
ISO/IEC 27000: Boundary Defense

by Megan Daudelin
June 20, 2016

Boundary devices provide an organization's first line of defense against outside threats. Most organizations establish boundary defenses with firewalls, proxy servers, and border routers; however, a single misconfigured device can open the door to a security or data breach. This Assurance Report Card (ARC) can assist organizations in managing remote access, protecting network segments, and ensuring the confidentiality and integrity of data.

One of the most effective ways to protect a network is to deploy a multi-layered security strategy, so that if one device fails, the organization remains protected. However, misconfigurations or vulnerabilities on boundary devices can still leave a network exposed to malicious attacks. This ARC aligns with the network and segregation controls of the ISO/IEC 27002 framework and helps organizations detect network intrusions and other suspicious activity on boundary devices.

Many organizations focus on deploying traditional boundary defense solutions such as firewalls, IDS/IPS, DLP, and anti-virus. With the growth in advanced persistent threats (APTs) and other targeted attacks, security teams are finding that these traditional methods are no longer sufficient on their own. By continuously monitoring the network, organizations gain the targeted information needed to respond to, defend against, and recover from an incident.

The policy statements included within the ARC can assist an organization in strengthening network boundary controls. Systems are scanned to detect whether hosts are protected by a firewall policy; any system not protected by a firewall should be investigated immediately to determine why. Additionally, systems are scanned to ensure that anti-virus software is active and up-to-date. Several policy statements report on detected intrusions or other suspicious activity. Events can include internal and external botnet communications, as well as logins from unusual sources on remote access devices and services. The information provided within this ARC helps organizations identify points of entry and prevent future attacks.

This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:

  • Tenable.sc 5.3.1
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.0

Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Tenable Nessus and passive vulnerability detection with Tenable Nessus Network Monitor (NNM), as well as log correlation with Tenable Log Correlation Engine (LCE). Tenable.sc CV can help an organization continuously monitor and measure the effectiveness of security controls. Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network security posture.

ARC Policy Statements:

At least 90% of systems are protected by a firewall policy: This policy statement displays the ratio of systems protected by a firewall policy to the total number of systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Firewall policies may be applied to workstations, servers, and other devices, and can filter both inbound and outbound traffic. When properly configured, firewalls improve network security and reduce risk to network devices by filtering access to ports and services. Systems that are not covered by a firewall policy are exposed to malicious processes or attacks and should be investigated immediately by the organization.

At least 90% of Windows and Mac OS X systems have active and up-to-date anti-virus protection: This policy statement displays the ratio of Windows and Mac OS X systems with active and up-to-date anti-virus protection to the total number of Windows and Mac OS X systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. All such systems should have active and up-to-date anti-virus software installed to protect against malware infections. Organizations can use this information to identify and resolve anti-virus software issues on systems.

Less than 5% of systems are reporting intrusion activity: This policy statement displays the ratio of systems with potential intrusion activity to the total number of systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Intrusion events include password guessing, IDS events, and network sweeps, among other things. Intrusion events can indicate ongoing attacks or hosts that have already been compromised. Organizations should investigate intrusion events to determine the scope, impact, and actions needed for remediation.

Less than 15% of systems have detected suspicious network activity: This policy statement displays the number of systems with large network anomalies. The inbound, outbound, and internal connections are tracked by the statistics daemon. Client and server connections are also monitored. Any large anomalies in network traffic events will be reflected within this policy statement. Events may indicate new types of software installations, patching, or instances of malicious activity on the network. Organizations should investigate any suspicious network activity to determine the impact and response needed.

No systems have been detected interacting with known botnets: This policy statement displays the ratio of systems detected interacting with known botnets to the total number of systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Tenable.sc receives a daily update of IP addresses and domains that participate in known botnets. Using this information, systems on the network that interact with known botnets can be detected. Any system interacting with a known botnet should be investigated immediately by the organization to minimize security risk.

No unusual VPN activity has been detected: This policy statement displays the ratio of systems with unusual VPN activity to the total number of systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement uses the LCE event "VPN_Login_From_Unusual_Source". The event triggers when a VPN login originates from a source IP address that is not part of the address space normally seen for that login user ID. Systems reporting unusual VPN activity should be investigated immediately by the organization, as this can indicate unauthorized activity.

No unusual Remote Desktop activity has been detected: This policy statement displays the ratio of systems with unusual Remote Desktop (RDP) activity to the total number of systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement uses the Inbound and Outbound RDP Threatlist session events, which can indicate potential intrusion events, interactions with known bad IP addresses, and long-running sessions. Organizations should monitor all RDP sessions to prevent unauthorized activity.

No unusual SSH activity has been detected: This policy statement displays the ratio of systems with unusual SSH activity to the total number of systems detected on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement uses the Inbound and Outbound SSH Threatlist session events, which can report on potential attacks and malicious activity. Any system reporting unusual SSH activity should be investigated further to determine the scope and cause.
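To make the policy statements above concrete, here is an added Python example (not Tenable.sc, LCE or NNM code, and not from the original post) that evaluates five of them over a constructed host inventory and event list: firewall coverage, anti-virus status on Windows and Mac OS X hosts, intrusion activity, connections to a threat list of botnet addresses, and the VPN_Login_From_Unusual_Source idea, modeled here as a per-user baseline of normal source networks. The host names, addresses, events, thresholds table and function names are assumptions made for the example; the ratios and green/red outcomes follow the statement definitions given above.

```python
"""Evaluate ARC-style boundary-defense policy statements over constructed data.

Everything below (hosts, events, threat list, VPN baselines) is made up for
this example; none of it is Tenable.sc, LCE or NNM output or code.
"""
from ipaddress import ip_address, ip_network

# Constructed host inventory. av_* is None for platforms the anti-virus
# statement does not cover (it scopes only Windows and Mac OS X systems).
HOSTS = {
    "ws01":  {"os": "windows", "firewall": True,  "av_active": True,  "av_current": True},
    "ws02":  {"os": "windows", "firewall": True,  "av_active": True,  "av_current": False},
    "ws03":  {"os": "windows", "firewall": True,  "av_active": True,  "av_current": True},
    "mac01": {"os": "macos",   "firewall": True,  "av_active": True,  "av_current": True},
    "srv01": {"os": "linux",   "firewall": True,  "av_active": None,  "av_current": None},
    "srv02": {"os": "linux",   "firewall": False, "av_active": None,  "av_current": None},
    "srv03": {"os": "linux",   "firewall": True,  "av_active": None,  "av_current": None},
    "vpn01": {"os": "linux",   "firewall": True,  "av_active": None,  "av_current": None},
    "rtr01": {"os": "ios",     "firewall": True,  "av_active": None,  "av_current": None},
    "fw01":  {"os": "panos",   "firewall": True,  "av_active": None,  "av_current": None},
}

# Constructed "daily" threat list (a documentation range, not a real botnet)
# and the source networks each VPN user ID is normally seen logging in from.
BOTNET_THREATLIST = [ip_network("203.0.113.0/24")]
VPN_BASELINE = {
    "alice": [ip_network("198.51.100.0/24")],
    "bob":   [ip_network("192.0.2.0/24")],
}

# Constructed event records: (host, event_type, details).
EVENTS = [
    ("ws02",  "intrusion",  {"kind": "password_guessing"}),
    ("srv01", "connection", {"dst": "203.0.113.7", "dport": 6667}),
    ("srv03", "connection", {"dst": "198.51.100.9", "dport": 443}),
    ("vpn01", "vpn_login",  {"user": "alice", "src": "198.51.100.22"}),
    ("vpn01", "vpn_login",  {"user": "bob",   "src": "203.0.113.40"}),
]


def in_any(ip, networks):
    """True if the address falls inside any of the given networks."""
    return any(ip_address(ip) in net for net in networks)

def all_hosts():
    return set(HOSTS)

def hosts_with_firewall():
    return {h for h, a in HOSTS.items() if a["firewall"]}

def av_scope():
    """Hosts the anti-virus statement applies to: Windows and Mac OS X only."""
    return {h for h, a in HOSTS.items() if a["os"] in ("windows", "macos")}

def hosts_with_current_av():
    return {h for h in av_scope() if HOSTS[h]["av_active"] and HOSTS[h]["av_current"]}

def hosts_with_intrusion():
    return {h for h, kind, _ in EVENTS if kind == "intrusion"}

def hosts_talking_to_botnets():
    """Hosts with a connection whose destination is on the threat list."""
    return {h for h, kind, d in EVENTS
            if kind == "connection" and in_any(d["dst"], BOTNET_THREATLIST)}

def unusual_vpn_logins():
    """(host, user, src) for VPN logins outside the user's baseline networks.

    A login is unusual when its source is not in the address space normally
    seen for that user ID; a user with no baseline is treated as unusual.
    """
    return [(h, d["user"], d["src"]) for h, kind, d in EVENTS
            if kind == "vpn_login"
            and not in_any(d["src"], VPN_BASELINE.get(d["user"], []))]

def pct(part, whole):
    return 100.0 * len(part) / len(whole) if whole else 0.0

# (id, statement text, numerator hosts, denominator hosts, pass test on percent)
POLICY = [
    ("firewall", "At least 90% of systems are protected by a firewall policy",
     hosts_with_firewall, all_hosts, lambda p: p >= 90),
    ("antivirus", "At least 90% of Windows and Mac OS X systems have current anti-virus",
     hosts_with_current_av, av_scope, lambda p: p >= 90),
    ("intrusion", "Less than 5% of systems are reporting intrusion activity",
     hosts_with_intrusion, all_hosts, lambda p: p < 5),
    ("botnet", "No systems have been detected interacting with known botnets",
     hosts_talking_to_botnets, all_hosts, lambda p: p == 0),
    ("vpn", "No unusual VPN activity has been detected",
     lambda: {h for h, _, _ in unusual_vpn_logins()}, all_hosts, lambda p: p == 0),
]

def evaluate():
    """Return {id: (percent, 'green' or 'red', sorted hosts counted)} per statement."""
    results = {}
    for sid, _text, numerator, denominator, passes in POLICY:
        counted = numerator()
        p = round(pct(counted, denominator()), 1)
        results[sid] = (p, "green" if passes(p) else "red", sorted(counted))
    return results

if __name__ == "__main__":
    report = evaluate()
    for sid, text, *_ in POLICY:
        p, colour, hosts = report[sid]
        print(f"{colour:5} {p:5.1f}%  {text}  {hosts}")
```

With the sample data only the firewall statement is green (srv02 lacks a policy, but 9 of 10 hosts have one); ws02's stale anti-virus drops Windows/Mac coverage to 75%, srv01's connection into 203.0.113.0/24 trips the botnet statement, and bob's login from outside 192.0.2.0/24 is the one unusual VPN login. Note that the anti-virus denominator is the in-scope platforms, not every host, exactly as the statement is worded.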
