment and Remediation. This control recommends performing vulnerability scanning on a weekly or more frequent basis. Organizations can then perform proper risk assessments, which can help to identify the potential impact of existing vulnerabilities. Analysts can use this information to correlate attacks with existing vulnerability scans and apply patches to the most vulnerable hosts first.

Information provided in this report will present the latest details on existing vulnerabilities. This report utilizes Nessus and the Nessus Network Monitor (NNM), which will monitor the network for both actively and passively detected vulnerabilities. Each chapter includes targeted information that analysts can use to identify and remediate high-risk vulnerabilities. Hosts with exploitable vulnerabilities are also included, as exploits can allow for an attacker to gain unauthorized access to a system through a system flaw or weakness. Organizations will also be able to obtain information on the top vulnerabilities by severity, which will help analysts in remediating vulnerabilities that pose the greatest risk. Any gaps in vulnerability scanning will increase the potential for data leakage, malware infections, and targeted attacks that can affect an organization’s bottom line. Implementing a continuous monitoring approach is the best solution for any organization to improve overall security and health of a network.

This report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The report requirements are:

• Tenable.sc 5.3.2
• Nessus 8.5.1
• NNM 5.9.1

Tenable.sc Continuous View (CV) is the market-defining continuous network monitoring platform. The Log Correlation Engine (LCE) performs automatic discovery of users, infrastructure, and vulnerabilities across more technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure. The Nessus Network Monitor (NNM) provides deep packet inspection to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities. Nessus is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. Tenable.sc CV, which includes Nessus, LCE and NNM, scales to meet future demand of monitoring virtualized systems, cloud services, and the proliferation of devices.

The report contains the following chapters:

• Executive Summary: The Executive Summary chapter presents information on the most vulnerable hosts on a network. Analysts will find the information presented in this chapter beneficial in prioritizing and remediating the most severe vulnerabilities. Organizations can monitor patch management and remediation efforts. This report aligns with the ISO/IEC 27002 12.6.1 control, which can assist organizations with vulnerability scanning and monitoring patch management efforts across the enterprise.
• Vulnerability Summary: This chapter presents an overview of vulnerabilities detected across various operating systems. Elements in this chapter include vulnerabilities from Windows, Linux, Mac OS X, and mobile device management (MDM) solutions. Each table will provide targeted information that organizations can use to report on patch management efforts, and where efforts need to be focused.
• Detections By Severity: This chapter displays detections by count and severity. The matrix severity table quickly assists the analyst to determine the counts of detections by severity and exploitability. Each element will report on the latest vulnerability information by severity level. Additional details are provided via a Vulnerability Summary - IP Detail, filtered on the detection plugins and the respective severity level. Only the top 10 detections with severity levels of Low, Medium, High, and Critical are reported in the respective tables.
• Critical Vulnerability Summary: This chapter provides a comprehensive summary at the top critical vulnerabilities that have been detected on a network. Elements within this chapter include a bar chart of the top 20 systems, a table of top 10 systems with system details, a port summary, and the top critical vulnerabilities. Each system presented in this chapter is considered high-risk, and should be patched as soon as possible.
• Exploitable Vulnerability Summary: This chapter provides a comprehensive summary of the top exploitable vulnerabilities that have been detected on a network. Elements within this chapter include a bar chart of the top 20 systems, a table of top 10 systems with system details, a port summary, and the top exploitable vulnerabilities. Each system presented in this chapter is considered high-risk, and should be patched as soon as possible.
• Mitigation Summary: The Mitigation Summary chapter presents a list of vulnerabilities that have been mitigated within the last 30 days. The top mitigated vulnerabilities table will provide additional information on what type of vulnerabilities and systems are being patched. Organizations can use this chapter to gain insight into how often systems are being patched, and where remediation efforts need to be focused.