Channel: Tenable Blog

NIST Cybersecurity Framework Adopted by Thirty Percent of US Organizations


In the February 18, 2016 Risky Business podcast, Cris Thomas speaks with Patrick Gray about the NIST Cybersecurity Framework.

Gartner recently announced that 30% of all US organizations, both public and private, have adopted the Framework as a yardstick for measuring their security posture. Further, Gartner predicts that 50% of all organizations will adopt the Framework by 2020. Why are those numbers surprising? And what is the Framework all about? Listen to the full interview as Cris discusses the Framework: its purpose, contents, and future.

Listen to the Risky Business podcast


Cloud Security: Hybrid Environments


We recently asked our security experts about the top security challenges facing cloud computing today. Most cloud security issues are no different than the security problems in applications that are hosted in physical data centers. However, hybrid environments provide new challenges for security professionals. Diane Garey, Tenable’s Nessus Product Marketing Manager, explains why in this video blog.

Learn how Nessus Cloud combines the power of Nessus vulnerability management with the ease of a cloud-based solution.

Payment Paradox: The True Cost of Payment Data Breaches


It’s natural to assume the most direct impact of a cyberattack within the financial payment system is the stolen data or funds. In reality, the true impact extends to the loss of consumer confidence and the subsequent increase of transactional costs.

Most bankers subscribe to the notion that the payment system is the heart and soul of banking and the financial markets. I believe that the payment system in many ways is the heart and soul of all local and global economies. From retail merchants and global banking entities to local families and individuals who make up our neighborhoods, the tie between banks and retailers is the payment system.

The payment system is under constant attack. Beyond the price of defending payment networks, or beyond the tangible dollar loss associated with a breach, the true cost of a successful cyberattack on the payment system is the erosion of consumer confidence.


This intricate interconnection of networks that governs the movement of money or credit from the payer to the payee is in many ways paradoxical. The payment system is built to make commerce easier, but it’s incredibly complex in structure. More than just an intricate puzzle of seemingly innocuous payments, the payment system is a careful balance between the transmission of monetary policy, central banks, the delivery of services to financial intermediaries, and the supervision of the larger banking system.

When you overlay a seemingly endless change associated with the disruptive forces of technology what you have is a complex and dynamic, global system filled with gaps and places where cybercriminals can hide, steal and attack.


Certain industries, especially financial services, continue to be most susceptible to high turnover in customers in the aftermath of a data breach. The finance sector on average spends five times more money attracting new customers than retaining their current customers. These two factors are part of what makes cyberattacks so perilous to the financial community.

Payment system vulnerabilities

In many ways, the payment system represents the soft spot in the finance sector. In an effort to retain and attract customers, financial institutions are starting to abandon the brick and mortar branches and embrace digital banking at faster rates.

As a result, payment systems are evolving with new technologies and in a myriad of new channels. For example, a purchase as simple as shoes can involve several payment channels for the customer. The customer can go to the store and use cash, a debit card, a credit card, a prepaid card or even a mobile phone. The customer can also buy the shoes online with a credit card, debit card, PayPal or direct withdrawal from a bank account. And most recently, customers now have the choice of using a mobile app such as Apple Pay or Google Wallet.

On the front end, there are 11 ways in which someone can buy a pair of shoes today. The back end of that simple transaction is a jungle of options and a huge number of combinations of different authentication systems, payment systems, intermediaries and technologies.

All of these systems and transactions occur over the foundations of the traditional banking system, which was built in large part by acquisition and the stacking of data silos, or legacy technology that is not integrated with other systems or networks. According to a recent Gartner report, the pace of payment innovations is accelerating, and has not peaked. The key takeaway according to Gartner is that a bank's siloed systems and operations, as well as product development approaches, are unfit to respond to new market requirements.

Payment system solutions

Most banks approach payment system vulnerability issues through a combination of trying to prevent the intruder from entering the system and preventing the intruder’s ability to remove confidential data. While this approach is effective in defending against the majority of attacks, it often proves ineffective against advanced persistent threats (APTs) and the tools and techniques of organized, well-funded criminals.

Additionally, smaller banks, community banks and credit unions are often more limited in resources and budget, and often struggle to secure their systems.

One way to approach securing these systems is to map the organization by complete line of business and perform a gap analysis to identify information silos or potential areas of cyber vulnerability. For example, if the capital markets team is moving to flash data clusters and integrating big data systems, what IT security gaps do those activities introduce?

Perform a gap analysis to determine information silos or potential areas of cyber vulnerability

Finally, finding and monitoring legacy systems on your network helps immensely in identifying network vulnerabilities, for institutions of any size. For example, Tenable SecurityCenter Continuous View™ includes tools that perform a whole host of valuable cybersecurity services, including detecting both primary applications and the secondary applications running alongside them. Discovering internal applications that require updates helps keep your financial and payment systems better protected from attackers.

Weakness, What Weakness? Find the Root Cause


I suspect most security practitioners think of weaknesses as primarily being vulnerabilities and misconfigurations. That is understandable because removing vulnerabilities and misconfigurations is an important and constant battle. Besides, we have tons of vulnerability and misconfiguration information; so much information that the MITRE Corporation created the Common Vulnerabilities and Exposures (CVE) dictionary of known information security vulnerabilities and exposures, and the Common Vulnerability Scoring System (CVSS), now maintained by FIRST, was developed to rate their severity.

But weaknesses are more than vulnerabilities and misconfigurations. They include much more; for example, incomplete knowledge of the hardware and software active on a network, insufficient user training, and careless credential management.


If we don’t want to be impacted tomorrow by weaknesses we failed to address today, we must ask ourselves, “Why does this weakness exist?” In many cases the answer may be simple. In other cases, the answer may look simple, but actually be more complex. I encourage you to ask “Why does this weakness exist?” five times, and drill up, not down, to gain a broad perspective.

Control weaknesses

The goal of drilling up is to identify any control weakness that opened the door for the specific symptom you are investigating. I like ISACA’s definition of a control weakness:

A deficiency in the design or operation of a control procedure (emphasis mine). Control weaknesses can potentially result in risk relevant to the area of activity not being reduced to an acceptable level. Control weaknesses can be material when the design or operation of one or more control procedures does not reduce to a relatively low level the risk that misstatements caused by illegal acts or irregularities may occur and not be detected by the related control procedures.

Asking “why?” may not uncover a control weakness, but if it does, you have hit the jackpot because correcting the control weakness is correcting the root cause that, if uncorrected, could result in a security or compliance incident.

Design vs. operation

Consider an example. Assume that you have detected a privileged account on a financial system; an account that hasn’t been used for thirteen months. You could address the weakness by deleting the account and waiting to see if anyone complains. That would remove the weakness with brute force action. However, what if you asked yourself, “Why do we still have a privileged account that hasn’t been accessed for more than one year?”

Now assume that you determined that the account belonged to Susan, a system administrator, who left the organization eleven months ago. Next, you need to drill up and ask, “Why haven’t we removed an account for someone who is no longer with our organization?” This may prompt you to examine your off-boarding process to see if it includes a procedure to remove a departing employee’s accounts. If not, you discovered a deficiency in the design of a control procedure. If the off-boarding process does include a procedure to remove a departing employee’s account, then you have discovered a deficiency in the operation of a control procedure.
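The two-step check described above (find the dormant privileged account, then ask why it still exists) as an added example; this is not code from the original post, and the account export, HR departure feed, and the `offboarding_removes_accounts` flag are hypothetical inputs standing in for whatever your directory and HR system actually produce:

```python
from datetime import date, timedelta

TODAY = date(2016, 2, 24)   # fixed "now" so the example is reproducible

# Constructed sample inputs (hypothetical users; not data from the original post).
ACCOUNTS = [
    # user, privileged?, last successful login (None = never used)
    {"user": "susan",      "privileged": True,  "last_login": date(2015, 1, 15)},
    {"user": "bob",        "privileged": True,  "last_login": date(2016, 2, 20)},
    {"user": "svc_backup", "privileged": True,  "last_login": None},
    {"user": "alice",      "privileged": False, "last_login": date(2015, 6, 1)},
]
# HR feed: user -> last working day. Susan left eleven months ago, as in the post's scenario.
DEPARTURES = {"susan": date(2015, 3, 31)}


def dormant_privileged(accounts, today=TODAY, max_idle_days=90):
    """Symptom finder: privileged accounts idle for longer than max_idle_days, or never used."""
    cutoff = today - timedelta(days=max_idle_days)
    return [a["user"] for a in accounts
            if a["privileged"] and (a["last_login"] is None or a["last_login"] < cutoff)]


def drill_up(user, departures, offboarding_removes_accounts):
    """Ask 'why does this weakness exist?' and map the answer onto ISACA's two deficiency types.

    offboarding_removes_accounts: whether the documented off-boarding procedure includes
    an account-removal step (the control's *design*). If it does and the account is still
    here, the failure is in the control's *operation*.
    """
    if user not in departures:
        return "review_with_owner"        # may be a legitimate break-glass or service account
    if not offboarding_removes_accounts:
        return "design_deficiency"        # the procedure never required removal
    return "operation_deficiency"         # the step exists but was not carried out


def report(accounts, departures, offboarding_removes_accounts, today=TODAY):
    """Pair each dormant privileged account with its root-cause classification."""
    return {u: drill_up(u, departures, offboarding_removes_accounts)
            for u in dormant_privileged(accounts, today)}


if __name__ == "__main__":
    for user, cause in report(ACCOUNTS, DEPARTURES, offboarding_removes_accounts=True).items():
        print(f"{user}: {cause}")
```

The never-used service account deliberately does not get a verdict: it is a symptom worth chasing, but the "why" for it runs through account ownership rather than off-boarding, so the script sends it back to a human rather than guessing.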

Help from security frameworks

I see a growing interest in the adoption of security frameworks, such as the Center for Internet Security’s Critical Security Controls, the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF), and the ISO/IEC 27001 standard for Information Security Management. Adoption of these standards focuses an organization’s security resources on the design and operation of security controls rather than focusing on removing the symptoms resulting from lacking or loosely followed control procedures.

Focus on the design and operation of security controls rather than on removing symptoms.

Each of the above security frameworks includes multiple control objectives/procedures for access control that, if followed, would have precluded the discovery of a privileged account that should have been removed upon an employee’s departure. Their high-level access control objectives are:

  • Critical Security Controls: Actively manage the lifecycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
  • NIST: CSF: Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
  • ISO/IEC 27001: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

Drill up!


When you find a vulnerability, misconfiguration, or other weakness that shouldn’t exist on your network, drill up by asking “why?” five times. You may uncover an underlying control design or operation deficiency that is the root cause. Correcting a root cause is always more effective than removing the symptom.

Drill up diagram

Ghost in the Machine: “MouseJack” Wireless Mouse and Keyboard Injection Vulnerability


It was over 6 years ago that the wireless keyboard sniffer project known as “Keykeriki” was first demonstrated. The sniffer allowed someone to eavesdrop on what was being typed as each key was pressed on the keyboard. Recently, another vulnerability, dubbed “MouseJack,” was discovered in the way some wireless devices, such as the Logitech Unifying Receivers for wireless keyboards and mice, process received RF packets, allowing keystroke injection that bypasses encryption. Exploiting this vulnerability involves transmitting RF packets to a vulnerable vendor dongle and requires physical proximity to the target computer. This vulnerability can be remediated by removing the device or updating the firmware on the vendor dongle so that it only accepts encrypted RF keyboard packets.

Searching for affected devices

While USB device history auditing has been a long-time capability of Nessus®, Tenable has released a local plugin (ID 88905) to detect the presence of affected versions of the Logitech Unifying Receiver. Additional plugins for other affected vendors will be developed by Tenable, and this blog entry will be updated. Since the Logitech plugin reports on historical devices, it requires that the scanner reporting mode be set to “Paranoid”.

Nessus Scanner USB 1 screen shot

Nessus Scanner USB 2 screen shot

In this example, we have USB devices with a Vendor ID (VID) 0x046D and Product ID (PID) 0xC52B. I used both http://www.PCIDatabase.com and http://www.linux-usb.org/usb.ids to identify the corresponding VID as Logitech Inc., and the Product is a USB Receiver. The plugin will report if a vulnerable device has been previously utilized by the host and manual validation will need to be performed if the device is still in use.

USB event monitoring

SecurityCenter Continuous View™ and the Log Correlation Engine™ (LCE®) Windows client can also detect USB device insertions and removals. The logs generated by these events are normalized to the “usb” event type and include the following normalized events:

Windows-LCE_Client_Detected_Attached_Drive: A USB or CD-ROM drive was attached.

Windows-LCE_Client_Detected_Removed_Drive: A USB or CD-ROM drive was removed.

Windows-LCE_Client_Detected_Attached_USB_Device: A USB peripheral was attached.

Windows-LCE_Client_Detected_Removed_USB_Device: A USB peripheral was removed.

SecurityCenter screen shot 1

The Windows-LCE_Client_Detected_Attached_USB_Device event indicates that the LCE client detected the attachment of a USB device. The event tells us about the device being attached or detached, including the Vendor ID (VID), the Product ID (PID), and the device serial number/Windows unique identifier, allowing users to look up exactly what is being attached to their hosts.

You can use the following query to alert on the presence of the Logitech Unifying Receiver in your environment:

Type = usb; Normalized Event = Windows-LCE_Client_Detected_Attached_USB_Device; Syslog Text = “046D AND C52B”
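The same VID/PID match, done outside SecurityCenter for hosts that ship USB events elsewhere, as an added example (not Tenable code). It recognises the Windows device instance path format and `lsusb` output; the log lines, hostnames and serial numbers are constructed, and the watchlist holds only the VID/PID the post names. As the post notes, a match proves that a Unifying Receiver was attached, not which firmware it runs, so each hit still needs manual validation:

```python
import re

# Watchlist built only from the VID/PID identified in the post.
WATCHLIST = {("046D", "C52B"): "Logitech Unifying Receiver"}

# Windows device instance path, e.g. USB\VID_046D&PID_C52B\6&1A2B3C4D&0&1
WIN_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")
# lsusb output, e.g. "Bus 001 Device 004: ID 046d:c52b Logitech, Inc."
LSUSB_RE = re.compile(r"\bID\s+([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\b")


def extract_vid_pid(text):
    """Return every (VID, PID) pair found in text, upper-cased so both formats compare equal."""
    pairs = WIN_RE.findall(text) + LSUSB_RE.findall(text)
    return [(vid.upper(), pid.upper()) for vid, pid in pairs]


def flag_devices(lines):
    """Check each log line against the watchlist; one finding per matching line."""
    findings = []
    for line in lines:
        for vid, pid in extract_vid_pid(line):
            if (vid, pid) in WATCHLIST:
                findings.append({
                    "line": line,
                    "vid": vid,
                    "pid": pid,
                    "device": WATCHLIST[(vid, pid)],
                    # VID/PID says nothing about firmware level; a human has to check.
                    "action": "validate receiver firmware; patch or remove",
                })
    return findings


# Constructed sample lines (hypothetical host, serials and instance IDs; not real log data).
SAMPLE_LINES = [
    r"ws0042 usb-attach USB\VID_046D&PID_C52B\6&1A2B3C4D&0&1",
    r"ws0042 usb-attach USB\VID_ABCD&PID_1234\5&2B3C4D5E&0&0",   # some other device, not listed
    "Bus 001 Device 004: ID 046d:c52b Logitech, Inc. Unifying Receiver",
]

if __name__ == "__main__":
    for f in flag_devices(SAMPLE_LINES):
        print(f"{f['device']} ({f['vid']}:{f['pid']}): {f['action']} -- {f['line']}")
```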

SecurityCenter screen shot 2

To enable USB event monitoring, use one of the two following configuration tags in your LCE Windows Client policy:

<event-log>Volumes</event-log> <!-- Monitors for USB events -->
<event-log>all</event-log> <!-- Monitors for all events, including USB -->

Note "Volumes" is a special entry for device monitoring and is not really an event log (or you can also use “all”).

References

MouseJack

Flaws in Wireless Mice and Keyboards Let Hackers Type on Your PC

USB Device History Auditing with Nessus

LCE Windows Client - New USB Events

Focus on the Government


As pressure grows on the federal government to strengthen cybersecurity in the wake of the OPM attacks, agencies are challenged to find and deploy the best, most efficient security programs to protect private personal information (PPI) and sensitive data. They are also under the gun to demonstrate compliance with standards such as the NIST Cybersecurity Framework, NERC, FISMA and HIPAA.

Government is in Tenable’s DNA

Tenable is no stranger to the government market. Tenable founders have their roots in national security. For example, Ron Gula started his career as a pen tester for the NSA. While government may be a new sector for some of our competitors, Tenable has long been a cybersecurity partner to the federal government.

Under the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, federal agencies are required to implement continuous monitoring to protect their organizations from attacks. Tenable pioneered continuous network monitoring with the creation of SecurityCenter Continuous View™ (SecurityCenter CV™) in 2004. SecurityCenter CV is the market-defining standard for continuous monitoring, as evidenced by the U.S. Defense Information Systems Agency’s 2012 selection of Tenable and HP as the Assured Compliance Assessment Solution (ACAS) for the entire Department of Defense.

Tenable’s expanding federal program

In this era of increasing mobility, virtual systems, cloud applications, and shadow IT, Tenable delivers comprehensive security solutions that provide continuous visibility and critical context, enabling decisive actions to protect government agencies.

That is why Tenable is expanding its federal program to support agencies in their efforts to harden national security, protect PPI, and meet the critical security needs of tomorrow.

Two key leaders have joined Tenable to spearhead this initiative:

  • Darron Makrokanis is the new Vice President of Federal Sales. Darron brings a decade of experience with DoD, DHS and intelligence business development. He was also a SWAT/Special Operations Team supervisor and detective for 10 years and is currently an officer in the U.S. Navy Reserves.
  • Christopher Cleary is Tenable’s new Federal Director of Business Development and Capture, bringing over 20 years’ experience in government, military, and commercial enterprises. He is also a commander in the U.S. Navy Reserves. 

And in support of the federal team for strategy, thought leadership, and partner initiatives, John Chirhart is moving up to the role of Technical Director. Prior to joining Tenable in 2015 and while working with the United States Marine Corps, John paved the way for SecurityCenter to become the de facto standard DoD scanning tool and cornerstone of ACAS.

You’ll be hearing more from Darron, Chris, John, the federal team and partners at key conferences and on the Tenable website.

The Tenable Blog spotlights government issues

Here on the Tenable Blog, we are planning monthly articles that focus on security issues faced by government agencies. Watch for blogs about NIST CSF, state and local government concerns, NIST 800-171, NERC Version 5, and software management guidelines to name just a few. And check out our experts’ recent blogs on government issues and legislation:

To find blogs that focus on government security issues, click on the Filed Under “Government” keyword at the end of this article.

Outreach

Feel free to contact the federal team for assistance with your security issues at federalsales@tenable.com.

State and Local Government Grapples with Legacy IT


With many states relying on IT systems that are 20 years old or more, government agencies are challenged to secure legacy technology that is no longer supported and often hidden from view.

For the services that directly affect people’s daily lives, citizens rely on their state and local governments. From public safety and trash pickup to highway maintenance and education, state and local governments make our communities livable.

Often, however, the agencies providing these services are relying on outdated IT systems. They are struggling to maintain and secure technology that no longer is supported, is poorly documented and often is not inventoried. As every IT administrator should know, you can’t manage what you can’t see.

The challenge

Of course the ideal solution is to upgrade systems to modern technology supported by vendors. But funding is a major hurdle for this. State and local governments as a rule must maintain balanced budgets, and even in the best of times money is doled out conservatively. Since the economic downturn, budgets are even tighter.

At the same time, administrators are reluctant to take down systems for maintenance when those systems have been doing their jobs, in some cases for decades. The result is a hidden and often unsupported shadow infrastructure.


While IT refresh cycles in the private sector typically are in the three-to-five-year range, the age of many state systems is measured in decades. Consider these figures:

  • A 2012 survey by the National Association of State Workforce Agencies found that the majority of IT systems supporting unemployment insurance (UI) programs are old and based on outmoded programming languages. “States developed systems for UI operations generally in the 1970s and 1980s, and many are using the same ‘legacy’ mainframe technology based systems today.” The average age was 22 years, the oldest 42.
  • An analysis of 200 IT systems for the state of Colorado found that 77 were more than 15 years old and half were at least 10 years old.
  • A 2014 study of legacy systems conducted by the Texas Department of Information Resources found that in 100,000 instances of software supporting 4,130 business applications, 61 percent were classified as legacy—that is, obsolete or inefficient.

Some of these findings are several years old, but given recent financial conditions it is unlikely that the situation has improved. The challenges of maintaining such environments are compounded by the loss of institutional knowledge as veteran personnel who know these systems retire.

Threats

As key personnel move on to other jobs or retire, institutional knowledge of these legacy systems goes with them. The pool of talent available to maintain and protect them shrinks and systems fall further out of date. Many systems are no longer supported by vendors, and some vendors go out of business. Critical updates are not available, vulnerabilities are not patched, and older systems often are not interoperable with more modern platforms.


Some may say that IT systems so out-of-date are undetectable and are unlikely targets for malicious activity. But “security by obscurity” is not good cybersecurity policy. Systems that are out of compliance with sound policy pose a risk to the entire enterprise.

Help is available

“Security by obscurity” is not good cybersecurity policy

Tenable SecurityCenter CV™ has several capabilities that can help with finding and monitoring legacy systems on your network.

The Passive Vulnerability Scanner™ (PVS) detects both primary applications and the secondary applications running with them to enable discovery of internal apps that are not updated. PVS sensors positioned to see traffic in the internal network can provide a way to locate systems that are connected to the network only occasionally.

Nessus® plugin 11936 is a discovery scan that, when used with credentials, can help identify operating systems connected to the network. Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name and sometimes the version of the remote operating system.

Discovering unknown assets and shadow IT with these and other capabilities in SecurityCenter CV is an important first step to bringing these assets into your security program so they aren't a security risk to your organization.

Amazon CloudTrail Monitoring with SecurityCenter Continuous View


Amazon Web Services (AWS) has become a critical Infrastructure as a Service (IaaS) platform for many companies. Just as cloud environments provide advantages of scalability, elasticity, and performance, they present new challenges to those tasked with securing them. How do you monitor for attacks against the infrastructure from outside, while at the same time watching user accounts for impersonation and misuse? Small changes to configurations and policies within AWS can have a devastating impact on the security of an organization, so continuous monitoring is critical.

SecurityCenter Continuous View™ (CV) now connects directly to AWS for CloudTrail event monitoring via RESTful API, collecting EC2 and IAM logs to pull into your security monitoring program.

AWS Service Event Tracking Screenshot

Monitoring user accounts and account activities in AWS integrates into your larger account monitoring strategy. Password guessing and other account attacks are detected, as well as known-malicious hosts attempting access. Permission changes are also captured, and monitored along with the rest of your data for unauthorized changes.

“Detected-change” events provide insight into new or unusual connections into AWS, and isolate IPs that have never communicated before for investigation. Activity trending and anomaly tracking provide deeper insight into the behavior of your AWS environment, as well as the users and administrators who interact with it, alerting you to suspicious activities as they occur.

Drilling into these events shows at a glance who is interacting with AWS, and what they’re up to.

AWS Event User Summary screen shot

With Amazon, SecurityCenter CV also captures events about the status of your AWS EC2 environment. These instance monitoring logs detail health and status of instances, when instances are added or removed, as well as policy and configuration changes. Just as you monitor critical servers within your organization for changes that could indicate malicious activity, it's time to monitor the cloud in kind.
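The three detections the paragraphs above describe (repeated failed logins, a source IP never seen before, and an IAM permission change), run over CloudTrail records as an added example. This is not SecurityCenter's normalization logic; it reads raw CloudTrail JSON. The field names (`eventName`, `eventSource`, `userIdentity`, `sourceIPAddress`, `responseElements`, `requestParameters`) are CloudTrail's, but the records, user, IPs and the `KNOWN_IPS` baseline are constructed:

```python
from collections import defaultdict

# IAM calls that grant or widen access. A starting set, not an exhaustive one.
PERMISSION_CHANGES = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreatePolicyVersion", "UpdateAssumeRolePolicy", "AddUserToGroup",
    "CreateAccessKey", "CreateLoginProfile",
}


def analyze(records, known_ips, fail_threshold=3):
    """Walk CloudTrail records in time order and return a list of finding dicts."""
    seen = set(known_ips)                 # copy: the caller's baseline is not mutated
    failures = defaultdict(int)           # (user, ip) -> failed console logins
    findings = []
    for r in records:
        ident = r.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "<unknown>")
        ip = r.get("sourceIPAddress", "")
        name = r.get("eventName")

        # sourceIPAddress can be an AWS service name when a service acts on your behalf;
        # only real addresses take part in the never-seen-before check.
        if ip and not ip.endswith(".amazonaws.com") and ip not in seen:
            seen.add(ip)
            findings.append({"kind": "new_source_ip", "user": who, "ip": ip, "event": name})

        # Password guessing: repeated ConsoleLogin failures from one user/IP pair.
        if name == "ConsoleLogin" and r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failures[(who, ip)] += 1
            if failures[(who, ip)] == fail_threshold:
                findings.append({"kind": "password_guessing", "user": who, "ip": ip,
                                 "count": fail_threshold})

        # Permission change: any IAM call from the grant/widen set.
        if r.get("eventSource") == "iam.amazonaws.com" and name in PERMISSION_CHANGES:
            findings.append({"kind": "permission_change", "user": who, "ip": ip, "event": name,
                             "params": r.get("requestParameters", {})})
    return findings


def _rec(source, name, user, ip, **extra):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    base = {"eventSource": source, "eventName": name, "awsRegion": "us-east-1",
            "userIdentity": {"type": "IAMUser", "userName": user}, "sourceIPAddress": ip}
    base.update(extra)
    return base


# Constructed sample trail: three failed console logins from an unfamiliar address, then an
# admin policy attached and an instance launched from a known address.
RECORDS = [
    *[_rec("signin.amazonaws.com", "ConsoleLogin", "deploy-bot", "198.51.100.7",
           responseElements={"ConsoleLogin": "Failure"}, errorMessage="Failed authentication")
      for _ in range(3)],
    _rec("iam.amazonaws.com", "AttachUserPolicy", "deploy-bot", "203.0.113.9",
         requestParameters={"userName": "deploy-bot",
                            "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("ec2.amazonaws.com", "RunInstances", "deploy-bot", "203.0.113.9"),
]
KNOWN_IPS = {"203.0.113.9"}   # addresses that have talked to this account before

if __name__ == "__main__":
    for f in analyze(RECORDS, KNOWN_IPS):
        print(f)
```

The threshold fires once, on the Nth failure, rather than on every failure after it; in production you would key the baseline on (user, IP) and persist it between runs, since a "new" IP is only meaningful against history.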

AWS Normalized Events screenshot

See the Tenable documentation for more information on how to integrate AWS CloudTrail monitoring into your security program.

Amazon CloudTrail is one of the first platforms supported by SecurityCenter CV for API monitoring. Cloud service monitoring for integrated visibility eliminates blind spots, enabling more informed decision making and improved awareness of security in your organization, no matter where it resides.

For more information on securing IaaS platforms with Tenable, see the following blogs:


Transforming Security from Defense in Depth to Comprehensive Security Assurance


Over the past 20 years, we have seen steady growth in the development and marketing of security solutions. But despite the fact that organizations are investing in sophisticated security, major breaches are still occurring every day.


The problem is defense in depth. Layers of information security tools designed to protect our networks are leaving us vulnerable. Today’s CISO may deploy up to 100 tools throughout an organization for prevention, detection, and response. The tools may give the appearance of full coverage, but in reality, attackers find gaps in the layering of security solutions – holes that they can easily exploit. While your security investments may be effective individually, they must work together to deliver a comprehensive solution.

And defense in depth is not always effective at protecting newer technologies against threats. Today’s digital enterprise runs borderless technologies—in the cloud, on virtual systems, and on mobile devices—making it hard to stay ahead of new and malicious attacks.

This is why experts now say that it’s not a question of if you will be breached, but when.


It’s time to transform security from a defense in depth model to comprehensive security. Achieving a holistic solution requires three pillars of security assurance:

  • Continuous Visibility into all assets, to meet the challenge of eliminating blind spots
  • Critical Context to prioritize threats and weaknesses for response
  • Decisive Action to reduce exposure and loss

3 pillars and 6 domains graphic

Tenable is reimagining the security model to deliver comprehensive security for your organization. Our new whitepaper, Transforming Security from Defense in Depth to Comprehensive Security Assurance, explains the principles behind holistic security assurance. Get your copy to better understand how you can identify critical gaps and achieve comprehensive protection.

Bring Unknown Assets and Shadow IT into the Light


“Know yourself” is millennia-old advice, yet today’s IT environments almost always violate this principle. With the widespread popularity of mobile devices, cloud services, and virtualized infrastructures, it’s now incredibly easy for employees and others to introduce new devices or applications to the IT environment without the knowledge or consent of IT. Traditional security tools don’t provide visibility into these areas, so these unknown devices, applications, and services expose organizations to risk and probable attacks.

Bringing unknown and shadow assets into the light is a necessary part of a robust and effective security program

Today at the RSA Conference in San Francisco, Tenable announced how our technology helps organizations bring unknown assets and shadow IT into the light with our SecurityCenter Continuous View™ (CV) solution. In this article, I’ll describe some of its unique capabilities that enable complete visibility into your environment.

You need to see IT to secure IT

Peter Drucker famously said, “What gets measured, gets managed.” Similar thinking for IT security is that “You need to see it to secure it.”

To enable you to see the unknowns, SecurityCenter CV collects and analyzes data from a variety of sensors—active scanning, passive listening of network activity and event data, and data feeds from intelligent connectors. For example in the dashboard below, SecurityCenter CV passively listens for network interactions with cloud services and reports back which services it detects and whether those services fit into known profiles that are allowed by the organization.

Cloud Services Dashboard

Get more information about the Cloud Services dashboard.

Gaining visibility into unknown and shadow assets is just the first step. To understand if these assets pose a threat to your environment, SecurityCenter CV profiles them to determine their risk and lets you know if they’re interacting with other known assets. For example, a Dropbox account set up by an employee who wants to share materials with a partner might pose a different level of risk than a Dropbox account that’s interacting with an internal SAP server.

Taking the right action

Once you know what’s really on your network and the associated risk, then it’s a matter of taking the right action … do you remove assets, investigate them more, simply make them part of your ongoing security programs, or something else? With limited time and resources, it’s about taking the right action. As Peter Drucker also said, “Efficiency is doing things right. Effectiveness is doing the right thing.” Here, SecurityCenter CV offers a number of pre-defined reports and dashboards to help you quickly make sense of all the collected data from unknown and shadow assets. These reports and dashboards drill down into detected vulnerabilities and present them in the context of your greater security program, so you can make informed decisions for effective and rapid response.

For example, one of the metrics displayed in the following Assurance Report Card (ARC) is the number of assets discovered by SecurityCenter CV that are unknown, or unclassified. The ARC displays your organization’s goal (“Less than 20%”) as well as other software and hardware inventory goals. Drilling down provides quick insight into the vulnerabilities associated with the unknown, or unclassified assets, enabling security professionals to quickly see what’s in their environment, what risk is posed and where they should take action.

Maintain an Inventory ARC

Learn more about this Assurance Report Card.

Summary

With mobile, virtual and cloud all growing exponentially, stamping out unknown assets and shadow IT may never happen. But with SecurityCenter CV, bringing unknown and shadow assets into the light is not only possible, it’s a necessary part of a robust and effective security program.

For more information, visit our Unknown and Shadow Assets solution page.

Tenable Automates NIST Cybersecurity Framework Technical Controls

At RSA this week, Tenable is announcing a new capability in SecurityCenter Continuous View™ that automates and simplifies adoption of the NIST Cybersecurity Framework.

Adoption of the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) is growing fast as a way to build a defensible security posture. The CSF is barely two years old; however, Gartner predicts, “By 2020, more than 50% of organizations will use the NIST Cybersecurity Framework, up from the current 30% in 2015.”

The CSF, a best practice security framework, is gaining broad acceptance beyond organizations that deliver critical infrastructure. The National Association for Corporate Directors has recommended that “directors set the expectation that management has considered the CSF in developing the company’s cyber-risk defense and response plans.” The above mentioned Gartner report also stated, “Organizations that choose to ignore the framework due to its voluntary nature may be missing a strategic planning opportunity.”

The CSF Core contains five functions to improve security posture. These functions (Identify, Protect, Detect, Respond, and Recover) are the “high level view,” and each function contains numerous categories and subcategories that drive particular security outcomes. These categories and subcategories can be thought of as “controls” or “control objectives” used in other security and compliance frameworks.

There are two control types: administrative and technical. Administrative controls are typically procedural and can be implemented and audited using manual processes. In contrast, technical controls typically deal with huge amounts of fast-moving data. Therefore, automation is necessary to implement and audit the technical controls, which account for about half of all of the controls listed in the CSF.

If your organization has adopted CSF or plans to, how will you automate its controls and track your progress and success?

Tenable SecurityCenter CV supports over 90% of the CSF technical controls and builds them into an automated control foundation that helps organizations manage risk and achieve their target security profile. SecurityCenter CV includes 20 new interactive dashboards purpose-built to inform security staff with continuous visibility of control operation. If an unexpected condition is reported by a dashboard, staff can quickly drill down to gain the critical context necessary to prioritize further investigation.

For example, the SecurityCenter CV Asset Discovery Dashboard addresses the Identify: Asset Management-1 control, which instructs that physical devices and systems within the organization should be inventoried. SecurityCenter CV uses multiple technologies, including active scanning, passive monitoring, and integration with other IT systems, to accurately inventory hardware assets. The dashboard pictured below provides visibility of new hardware, hosts, network devices, wireless, and mobile devices to give you continuous visibility of all hardware assets on your network.

SecurityCenter CV Asset Management Dashboard
SecurityCenter CV Dashboard for CSF ID.AM-1: Asset Management – Hardware

Additionally, eight new Assurance Report Cards (ARCs) communicate CSF conformance to business leaders. ARCs can graphically summarize progress towards the attainment of CSF target profiles. All of the dashboards and ARCs are templates that can be easily tailored and applied to specific business services. The ARC below shows high-level CSF conformance that can be communicated to non-technical stakeholders.

CSF Assurance Report Card
SecurityCenter CV CSF ARCs

Please take a minute to learn more about how SecurityCenter CV can help you automate and simplify CSF adoption.

Have You Been Compromised? Let’s Go Hunting!

Protecting your network against attackers is only part of the equation. You have probably seen the statistics. Research tells us that attackers spend an average of 200 days inside a network before being discovered. Prevention isn’t enough. Even with expert staff and sophisticated security solutions in place, can you confidently answer the question, “Am I compromised?” You need a way to proactively hunt for attackers who may have eluded your protective defenses.

Tenable is best recognized for our protective security solutions, those focused on eliminating vulnerabilities, misconfigurations, and malware. But SecurityCenter Continuous View™ (SecurityCenter CV™) is also a great solution for threat hunting, as announced at RSA this week. Rather than being consumed reacting to alerts, you can use SecurityCenter CV to efficiently take action: to reduce your exposure and risk by proactively hunting for compromises and addressing them before they become breaches.

SecurityCenter CV is the only solution that collects data from five sensors: active scanning, passive network monitoring, intelligent connectors to third-party management and security products, agents and host data. These technologies combine to deliver deep insight into network and system state, and continuous visibility of network and user activity.

Tenable Solution Components

Data collected from across your environment is enhanced with indicators of compromise from leading commercial threat intelligence vendors to help you identify threats in real-time – without additional licensing and configuration costs.

SecurityCenter CV baselines “normal” behavior for your network and then identifies and measures divergence from normal activity patterns across all types of collected event data. It also correlates chains of potentially suspicious events to uncover complex or advanced threat conditions. For example, the screenshot below shows many suspicious activities, including long-term port scanning, followed by Windows system errors, followed by long-term intrusion activity.

Event Analysis
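The correlation described above (port scanning, then Windows system errors, then intrusion activity on the same host) can be expressed as an ordered chain of event types that must all occur for one host within a time window. The following is an added illustration written for this post, not SecurityCenter CV's correlation engine or any Tenable code; the event types, the log format and the sample events are constructed, and the seven-day window is an assumed default.

```python
"""Ordered event-chain correlation per host, as used in threat hunting triage.

Added example (not Tenable code). Event kinds, log format and sample lines are
constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str


# Constructed sample log: "<ISO timestamp> <host> <event kind>" (not real data).
SAMPLE_LOG = [
    "2016-03-01T08:00:00 10.0.0.5 port_scan",
    "2016-03-01T09:30:00 10.0.0.5 port_scan",
    "2016-03-02T10:15:00 10.0.0.5 windows_error",
    "2016-03-03T11:00:00 10.0.0.5 intrusion",
    # Same event kinds on another host, but out of order: not a chain hit.
    "2016-03-01T08:05:00 10.0.0.9 windows_error",
    "2016-03-01T08:10:00 10.0.0.9 intrusion",
    "2016-03-01T08:20:00 10.0.0.9 port_scan",
]

# The chain the text describes: scanning, then system errors, then intrusion.
CHAIN = ("port_scan", "windows_error", "intrusion")


def parse_log(lines):
    """Parse constructed log lines into Event records."""
    events = []
    for line in lines:
        ts, host, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, kind))
    return events


def find_chains(events, chain=CHAIN, window_days=7):
    """Return {host: [timestamp of each matched stage]} for every host on which
    all stages of `chain` occurred in order, with the whole sequence inside the
    window. The first occurrence of stage 0 anchors the window; later repeats of
    an already-matched stage are ignored (a deliberately conservative choice)."""
    window = timedelta(days=window_days)
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    hits = {}
    for host, evs in by_host.items():
        stage, stamps = 0, []
        for ev in evs:
            if ev.kind == chain[stage]:
                stamps.append(ev.ts)
                stage += 1
                if stage == len(chain):
                    break
        if stage == len(chain) and stamps[-1] - stamps[0] <= window:
            hits[host] = stamps
    return hits


if __name__ == "__main__":
    for host, stamps in find_chains(parse_log(SAMPLE_LOG)).items():
        print(host, "->", " then ".join(t.isoformat() for t in stamps))
```

Run as a script it reports only 10.0.0.5; the second host has the same three event kinds but not in the order the chain requires. Narrowing `window_days` to 1 drops the hit as well, which is the knob an analyst tunes to trade false positives against slow, low-and-slow activity.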

A challenge faced by many organizations is that they barely have enough staff to ensure that preventive security measures are in place. Often, dedicating staff resources to detective measures, such as threat hunting, is very difficult. There is no silver bullet. Threat hunting takes time. However, SecurityCenter CV includes interactive dashboards that highlight the most suspicious indicators and allow you to prioritize your actions and then quickly drill in to investigate. For example, the red items shown in the Malware Hunter dashboard below indicate high priority items that need immediate investigation.

Malware Hunter Dashboard

Another challenge faced by organizations getting started with threat hunting is that their disparate tools require significant care and feeding. Tenable addresses this challenge head on. Our security experts are essentially an extension of your security staff. They continuously develop integrations, normalization rules, and correlation rules to gather and analyze data. Additionally, they maintain an expanding library of report, dashboard, and Assurance Report Card templates that you can use out-of-the-box or tailor to display security information in actionable formats. The result: you can focus your valuable resources on action to reduce exposure and risk.

Please check out our threat hunting resources to see how Tenable can help you learn if you have ever been compromised.

Key Takeaways from RSA 2016

The annual RSA Conferences are the best way to learn about the latest trends and technologies in information security. This year’s RSA USA conference took place in San Francisco February 29 – March 4, 2016. Tenable had a strong presence at the conference, where we introduced a new comprehensive security assurance model and several new solutions for shadow IT, threat hunting, and the NIST Cybersecurity Framework.

Our experts were there delivering presentations, talking with analysts, meeting customers at our booths, and listening for news and trends. If you missed the conference, we gathered six of our pros to summarize the key takeaways from RSA 2016. Listen as they share with you the latest buzz and themes that dominated their conference experiences, from threat intelligence to cloud security, from partnering to comprehensive security.

New Scan Policies, Plugins and Dashboard for CVE-2016-0800: DROWN

No matter which product you have, Nessus®, SecurityCenter™, SecurityCenter CV™, or Passive Vulnerability Scanner™, Tenable can determine if you are at risk of “drowning.”

The DROWN vulnerability (CVE-2016-0800) is a cross-protocol vulnerability that enables an attacker to decrypt TLS connections between up-to-date clients and servers by sending packets to any server that supports SSLv2 and uses the same private key.

The DROWN vulnerability’s impact is made worse by two additional OpenSSL implementation vulnerabilities:

  • CVE-2015-3197, which allows a DROWN attacker to connect to the server with disabled SSLv2 ciphersuites, provided that support for SSLv2 itself is enabled
  • CVE-2016-0703, which greatly reduces the time of carrying out the DROWN attack

According to drownattack.com, at the time of vulnerability publication on March 1, 33% of all HTTPS sites were affected by this vulnerability. More information on DROWN severity is available in the OpenSSL advisory issued on March 1.

The Tenable Response

Nessus

Impacted operating system vendors are making updates available, and Tenable has released a new Nessus scan policy template specifically for DROWN.

DROWN scan policy template

We have also issued a series of local and remote Nessus® plugins to detect the presence of affected versions of OpenSSL:

ID    | Title                                                                                  | Family
------|----------------------------------------------------------------------------------------|---------------------------------------
89058 | SSL DROWN Attack Vulnerability (Decrypting RSA with Obsolete and Weakened eNcryption)  | Misc.
89059 | CentOS 6 / 7 : openssl (CESA-2016:0301) (DROWN)                                        | CentOS Local Security Checks
89060 | CentOS 5 : openssl (CESA-2016:0302) (DROWN)                                            | CentOS Local Security Checks
89064 | Oracle Linux 6 / 7 : openssl (ELSA-2016-0301) (DROWN)                                  | Oracle Linux Local Security Checks
89065 | Oracle Linux 5 : openssl (ELSA-2016-0302) (DROWN)                                      | Oracle Linux Local Security Checks
89067 | RHEL 6 / 7 : openssl (RHSA-2016:0301) (DROWN)                                          | Red Hat Local Security Checks
89068 | RHEL 5 : openssl (RHSA-2016:0302) (DROWN)                                              | Red Hat Local Security Checks
89069 | RHEL 6 : openssl (RHSA-2016:0303) (DROWN)                                              | Red Hat Local Security Checks
89070 | RHEL 5 : openssl (RHSA-2016:0304) (DROWN)                                              | Red Hat Local Security Checks
89071 | RHEL 6 / 7 : openssl (RHSA-2016:0305) (DROWN)                                          | Red Hat Local Security Checks
89074 | Scientific Linux Security Update : openssl on SL5.x i386/x86_64 (DROWN)                | Scientific Linux Local Security Checks
89075 | Scientific Linux Security Update : openssl on SL6.x, SL7.x i386/x86_64 (DROWN)         | Scientific Linux Local Security Checks
89076 | SUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2016:0617-1) (DROWN)           | SuSE Local Security Checks
89077 | SUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2016:0620-1) (DROWN)           | SuSE Local Security Checks
89081 | OpenSSL 1.0.1 < 1.0.1s Multiple Vulnerabilities (DROWN)                                | Web Servers
89082 | OpenSSL 1.0.2 < 1.0.2g Multiple Vulnerabilities (DROWN)                                | Web Servers
89090 | openSUSE Security Update : openssl (openSUSE-2016-288) (DROWN)                         | SuSE Local Security Checks
89091 | openSUSE Security Update : openssl (openSUSE-2016-289) (DROWN)                         | SuSE Local Security Checks
89092 | openSUSE Security Update : openssl (openSUSE-2016-292) (DROWN)                         | SuSE Local Security Checks
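The two "Web Servers" plugins above work from the OpenSSL version string: anything on the 1.0.1 branch before 1.0.1s, or on the 1.0.2 branch before 1.0.2g, is flagged. Comparing OpenSSL versions correctly needs care because the patch level is a letter suffix (1.0.2 is older than 1.0.2a, and 0.9.8zh is newer than 0.9.8y). The following is an added example written for this post, not Nessus plugin code; it takes only the fixed versions 1.0.1s and 1.0.2g from the plugin titles above, treats every other branch as out of scope, and runs over a constructed inventory of version banners. Note that it is a version check only: as the post explains, a host on a fixed OpenSSL can still be exposed if its private key is shared with another server that still speaks SSLv2.

```python
"""Triage OpenSSL version banners against the DROWN fixed versions.

Added example (not Tenable or Nessus code). The fixed versions come from the
plugin titles on this page (1.0.1 < 1.0.1s, 1.0.2 < 1.0.2g); every other
branch is reported as unknown rather than guessed. Sample banners are constructed.
"""
import re

# Branch -> first fixed letter suffix, as listed in the plugin titles above.
DROWN_FIXED = {(1, 0, 1): "s", (1, 0, 2): "g"}

# Matches "1.0.1s", "1.0.2" (no letter) and "0.9.8zh" inside a banner string.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return ((major, minor, fix), letters) from a banner such as
    'OpenSSL 1.0.1s', or None when no version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix)), letters


def letter_key(letters):
    """Order OpenSSL patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb' ...
    Length first works because the only multi-letter suffixes start with 'z'."""
    return (len(letters), letters)


def is_drown_affected(banner):
    """True if the version is on a covered branch and older than its fix,
    False if it is at or past the fix, None if the branch is not covered
    by the page's two plugin ranges (or no version could be parsed)."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    branch, letters = parsed
    fixed = DROWN_FIXED.get(branch)
    if fixed is None:
        return None
    return letter_key(letters) < letter_key(fixed)


# Constructed inventory: host -> OpenSSL banner as a local check might report it.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1r",
    "web-02": "OpenSSL 1.0.2g",
    "web-03": "OpenSSL 1.0.2",      # no letter suffix: older than 1.0.2g
    "web-04": "OpenSSL 0.9.8zh",    # branch not covered by the plugin ranges
}


def triage(inventory):
    """Bucket hosts into affected / fixed / unknown by their OpenSSL banner."""
    buckets = {"affected": [], "fixed": [], "unknown": []}
    for host in sorted(inventory):
        verdict = is_drown_affected(inventory[host])
        key = "unknown" if verdict is None else ("affected" if verdict else "fixed")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket (other branches, or banners with no parsable version) still need a look: the script deliberately refuses to extrapolate beyond the two ranges the plugin titles state, and a remote check such as plugin 89058 is the right tool for the SSLv2-support side of the problem.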

SecurityCenter

We have released a customized SecurityCenter™ dashboard to monitor, track and remediate critical assets affected by CVE-2016-0800. This dashboard is automatically available via the feed to provide insight on the impact to your environment and the progress of your efforts to remediate this vulnerability.

DROWN Dashboard

Passive Vulnerability Scanner

The following plugins address DROWN:

Title                                                                      | ID
---------------------------------------------------------------------------|-----
SSLv2 Cross-Protocol Session Decryption Vulnerability (DROWN)              | 9127
OpenSSL 1.0.1 < 1.0.1s / 1.0.2 < 1.0.2g Multiple Vulnerabilities (DROWN)   | 9128

RSA Conference 2016 Wrap-up

This year marked the twenty-fifth anniversary of the RSA USA Conference. Personally, this marked my eighth RSA in seventeen years. Now held in the Moscone Center in San Francisco, things have come a long way since being held in the San Jose convention center. RSA now includes 16 keynotes, over 100 talks, over 350 vendors, 700,000 square feet of expo space and 33,000 attendees.

Most years, we see one new buzzword, technology, or incident dominating the conference environment. We usually see one topic that everyone is talking about. That didn't seem to happen this year. Instead, there seemed to be quite a mix of different topics on people's minds, as part of the messaging of various booths, and in hallway conversations.

FBI and Apple

While the request by the FBI to gain access to one Apple iPhone was at the top of the daily news cycle and the topic in more than one conference session, it did not seem to enter into too many conversations—at least not into the conversations I was having. Prior to the start of the show, I really thought the Apple/FBI controversy would be the main topic of this year’s conference; however, the topic seems to have played a more peripheral or background role this year.

Threat intelligence

Beyond Apple/FBI, one of the more prominent topics this year seemed to be a holdover from last year, as more than one vendor was promoting “Threat Intelligence.” The recent implosion in that part of the industry seemed to have let a lot of air out of the sails of threat intel. But at least one person I spoke with thought this might be a good thing for threat intelligence as a whole. According to her, the recent events will put vendors on notice that their threat intelligence products need to deliver on their promises. I guess time will tell.

Phishing

More than one vendor on the RSA show floor was promoting solutions for phishing. Considering how effective phishing is for attackers, that makes perfect sense. Solutions for access control, application code reviews, and incident response also seem to have their fair share of vendors promoting single point solutions.

Hardware

One thing I saw more of than I expected was hardware—and quite a bit of it: everything from two factor authentication tokens to rack equipment locks to physical hard drive destruction. Of course, there were quite a few secure networking products as well. There is usually at least some hardware at RSA, but this year I saw more than usual.

Internet of Things

Despite all the recent hype around Internet of Things security, there seemed a severe lack of any companies promoting solutions in this space at RSA this year. The few companies I did notice doing IoT security were all involved in the auto industry—which arguably needs all the help it can get.

Government

Several US government agencies had booths on the show floor this year. That in and of itself isn't a new thing; the FBI, for one, has maintained a presence on the floor for at least the last five years. But this year, we also saw the NSA and DHS as well as NIST, the Federal Reserve and even the Office of the Comptroller of the Currency. It is good to see government agencies with a strong interest in security expending some budget to have a presence at RSA.

The RSA 2017 call for papers will be here in just a few short months and then we will all make our annual pilgrimage to the Moscone Center to see what new and exciting buzzwords will arise next year.

Tenable

Tenable introduced several new solutions at RSA 2016. Check out our new whitepaper and solution stories:


Data Breach 101: Cyber Security Issues in Higher Education

Higher education provides a treasure chest of high-value information for cyberattackers. With everything from Social Security numbers and medical records to financial data and intellectual property within a single institution, it’s imperative that institutions protect critical infrastructures by anticipating, recognizing, and mitigating attacks.

Cybercriminals have the higher education sector in their crosshairs. According to some estimates, higher education accounts for 17 percent of all data breaches where personal information is stolen, with only the medical sector being victimized at a higher rate. And why not? Higher education databases contain some of the most sought-after data that attackers are looking to steal. Everything from Social Security numbers to medical records to financial data and intellectual property could all be contained at one facility. Hackers know this, which is why Symantec’s 2015 Internet Security Threat Report ranked education third overall among the top ten most-attacked and breached sectors.

If we humanize the issue, the personally identifiable information (PII) at risk is often that of young adults who in many cases are just laying the foundation for their careers and personal lives. Imagine if your Social Security number was stolen at the age of 18. How could that hinder your ability to buy a car, pass a credit check to help find a good job or get into a good school? What would happen 10 or 15 years later when you tried to buy your first home?

According to an EdTech magazine report, 1.35 million personal identities were exposed to hackers in the education sector in 2015. The full impact of these breaches on the victims will not be fully realized for years.

What makes these breaches more alarming is that many of them are easily preventable. According to the same EdTech article, nearly a third of these breaches, 30 percent, were the result of “unintentional disclosure” like phishing attacks, improper use of social media, and so forth. Only 36 percent were the result of actual hacking.

We need to do a better job not only of bolstering network defenses against cyberattacks, but also of raising awareness of basic cybersecurity hygiene among the full spectrum of IT users: staff, faculty and students. This is especially important in education where those types of serious cybersecurity considerations have been sometimes overlooked, making education a softer target than many other sectors like finance which puts a lot of effort into cybersecurity.

Many corporations spend large amounts of money on continuing cybersecurity awareness and training programs for employees. That task is magnified at institutions of higher learning, where there is a large population of students with little or no professional experience who must be accommodated in addition to faculty and staff. This student body, with its own devices, applications and expectations, poses a significant challenge in protecting sensitive and critical information.

Higher education is particularly vulnerable because, in contrast to many other high-value targets, college and university computer networks have historically been as open and inviting as their campuses, says Fred Cate, a senior fellow at the Indiana University Center for Applied Cybersecurity Research. “We want our faculty and our students and our public and our donors to connect pretty easily to us,” says Cate, who also is vice president for research at IU.

Solving the problem

In addition to better cybersecurity education, the need for more robust tools, tactics and procedures also is apparent.

Three simple steps that can help improve an institution’s cybersecurity posture are:

  • Access Control Policies: Authentication should go beyond a simple username and password to include additional factors where appropriate, such as Multi-Factor Authentication (MFA), which can go a long way toward better securing a network. Additionally, authorization must be managed on a least-privilege basis. Directories and privileges must be kept up-to-date.
  • Data protection: Sensitive information should be encrypted both at rest and in transit.
  • The flow of information: Colleges need to also consider the safest way to share data. “One policy should be prohibiting staff from using popular services like Dropbox to transfer student records and other sensitive information,” says Jonathan Rajewski, assistant professor of digital forensics at Champlain College in Vermont.

Finally, beyond the sharing of data, organizations need to be mindful of data flowing out. As we recently covered in a separate Tenable blog, networks that seem to be bleeding data are often experiencing symptoms of potentially malicious activity.

An essential first step in improving cybersecurity in education is first assessing the current cybersecurity posture. By deploying a comprehensive security assurance solution such as SecurityCenter Continuous View™, higher education organizations can inventory, scan and audit their current environment. This is particularly valuable for an organization with a significant number of mobile users where assets may not always be connected to, or managed within, the enterprise. To learn more about tracking rogue devices and systems, see the Tenable solution, Unknown and Shadow Assets.

Higher education provides a treasure chest of high-value information for cyber attackers. But with the right approach, tools and training, organizations can take large steps toward reducing the number of compromised networks and stolen data. Then they can concentrate on what they do best, educating today’s best and brightest.

Leveraging NIST Standards to Build Your Enterprise Security

The federal government has produced a body of standards and guidelines—including the NIST Cybersecurity Framework—that can help the private sector as well as government agencies improve information security. Automation can help you take full advantage of these standards.

The U.S. Department of Defense (DOD) now requires contractors holding sensitive government information on their IT systems to comply with federal cybersecurity guidelines spelled out in Special Publication 800-171 from the National Institute of Standards and Technology (NIST) by the end of 2017.

The DOD mandate reflects what a department spokesperson called the “urgent need to increase cybersecurity requirements.” The guidelines are crafted specifically for the private sector and provide a path to security for contractors using government controlled unclassified information (CUI).

This is an example of how government standards are shaping private sector cybersecurity.

The trend toward standardized security

Corporate enterprises increasingly are taking advantage of security standards developed by and for the federal government. With the recognition that private sector cybersecurity is essential to national security and the national economy, NIST is helping to create a foundation of standards, best practices and guidance that can be applied across the nation’s information infrastructure.

Some efforts, such as the Security Content Automation Protocols (SCAP), have already had a major impact. The requirement that government agencies use tools that comply with the SCAP open security standards has resulted in the availability of a wide range of commercial products that also help companies automate security monitoring and scanning. Other programs are being crafted specifically for the private sector, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the Cybersecurity Framework (CSF).

The core of NIST security guidance is the extensive catalog of security controls contained in SP 800-53. These controls, together with industry standards and best practices, are used to produce flexible, interoperable guidelines that can be adapted to fit the needs of organizations of almost any type and size. Because of this integration and flexibility, organizations can easily find the appropriate security controls for meeting the requirements of their own security policies, and to comply with industry or government regulation.

As a result, government security standards and guidance are finding wide adoption in the private sector. Adoption of guidance such as the Cybersecurity Framework is becoming viewed as a best practice, helping organizations move beyond mere regulatory compliance to effective risk management. A Gartner study estimated that 30 percent of U.S. organizations were using the CSF in 2015 and predicted that it would be 50 percent by 2020.

Automation helps leverage standards-based security

Although the Cybersecurity Framework was created to adapt to the needs of organizations of all sizes, implementing it is not necessarily easy when IT budgets and resources are stretched thin. Manual assessment, configuration and validation of controls and settings can be time consuming and resource intensive. Automation can replace manual processes to help ease the adoption of the CSF and other standards.

SecurityCenter™ from Tenable Network Security was validated for compliance with SCAP 1.2 in 2015. At RSA Conference 2016, Tenable also announced a new solution making it easier for companies and government agencies to ensure conformance with CSF. SecurityCenter Continuous View™ (SecurityCenter CV™) includes the industry’s first CSF dashboards to provide a unified view of the organization’s IT landscape. It replaces manual processes by automating:

  • Conformance assessments to evaluate the technical controls in place and validate that they are operating effectively.
  • Continuous monitoring across both industrial control systems and IT networks, including physical and virtual infrastructure, cloud, and mobile environments.
  • CSF-specific customizable Assurance Report Cards (ARCs) and dashboards to provide a unified view of conditions.
  • Comparison of current security posture to a target security profile to identify gaps and create a roadmap to a defensible security program.

SecurityCenter CSF Dashboard

To learn more about how SecurityCenter CV can help you take advantage of the Cybersecurity Framework, visit Tenable Network Security.

Evaluating Mobile Security in a Mobile World

Mobile Device Security Has Industry Professionals Worried

In November 2015, Tenable released the inaugural Global Cybersecurity Assurance Report Card, with research conducted by CyberEdge Group. The report tallied responses from more than 500 security professionals from six different countries and across seven industry verticals to assess the overall confidence levels of organizations in detecting and mitigating risk. The full report can be downloaded on our 2016 Global Cybersecurity Assurance Report Card page, and a high-level summary can be found on our blog. Earlier this year we broke down the report by industry vertical and also took a deep dive into the results for government organizations. Today, we’ll look at one pain point revealed by security practitioners in the report that affects nearly every country, government and industry — mobile device security.

A mobile world, a mobile workforce

Our phones have become an extension of ourselves. According to a new study by the Pew Research Center, 90% of US smartphone owners use their devices to get location-based directions or recommendations and 33% use their phones to watch streaming services such as Netflix or Hulu. The cellphone has also become a productive and convenient workplace tool. Employees can check email, access company data and search the Internet throughout their work day. However, with each new mobile device brought onto the corporate network, the organization becomes more vulnerable. In fact, MobileIron recently found that over 50% of enterprises have at least one non-compliant device (jailbroken, rooted, disabled PIN protection, lost device, out-of-date policies, etc.). The reality is that mobile phones aren’t going anywhere, so the question becomes: how prepared are organizations to effectively secure them?

The answer? Not as prepared as they’d like.

Mobile device scores

In terms of global risk assessment, IT security professionals across the globe graded mobile device security a startling 65%, or D, and no country scored above Canada’s 79%, or C+.

Organizations were asked to report their ability to assess cybersecurity risks across 10 key IT infrastructure components, including cloud, datacenters, desktops, laptops, network perimeter, web applications and network infrastructure. Mobile devices ranked among the bottom three alongside cloud and cloud infrastructure. Although disturbing, it’s not surprising. These are rapidly evolving technologies.

While there’s not yet an industry standard, the need for improvement became apparent in our research when breaking down the results by industry. No sector ranked its ability to assess risk in mobile devices above a C. Education, Healthcare and Government came in at the bottom of the list, all scoring disheartening Fs. It’s particularly interesting to see Financial Services come in with an unimpressive 70%, or C-, especially as mobile banking becomes a new norm. If IT security practitioners in one of the most data breach-susceptible industries lack confidence in their ability to assess mobile device risk, how can industries with slower adoption rates keep pace?

All is not lost though. Organizations feel much more optimistic in their security investments.

Security Assurance refers to an organization’s ability to mitigate threats by investing in security infrastructure, i.e., the security tools professionals use to keep their networks secure. It only makes sense, then, that one of the biggest challenges cited in the report was the ability to detect transient devices, earning a global score of 75%, or C. Canada again scored highest with a B, with the US coming in above average at 79% (C+). It’s interesting to note that in general, organizations feel they have the right tools in place to convey security assurance, but lack the confidence to properly assess the risks on their network. Perhaps it’s a resource issue. Our research revealed that IT teams are not only troubled by the sheer volume of threats but are also stretched thin when it comes to recruiting top talent. More than 66% of security professionals cited an overwhelming threat environment as the greatest challenge, followed by a sense of low security awareness among employees (67%) and a shortage of qualified workers (60%).

The ability to detect transient devices earned a global score of 75% or C

Setting confidence in risk assessment aside, Financial Services felt their ability to detect transient devices was strong, scoring an 84%, or B, as did the Telecom and Technology industry, giving themselves an 86% (B). Healthcare and Government, however, remained consistent in their lack of confidence in both risk assessment and security assurance, earning a D- and F, respectively.

The path forward

As mobile and cloud continue to revolutionize the industry, how can organizations secure employee devices, mitigate security risks and boost overall security assurance? One term comes to mind — visibility. While the industry continues to remain highly distributed and complex, it’s critical for organizations to lay the groundwork for a resilient security program by understanding what devices are on the network. You can’t secure what you can’t see, and it would be advantageous for organizations to invest in a comprehensive security solution that exposes those blind spots.

You can’t secure what you can’t see

The best way to secure unknown and shadow assets, such as the mobile device, is to adopt a cybersecurity strategy that gives you the continuous visibility and critical context necessary to take decisive action against incoming threats. If employees are using rogue cloud applications or transient devices, the IT security team needs to log and assess each device passing through the network. It is also imperative to update outdated legacy systems, as we’ve seen with last year’s OPM breach, and to stay up-to-date on industry trends and best practices.

More information

For more information on assessing and securing mobile devices, check out Tenable’s newly announced Unknown and Shadow Assets solution story. You can also check out the on-demand webinar about the Global Cybersecurity Assurance Report Card report findings for the US and Canada, EMEA, or APAC (but think twice about streaming it from your mobile while on the clock!). Be sure to stay tuned for the 2017 report in November 2016 for the newest data.

NIST Cybersecurity Framework Adoption on the Rise


Security is top of mind for every organization, and in today’s complex IT environment, it can be a challenge for CISOs to ensure their security programs are performing efficiently and effectively. Over the years numerous security frameworks, guidelines and regulations have been created to help organizations stay on track. This week Tenable Network Security released results from the Trends in Security Framework Adoption Survey to better understand adoption patterns for widely used security frameworks, based on research conducted by Dimensional Research of more than 300 IT and security professionals in the U.S.

Overwhelming adoption rates

84% of organizations across a wide range of sizes and industries already leverage some type of security framework

The survey reveals that 84% of organizations across a wide range of sizes and industries already leverage some type of security framework. The most widely used frameworks include the U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework), the Payment Card Industry Data Security Standard (PCI DSS), the Center for Internet Security Critical Security Controls (CIS) and ISO/IEC 27001/27002 (ISO).

The industries most reliant on security frameworks include Banking and Finance with 88% adopting at least one framework, Information Technology (87%), Government (86%) and Manufacturing (83%). Only 77% of Education and 61% of Healthcare respondents report having a security framework in place. Results also show that 44% of organizations use more than one security framework.

NIST CSF emerging as best practice

Following a security framework engenders confidence in an organization’s security posture. According to the survey results, 29% of organizations leverage the NIST Cybersecurity Framework (CSF) and overall security confidence is higher for those using this framework. Additionally, more than 70% of respondents who have adopted or plan to adopt the NIST CSF view it as an industry best practice. It’s also the most likely security framework to be adopted by organizations over the next year.

More than 70% of respondents who have adopted or plan to adopt the NIST CSF view it as an industry best practice

Industries already using the NIST CSF include Government (14%) and Banking and Finance (18%). Even though the NIST CSF consists of standards, guidelines and practices designed to promote the protection of critical infrastructure, it has emerged as one of the most thorough and reliable cybersecurity frameworks available to organizations of all types and sizes.

While the survey indicates larger organizations (5,000 employees or more) are more likely to adopt the NIST CSF (37%), 17% of smaller organizations surveyed (100 to 1,000 employees) also rely on this framework to maintain their security posture. Larger organizations may be more likely to have a security framework in place if they have more staff and a bigger budget to secure a larger network.

Adoption barriers

Despite the overwhelmingly positive feedback on the NIST Cybersecurity Framework, there are still barriers standing in the way of its full adoption. Organizations that have already adopted the NIST CSF cite a lack of regulatory requirements and a perceived large investment as obstacles preventing them from implementing all of the recommended controls.

A lack of regulatory requirements and a perceived large investment are obstacles preventing implementation of all the CSF recommended controls

In fact, 64% of respondents from organizations currently using the NIST CSF implement some of the NIST recommended controls, but not all of them. Similarly, 83% of organizations that plan to adopt the NIST CSF in the next year report they will adopt some, but not all of the CSF controls. This is potentially unsettling; if organizations only conform to some suggested security controls, that could leave them vulnerable to gaps in network protection, inviting compromise and breaches. Comprehensive security is the best way to ensure CISOs won’t be left in the dark.

A Tenable solution

Tenable makes it easier for businesses and government organizations to adopt and benefit from the NIST Cybersecurity Framework. We recently introduced the industry’s first and only solution for automating the assessment of more than 90% of the NIST CSF technical controls. Using the NIST Cybersecurity Framework dashboards and reports built into SecurityCenter Continuous View™, you can rapidly evaluate, measure and report on conformance with the framework. Tenable also enables effective communication of the NIST CSF technical controls in business language that executives and boards of directors can understand, using built-in Assurance Report Cards (ARCs).

More information

Want to know more? Check out these resources:

You Can’t Defend IT Hidden in the Shadows


You can’t secure and protect devices or data you aren’t even aware of. It’s a simple premise, but one that has become more and more relevant in recent years. It’s challenging enough to just keep up with identifying, managing, and resolving the vulnerabilities you know about, but it’s crucial to be able to detect and identify those unknown and shadow IT assets as well.

You can’t secure and protect devices or data you aren’t even aware of

The explosion of mobile devices, cloud services, and virtualization tools make it very easy for employees to connect to and use unauthorized technologies that IT is not aware of. All of your effort to manage vulnerabilities and protect the network can be undone by one attacker exploiting a vulnerability on an unknown device or service connected to your network. When users introduce technologies and applications without IT consent, they expose the company to unnecessary risk and handicap IT’s ability to effectively protect the network.

Lurking in the shadows

You can’t be confident in your security posture if you can’t be sure you’re identifying and remediating vulnerabilities in all of the devices and applications on your network. You might achieve some false sense of security by checking a box for resolving the vulnerabilities you’re aware of, but shadow IT can still leave you weak and defenseless.

Unknown mobile devices on your network expose you to significant risk. A report from the end of 2015 found that an average mobile app has nine vulnerabilities—and more than a third of those are critical or high vulnerabilities. The report revealed that more than a quarter of the mobile app vulnerabilities result in personal or sensitive information leakage, and nearly a quarter are related to authentication and authorization.

An average mobile app has nine vulnerabilities

Another place where risk lurks in the shadows is with cloud services and virtualization. Users just sign up for services like Dropbox or an unsanctioned CRM tool, and with the push of a button your network and data are exposed to vulnerabilities you don’t know about. Cloud providers average 18 vulnerabilities per asset. It takes on average 103 days for a typical organization to remediate a security vulnerability. Cloud providers are faster than many other industries when it comes to addressing vulnerabilities, but whether it’s 30 days or 300 days you can’t address or mitigate the risk because you don’t even know you’re exposed.

Turn on the lights

There’s a Chinese proverb that goes, “Better to light a candle than to curse the darkness.” You don’t need to fear unknown and shadow IT. You just need to accept that it exists and have the right tools in place to deal with it.

The traditional approach to vulnerability management isn’t good enough. Conducting periodic scans only provides a snapshot in time. The scan may not identify new or unknown assets. Even if it does, it will miss devices and services that are not connected or enabled at the time of the scan, leaving you exposed again until the next periodic scan.

Conducting periodic scans only provides a snapshot in time

Tenable SecurityCenter Continuous View™ (CV) provides comprehensive visibility of all assets on your network. SecurityCenter CV™ enables you to detect and identify transient laptops, personal mobile devices, and rogue cloud applications. It combines active and passive monitoring tools to detect unknown devices and applications, and identify associated vulnerabilities so that shadow IT doesn’t expose you to unknown risk.
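The snapshot problem described above (and the earlier point that the security team needs to log and assess each device passing through the network) is easy to see with a small simulation. The following is an added example, not code from Tenable or from any product on this page: it models passive evidence (think DHCP leases, ARP or flow records) as host sightings with first-seen and last-seen times, models scheduled active scans as time windows, and reports which hosts a given scan schedule would never have assessed. All host names, timestamps and scan schedules are constructed for illustration.

```python
"""Added example: why point-in-time scans miss transient assets.

Host sightings stand in for continuous passive observation (DHCP, ARP,
NetFlow); scan windows stand in for scheduled active scans. A host is only
assessed by a scan if it was online during a scan window. Everything below
is constructed sample data, not output from any real network or tool.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Sighting:
    host: str            # hypothetical identifier, e.g. a DHCP hostname
    first_seen: datetime
    last_seen: datetime


Window = Tuple[datetime, datetime]

# Constructed passive observations covering one 24-hour day.
T0 = datetime(2016, 3, 1, 0, 0)
SIGHTINGS: List[Sighting] = [
    Sighting("fileserver-01", T0, T0 + timedelta(hours=24)),                    # always on
    Sighting("desktop-a12", T0 + timedelta(hours=8), T0 + timedelta(hours=18)),  # office hours
    Sighting("laptop-bob", T0 + timedelta(hours=9), T0 + timedelta(hours=11)),   # visiting laptop
    Sighting("phone-unknown", T0 + timedelta(hours=12, minutes=30),
             T0 + timedelta(hours=13)),                                          # BYOD at lunch
    Sighting("contractor-vm", T0 + timedelta(hours=20), T0 + timedelta(hours=22)),  # evening work
]

# Schedule A: one nightly scan, 02:00 to 04:00 (a common "quiet hours" choice).
NIGHTLY: List[Window] = [(T0 + timedelta(hours=2), T0 + timedelta(hours=4))]

# Schedule B: a one-hour scan every six hours.
SIX_HOURLY: List[Window] = [
    (T0 + timedelta(hours=h), T0 + timedelta(hours=h + 1)) for h in (0, 6, 12, 18)
]


def overlaps(a_start: datetime, a_end: datetime,
             b_start: datetime, b_end: datetime) -> bool:
    """True if the two closed intervals share at least one instant."""
    return a_start <= b_end and b_start <= a_end


def passive_inventory(sightings: List[Sighting]) -> Set[str]:
    """Every host the passive evidence ever saw, regardless of timing."""
    return {s.host for s in sightings}


def scan_inventory(sightings: List[Sighting], windows: List[Window]) -> Set[str]:
    """Hosts an active scan would reach: those online during some scan window."""
    return {
        s.host for s in sightings
        if any(overlaps(s.first_seen, s.last_seen, w0, w1) for w0, w1 in windows)
    }


def transient_assets(sightings: List[Sighting], windows: List[Window]) -> Set[str]:
    """Hosts seen on the wire but never present while a scan was running.

    These are the blind spots: they carry vulnerabilities the scan schedule
    can never report, so only continuous passive detection surfaces them.
    """
    return passive_inventory(sightings) - scan_inventory(sightings, windows)


def coverage(sightings: List[Sighting], windows: List[Window]) -> float:
    """Fraction of observed hosts the scan schedule actually assessed."""
    seen = passive_inventory(sightings)
    return len(scan_inventory(sightings, windows)) / len(seen) if seen else 1.0


if __name__ == "__main__":
    for name, schedule in (("nightly", NIGHTLY), ("six-hourly", SIX_HOURLY)):
        missed = sorted(transient_assets(SIGHTINGS, schedule))
        print(f"{name}: coverage {coverage(SIGHTINGS, schedule):.0%}, never scanned: {missed}")
```

With the constructed data, the nightly scan assesses only the file server (20% coverage), and even scanning four times a day still misses the visiting laptop and the contractor's VM. Running more scans narrows the gap but cannot close it; the passive inventory is what tells you the gap exists at all.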

Unknown assets and shadow IT are part of today’s IT reality. You need to make sure you have policies and tools in place to ensure you have complete visibility combined with relevant context so you can take decisive action to protect your network and data.

For more information, read about Tenable’s Unknown and Shadow Assets solution. And watch the Tenable Blog this month for more articles about Shadow IT.
