
CSF IDENTIFY.Risk Assessment (ID.RA)

by Megan Daudelin
February 26, 2016

Performing risk assessments is an integral part of implementing a network security plan. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of objectives that allow an organization to build a comprehensive security plan to protect against security threats. This Assurance Report Card (ARC) aligns with the NIST Cybersecurity Framework category IDENTIFY.Risk Assessment (ID.RA), which provides accurate information on the risk status of an organization’s network and identifies key areas of risk that need additional measures implemented.

No matter the size of an organization, measuring risk can be a daunting task. Risk assessments need to account for all the devices that connect to the network, which can include a great number and variety of devices. Having adequate scan policies, up-to-date software, and a consistent patch and remediation plan can help reduce the level of risk an organization is exposed to. Organizations that do not monitor their risk exposure could be leaving their network vulnerable to attack, intrusion, or infection.

This ARC assists organizations in improving their risk assessment efforts. Systems and vulnerabilities are identified using a combination of active scans by Nessus and passive scans by the Nessus Network Monitor (NNM). NNM can detect hosts that may be missed by active scans, such as hosts that are only connected to the network intermittently. Policy statements are included that report on systems that have been recently scanned, unpatched vulnerabilities with patches over 30 days old, and systems running unsupported software. Additional policy statements report on various types of systems with exploitable vulnerabilities and exploitable vulnerabilities that have been recast or marked as accepted risks. Unpatched vulnerabilities, unsupported software, and exploitable vulnerabilities can leave a network exposed to malicious activity. Ensuring that systems are scanned regularly is key to monitoring and remediating the vulnerabilities on systems within a network in order to mitigate risk.

This ARC provides a baseline for measuring the effectiveness of an organization's risk assessment efforts and shows whether the policies currently being enforced are actually working. Policy statements can be customized as needed to meet organizational requirements.

This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:

  • Tenable.sc 5.2.0
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.0

Tenable's Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Nessus Network Monitor (NNM), as well as log correlation with Tenable's Log Correlation Engine (LCE). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network assets, connections, and services.

ARC Policy Statements:

At least 80% of actively and passively detected systems have been scanned in the last 14 days: This policy statement compares the ratio of detected systems that have been scanned in the last 14 days to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems on the network are detected both passively by NNM and actively by Nessus. All systems should be actively scanned by Nessus to ensure that all systems are properly identified and evaluated.

Less than 5% of systems have unpatched vulnerabilities where the patch was published over 30 days ago: This policy statement compares the number of systems with unpatched vulnerabilities for which a patch was published more than 30 days ago to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Unpatched vulnerabilities leave systems exposed to exploitation and should be patched within 30 days of patch publication.

Less than 5% of systems are running unsupported software: This policy statement compares the number of systems running unsupported software to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement looks for unsupported software on a network, which can include outdated operating systems, applications, browsers, and other software. Unsupported software can be prone to vulnerabilities, which can present serious security risks for an organization. Some systems may not be capable of being patched due to lack of vendor support, end-of-life, or other business requirements. Unsupported software should be monitored regularly to determine whether software can and should be updated.

No systems have exploitable vulnerabilities: This policy statement compares the number of systems with exploitable vulnerabilities to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems with exploitable vulnerabilities can expose the network to increased risk of malicious activity and should be patched.

No Internet-facing systems have exploitable vulnerabilities: This policy statement compares the number of Internet-facing systems with exploitable vulnerabilities to total Internet-facing systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on Internet-facing systems leave the network exposed to malicious activity and should be remediated.

No systems with VPN access have exploitable vulnerabilities: This policy statement compares the number of systems with VPN access that have exploitable vulnerabilities to total systems with VPN access. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy monitors exploitable vulnerabilities on all systems that have VPN access. Exploitable vulnerabilities on systems with VPN access leave the network especially exposed to malicious activity and need to be remediated.

No mobile devices have exploitable vulnerabilities: This policy statement compares the number of voice and mobile devices with exploitable vulnerabilities to the total number of voice and mobile devices. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on mobile devices increase the network's potential exposure to malicious activity and should be remediated where possible.

No security devices have exploitable vulnerabilities: This policy statement compares the number of security devices with exploitable vulnerabilities to total security devices. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on security devices expose the network to a high level of risk and need to be remediated.

No web servers have exploitable vulnerabilities: This policy statement compares the number of web servers with exploitable vulnerabilities to total web servers. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on web servers expose the network to attack and should be remediated.

No systems with outbound external connections have exploitable vulnerabilities: This policy statement compares the number of systems with outbound external connections that have exploitable vulnerabilities to total systems with outbound external connections. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on systems with outbound external connections leave the network exposed to malicious activity and should be remediated.

No systems have exploitable vulnerabilities marked as accepted risks: This policy statement compares the number of systems with exploitable vulnerabilities marked as accepted risks to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities that have been marked as accepted risks can be overlooked sources of risk and should be reviewed carefully.

No systems have exploitable vulnerabilities recast to Info: This policy statement compares the number of systems with exploitable vulnerabilities recast to the Informational severity to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities that have been recast to Info can be overlooked sources of risk and should be reviewed carefully.
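As an added example (not Tenable's code, and not how Tenable.sc itself computes an ARC), the following Python evaluates the twelve policy statements above against a small constructed host inventory. The Host/Vuln record layout, the tag names standing in for Tenable.sc asset lists, the fixed "today" date, and the choice to let an empty population pass are all assumptions of this example; the thresholds (80%, 5%, zero) are taken from the statement text.

```python
"""Evaluate the ID.RA ARC policy statements against a constructed inventory.

Added example, not Tenable's code: the Host/Vuln layout, the tag names that
stand in for Tenable.sc asset lists and the fixed TODAY are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple

TODAY = date(2016, 2, 26)  # fixed "now" so the results are reproducible


@dataclass
class Vuln:
    plugin: str
    exploitable: bool = False
    patch_published: Optional[date] = None  # None: vendor has shipped no patch
    accepted_risk: bool = False             # marked "accepted risk" in the console
    recast_to_info: bool = False            # severity recast to Informational


@dataclass
class Host:
    ip: str
    last_scan: Optional[date]               # None: seen only passively (NNM)
    tags: Set[str] = field(default_factory=set)  # stand-ins for asset lists
    unsupported_software: bool = False
    vulns: List[Vuln] = field(default_factory=list)


def ratio(hosts: List[Host], pred: Callable[[Host], bool]) -> float:
    """Fraction of hosts matching pred. An empty population scores 0.0, so a
    'No X have ...' statement passes vacuously when its asset list is empty
    (an assumption here; confirm your asset lists are populated)."""
    return sum(1 for h in hosts if pred(h)) / len(hosts) if hosts else 0.0


def scanned_recently(h: Host, days: int = 14) -> bool:
    return h.last_scan is not None and (TODAY - h.last_scan).days <= days


def overdue_patch(h: Host, days: int = 30) -> bool:
    # Only vulns whose patch has existed for more than `days` count; vulns
    # with no patch at all belong to the unsupported-software statement.
    return any(v.patch_published is not None
               and (TODAY - v.patch_published).days > days for v in h.vulns)


def live_exploitable(h: Host) -> bool:
    """Exploitable findings still shown at normal severity. Accepted-risk and
    recast-to-Info findings drop out here, which is why the ARC carries
    separate statements that look for them."""
    return any(v.exploitable and not (v.accepted_risk or v.recast_to_info)
               for v in h.vulns)


def hidden_exploitable(attr: str) -> Callable[[Host], bool]:
    """Predicate for exploitable findings hidden by the given flag."""
    return lambda h: any(v.exploitable and getattr(v, attr) for v in h.vulns)


def evaluate(hosts: List[Host]) -> Dict[str, Tuple[float, bool]]:
    """Return {statement: (observed ratio, requirement met)}."""
    def tagged(tag: str) -> List[Host]:
        return [h for h in hosts if tag in h.tags]

    def at_least_80(r: float) -> bool: return r >= 0.80
    def under_5(r: float) -> bool: return r < 0.05
    def none(r: float) -> bool: return r == 0.0

    checks = [  # (name, population, predicate, requirement)
        ("scanned_last_14d", hosts, scanned_recently, at_least_80),
        ("patch_older_than_30d", hosts, overdue_patch, under_5),
        ("unsupported_software", hosts, lambda h: h.unsupported_software, under_5),
        ("exploitable_any", hosts, live_exploitable, none),
        ("exploitable_internet_facing", tagged("internet_facing"), live_exploitable, none),
        ("exploitable_vpn", tagged("vpn"), live_exploitable, none),
        ("exploitable_mobile", tagged("mobile"), live_exploitable, none),
        ("exploitable_security_device", tagged("security_device"), live_exploitable, none),
        ("exploitable_web_server", tagged("web_server"), live_exploitable, none),
        ("exploitable_outbound", tagged("outbound_external"), live_exploitable, none),
        ("exploitable_accepted_risk", hosts, hidden_exploitable("accepted_risk"), none),
        ("exploitable_recast_info", hosts, hidden_exploitable("recast_to_info"), none),
    ]
    results: Dict[str, Tuple[float, bool]] = {}
    for name, population, pred, requirement in checks:
        r = ratio(population, pred)
        results[name] = (r, requirement(r))
    return results


def sample_inventory() -> List[Host]:
    """Constructed ten-host inventory (not real data)."""
    def d(n: int) -> date: return TODAY - timedelta(days=n)
    hosts = [
        Host("10.0.0.1", d(3), {"web_server", "internet_facing"},
             vulns=[Vuln("plugin-A", exploitable=True, patch_published=d(60))]),
        Host("10.0.0.2", d(20), {"vpn"}),                 # scan is stale
        Host("10.0.0.3", None, {"mobile"}),               # passive detection only
        Host("10.0.0.4", d(1), unsupported_software=True,
             vulns=[Vuln("plugin-B", patch_published=None)]),
        Host("10.0.0.5", d(5), {"security_device"},
             vulns=[Vuln("plugin-C", exploitable=True, patch_published=d(10),
                         accepted_risk=True)]),
    ]
    hosts += [Host(f"10.0.0.{n}", d(n)) for n in range(6, 11)]  # clean hosts
    return hosts


if __name__ == "__main__":
    for name, (r, ok) in evaluate(sample_inventory()).items():
        print(f"{'GREEN' if ok else 'RED':5} {r:6.1%}  {name}")
```

Two things the sample is built to show: the accepted-risk finding on the security device makes "No security devices have exploitable vulnerabilities" go green while "No systems have exploitable vulnerabilities marked as accepted risks" goes red, which is the gap the last two statements exist to close; and the empty "outbound external" population passes vacuously, so a green result on a subset statement is only meaningful once you have confirmed the underlying asset list is actually populated.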
