Subcontrol 3.2

[adammontville]

Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

Measures

None provided

Metrics

None provided

[adammontville]

Question for Controls Team:

• Is this subcontrol necessary?
  • It's basically saying, don't use unauthenticated scans, and it seems pretty difficult to accurately measure, because it requires detailed knowledge of a given vulnerability scanning solution's architecture. Until vulnerability scanning tools make that information known, it seems difficult to pull off.
  • Why are we asking for this subcontrol to be met? We need to answer this to understand the desired outcome.

[apiperCIS]

Initially, the UNCC proposal was a boolean, authenticated or not. They said you can't get this data from netflow; instead you'd need a snort rule to grab a field from the traffic to confirm that authentication took place.

There was also discussion centering around - if a vuln scanner is certified as SCAP-compliant as measured in 3.1, whether you can get much of 3.2 for free by virtue of using the certified scanner (CIS-CAT Assessor example: using Assessor logs here). While UNCC understandably doesn't want to "trust the tool", there was discussion of whether you are really trusting the certification process here, not just the tool itself.

[wmunyan]

I'll add a note that I just thought of in reference to SCAP compliance. The current active SCAP validation program (1.2 or 1.3) only validates for an "authenticated configuration scanner", and allows the addition of the "CVE option" in the validation.

Does that suffice for this subcontrol? If a tool is an "authenticated configuration scanner with CVE option" does that meet the measure for this?

[adammontville]

NOTE: This seems to require three things: 1) the list of scanning tools, 2) knowledge of which of those tools are authenticated scanners, and 3) verification that they're being used (i.e. scans have been run). Also note that UNCC's measures are centered on inspecting network traffic to determine whether a scanner is authenticated.

Inputs:

• List of deployed vulnerability scanning tools
• List of authenticated vulnerability scanners
• Time threshold for last use of vulnerability scanner

Operations:

• For each deployed vulnerability scanner, check whether it is in the list of authenticated vulnerability scanners
• For each deployed vulnerability scanner, verify that it has been used within time threshold

Measures:

• M1 - Number of deployed vulnerability scanning tools
• M2 - Count of unauthenticated vulnerability scanning tools
• M3 - Count of authenticated vulnerability scanning tools
• M4 - Count of vulnerability scanning tools recently used

Metrics:

• (M1 - M3) / M1 - percentage of authenticated vulnerability scanning tools (100% is desired)
• (M1 - M4) / M1 - percentage of vulnerability scanning tools recently used

[adammontville]

Mapping component:

• For each auth vuln scanner
  • Enumerate endpoints covered
  • Check config for auth scanning on each endpoint

Goal: Get a coverage metric out of the above.

[adammontville]

NOTE: This seems to require three things: 1) the list of scanning tools, 2) knowledge of which of those tools are authenticated scanners, and 3) verification that they're being used (i.e. scans have been run). Also note that UNCC's measures are centered on inspecting network traffic to determine whether a scanner is authenticated.

Inputs:

• List of deployed vulnerability scanning tools
• List of authenticated vulnerability scanners
• Time threshold for last use of vulnerability scanner

Operations:

• For each deployed vulnerability scanner, check whether it is in the list of authenticated vulnerability scanners
• For each deployed vulnerability scanner, verify that it has been used within time threshold
• For each authorized vulnerability scanner
  • Enumerate endpoints covered
  • Check configuration for authenticated scanning on each endpoint
• Aggregate number of endpoints covered (becomes M5)
• Aggregate correct configuration (becomes M6)

Measures:

• M1 - Number of deployed vulnerability scanning tools
• M2 - Count of unauthenticated vulnerability scanning tools
• M3 - Count of authenticated vulnerability scanning tools
• M4 - Count of vulnerability scanning tools recently used
• M5 - Count of endpoints covered by authenticated vulnerability scanners
• M6 - Count of endpoints scanned in an authenticated manner

Metrics:

• (M1 - M3) / M1 - percentage of authenticated vulnerability scanning tools (100% is desired)
• (M1 - M4) / M1 - percentage of vulnerability scanning tools recently used
• M6 / M5 = Authenticated scanning coverage