by Sharon Everson
July 9, 2020
The National Information Assurance (NIA) Policy v2.0 requires that agencies classify their assets. Tenable recommends using the Cyber Exposure Life Cycle model in conjunction with NIAv2 compliance efforts. The first stage (Discovery) of the Cyber Exposure lifecycle includes identifying and mapping assets across computing environments. In order to maintain a standardized method of classification of assets and assess risk on those assets, the risk manager must understand which assets are on to the network and make sure they are appropriately classified.
Tenable.sc provides multiple methods of classifying assets, such as services detection, operating system detection, hardware detections, and many others. This ARC uses dynamic asset lists to categorize devices. Risk managers are able to view risks based on asset classifications such as Network Devices, Database Servers, Web Servers, Workstations, or Wireless Access Points among others. The policy statements in the ARC show the ratio of assets with a particular classification compared to the total assets of the systems covered by the ARC. Risk managers are able to determine if all expected assets with that classification have been properly identified. Furthermore, drilling down into the results allows the risk manager to focus on vulnerabilities for all assets with that classification.
This ARC uses dynamic asset lists to classify devices. Assets are used to group devices that share common attributes. Tenable.sc supports template-based and custom assets. Custom assets can be created to support NIA’s Asset Classification Model. The policy statements in this ARC can be edited to specify custom assets corresponding to NIA policy.
Tenable.sc uses active and passive plugins to collect asset information including asset name, type, IP address, MAC address, location, serial number, and other important information. One method of identifying the device category is using the plugin “Device Type (54615)”. Plugin 54615 maps operating systems and other asset behaviors to different categories such as a server, router, or firewall. Other methods are also used to identify device categories such as running services or open ports. Tenable.sc provides several scalable approaches to identifying asset types.
The ARC and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment.
The dashboard requirements are:
- Tenable.sc 5.14.1
- Nessus 8.10.1
- Compliance data
Tenable.sc Continuous View (CV) is the market-defining On-Prem Cyber Exposure Platform. Tenable.sc CV provide the ability to continuously Assess an organization’s adherence to best practice configuration baselines. Tenable.sc provides customers with a full and complete Cyber Exposure platform for completing an effective Information Security Management System program prescribed by the NIA standard.
This ARC includes the following policy statements:
1. Devices classified as Network Devices - This policy statement identifies the ratio of network devices to total assets. The number and assets identified as network devices should correspond to the agency’s expected inventory list. Compliance for this policy is Any.
2. Devices classified as Servers - This policy statement identifies the ratio of servers to total assets. The number and assets identified as servers should correspond to the agency’s expected inventory list. Compliance for this policy is Any.
3. Devices classified as Database Servers - This policy statement identifies the ratio of Database Servers to total assets. The number and assets identified as Database Servers should correspond to the agency’s expected inventory list. Compliance for this policy is Any.
4. Devices classified as Web Servers - This policy statement identifies the ratio of Web Servers to total assets. The number and assets identified as Web Servers should correspond to the agency’s expected inventory list. Compliance for this policy is Any.
5. Devices classified as POP or SMTP Servers - This policy statement identifies the ratio of POP or SMTP servers to total assets. The number and assets identified as POP or SMTP servers should correspond to the agency’s expected inventory list. Compliance for this policy is Any.
6. Devices classified as Domain Name Servers (DNS) - This policy statement identifies the ratio of Domain Name Servers to total assets. The number and assets identified as Domain Name Servers should correspond to the agency’s expected inventory list. Compliance for this policy is Any.
7. Devices classified as VPN Servers - This policy statement identifies the ratio of VPN Servers to total assets. The number and assets identified as VPN Servers should correspond to the agency’s expected inventory list. Compliance for this policy is Any.
8. Devices classified as Wireless Access Point - This policy statement identifies the ratio of Wireless Access Points to total assets. The number and assets so identified should correspond to the agency’s expected inventory list. Compliance for this policy is Any.
9. Devices classified as VoIP Servers or Voice Infrastructure - This policy statement identifies the ratio of VoIP Servers or Voice Infrastructure to total assets. The number and assets so identified should correspond to the agency’s expected inventory list. Compliance for this policy is Any.
10. Devices classified as Hypervisors - This policy statement identifies the ratio of Hypervisors to total assets. The number and assets so identified should correspond to the agency’s expected inventory list. Compliance for this policy is Any.
11. Devices classified as Virtual Machines - This policy statement identifies the ratio of Virtual Machines to total assets. The asset specified in this policy statement uses active plugins to discover hosts that appear to be virtual machines, such as VMWare, VirtualPC, or VirtualBox hosts, Hyper-V, or a virtual management application on a windows host. The number and assets identified as servers should correspond to the agency’s expected inventory list. Compliance for this policy is Any.
12. Devices classified as Workstations - This policy statement identifies the ratio of Workstations to total assets. This number includes devices identified as Apple Computer, Windows, or Linux hosts by Tenable.sc assets. The number and assets so identified should correspond to the agency’s expected inventory list. Compliance for this policy is Any.
10. Devices classified as devices with Web Browsers - This policy statement identifies the ratio of devices with Web Browsers to total assets. The number and assets so identified should correspond to the agency’s expected inventory list. Compliance for this policy is Any.
14. Secure Management: Less than 10% of assets are unclassified - This policy statement identifies the ratio of unclassified assets to total assets. Unclassified assets should be investigated to determine why the asset is not being identified by one of the above policy statements. New policy statements can be added to the ARC for classifications specific to an agency. Compliance for this policy is fewer than 10% of assets.