CSF IDENTIFY.Asset Management (ID.AM)

Organizations today are taking a more active role in responding to cyber threats. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of objectives that allow an organization to build a comprehensive security plan to protect against security threats. This Assurance Report Card (ARC) aligns with the NIST Cybersecurity Framework category IDENTIFY.Asset Management (ID.AM), which provides accurate information on current assets on a network and aids in improving an organization’s asset management program.

As organizations grow, keeping track of systems, software, and services can be an impossible task for any analyst to manage. Networks can have hundreds or thousands of servers, workstations, laptops, and mobile assets across multiple locations. Having accurate asset information will allow the organization to control what assets are connected to the network and control what software is in use. Organizations that don’t know what’s installed or connected to their network will expose themselves to attacks, network breaches, fees for non-compliance, and more.  

This ARC assists the organization in improving its asset management program.  Systems on the network are identified using a combination of both active scans by Nessus, and passive scans by Nessus Network Monitor (NNM). NNM will detect hosts that are missed by active scans, such as hosts that connect occasionally or briefly to the network. Policy statements are included that report on systems that have been recently scanned, hosts that do not have a FQDN, and when software was last inventoried on hosts. Systems without a FQDN are not identified within DNS, which could indicate the presence of unknown or rogue devices. Systems with outdated, unsupported, or unauthorized software can leave an organization exposed to malicious attacks. Additional policy statements are included to measure organizational compliance for communication among internal hosts and hosts that accept external connections. Both internal and external communications on systems should be continuously monitored, as hosts may become an entry point for attackers to gain access to the network and move laterally through it. Scanning for use of cloud-based services can provide visibility into what services are being used by whom, to help ensure that data remains confidential.

The information provided in this ARC can assist in measuring the effectiveness of an organization's asset management program and identify whether the current policies that are being enforced are effective. Policy statements can be customized as needed to meet organizational requirements.

This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:

• Tenable.sc 5.2.0
• Nessus 8.5.1
• LCE 6.0.0
• NNM 5.9.0

Tenable's Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Nessus Network Monitor (NNM), as well as log correlation with Tenable's Log Correlation Engine (LCE). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network assets, connections, and services.

ARC Policy Statements:

At least 80% of actively and passively detected systems have been scanned in the last 14 days: This policy statement compares the number of systems that have been scanned in the last 14 days to total actively and passively detected systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems on the network are detected both passively by NNM and actively by Nessus. To ensure that every system is properly identified and evaluated, all systems should be actively scanned by Nessus regularly and often.

At least 80% of actively and passively detected systems have been categorized:  This policy statement compares the number of systems that have been categorized by operating system and type of device to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems on the network are detected both passively by NNM and actively by Nessus. Categories include Windows, Linux, and Mac hosts, firewalls, routers, switches, VPN devices, and mobile devices. Most of the systems on the network should fall into one of these categories. Any system that does not fall into one of the above categories should be further investigated. 

At least 70% of systems are registered in DNS: This policy statement compares the number of systems that have a Fully Qualified Domain Name (FQDN) in DNS to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red.  Systems on the network are detected both passively by NNM and actively by Nessus. Any detected device without a FQDN discovered in DNS could be an unknown or rogue device and should be further investigated. 

At least 70% of systems have had software inventoried within last 90 days: This policy statement compares the number of systems have been recently scanned with an appropriate software enumeration plugin to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. The software enumeration results are monitored to determine when software was last inventoried. Software enumeration is supported on Windows, Linux, Mac OS X, and Solaris. If software is not inventoried on a regular basis, an organization will not know if unauthorized or outdated software is in use on the network. Hosts with outdated, unpatched, or unauthorized software can expose an organization to malicious attacks.

Less than 5% of systems are running unsupported software: This policy statement compares the number of systems with unsupported software installed to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Software on a network that is no longer supported by the vendor can present serious security risks for an organization, as any software vulnerabilities will no longer be patched. This software may include outdated operating systems, applications, browsers, or other software. Unsupported software should be monitored regularly to determine whether the software should be updated or removed, or other compensating mitigations put in place.

Less than 10% of systems have other hosts connecting to them: This policy statement compares the number of systems that have other internal hosts connecting to them to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy monitors internal host connections on a network.  Within an organization, most hosts likely should be communicating though a small number of servers and not be talking directly to each other. Internal hosts should be monitored continuously to ensure that connections are authorized.

Less than 10% of systems accept external connections: This policy statement compares the number of systems that are accepting external connections to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy monitors external connections to internal hosts. While some systems require external connections for business purposes, unauthorized external connections could introduce security risks. External connections are defined as connections from IP addresses that are not included within the monitored network range configured in the Nessus Network Monitor (NNM). 

Systems are using only authorized cloud services (Salesforce, Netsuite, Webex): This policy statement compares the number of systems that are interacting with authorized Cloud services to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. The predefined authorized services are Salesforce, Netsuite, and Webex. Each organization should determine the cloud services that are authorized based on their own needs. Additional authorized cloud services can be added in this policy statement by adding appropriate plugins to the "Hosts Using Authorized Cloud Services" asset list. Use of unauthorized cloud services can put data at risk for exposure. Scanning for cloud-based services can identify potential security gaps by detecting what services are being used and by whom.