Tracking NIA Asset Classification

by Sharon Everson
July 9, 2020

The National Information Assurance (NIA) Policy v2.0 requires that agencies classify their assets. Tenable recommends using the Cyber Exposure Life Cycle model in conjunction with NIAv2 compliance efforts. The first stage (Discovery) of the Cyber Exposure life cycle includes identifying and mapping assets across computing environments. To maintain a standardized method of classifying assets and assessing the risk on them, the risk manager must understand which assets are on the network and make sure they are appropriately classified.

Tenable.sc provides multiple methods of classifying assets, such as services detection, operating system detection, hardware detections, and many others. This ARC uses dynamic asset lists to categorize devices. Risk managers are able to view risks based on asset classifications such as Network Devices, Database Servers, Web Servers, Workstations, or Wireless Access Points among others. The policy statements in the ARC show the ratio of assets with a particular classification compared to the total assets of the systems covered by the ARC. Risk managers are able to determine if all expected assets with that classification have been properly identified. Furthermore, drilling down into the results allows the risk manager to focus on vulnerabilities for all assets with that classification.

This ARC uses dynamic asset lists to classify devices. Assets are used to group devices that share common attributes. Tenable.sc supports template-based and custom assets. Custom assets can be created to support NIA’s Asset Classification Model. The policy statements in this ARC can be edited to specify custom assets corresponding to NIA policy.

Tenable.sc uses active and passive plugins to collect asset information including asset name, type, IP address, MAC address, location, serial number, and other important information. One method of identifying the device category is the plugin “Device Type (54615)”. Plugin 54615 maps operating systems and other asset behaviors to categories such as server, router, or firewall. Other methods, such as running services or open ports, are also used to identify device categories. Tenable.sc therefore provides several scalable approaches to identifying asset types.

The ARC and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards, and assets. The ARC can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment.

The ARC requirements are:

  • Tenable.sc 5.14.1
  • Nessus 8.10.1
  • Compliance data 

Tenable.sc Continuous View (CV) is the market-defining on-prem Cyber Exposure platform. Tenable.sc CV provides the ability to continuously assess an organization’s adherence to best-practice configuration baselines. Tenable.sc provides customers with a full and complete Cyber Exposure platform for operating the Information Security Management System program prescribed by the NIA standard.

This ARC includes the following policy statements:

1. Devices classified as Network Devices - This policy statement identifies the ratio of network devices to total assets. The number and assets identified as network devices should correspond to the agency’s expected inventory list. Compliance for this policy is Any.

2. Devices classified as Servers - This policy statement identifies the ratio of servers to total assets. The number and assets identified as servers should correspond to the agency’s expected inventory list. Compliance for this policy is Any.

3. Devices classified as Database Servers - This policy statement identifies the ratio of Database Servers to total assets. The number and assets identified as Database Servers should correspond to the agency’s expected inventory list. Compliance for this policy is Any.

4. Devices classified as Web Servers - This policy statement identifies the ratio of Web Servers to total assets. The number and assets identified as Web Servers should correspond to the agency’s expected inventory list. Compliance for this policy is Any.

5. Devices classified as POP or SMTP Servers - This policy statement identifies the ratio of POP or SMTP servers to total assets. The number and assets identified as POP or SMTP servers should correspond to the agency’s expected inventory list. Compliance for this policy is Any.

6. Devices classified as Domain Name Servers (DNS) - This policy statement identifies the ratio of Domain Name Servers to total assets. The number and assets identified as Domain Name Servers should correspond to the agency’s expected inventory list. Compliance for this policy is Any.

7. Devices classified as VPN Servers - This policy statement identifies the ratio of VPN Servers to total assets. The number and assets identified as VPN Servers should correspond to the agency’s expected inventory list. Compliance for this policy is Any.

8. Devices classified as Wireless Access Point - This policy statement identifies the ratio of Wireless Access Points to total assets. The number and assets so identified should correspond to the agency’s expected inventory list. Compliance for this policy is Any.

9. Devices classified as VoIP Servers or Voice Infrastructure - This policy statement identifies the ratio of VoIP Servers or Voice Infrastructure to total assets. The number and assets so identified should correspond to the agency’s expected inventory list. Compliance for this policy is Any.

10. Devices classified as Hypervisors - This policy statement identifies the ratio of Hypervisors to total assets. The number and assets so identified should correspond to the agency’s expected inventory list. Compliance for this policy is Any.

11. Devices classified as Virtual Machines - This policy statement identifies the ratio of Virtual Machines to total assets. The asset specified in this policy statement uses active plugins to discover hosts that appear to be virtual machines, such as VMware, VirtualPC, VirtualBox, or Hyper-V hosts, or a virtual management application on a Windows host. The number and assets so identified should correspond to the agency’s expected inventory list. Compliance for this policy is Any.

12. Devices classified as Workstations - This policy statement identifies the ratio of Workstations to total assets. This number includes devices identified as Apple Computer, Windows, or Linux hosts by Tenable.sc assets. The number and assets so identified should correspond to the agency’s expected inventory list. Compliance for this policy is Any.

13. Devices classified as devices with Web Browsers - This policy statement identifies the ratio of devices with Web Browsers to total assets. The number and assets so identified should correspond to the agency’s expected inventory list. Compliance for this policy is Any.

14. Secure Management: Less than 10% of assets are unclassified - This policy statement identifies the ratio of unclassified assets to total assets. Unclassified assets should be investigated to determine why the asset is not being identified by one of the above policy statements. New policy statements can be added to the ARC for classifications specific to an agency. Compliance for this policy is fewer than 10% of assets.
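To make the arithmetic behind these policy statements concrete, and to show how a device category such as the one plugin 54615 reports feeds a classification, here is an added Python example. It is not Tenable code and does not reproduce how Tenable.sc builds dynamic assets: every asset record, the `device_type` field standing in for a plugin-reported category, the port-based rules, and the expected inventory are constructed assumptions. The example classifies each asset into zero or more classes, computes the per-class ratio that each "Any" statement reports, reconciles the detected set against the agency's expected inventory, and applies the "fewer than 10% unclassified" test of the Secure Management statement.

```python
"""Added illustration of the ARC's asset-classification arithmetic.

Not Tenable code: a self-contained model of what the policy statements above
measure. Each asset record is constructed; ``device_type`` stands in for the
category a plugin such as Device Type (54615) reports, ``ports`` for detected
open services. Assumed, simplified rules classify assets, and the result is
compared against an agency's expected inventory.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    device_type: str                 # e.g. "router", "firewall", "general-purpose"
    os: str = ""                     # detected operating system, if any
    ports: set = field(default_factory=set)  # observed open TCP ports


# Constructed sample inventory; none of these are real hosts.
SAMPLE_ASSETS = [
    Asset("10.0.0.1", "router"),
    Asset("10.0.0.2", "firewall"),
    Asset("10.0.1.10", "general-purpose", "Linux", {22, 3306}),
    Asset("10.0.1.11", "general-purpose", "Windows Server", {443, 1433}),
    Asset("10.0.1.12", "general-purpose", "Linux", {80, 443}),
    Asset("10.0.1.13", "general-purpose", "Linux", {25, 110}),
    Asset("10.0.1.14", "general-purpose", "Linux", {53}),
    Asset("10.0.2.20", "wireless-access-point"),
    Asset("10.0.3.30", "general-purpose", "Windows 10", {445}),
    Asset("10.0.3.31", "general-purpose", "macOS", set()),
    Asset("10.0.9.99", "unknown"),   # matches no rule: will be unclassified
]

# What the agency believes it owns (constructed), keyed by classification.
EXPECTED_INVENTORY = {
    "Network Devices": {"10.0.0.1", "10.0.0.2", "10.0.0.3"},  # .3 never seen by a scan
    "Web Servers": {"10.0.1.12"},                              # .11 is not on the list
}

WORKSTATION_OS = ("Windows 10", "macOS")

# Simplified stand-ins for dynamic asset lists. An asset may match several
# classes, e.g. a host that is both a Web Server and a Database Server.
CLASSIFIERS = {
    "Network Devices": lambda a: a.device_type in {"router", "switch", "firewall"},
    "Database Servers": lambda a: bool(a.ports & {1433, 3306, 5432, 1521}),
    "Web Servers": lambda a: bool(a.ports & {80, 443, 8080}),
    "POP or SMTP Servers": lambda a: bool(a.ports & {25, 110, 995}),
    "DNS Servers": lambda a: 53 in a.ports,
    "Wireless Access Points": lambda a: a.device_type == "wireless-access-point",
    "Workstations": lambda a: a.os.startswith(WORKSTATION_OS),
}


def classify(assets):
    """Return ({class_name: set_of_ips}, set_of_unclassified_ips)."""
    by_class = {name: {a.ip for a in assets if rule(a)}
                for name, rule in CLASSIFIERS.items()}
    classified = set().union(*by_class.values())
    unclassified = {a.ip for a in assets} - classified
    return by_class, unclassified


def evaluate(assets, expected_inventory, max_unclassified=0.10):
    """Evaluate the ARC-style statements.

    Classification statements have compliance 'Any': they always pass, and the
    useful output is the reconciliation against the expected inventory. The
    Secure Management statement passes only when fewer than ``max_unclassified``
    of all assets are unclassified.
    """
    total = len(assets)
    by_class, unclassified = classify(assets)
    results = {}
    for name, ips in by_class.items():
        expected = expected_inventory.get(name)   # None: nothing to reconcile
        results[name] = {
            "ratio": len(ips) / total,
            "compliant": True,                    # policy compliance is "Any"
            "missing": sorted(expected - ips) if expected is not None else [],
            "unexpected": sorted(ips - expected) if expected is not None else [],
        }
    results["Unclassified"] = {
        "ratio": len(unclassified) / total,
        "compliant": len(unclassified) / total < max_unclassified,
        "assets": sorted(unclassified),
    }
    return results


if __name__ == "__main__":
    for name, r in evaluate(SAMPLE_ASSETS, EXPECTED_INVENTORY).items():
        status = "PASS" if r["compliant"] else "FAIL"
        detail = r.get("assets") or r.get("missing") or r.get("unexpected")
        print(f"{name:24s} {r['ratio']:6.1%}  {status}  {detail or ''}")
```

The "missing" and "unexpected" lists are the part a risk manager acts on: a network device on the inventory that no scan has seen is a coverage gap, and a detected web server that is not on the inventory is either an inventory error or an unsanctioned service. The unclassified set is what statement 14 asks you to investigate; in the constructed sample it is a single host, 1 of 11 assets, so the 10% threshold is met.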
