
SecurityCenter 4

TENABLE NETWORK SECURITY INC., COPYRIGHT 2013

MELCARA - CODY HOME NETWORK

SANS Top 20 Critical Controls Report
May 7, 2013 at 7:43pm EDT
[cody]
Confidential: The following report contains confidential information. Do not distribute, email, fax,
or transfer via any electronic mechanism unless it has been approved by the recipient company's
security policy. All copies and backups of this document should be saved on protected storage at all
times. Do not share any of the information contained within this report with anyone unless they are
authorized to view the information. Violating any of the previous instructions is grounds for termination.


Table of Contents

SANS Top 20 Overview ........ 1
SANS Control 1 - New Devices Detected ........ 2
SANS Control 3 - Secure Configurations ........ 3
    PCI Compliance Summary ........ 4
    DISA Compliance Summary ........ 6
    CIS Compliance Summary ........ 8
    HIPAA Compliance Summary ........ 10
SANS Control 4 - Continuous Vulnerability Scanning ........ 11
    System Scanned within 30 Days ........ 13
    Systems Scanned Credentials within 7 Days Summary ........ 16
SANS Control 5 - Malware Controls ........ 17
    Malicious Process Detection ........ 18
    Virus Spike ........ 19
    Active Virus ........ 20
SANS Control 6 - Web Application Security ........ 21
SANS Control 7 - Wireless Device Control ........ 28
    WAP Count ........ 29
    SANS Control 7 - Wireless Device Control ........ 30
    Vulnerable WAP ........ 31
SANS Control 10 - Secure Configurations for Network Devices ........ 32
    Cisco Device Audit ........ 33
    Juniper Device Audit ........ 34
SANS Control 11 - Control of Ports/Protocols/Services ........ 35
    Host On Network ........ 36
    New Services ........ 39
    Port Scanner Identified Services ........ 42
SANS Control 12 - Controlled Use of Administrator Privileges ........ 47
    User Added ........ 48
    User Changes ........ 49
    User Removal ........ 50
    New User Creation ........ 51
SANS Control 13 - Boundary Defense ........ 52
    Linked to Bot List ........ 53
    Web Site Linked to Malicious Content ........ 54
    Threatlist Intrusion ........ 55
    Threatlist Statistics ........ 56
    Firewall Anomaly Statistics ........ 57
    Connection Statistics ........ 58
    Access Denied Anomaly Statistics ........ 60
    Login Failure Large Anomaly Statistics ........ 61
SANS Control 14 - Monitoring and Analysis of Logs ........ 62
    Event Trend Summary ........ 64
    Long Term Intrusion Activity ........ 67
    Multiple System Crashes ........ 68
    Long Term DNS Failures ........ 69
    Long Term Error Activity ........ 71
    Long Term DOS Activity ........ 72
SANS Control 15 - Controlled Access/Data Leakage ........ 73
SANS Control 16 - Account Monitoring and Control ........ 76
    Login Failure Events ........ 77
    Password Guessing Intrusion Events ........ 80
    Successful Password Guessing Events ........ 81
    User Account Locked Out Events ........ 82
    Password Never Expires ........ 83
    Passwords Never Changed ........ 84
    Account with Blank Password ........ 85
    Windows Administrator Default Password ........ 86
SANS Control 17 - Data Loss Prevention ........ 87
    Data Leakage ........ 88
    USB Device Usage ........ 89
    Dropbox Software Detection ........ 90
    BitTorrent Activity ........ 91
SANS Control 20 - Penetration Testing/Exploits ........ 92
    Client Side Patch Related Vulnerabilities ........ 93
    Mobile Device Passive Vulnerabilities ........ 94
    Web Client Passive Vulnerabilities ........ 95
    General Passive Vulnerabilities ........ 97
    Port Range 1-1024 Passive Vulnerabilities ........ 100
    Port Range 1025-5000 Passive Vulnerabilities ........ 101
    Port Range 5001-10000 Passive Vulnerabilities ........ 102
    Port Range 10000+ Passive Vulnerabilities ........ 103


SANS Top 20 Overview


The 20 Critical Controls are being prioritized for implementation by organizations that understand the evolving risk of cyber attack. Leading adopters include the U.S.
National Security Agency, the British Centre for the Protection of National Infrastructure, and the U.S. Department of Homeland Security Federal Network Security
Program. Ten state governments as well as power generation and distribution companies and defense contractors are among the hundreds of organizations that
have shifted from a compliance focus to a security focus by adopting the Critical Controls.
All of these entities changed over to the Critical Controls in answer to the key question: What needs to be done right now to protect my organization from known
attacks? Adopting and operationalizing the Critical Controls allows organizations to easily document those security processes to demonstrate compliance.
The Critical Controls reflect the consensus of major organizations with a deep understanding of how cyber attacks are carried out in the real world, why the attacks
succeed, and what specific controls can stop them or mitigate their damage. Failure by management to implement the Critical Controls puts an organization's sensitive
data or processes at great risk.
The Critical Controls are regularly updated by an international consortium headed by Tony Sager, who recently served as chief of the NSA's Vulnerability Analysis
and Operations Group (which includes the NSA Red and Blue Teams and other top national cyber talent).
http://www.sans.org/critical-security-controls/


SANS Control 1 - New Devices Detected


Reduce the ability of attackers to find and exploit unauthorized and unprotected systems: Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops, and remote devices.
This chapter uses Nessus and PVS plugins (active and passive) to report new hosts found on the network over the last 48 hours, recording the network address
and machine name of each.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6

New Hosts Table


SANS Control 3 - Secure Configurations


Prevent attackers from exploiting services and settings that allow easy access through networks and browsers: Build a secure image that is used for all new systems
deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images
in a configuration management system.
The results for this chapter are selected by keywords in the vulnerability text that match text contained in several compliance audit plugins. The chapter sections provide
mini-reports of compliance data against PCI, DISA, CIS, and HIPAA checks.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1
(a), SA-4 (5), SI-7 (3), PM-6


PCI Compliance Summary

PCI Compliance Severity Summary


PCI Top 100 Host Table

IP Address     | NetBIOS Name      | DNS Name           | Score | Total | Info | Med. | High
172.31.100.62  |                   | sc01.melcara.com   | 50    |       |      |      |
172.31.100.63  |                   | lce01.melcara.com  | 50    |       |      |      |
172.31.100.64  |                   | pvs01.melcara.com  | 50    |       |      |      |
172.31.100.65  |                   | scan01.melcara.com | 50    |       |      |      |
172.31.100.40  |                   |                    | 20    |       |      |      |
172.31.104.141 | UNKNOWN\FAMILY-PC |                    | 20    |       |      |      |
172.31.100.11  | NPROTECT\DC02     | dc02.nprotect.int  | 10    |       |      |      |
172.31.100.26  |                   |                    | 10    |       |      |      |
172.31.100.29  |                   |                    | 10    |       |      |      |
172.31.100.55  |                   |                    | 10    |       |      |      |
172.31.100.103 |                   |                    | 10    |       |      |      |
172.31.100.110 |                   |                    | 10    |       |      |      |
172.31.100.102 | WORKGROUP\NAS3T   |                    | 10    |       |      |      |
172.31.100.253 |                   |                    | 10    |       |      |      |
172.31.104.134 | NPROTECT\JND-DTP  |                    | 10    |       |      |      |
172.31.104.135 | UNKNOWN\GRD-LPTP  |                    | 10    |       |      |      |
172.31.104.251 |                   |                    | 10    |       |      |      |
172.31.104.253 |                   |                    | 10    |       |      |      |
172.31.100.56  |                   |                    |       |       |      |      |
172.31.104.129 |                   |                    |       |       |      |      |
172.31.104.131 |                   |                    |       |       |      |      |
172.31.104.133 |                   |                    |       |       |      |      |
172.31.104.136 |                   |                    |       |       |      |      |
172.31.104.137 |                   |                    |       |       |      |      |
172.31.104.139 |                   |                    |       |       |      |      |
172.31.104.140 |                   |                    |       |       |      |      |
172.31.104.143 |                   |                    |       |       |      |      |
172.31.104.130 | UNKNOWN\LPTP01    |                    |       |       |      |      |
(Only the Score column survived extraction; Total, Info, Med. and High values are not shown.)


DISA Compliance Summary

DISA Compliance Severity Summary


DISA Top 100 Host Table

IP Address     | NetBIOS Name      | DNS Name           | Score | Total | Info | Med. | High
172.31.100.62  |                   | sc01.melcara.com   | 50    |       |      |      |
172.31.100.63  |                   | lce01.melcara.com  | 50    |       |      |      |
172.31.100.64  |                   | pvs01.melcara.com  | 50    |       |      |      |
172.31.100.65  |                   | scan01.melcara.com | 50    |       |      |      |
172.31.100.40  |                   |                    | 20    |       |      |      |
172.31.104.141 | UNKNOWN\FAMILY-PC |                    | 20    |       |      |      |
172.31.100.11  | NPROTECT\DC02     | dc02.nprotect.int  | 10    |       |      |      |
172.31.100.26  |                   |                    | 10    |       |      |      |
172.31.100.29  |                   |                    | 10    |       |      |      |
172.31.100.55  |                   |                    | 10    |       |      |      |
172.31.100.103 |                   |                    | 10    |       |      |      |
172.31.100.110 |                   |                    | 10    |       |      |      |
172.31.100.102 | WORKGROUP\NAS3T   |                    | 10    |       |      |      |
172.31.100.253 |                   |                    | 10    |       |      |      |
172.31.104.134 | NPROTECT\JND-DTP  |                    | 10    |       |      |      |
172.31.104.135 | UNKNOWN\GRD-LPTP  |                    | 10    |       |      |      |
172.31.104.251 |                   |                    | 10    |       |      |      |
172.31.104.253 |                   |                    | 10    |       |      |      |
172.31.100.56  |                   |                    |       |       |      |      |
172.31.104.129 |                   |                    |       |       |      |      |
172.31.104.131 |                   |                    |       |       |      |      |
172.31.104.133 |                   |                    |       |       |      |      |
172.31.104.136 |                   |                    |       |       |      |      |
172.31.104.137 |                   |                    |       |       |      |      |
172.31.104.139 |                   |                    |       |       |      |      |
172.31.104.140 |                   |                    |       |       |      |      |
172.31.104.143 |                   |                    |       |       |      |      |
172.31.104.130 | UNKNOWN\LPTP01    |                    |       |       |      |      |
(Only the Score column survived extraction; Total, Info, Med. and High values are not shown.)


CIS Compliance Summary

CIS Compliance Severity Summary


CIS Top 100 Host Table

IP Address     | NetBIOS Name      | DNS Name           | Score | Total | Info | Med. | High
172.31.100.63  |                   | lce01.melcara.com  | 2561  | 451   | 190  | 7    | 254
172.31.100.62  |                   | sc01.melcara.com   | 2541  | 452   | 193  | 7    | 252
172.31.100.64  |                   | pvs01.melcara.com  | 2521  | 451   | 194  | 7    | 250
172.31.100.65  |                   | scan01.melcara.com | 2515  | 452   | 183  | 25   | 244
172.31.100.11  | NPROTECT\DC02     | dc02.nprotect.int  | 571   | 162   | 72   | 47   | 43
172.31.104.141 | UNKNOWN\FAMILY-PC |                    | 545   | 162   | 76   | 45   | 41
172.31.104.134 | NPROTECT\JND-DTP  |                    | 541   | 162   | 75   | 47   | 40
172.31.104.135 | UNKNOWN\GRD-LPTP  |                    | 541   | 162   | 75   | 47   | 40
(The Med. cell of the first three rows is missing from the extraction; 7 is the value implied by Total = Info + Med. + High, which holds for every other row.)


HIPAA Compliance Summary

HIPAA Compliance Severity Summary

HIPAA Top 100 Host Table

IP Address     | NetBIOS Name      | DNS Name          | Score | Total | Info | Med. | High
172.31.100.11  | NPROTECT\DC02     | dc02.nprotect.int | 133   | 32    | 18   | 1    | 13
172.31.104.141 | UNKNOWN\FAMILY-PC |                   | 130   | 32    | 19   | 0    | 13
(The Med. cells are missing from the extraction; 1 and 0 are the values implied by Total = Info + Med. + High.)


SANS Control 4 - Continuous Vulnerability Scanning


Proactively identify and repair software vulnerabilities reported by security researchers or vendors: Regularly run automated vulnerability scanning tools against all
systems and quickly remediate any vulnerabilities, with critical problems fixed within 48 hours.
This chapter displays the total number of known systems, the number that have been observed over the last 30 days, and the percentage of systems that have had
a credentialed scan completed over the last 30 days. It allows you to determine whether vulnerability scanning is occurring against all the systems in the specified range.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6)
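The two inventory views this report builds, the 48-hour new-host list of Control 1 and the 30-day observed / credentialed-scan coverage of this chapter, can both be derived from one set of per-host observation timestamps. The following is an added example, not code from the report or from SecurityCenter: the record fields (ip, name, first_seen, last_seen, last_credentialed) and the six sample hosts are constructed for illustration (the names mirror hosts that appear elsewhere in this report), and nothing about SecurityCenter's real data model is assumed.

```python
from datetime import datetime, timedelta

# Report timestamp from the cover page; "now" for every window below.
REPORT_TIME = datetime(2013, 5, 7, 19, 43)

# Constructed observation records (assumed field names, not SecurityCenter's
# schema). first_seen/last_seen come from active (Nessus) or passive (PVS)
# detection; last_credentialed is the last scan that logged in to the host.
HOSTS = [
    {"ip": "172.31.100.62", "name": "sc01.melcara.com",
     "first_seen": datetime(2013, 3, 1, 8, 0), "last_seen": datetime(2013, 5, 7, 18, 0),
     "last_credentialed": datetime(2013, 4, 20, 2, 0)},
    {"ip": "172.31.100.11", "name": "NPROTECT\\DC02",
     "first_seen": datetime(2013, 2, 15, 8, 0), "last_seen": datetime(2013, 5, 6, 23, 0),
     "last_credentialed": datetime(2013, 5, 6, 23, 0)},
    {"ip": "172.31.104.134", "name": "NPROTECT\\JND-DTP",
     "first_seen": datetime(2013, 3, 10, 8, 0), "last_seen": datetime(2013, 5, 7, 12, 0),
     "last_credentialed": datetime(2013, 5, 5, 1, 0)},
    {"ip": "172.31.104.141", "name": "UNKNOWN\\FAMILY-PC",
     "first_seen": datetime(2013, 5, 6, 22, 0), "last_seen": datetime(2013, 5, 7, 9, 0),
     "last_credentialed": None},
    {"ip": "172.31.100.56", "name": "",
     "first_seen": datetime(2013, 1, 5, 8, 0), "last_seen": datetime(2013, 3, 20, 8, 0),
     "last_credentialed": None},
    {"ip": "172.31.104.130", "name": "UNKNOWN\\LPTP01",
     "first_seen": datetime(2013, 5, 7, 15, 0), "last_seen": datetime(2013, 5, 7, 15, 0),
     "last_credentialed": None},
]


def new_hosts(hosts, now=REPORT_TIME, window=timedelta(hours=48)):
    """Control 1: hosts first observed inside the window, as (ip, name) rows."""
    return [(h["ip"], h["name"]) for h in hosts if now - h["first_seen"] <= window]


def seen_within(hosts, field, days, now=REPORT_TIME):
    """Hosts whose `field` timestamp is set and no older than `days`."""
    cutoff = now - timedelta(days=days)
    return [h for h in hosts if h[field] is not None and h[field] >= cutoff]


def stale_hosts(hosts, days=30, now=REPORT_TIME):
    """Known hosts with no observation in `days`: the scanning gap Control 4 is after."""
    recent = {h["ip"] for h in seen_within(hosts, "last_seen", days, now)}
    return [h["ip"] for h in hosts if h["ip"] not in recent]


def coverage(hosts, now=REPORT_TIME):
    """Control 4 summary: known systems, 30-day observed, credentialed-scan percentage."""
    total = len(hosts)
    cred30 = len(seen_within(hosts, "last_credentialed", 30, now))
    return {
        "total": total,
        "seen_30d": len(seen_within(hosts, "last_seen", 30, now)),
        "credentialed_30d_pct": round(100.0 * cred30 / total, 1) if total else 0.0,
        "credentialed_7d": len(seen_within(hosts, "last_credentialed", 7, now)),
    }


if __name__ == "__main__":
    print("New hosts (48h):", new_hosts(HOSTS))
    print("Coverage:", coverage(HOSTS))
    print("Not scanned in 30 days:", stale_hosts(HOSTS))
```

The list worth acting on is the one the report's charts only imply: hosts that are known but have not been observed in the window (stale_hosts), and hosts observed only passively with no credentialed scan at all, since an uncredentialed view misses the local patch state that Control 4 is meant to measure.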


Total Systems


System Scanned within 30 Days

30 Day Scanned Asset Summary


Top 100 Systems Scanned within 30 Days

IP Address     | NetBIOS Name      | DNS Name                            | OS CPE
172.31.104.253 |                   |                                     |
172.31.104.251 |                   |                                     | cpe:/o:linux:linux_kernel:2.6
172.31.104.146 |                   |                                     | cpe:/o:microsoft:windows_7::sp1:x86-enterprise
172.31.104.144 |                   |                                     |
172.31.104.140 |                   |                                     |
172.31.104.138 |                   |                                     |
172.31.104.137 |                   |                                     | cpe:/o:apple:mac_os_x:10.8
172.31.104.136 |                   |                                     |
172.31.104.135 | UNKNOWN\GRD-LPTP  |                                     | cpe:/o:microsoft:windows_7:::enterprise
172.31.104.134 | NPROTECT\JND-DTP  |                                     | cpe:/o:microsoft:windows_7::sp1:x64-enterprise
172.31.104.132 |                   |                                     |
172.31.104.131 |                   |                                     | cpe:/o:apple:mac_os_x:10.8
172.31.104.130 | UNKNOWN\LPTP01    |                                     | cpe:/o:apple:mac_os_x:10.8
172.31.104.129 |                   |                                     |
172.31.103.253 |                   |                                     |
172.31.102.253 |                   |                                     |
172.31.102.251 |                   | cisco-lwapp-controller.nprotect.int | cpe:/o:linux:linux_kernel:2.6
172.31.102.250 |                   |                                     |
172.31.102.222 |                   |                                     |
172.31.102.221 |                   |                                     |
172.31.100.253 |                   |                                     |
172.31.100.102 | WORKGROUP\NAS3T   |                                     | cpe:/o:debian:debian_linux:5.0
172.31.100.65  |                   | scan01.melcara.com                  | cpe:/o:centos:centos:6:update4
172.31.100.64  |                   | pvs01.melcara.com                   | cpe:/o:centos:centos:6:update4
172.31.100.63  |                   | lce01.melcara.com                   | cpe:/o:centos:centos:6:update4
172.31.100.62  |                   | sc01.melcara.com                    | cpe:/o:centos:centos:6:update4
172.31.100.56  |                   |                                     | cpe:/o:hp:hp-ux:9.05
172.31.100.55  |                   |                                     |
172.31.100.40  |                   |                                     | cpe:/o:linux:linux_kernel:2.6
172.31.100.29  |                   |                                     | cpe:/o:vmware:esx_server
172.31.100.26  |                   |                                     | cpe:/o:vmware:esx_server
172.31.100.11  | NPROTECT\DC02     | dc02.nprotect.int                   | cpe:/o:microsoft:windows_server_2008:r2:sp1:x64-enterprise


Systems Scanned Credentials within 7 Days Summary

Top 100 Systems Scanned Credentials within 7 Days Summary

IP Address     | NetBIOS Name     | DNS Name          | OS CPE
172.31.104.134 | NPROTECT\JND-DTP |                   | cpe:/o:microsoft:windows_7::sp1:x64-enterprise
172.31.100.11  | NPROTECT\DC02    | dc02.nprotect.int | cpe:/o:microsoft:windows_server_2008:r2:sp1:x64-enterprise


SANS Control 5 - Malware Controls


Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading: Use automated anti-virus and anti-spyware software to
continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent
network devices from using auto-run programs to access removable media.
This chapter displays results from the Tenable Malicious Process Detection plugin and provides details on virus anomalies and active virus detection.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)


Malicious Process Detection

Asset Summary Malicious Process Detection

Top 100 hosts with malicious process detected


Virus Spike

Virus Spike

Top 100 Systems with Virus Spike


Active Virus

Active Virus

Top 100 Active Virus Event Summary by Host


SANS Control 6 - Web Application Security


Neutralize vulnerabilities in web-based and other application software: Carefully test internally developed and third-party application software for security flaws,
including coding errors and malware. Deploy web application firewalls that inspect all traffic, and explicitly check for errors in all user input (including by size and
data type).
This chapter uses PVS and a wide variety of plugins to passively identify vulnerabilities in web applications, including unsupported or vulnerable software versions.
Included tests are SQL injection, CGI abuses, backdoors, XSS, DNS and FTP checks, IMAP, SMTP and POP checks, Internet service checks, and web server checks,
sorted by severity.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls CM-7, RA-5 (a, 1), SA-3, SA-4 (3), SA-8, SI-3, SI-10
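Most rows in this chapter's table are passive version checks: PVS reads a Server or X-Powered-By banner off the wire and compares it against a "fixed in" version within one branch (Apache 2.2 < 2.2.24, PHP 5.3.x < 5.3.22), and the two configuration rows (HttpOnly cookies, autocomplete on a password field) come from inspecting the response itself. The following is an added example of that logic, not code from the report or from PVS: the HTTP response is constructed, the version thresholds are copied from the table, and the function names are this example's own.

```python
import re

# Constructed HTTP response in the shape a passive sensor sees on the wire;
# banner versions chosen to trip several of the table's checks.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form method="post"><input type="password" name="pw"></form>'
)

# (product, affected branch, fixed-in version, finding) with thresholds taken
# from the table in this chapter. Each check applies only to its branch, as
# the "5.3.x < 5.3.22" wording implies; a 5.4 build is out of scope for it.
VERSION_CHECKS = [
    ("Apache", "2.2", "2.2.24", "Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities"),
    ("Apache", "2.2", "2.2.23", "Apache 2.2 < 2.2.23 Multiple Vulnerabilities"),
    ("PHP", "5.3", "5.3.22", "PHP 5.3.x < 5.3.22 Multiple Vulnerabilities"),
    ("PHP", "5.3", "5.3.21", "PHP 5.3.x < 5.3.21 cURL X.509 Certificate Domain Name Matching MiTM Weakness"),
    ("PHP", "5.4", "5.4.5", "PHP 5.4.x < 5.4.5 _php_stream_scandir Overflow"),
]

# Which header carries which product's version string.
BANNER_PATTERNS = {
    "server": ("Apache", re.compile(r"Apache/(\d+\.\d+\.\d+)")),
    "x-powered-by": ("PHP", re.compile(r"PHP/(\d+\.\d+\.\d+)")),
}


def parse_version(text):
    """'2.2.22' -> (2, 2, 22); tuples compare numerically, unlike strings."""
    return tuple(int(p) for p in text.split("."))


def split_response(raw):
    """Return ([(header name lowercased, value)], body) from a raw response."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def banner_versions(headers):
    """Pull product versions out of the Server / X-Powered-By banners."""
    found = {}
    for name, value in headers:
        if name in BANNER_PATTERNS:
            product, pattern = BANNER_PATTERNS[name]
            m = pattern.search(value)
            if m:
                found[product] = parse_version(m.group(1))
    return found


def version_findings(versions):
    """Apply the branch-scoped 'older than the fixed version' checks."""
    findings = []
    for product, branch, fixed, text in VERSION_CHECKS:
        v = versions.get(product)
        if v is None or ".".join(map(str, v[:2])) != branch:
            continue
        if v < parse_version(fixed):
            findings.append(text)
    return findings


def config_findings(headers, body):
    """The two configuration checks from the table: HttpOnly and autocomplete."""
    findings = []
    if any(n == "set-cookie" and "httponly" not in v.lower() for n, v in headers):
        findings.append("Web Server HttpOnly Cookies Not In Use")
    for tag in re.findall(r"<input[^>]*>", body, flags=re.I):
        if re.search(r'type\s*=\s*"?password', tag, re.I) and not re.search(r'autocomplete\s*=\s*"?off', tag, re.I):
            findings.append("Autocomplete Not Disabled for 'Password' Field")
            break
    return findings


def assess(raw):
    """Findings for one observed response, version checks first."""
    headers, body = split_response(raw)
    return version_findings(banner_versions(headers)) + config_findings(headers, body)


if __name__ == "__main__":
    for finding in assess(SAMPLE_RESPONSE):
        print(finding)
```

Two things the table's numbers inherit from this method: overlapping rows fire together (a single Apache 2.2.22 banner is counted under both the < 2.2.23 and < 2.2.24 rows), and a banner says nothing about backported fixes, so a distribution build that keeps the old version string while shipping the patched code is a false positive. Treat a passive version hit as a lead and confirm it with a credentialed scan under Control 4 before counting it as open.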

Top 25 Hosts with Web Vulnerability Activity


Top 100 Web Application Vulnerabilities

Plugin | Total | Severity | Plugin Name | Family
5824 | | High | PHP 5.3 < 5.3.6 String To Double Conversion DoS | Web Servers
6015 | | High | PHP 5.3 < 5.3.7 Multiple Vulnerabilities | Web Servers
6017 | | High | PHP 5.3.7 crypt() MD5 Incorrect Return Value | Web Servers
6021 | | High | Apache 2.2 < 2.2.20 Multiple Vulnerabilities | Web Servers
6062 | | High | Apache 2.2 < 2.2.21 mod_proxy_ajp DoS | Web Servers
6129 | | High | OpenSSL 0.9.8 < 0.9.8s / 1.x < 1.0.0f Multiple Vulnerabilities | Web Servers
6263 | | High | PHP < 5.3.9 Multiple Vulnerabilities | Web Servers
6302 | | High | Apache 2.2 < 2.2.22 Multiple Vulnerabilities | Web Servers
6304 | | High | PHP 5.3.9 php_register_variable_ex() Code Execution | Web Servers
6494 | | High | PHP 5.3.x < 5.3.13 CGI Query String Code Execution | Web Servers
6495 | | High | PHP 5.3.x < 5.4.3 Multiple Vulnerabilities | Web Servers
6530 | | High | PHP 5.4.x < 5.4.5 _php_stream_scandir Overflow | Web Servers
6556 | | High | PHP 5.3.x < 5.3.15 Multiple Vulnerabilities | Web Servers
55976 | | High | Apache HTTP Server Byte Range DoS | Web Servers
3038 | | High | phpBB < 2.0.16 viewtopic.php Arbitrary Code Execution | CGI
3657 | | High | TWiki Privilege Escalation | CGI
6332 | | High | Apache Tomcat 6.0.x < 6.0.35 Multiple Vulnerabilities | Web Servers
12218 | | Medium | mDNS Detection | Service detection
2810 | | Medium | Autocomplete Not Disabled for 'Password' Field | Web Servers
5720 | | Medium | OpenSSL < 0.9.8q / 1.0.0c Multiple Vulnerabilities | Web Servers
5782 | | Medium | OpenSSL < 0.9.8r / 1.0.0d OCSP Stapling Denial of Service | Web Servers
5799 | | Medium | Web Server HttpOnly Cookies Not In Use | Web Servers
6400 | | Medium | OpenSSL 0.9.8 < 0.9.8u / 1.0.0 < 1.0.0h Multiple Vulnerabilities | Web Servers
6576 | | Medium | Apache 2.2 < 2.2.23 Multiple Vulnerabilities | Web Servers
6671 | | Medium | PHP 5.3.x < 5.3.21 cuRL X.509 Certificate Domain Name Matching MiTM Weakness | Web Servers
6701 | | Medium | Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities | Web Servers
6707 | | Medium | PHP 5.3.x < 5.3.22 Multiple Vulnerabilities | Web Servers
10678 | | Medium | Apache mod_info /serverinfo Information Disclosure | Web Servers
55640 | | Medium | SQL Dump Files Disclosed via Web Server | CGI abuses
57640 | | Medium | Web Application Information Disclosure | CGI abuses
57792 | | Medium | Apache HTTP Server httpOnly Cookie Information Disclosure | Web Servers
3703 | | Medium | Recursive DNS Server Detection | DNS Servers
20007 | | Medium | SSL Version 2 (v2) Protocol Detection | Service detection
3223 | | Medium | Twiki rev Parameter Arbitrary Shell Command Execution | CGI
5789 | | Medium | Apache Tomcat 6.0.x < 6.0.30 Multiple Vulnerabilities | Web Servers
5790 | | Medium | Apache Tomcat 6.0.x < 6.0.32 Denial of Service Vulnerability | Web Servers
6018 | | Medium | Apache Tomcat 6.0.x < 6.0.33 Multiple Vulnerabilities | Web Servers
6657 | | Medium | Apache Tomcat 6.0.x < 6.0.36 Multiple Vulnerabilities | Web Servers
10079 | | Medium | Anonymous FTP Enabled | FTP
11411 | | Medium | Backup Files Disclosure | CGI abuses
19782 | | Medium | FTP Writable Directories | FTP
39466 | | Medium | CGI Generic Cross-Site Scripting (quick test) | CGI abuses : XSS
49067 | | Medium | CGI Generic HTML Injections (quick test) | CGI abuses : XSS
55903 | | Medium | CGI Generic Cross-Site Scripting (extended patterns) | CGI abuses : XSS
4666 | | Low | Internal IP Address Disclosure | Web Servers
26194 | | Low | Web Server Uses Plain Text Authentication Forms | Web Servers
1134 | | Low | Web Server SSLv2 Detection | Web Servers
1724 | | Low | Microsoft Web Server Detection | Web Servers
10663 | | Low | DHCP Server Detection | Service detection
34324 | | Low | FTP Supports Clear Text Authentication | FTP
22964 | 70 | Info | Service Detection | Service detection
25221 | 56 | Info | Remote listeners enumeration (Linux / AIX) | Service detection
11111 | 26 | Info | RPC Services Enumeration | Service detection
1442 | 15 | Info | Web Server Detection | Web Servers
10267 | 10 | Info | SSH Server Type and Version Information | Service detection
5273 | 10 | Info | YouTube Usage Detection | Internet Services
10884 | | Info | Network Time Protocol (NTP) Server Detection | Service detection
3830 | | Info | Web Server Detection on Port Other Than TCP/80 | Web Servers
24260 | | Info | HyperText Transfer Protocol (HTTP) Information | Web Servers
10107 | | Info | HTTP Server Type and Version | Web Servers
49704 | | Info | External URLs | Web Servers
6479 | | Info | HTTP Server Insecure Authentication (Basic) | Web Servers
43111 | | Info | HTTP Methods Allowed (per directory) | Web Servers
10281 | | Info | Telnet Server Detection | Service detection
17975 | | Info | Service Detection (GET request) | Service detection
20301 | | Info | VMware ESX/GSX Server detection | Service detection
23777 | | Info | SLP Server Detection (TCP) | Service detection
23778 | | Info | SLP Server Detection (UDP) | Service detection
50845 | | Info | OpenSSL Detection | Service detection
20870 | | Info | LDAP Server Detection | Service detection
57396 | | Info | VMware vSphere Detect | Service detection
4667 | | Info | Persistent Cookie Utilization | Web Servers
10662 | | Info | Web mirroring | Web Servers
11032 | | Info | Web Server Directory Enumeration | Web Servers
11419 | | Info | Web Server Office File Inventory | CGI abuses
33817 | | Info | CGI Generic Tests Load Estimation (all tests) | CGI abuses
39470 | | Info | CGI Generic Tests Timeout | CGI abuses
40773 | | Info | Web Application Potentially Sensitive CGI Parameter Detection | CGI abuses
40984 | | Info | Browsable Web Directories | CGI abuses
42057 | | Info | Web Server Allows Password Auto-Completion | Web Servers
47830 | | Info | CGI Generic Injectable Parameter | CGI abuses
57323 | | Info | OpenSSL Version Detection | Web Servers
11153 | | Info | Service Detection (HELP Request) | Service detection
22227 | | Info | RMI Registry Detection | Service detection
53513 | | Info | Link-Local Multicast Name Resolution (LLMNR) Detection | Service detection
20285 | | Info | HP Integrated Lights-Out Detection | Service detection
45555 | | Info | Alert Standard Format / Remote Management and Control Protocol Detection | Service detection
5721 | | Info | Stuxnet Traffic Detection | Backdoors
10147 | | Info | Nessus Server Detection | Service detection
10666 | | Info | Apple Filing Protocol Server Detection | Service detection
25240 | | Info | Samba Server Detection | Service detection
6484 | | Info | Dropbox Software Detection | Internet Services
11819 | | Info | TFTP Daemon Detection | Service detection
1762 | | Info | Web Server JavaScript File (.js) Copyright Information | Web Servers
1804 | | Info | FTP Server Detection (Port 21) | FTP Servers
10092 | | Info | FTP Server Detection | Service detection
18261 | | Info | Apache Banner Linux Distribution Disclosure | Web Servers
40406 | | Info | CGI Generic Tests HTTP Errors | CGI abuses
49705 | | Info | Web Server Harvested Email Addresses | Web Servers
52703 | | Info | vsftpd Detection | FTP


SANS Control 7 - Wireless Device Control

Protect the security perimeter against unauthorized wireless access: Allow wireless devices to connect to the network only if they match an authorized configuration and security profile and have a documented owner and a defined business need. Ensure that all wireless access points are manageable using enterprise management tools. Configure scanning tools to detect wireless access points.
This chapter utilizes active and passive checks for Wireless Access Point Detection to report on the total number of WAP devices found, as well as a check that reports the number that have appeared over the last 7 days and whether they have any known vulnerabilities.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-17, AC-18 (1, 2, 3, 4), SC-9 (1), SC-24, SI-4 (14, 15)


WAP Count

WAP Count Chart

WAP Count Table

IP Address | MAC Address | OS CPE
172.31.104.129 | 00:15:99:a0:ba:51 |


New AP within the Last 7 days


Vulnerable WAP

Vulnerable WAP

Vulnerable WAP Table


SANS Control 10 - Secure Configurations for Network Devices

Preclude electronic holes from forming at connection points with the Internet, other organizations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. Ensure that any deviations from the standard configurations are documented and approved and that any temporary deviations are undone when the business need abates.
The results for this chapter are defined by keywords in vulnerability text that match text contained in several plugins. The sections report on the compliance status of Cisco IOS and Juniper devices.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-4 (7, 10, 11, 16), CM-1, CM-2 (1), CM-3 (2), CM-5 (1, 2, 5), CM-6 (4), CM-7 (1, 3), IA-2 (1, 6), IA-5, IA-8, RA-5, SC-7 (2, 4, 5, 6, 8, 11, 13, 14, 18), SC-9


Cisco Device Audit

Cisco Severity Summary

Cisco Top 100 Host/Vulnerability Table

IP Address | OS CPE | Total | Info | Low | Med. | High | Crit.
172.31.102.250 | | 11 | | | | |
172.31.100.253 | | | | | | |
172.31.102.253 | | | | | | |
172.31.103.253 | | | | | | |
172.31.104.253 | | | | | | |


Juniper Device Audit

Juniper Severity Summary


SANS Control 11 - Control of Ports/Protocols/Services

Allow remote access only to legitimate users and services: Apply host-based firewalls and port-filtering and scanning tools to block traffic that is not explicitly allowed. Properly configure web servers, mail servers, file and print services, and domain name system (DNS) servers to limit remote access. Disable automatic installation of unnecessary software components. Move servers inside the firewall unless remote access is required for business purposes.
This chapter utilizes Nessus and PVS to identify hosts and services active on the network. New services detected within the last 24 hours are also identified, allowing you to rapidly locate newly opened or vulnerable ports.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls CM-6 (a, b, d, 2, 3), CM-7 (1), SC-7 (4, 5, 11, 12)


Host On Network

Total Host Asset Summary


IP Address

NetBIOS Name

DNS Name

OS CPE

172.31.104.253
172.31.104.251

cpe:/o:linux:linux_kernel:2.6

172.31.104.146
cpe:/o:microsoft:windows_7::sp1:x86enterprise

172.31.104.144
172.31.104.140
172.31.104.138
172.31.104.137

cpe:/o:apple:mac_os_x:10.8

172.31.104.136
172.31.104.135

UNKNOWN\GRD-LPTP

cpe:/o:microsoft:windows_7:::enterprise

172.31.104.134

NPROTECT\JND-DTP

cpe:/o:microsoft:windows_7::sp1:x64enterprise

172.31.104.132
172.31.104.131
172.31.104.130

cpe:/o:apple:mac_os_x:10.8
UNKNOWN\LPTP01

cpe:/o:apple:mac_os_x:10.8

172.31.104.129
172.31.103.253
172.31.102.253
172.31.102.251

cisco-lwapp-controller.nprotect.int

cpe:/o:linux:linux_kernel:2.6

172.31.102.250
172.31.102.222
172.31.102.221
172.31.100.253
172.31.100.102

WORKGROUP\NAS3T

cpe:/o:debian:debian_linux:5.0

172.31.100.65

scan01.melcara.com

cpe:/o:centos:centos:6:update4

172.31.100.64

pvs01.melcara.com

cpe:/o:centos:centos:6:update4

172.31.100.63

lce01.melcara.com

cpe:/o:centos:centos:6:update4

172.31.100.62

sc01.melcara.com

cpe:/o:centos:centos:6:update4

172.31.100.56

cpe:/o:hp:hp-ux:9.05

172.31.100.55
172.31.100.40

cpe:/o:linux:linux_kernel:2.6


172.31.100.29

cpe:/o:vmware:esx_server

172.31.100.26

cpe:/o:vmware:esx_server

172.31.100.11

NPROTECT\DC02

dc02.nprotect.int

cpe:/
o:microsoft:windows_server_2008:r2:sp1:x64enterprise


New Services

New Port Service Summary


New Port Detail Summary

Port | Score | Total
443 | | 15
80 | | 15
22 | | 11
23 | |
3389 | |
445 | |
139 | |
135 | |
8080 | |
427 | |
53 | |
9100 | |
9000 | |
8194 | |
8193 | |
8192 | |
8100 | |
8000 | |
5989 | |
5200 | |
5001 | |
3689 | |
3269 | |
3268 | |
2638 | |
2030 | |
2020 | |
1099 | |
902 | |
636 | |
631 | |
593 | |
548 | |
515 | |
464 | |
389 | |
111 | |
88 | |
49 | |
21 | |


Port Scanner Identified Services

Port Scanner Identified Services


Top 100 Port Scanner Identified Services

Port | Total
443 | 45
80 | 45
22 | 43
62078 | 32
111 | 18
23 | 18
3389 | 12
445 | 12
139 | 12
135 | 12
427 | 10
631 |
49152 |
49154 |
8060 |
123 |
53 |
8194 |
8193 |
8192 |
8100 |
8080 |
8000 |
5989 |
902 |
464 |
389 |
88 |
49157 |
49155 |
49153 |
9100 |
5200 |
3269 |
3268 |
1099 |
636 |
593 |
515 |
49158 |
9000 |
8834 |
5355 |
4500 |
3689 |
2638 |
2030 |
2020 |
1900 |
1243 |
601 |
548 |
500 |
138 |
137 |
49 |
49206 |
49205 |
49190 |
49187 |
49156 |
47001 |
31300 |
9389 |
5353 |
1241 |
68 |
65370 |
65152 |
64756 |
64548 |
64547 |
63405 |
62636 |
61204 |
60901 |
60493 |
60208 |
60183 |
60050 |
60049 |
59640 |
59007 |
57700 |
56032 |
55984 |
55263 |
54791 |
54579 |
54189 |
54185 |
54158 |
53676 |
52768 |
52767 |
52555 |
52500 |
52452 |
52430 |
51720 |


SANS Control 12 - Controlled Use of Administrator Privileges

Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: (1) enticing users to open a malicious email, attachment, or file, or to visit a malicious website; and (2) cracking an administrative password and thereby gaining access to a target machine. Use robust passwords that follow Federal Desktop Core Configuration (FDCC) standards.
This chapter provides an indication of change in user accounts by utilizing LCE's ability to trend user creation, modification, and removal over the last 72 hours. Software deployments often include the creation, and many times the subsequent removal, of temporary accounts, all of which will also be detected. Other items under SANS Critical Control 12, such as the password requirements, are bundled in Control 16, which covers Account Monitoring.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-6 (2, 5), AC-17 (3), AC-19, AU-2 (4)


User Added

Asset Summary of New Users

New User Detailed Report


User Changes

Asset Summary of User Changes

User Change Detailed Report


User Removal

Asset Summary of User Changes

User Change Detailed Report


New User Creation

Asset Summary of New Users

New User Detailed Report


SANS Control 13 - Boundary Defense


Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines: Establish multilayered boundary
defenses by relying on firewalls, proxies, demilitarized zone (DMZ) perimeter networks, and other network-based tools. Filter inbound and outbound traffic, including
through business partner networks (extranets).
This chapter focuses on common anomalies that may indicate unwanted activity against internal systems. It displays devices identified as remote hosts listed in public botnet databases, websites that contain links listed in public malware databases, threat-list intrusion events, and threat-list statistics. Also shown are large statistical anomalies in firewall events, connections, and access-denied events, as well as authentication failures.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-17 (1), AC-20, CA-3, IA-2 (1, 2), IA-8, RA-5, SC-7 (1, 2, 3, 8, 10, 11, 14), SC-18,
SI-4 (c, 1, 4, 5, 11), PM-7


Linked to Bot List

Asset to Bot List Summary

Top 100 Host Linked to Bot List


Web Site Linked to Malicious Content

Asset Summary Web Site Links to Malicious Content

Top 100 Hosts with Web Site Links to Malicious Content


Threatlist Intrusion


Threatlist Statistics

Top 100 Host Threatlist Statistics


Firewall Anomaly Statistics

Firewall Anomaly Statistics

Firewall Anomaly Statistics


Connection Statistics

Asset Connection Statistics


Top 100 Connection Statistics

IP Address | LCE | Count
172.31.104.146 | lce01 | 40
172.31.104.131 | lce01 | 26
172.31.104.141 | lce01 | 22
172.31.100.65 | lce01 | 16
172.31.100.11 | lce01 | 12
172.31.104.143 | lce01 | 12
172.31.104.138 | lce01 | 12
172.31.104.144 | lce01 |
172.31.102.221 | lce01 |
172.31.104.142 | lce01 |
172.31.104.132 | lce01 |
172.31.104.137 | lce01 |
172.31.104.134 | lce01 |
172.31.104.135 | lce01 |
172.31.104.130 | lce01 |
172.31.100.62 | lce01 |
172.31.100.110 | lce01 |
172.31.104.157 | lce01 |
172.31.104.136 | lce01 |
172.31.104.129 | lce01 |
172.31.102.223 | lce01 |


Access Denied Anomaly Statistics

Access Denied Anomaly Statistics

Top 100 - Access Denied Anomaly Statistics


Login Failure Large Anomaly Statistics

Asset Login Failure Large Anomaly Statistics

Top 100 - Login Failure Large Anomaly Statistics


SANS Control 14 - Monitoring and Analysis of Logs

Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines: Generate standardized logs for each hardware device and the software installed on it, including date, time stamp, source addresses, destination addresses, and other information about each packet and/or transaction. Store logs on dedicated servers, and run biweekly reports to identify and document anomalies.
This chapter displays a detailed log analysis. First, a 48-hour event summary is provided, followed by logs that report intrusions, system failures, DNS problems, long-term error trends, and denial of service activity.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-17 (1), AC-19, AU-2 (4), AU-3 (1, 2), AU-4, AU-5, AU-6 (a, 1, 5), AU-8, AU-9 (1, 2), AU-12 (2), SI-4 (8)


48 Hour Total Event Summary


Event Trend Summary


Event Trend Analysis

Event Type | Count
application | 39
connection | 143043
continuous | 268
data-leak | 60
detected-change | 331
dns | 314758
error | 968
firewall | 144355
intrusion |
lce | 1991
login | 16747
login-failure | 42
logout | 8990
nbs |
network | 46682160
process |
social-networks | 139
stats | 562
system | 997
unnormalized | 71793
web-access | 474388

May 5, 2013 19:43:34 to May 7, 2013 19:43:34


Long Term Intrusion Activity

Long Term Intrusion Activity

Long Term Intrusion Activity


Multiple System Crashes

Multiple System Crashes

Top 100 Multiple System Crashes


Long Term DNS Failures

Long Term DNS Failures


Top 100 Long Term DNS Failures

IP Address | LCE | Count
172.31.100.11 | lce01 | 241
172.31.104.134 | lce01 | 112
172.31.104.132 | lce01 | 43
172.31.104.137 | lce01 | 28
172.31.104.143 | lce01 | 22
172.31.104.141 | lce01 | 13
172.31.104.135 | lce01 | 11
172.31.104.146 | lce01 |
172.31.100.65 | lce01 |
172.31.100.110 | lce01 |
172.31.104.142 | lce01 |


Long Term Error Activity

Long Term Error Activity

Top 100 Long Term Error Activity


Long Term DOS Activity

Long Term DOS Activity

Top 100 Long Term DOS Activity


SANS Control 15 - Controlled Access/Data Leakage

Prevent attackers from gaining access to highly sensitive data: Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure, and ensure that only authenticated users have access to nonpublic data and files.
This chapter focuses on Nessus vulnerability data, sorted by severity, that may lead to the exfiltration of sensitive data, as well as utilizing PVS's ability to capture sensitive data in transit. A handful of the triggers are: Peer to Peer File Sharing, IM, FTP, and PVS's Data Leakage plugins.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-1, AC-2 (b, c), AC-3 (4), AC-4, AC-6, MP-3, RA-2 (a)


Asset Summary Controlled Access/Data Leakage


Top 100 - Controlled Access/Data Leakage

Plugin | Total | Severity | Plugin Name | Family
10079 | | Medium | Anonymous FTP Enabled | FTP
19782 | | Medium | FTP Writable Directories | FTP
2406 | | Low | Skype Detection (Host) | Internet Messengers
1273 | | Low | Yahoo! Messenger Detection | Internet Messengers
5980 | | Low | Yahoo! Messenger Detection | Internet Messengers
34324 | | Low | FTP Supports Clear Text Authentication | FTP
3963 | | Info | .pdf Document File Detection | Data Leakage
4672 | | Info | Possible User ID and Password Sent Within a Web Form (POST) | Data Leakage
4673 | | Info | Possible User ID and Password Sent Within a Web Form (GET) | Data Leakage
5214 | | Info | XML Request Possible userID / password Cleartext Remote Disclosure | Data Leakage
4570 | | Info | Jabber Client Detection | Internet Messengers
52703 | | Info | vsftpd Detection | FTP


SANS Control 16 - Account Monitoring and Control

Keep attackers from impersonating legitimate users: Review all system accounts and disable any that are not associated with a business process and owner. Immediately revoke system access for terminated employees or contractors. Disable dormant accounts and encrypt and isolate any files associated with such accounts. Use robust passwords that conform to FDCC standards.
This chapter displays several different account event anomalies that have appeared on the defined network over the last 48 hours, such as login failures, account lockout events, password guessing, and successful password guessing. Also displayed are events showing account-related settings found by active scanning, such as passwords that are set to never expire, have never been changed, are blank, or are set to the default.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-2 (e, f, g, h, j, 2, 3, 4, 5), AC-3


Login Failure Events

Asset Login Failure Summary


Top 100 - User Login Failure

User | Count
administrator | 21
aevauzac |
bykwalcs |
cewlmzfy |
donbsgym |
dpscwvne |
dquwthgx |
dyhozudz |
ebcluxwf |
ecnzuwju |

May 5, 2013 19:43:34 to May 7, 2013 19:43:34

Top 100 - Host Login Failure

IP Address | LCE | Count
172.31.100.11 | lce01 | 42
172.31.100.65 | lce01 | 42


Password Guessing Intrusion Events

Asset Password Never Expires

Top 100 Hosts - Password Guessing Intrusion

IP Address | Count
172.31.100.11 |
172.31.100.65 |


Successful Password Guessing Events

Asset Summary Successful Password Guessing Events

Top 100 hosts with successful password guessing events.


User Account Locked Out Events

Assets User Account Locked Out Summary

Top 100 users with accounts locked out.

Top 100 Systems with user account lockout events.


Password Never Expires

Asset Password Never Expires

Top 100 hosts with user accounts whose passwords do not expire.

IP Address | NetBIOS Name | DNS Name | OS CPE
172.31.100.11 | NPROTECT\DC02 | dc02.nprotect.int | cpe:/o:microsoft:windows_server_2008:r2:sp1:x64enterprise
172.31.104.141 | UNKNOWN\FAMILY-PC | |


Passwords Never Changed

Asset Password Never Change

Top 100 hosts with user accounts that have never changed passwords.

IP Address       NetBIOS Name         DNS Name            OS CPE
172.31.100.11    NPROTECT\DC02        dc02.nprotect.int   cpe:/o:microsoft:windows_server_2008:r2:sp1:x64enterprise
172.31.104.134   NPROTECT\JND-DTP                         cpe:/o:microsoft:windows_7::sp1:x64enterprise
172.31.104.141   UNKNOWN\FAMILY-PC


Account with Blank Password

Asset Account with Blank Password Summary

Top 100 hosts with user accounts that have never changed passwords.


Windows Administrator Default Password

Asset Windows Administrator Default Password Summary

Top 100 hosts with administrators with the default password.


SANS Control 17 - Data Loss Prevention


Stop unauthorized transfer of sensitive data through network attacks and physical theft: Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers. Monitor people, processes, and systems using a centralized management framework.
From PVS's Data Leakage family of plugins to Nessus active scanning plugins that report USB device usage, this chapter reports on events that could potentially be data leakage events. Dropbox usage and BitTorrent activity are also reported.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls: AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1), SI-4 (4, 11), PM-7


Data Leakage

Asset Data Leakage Summary

Top 100 hosts with data leakage vulnerabilities.

IP Address       NetBIOS Name   DNS Name             Score   OS CPE                                  Total  Info  Low  Med.  High  Crit.
172.31.100.65                   scan01.melcara.com           cpe:/o:centos:centos:6:update4
172.31.102.223                                               cpe:/o:canonical:ubuntu_linux:11.04

(Score and severity counts were not recovered from the extracted page, apart from a single value, 2, beside the 172.31.102.223 row whose column could not be determined.)


USB Device Usage

IP Address       NetBIOS Name       DNS Name   Score   OS CPE
172.31.104.134   NPROTECT\JND-DTP              0       cpe:/o:microsoft:windows_7::sp1:x64enterprise


Dropbox Software Detection

Asset Dropbox Software Detection Summary

Top 100 hosts with Dropbox software detection.


BitTorrent Activity

Asset BitTorrent Detection Summary

Top 100 hosts with BitTorrent detection.


SANS Control 20 - Penetration Testing/Exploits


Use simulated attacks to improve organizational readiness: Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage. Use periodic red team exercises, all-out attempts to gain access to critical data and systems, to test existing defenses and response capabilities.
Just as penetration testing seeks out vulnerabilities and attempts exploits, this chapter focuses on exploitable vulnerabilities found by active and passive scanning. Active scan results based on patching levels are analyzed, along with whether any active exploits exist against the vulnerabilities. The report also covers mobile devices and web clients that are passively monitored by PVS using many active and passive plugins.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls: CA-2 (1, 2), CA-7 (1, 2), RA-3, RA-5 (4, 9), SA-12 (7)


Client Side Patch Related Vulnerabilities

Asset Summary Client Side Patch Related Vulnerabilities

Top 100 hosts with client side patch related vulnerabilities.


Mobile Device Passive Vulnerabilities

Asset Summary Mobile Device Passive Vulnerabilities

Top 100 mobile devices with client side passive vulnerabilities.


Web Client Passive Vulnerabilities

Asset Summary Web Client Passive Vulnerabilities


Top 100 mobile devices with client side passive vulnerabilities.

IP Address       NetBIOS Name       DNS Name   Score   OS CPE                                           Total  Info  Low  Med.  High  Crit.
172.31.100.110                                 30
172.31.104.131                                 30      cpe:/o:apple:mac_os_x:10.8
172.31.104.133                                 30      cpe:/o:apple:mac_os_x:10.8
172.31.104.135   UNKNOWN\GRDLPTP               20      cpe:/o:microsoft:windows_7:::enterprise
172.31.104.134   NPROTECT\JNDDTP               10      cpe:/o:microsoft:windows_7::sp1:x64-enterprise

(Table reassembled from the extracted layout. The two Mac OS X 10.8 CPE entries are placed on 172.31.104.131 and 172.31.104.133, the hosts that carry that CPE in the General Passive Vulnerabilities table below. The severity counts were not recovered, apart from the values 2 (beside the 172.31.104.135 row) and 1 (beside the 172.31.104.134 row), whose columns could not be determined.)


General Passive Vulnerabilities

Asset Summary General Passive Vulnerabilities


Top 100 hosts with general passive vulnerabilities

IP Address       NetBIOS Name       DNS Name                             Score   OS CPE
172.31.104.144                                                                   cpe:/o:microsoft:windows_7::sp1:x86-enterprise
172.31.104.143                                                                   cpe:/o:freebsd:freebsd:6.0
172.31.104.140
172.31.104.139
172.31.104.138
172.31.104.137
172.31.104.253
172.31.104.251
172.31.104.157
172.31.104.142
172.31.104.141   UNKNOWN\FAMILYPC
172.31.104.136
172.31.104.133                                                                   cpe:/o:apple:mac_os_x:10.8
172.31.104.132
172.31.104.135   UNKNOWN\GRDLPTP                                         0       cpe:/o:microsoft:windows_7:::enterprise
172.31.104.131                                                                   cpe:/o:apple:mac_os_x:10.8
172.31.104.130   UNKNOWN\LPTP01
172.31.104.129
172.31.103.253
172.31.102.253
172.31.102.251                      cisco-lwapp-controller.nprotect.int  0
172.31.102.250
172.31.102.223                                                                   cpe:/o:canonical:ubuntu_linux:11.04
172.31.100.253
172.31.100.110
172.31.100.102   WORKGROUP\NAS3T
172.31.100.65                       scan01.melcara.com                           cpe:/o:centos:centos:6:update4
172.31.100.64                       pvs01.melcara.com                            cpe:/o:centos:centos:6:update4
172.31.100.63                       lce01.melcara.com                            cpe:/o:centos:centos:6:update4
172.31.100.62                       sc01.melcara.com                             cpe:/o:centos:centos:6:update4
172.31.100.40                                                                    cpe:/o:linux:linux_kernel:2.6
172.31.100.29                                                                    cpe:/o:vmware:esx_server
172.31.100.11    NPROTECT\DC02      dc02.nprotect.int                            cpe:/o:microsoft:windows_server_2008:r2:sp1:x64enterprise

(Table reassembled from the extracted layout. OS CPE values are placed only where they sit directly beside a host or where another table in this report confirms the pairing; the remaining OS CPE values on the page, cpe:/o:linux:linux_kernel:2.6 (two entries), cpe:/o:apple:mac_os_x:10.8 (three entries) and cpe:/o:debian:debian_linux:5.0, could not be assigned to a host. The Total/Info/Low/Med./High/Crit. counts were not recovered; the stray values 2, 3, 24, 67, 16, 22, 27, 338, 10, 9 and 5 on the extracted page could not be assigned to a row or column.)


Port Range 1-1024 Passive Vulnerabilities

Asset Summary Port Range 1-1024 Passive Vulnerabilities

Top 100 Hosts Port Range 1-1024 Passive Vulnerabilities


Port Range 1025-5000 Passive Vulnerabilities

Asset Summary Port Range 1025-5000 Passive Vulnerabilities

Top 100 Hosts Port Range 1025-5000 Passive Vulnerabilities


Port Range 5001-10000 Passive Vulnerabilities

Asset Summary Port Range 5001-10000 Passive Vulnerabilities

Top 100 Hosts Port Range 5001-10000 Passive Vulnerabilities


Port Range 10000+ Passive Vulnerabilities

Asset Summary Port Range 10000+ Passive Vulnerabilities

Top 100 Hosts Port Range 10000+ Passive Vulnerabilities
