Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

ISO/IEC27000: Vulnerability Management

by Cody Dumont
June 20, 2016

Not all vulnerability scans will obtain the most accurate results when detecting vulnerabilities, as many organizations have network devices that connect intermittently. Many of these transient devices can present additional security risks and no assurance of being fully patched or free from malware. This Assurance Report Card (ARC) will report on existing vulnerabilities across all active and passively detected devices, which can be used to measure and improve current vulnerability scanning and patch management efforts across the organization

Vulnerability scans often include large amounts of information on existing vulnerabilities, which can be difficult to prioritize. Information can include recommendations to disable unused services and user accounts, along with applying hotfixes and patching software. An effective vulnerability management strategy should also contain an effective asset management program. Together, this will allow organizations to obtain complete visibility into their current risk profile and ensure that vulnerabilities on all systems and devices are remediated in a timely manner. This ARC aligns with the vulnerability management controls of the ISO/IEC 27002 framework, which can be used to strengthen existing vulnerability management policies.

Many vulnerability scanning tools perform active scanning, which will only account for systems and devices that are currently connected to the network, and do not account for transient systems that connected to the network for a short amount of time. Using Tenable Passive Vulnerability Scanner (NNM), organizations will be able to fill the gap left by intermittent vulnerability scanning, and identify vulnerabilities on systems in real-time. Along with Tenable's Tenable.sc Continuous View (Tenable.sc CV), Tenable Nessus will actively scan the network for vulnerabilities, and provide an accurate snapshot of existing risks. Additionally, deploying Nessus Agents on systems will eliminate the need for scanning systems with credentials. Having a complete picture into existing vulnerabilities on the network will enable organizations to detect and respond faster to potential threats before critical systems are impacted.

Information presented within this ARC will report on how often systems are being scanned for vulnerabilities. Several policies will detect exploitable vulnerabilities across Windows, Linux, and Mac OS X systems. Attackers frequently target and exploit unpatched software to gain access and compromised internal systems. Organizations should take appropriate measures to patch exploitable vulnerabilities immediately. Additional policy statements focus on vulnerabilities that have been detected on scanned systems and mobile devices. Any delay in patching vulnerabilities could provide attackers the opportunity to exploit vulnerabilities, gain control over critical systems, and obtain access to confidential data.

This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:

  • Tenable.sc 5.3.2
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.0

Tenable's Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable Log Correlation Engine (LCE) performs automatic discovery of users, infrastructure, and vulnerabilities across more technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure. Tenable Nesuss Network Monitor (NNM) provides deep packet inspection to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities. Tenable Nessus is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. Tenable.sc  CV, which includes Nessus, LCE, and NNM, scales to meet future demand of monitoring virtualized systems, cloud services, and the proliferation of devices.

ARC Policy Statements:

At least 90% of Windows, Mac OS X, and Linux/UNIX detected systems have been scanned in the past seven days: This policy statement displays the number of Windows, Mac OS X, and Linux/UNIX systems that have been detected within the past seven days to the total number of Windows, Mac OS X, and Linux/UNIX systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement will alert organizations to any new or existing systems that have been detected passively by NNM and actively by Nessus. Organizations should scan the network on a continual basis to ensure that every system is properly identified and evaluated.

Less than 25% of systems scanned have critical and high severity vulnerabilities: This policy statement displays the number of systems that have critical and high severity vulnerabilities to total number of systems with vulnerabilities. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Information within this policy statement includes detected vulnerabilities by critical, high, and medium severity levels. Continuous vulnerability scanning can help an organization identify weaknesses throughout the enterprise. Information provided within this policy statement can help organizations identify and reduce the number of vulnerabilities on the network.

Less than 5% of systems have unpatched vulnerabilities where a patch was published over 30 days ago: This policy statement displays the number of systems with unpatched vulnerabilities with a patch published over 30 days ago to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Unpatched vulnerabilities leave systems exposed to exploitation and should be patched as soon as possible.

No scanned mobile devices have vulnerabilities: This policy statement displays the number of systems with scanned mobile devices with vulnerabilities to the total number of scanned mobile devices. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Scanned mobile devices detected within this policy statement are considered unmanaged/non-MDM mobile devices. Unmanaged mobile devices often remain unpatched for long periods of time, and can present serious security risks for an organization. Organizations should monitor all scanned mobile devices to ensure that the device is authorized and up-to-date.

Less than 5% of systems are running unsupported software with exploitable vulnerabilities: This policy statement displays the number of systems running unsupported software with exploitable vulnerabilities to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on unsupported software can expose the network to malware, malicious users, and attacks. Information provided within this policy can be used to quickly target and remediate exploitable vulnerabilities.

Less than 10% of Windows systems have exploitable vulnerabilities: This policy statement displays the number of Windows systems with exploitable vulnerabilities to total Windows systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Windows is the most widely used operating systems within organizations and is frequently targeted by attackers. Exploitable vulnerabilities on Windows systems can expose the network to malicious code, intruders, and attacks. Information provided within this policy can be used to quickly target and remediate exploitable vulnerabilities.

Less than 10% of Linux systems have exploitable vulnerabilities: This policy statement displays the number of Linux-based systems with exploitable vulnerabilities to total Linux systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. The majority of Linux distributions are considered relatively secure. However, Linux systems are not immune from exploitable vulnerabilities or attacks. Exploitable vulnerabilities on Linux-based systems can expose the network to malicious software, intruders, and attacks. Information provided within this policy can be used to quickly target and remediate exploitable vulnerabilities.

Less than 10% of Mac OS X systems have exploitable vulnerabilities: This policy statement displays the number of Mac OS X systems with exploitable vulnerabilities to total Mac OS X systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Although Mac OS X is a relatively secure operating system, it is not immune from exploitable vulnerabilities or attacks. Exploitable vulnerabilities on Mac OS X systems can expose the network to malicious software, intruders, and attacks. Information provided within this policy can be used to quickly target and remediate exploitable vulnerabilities.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training