Comments (6)
Question for Controls Team:
- Is this subcontrol necessary?
- It's basically saying, don't use unauthenticated scans, and it seems pretty difficult to accurately measure, because it requires detailed knowledge of a given vulnerability scanning solution's architecture. Until vulnerability scanning tools make that information known, it seems difficult to pull off.
- Why are we asking for this subcontrol to be met? We need to answer this to understand the desired outcome.
from cis-controls-71-measures.
Initially, the UNCC proposal was a boolean, authenticated or not. They said you can't get this data from netflow; instead you'd need a snort rule to grab a field from the traffic to confirm that authentication took place.
There was also discussion centering around - if a vuln scanner is certified as SCAP-compliant as measured in 3.1, whether you can get much of 3.2 for free by virtue of using the certified scanner (CIS-CAT Assessor example: using Assessor logs here). While UNCC understandably doesn't want to "trust the tool", there was discussion of whether you are really trusting the certification process here, not just the tool itself.
from cis-controls-71-measures.
I'll add a note that I just thought of in reference to SCAP compliance. The current active SCAP validation program (1.2 or 1.3) only validates for an "authenticated configuration scanner", and allows the addition of the "CVE option" in the validation.
Does that suffice for this subcontrol? If a tool is an "authenticated configuration scanner with CVE option" does that meet the measure for this?
from cis-controls-71-measures.
NOTE: This seems to require three things: 1) the list of scanning tools, 2) knowledge of which of those tools are authenticated scanners, and 3) verification that they're being used (i.e. scans have been run). Also note that UNCC's measures are centered on inspecting network traffic to determine whether a scanner is authenticated.
Inputs:
- List of deployed vulnerability scanning tools
- List of authenticated vulnerability scanners
- Time threshold for last use of vulnerability scanner
Operations:
- For each deployed vulnerability scanner, check whether it is in the list of authenticated vulnerability scanners
- For each deployed vulnerability scanner, verify that it has been used within time threshold
Measures:
- M1 - Number of deployed vulnerability scanning tools
- M2 - Count of unauthenticated vulnerability scanning tools
- M3 - Count of authenticated vulnerability scanning tools
- M4 - Count of vulnerability scanning tools recently used
Metrics:
- (M1 - M3) / M1 - percentage of authenticated vulnerability scanning tools (100% is desired)
- (M1 - M4) / M1 - percentage of vulnerability scanning tools recently used
from cis-controls-71-measures.
Mapping component:
- For each auth vuln scanner
- Enumerate endpoints covered
- Check config for auth scanning on each endpoint
Goal: Get a coverage metric out of the above.
from cis-controls-71-measures.
NOTE: This seems to require three things: 1) the list of scanning tools, 2) knowledge of which of those tools are authenticated scanners, and 3) verification that they're being used (i.e. scans have been run). Also note that UNCC's measures are centered on inspecting network traffic to determine whether a scanner is authenticated.
Inputs:
- List of deployed vulnerability scanning tools
- List of authenticated vulnerability scanners
- Time threshold for last use of vulnerability scanner
Operations:
- For each deployed vulnerability scanner, check whether it is in the list of authenticated vulnerability scanners
- For each deployed vulnerability scanner, verify that it has been used within time threshold
- For each authorized vulnerability scanner
- Enumerate endpoints covered
- Check configuration for authenticated scanning on each endpoint
- Aggregate number of endpoints covered (becomes M5)
- Aggregate correct configuration (becomes M6)
Measures:
- M1 - Number of deployed vulnerability scanning tools
- M2 - Count of unauthenticated vulnerability scanning tools
- M3 - Count of authenticated vulnerability scanning tools
- M4 - Count of vulnerability scanning tools recently used
- M5 - Count of endpoints covered by authenticated vulnerability scanners
- M6 - Count of endpoints scanned in an authenticated manner
Metrics:
- (M1 - M3) / M1 - percentage of authenticated vulnerability scanning tools (100% is desired)
- (M1 - M4) / M1 - percentage of vulnerability scanning tools recently used
- M6 / M5 = Authenticated scanning coverage
from cis-controls-71-measures.
Related Issues (20)
- Subcontrol 20.7 HOT 1
- Subcontrol 20.8 HOT 2
- Subcontrol 5.4 HOT 3
- Subcontrol 12.10 HOT 1
- Review measures for sub-control dependencies HOT 3
- Consider identifying all input variables for global reuse HOT 3
- Superfluous, but useful information HOT 2
- Add Field to Indicate if Sub-Control is Automated HOT 1
- Verify that Recommended Numbers are Provided for IG1 Proposals
- Guiding Principles
- Ensure metrics are presented in postive frame
- Ensure non-compliant lists are included in each set of measures
- Ensure measures are well-defined
- Notation update
- Consider adding front matter to describe structure and philosophy HOT 1
- Define CAS Versioning HOT 1
- Add CC By-NC-SA 4.0 License to Document HOT 2
- Define GH branching strategy for releases HOT 1
- Remove "STATUS" Section HOT 1
- Disable PDF Export HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cis-controls-71-measures.