SANS Top 20 Critical Controls Report


8/12/2019 SANS Top 20 Critical Controls Report, 1/107

SecurityCenter 4
TENABLE NETWORK SECURITY INC., COPYRIGHT 2013

MELCARA - CODY HOME NETWORK

SANS Top 20 Critical Controls Report
May 7, 2013 at 7:43pm EDT [cody]

Confidential: The following report contains confidential information. Do not distribute, email, fax, or transfer via any electronic mechanism unless it has been approved by the recipient company's security policy. All copies and backups of this document should be saved on protected storage at all times. Do not share any of the information contained within this report with anyone unless they are authorized to view the information. Violating any of the previous instructions is grounds for termination.

http://www.tenablesecurity.com/

    Table of Contents


Cisco Device Audit ........ 33
Juniper Device Audit ........ 34

SANS Control 11 - Control of Ports/Protocols/Services ........ 35
    Host On Network ........ 36
    New Services ........ 39
    Port Scanner Identified Services ........ 42

SANS Control 12 - Controlled Use of Administrator Privileges ........ 47
    User Added ........ 48
    User Changes ........ 49
    User Removal ........ 50
    New User Creation ........ 51

SANS Control 13 - Boundary Defense ........ 52
    Linked to Bot List ........ 53
    Web Site Linked to Malicious Content ........ 54
    Threatlist Intrusion ........ 55
    Threatlist Statistics ........ 56
    Firewall Anomaly Statistics ........ 57
    Connection Statistics ........ 58
    Access Denied Anomaly Statistics ........ 60
    Login Failure Large Anomaly Statistics ........ 61

SANS Control 14 - Monitoring and Analysis of Logs ........ 62
    Event Trend Summary ........ 64
    Long Term Intrusion Activity ........ 67
    Multiple System Crashes ........ 68
    Long Term DNS Failures ........ 69
    Long Term Error Activity ........ 71
    Long Term DOS Activity ........ 72

SANS Control 15 - Controlled Access/Data Leakage ........ 73


SANS Control 16 - Account Monitoring and Control ........ 76
    Login Failure Events ........ 77
    Password Guessing Intrusion Events ........ 80
    Successful Password Guessing Events ........ 81
    User Account Locked Out Events ........ 82
    Password Never Expires ........ 83
    Passwords Never Changed ........ 84
    Account with Blank Password ........ 85
    Windows Administrator Default Password ........ 86

SANS Control 17 - Data Loss Prevention ........ 87
    Data Leakage ........ 88
    USB Device Usage ........ 89
    Dropbox Software Detection ........ 90
    BitTorrent Activity ........ 91

SANS Control 20 - Penetration Testing/Exploits ........ 92
    Client Side Patch Related Vulnerabilities ........ 93
    Mobile Device Passive Vulnerabilities ........ 94
    Web Client Passive Vulnerabilities ........ 95
    General Passive Vulnerabilities ........ 97
    Port Range 1-1024 Passive Vulnerabilities ........ 100
    Port Range 1025-5000 Passive Vulnerabilities ........ 101
    Port Range 5001-10000 Passive Vulnerabilities ........ 102
    Port Range 10000+ Passive Vulnerabilities ........ 103


    SANS Top 20 Overview

The 20 Critical Controls are being prioritized for implementation by organizations that understand the evolving risk of cyber attack. Leading adopters include the U.S. National Security Agency, the British Centre for the Protection of National Infrastructure, and the U.S. Department of Homeland Security Federal Network Security Program. Ten state governments as well as power generation and distribution companies and defense contractors are among the hundreds of organizations that have shifted from a compliance focus to a security focus by adopting the Critical Controls.

All of these entities changed over to the Critical Controls in answer to the key question: What needs to be done right now to protect my organization from known attacks? Adopting and operationalizing the Critical Controls allows organizations to easily document those security processes to demonstrate compliance.

The Critical Controls reflect the consensus of major organizations with a deep understanding of how cyber attacks are carried out in the real world, why the attacks succeed, and what specific controls can stop them or mitigate their damage. Failure by management to implement the Critical Controls puts an organization's sensitive data or processes at great risk.

The Critical Controls are regularly updated by an international consortium headed by Tony Sager, who recently served as chief of the NSA's Vulnerability Analysis and Operations Group (which includes the NSA Red and Blue Teams and other top national cyber talent).

http://www.sans.org/critical-security-controls/


    SANS Control 1 - New Devices Detected

Reduce the ability of attackers to find and exploit unauthorized and unprotected systems: Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops, and remote devices.

This chapter utilizes Nessus and PVS plugins (active and passive) to report new hosts found in the network over the last 48 hours by recording the network address and machine names.

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls: CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6

New Hosts Table


    SANS Control 3 - Secure Configurations

Prevent attackers from exploiting services and settings that allow easy access through networks and browsers: Build a secure image that is used for all new systems deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images in a configuration management system.

The results for this chapter are defined by keywords in vulnerability text that match text contained in several plugins. The chapter sections provide mini-reports for compliance data against PCI, DISA, CIS, and HIPAA checks.

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls: CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6


    PCI Compliance Summary

    PCI Compliance Severity Summary


PCI Top 100 Host Table

IP Address     | NetBIOS Name      | DNS Name           | Score | Total | Info | Med. | High
172.31.100.62  |                   | sc01.melcara.com   |    50 |     5 |    0 |    0 |    5
172.31.100.63  |                   | lce01.melcara.com  |    50 |     5 |    0 |    0 |    5
172.31.100.64  |                   | pvs01.melcara.com  |    50 |     5 |    0 |    0 |    5
172.31.100.65  |                   | scan01.melcara.com |    50 |     5 |    0 |    0 |    5
172.31.100.40  |                   |                    |    20 |     3 |    1 |    0 |    2
172.31.104.141 | UNKNOWN\FAMILY-PC |                    |    20 |     2 |    0 |    0 |    2
172.31.100.11  | NPROTECT\DC02     | dc02.nprotect.int  |    10 |     1 |    0 |    0 |    1
172.31.100.26  |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.100.29  |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.100.55  |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.100.102 | WORKGROUP\NAS3T   |                    |    10 |     2 |    1 |    0 |    1
172.31.100.103 |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.100.110 |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.100.253 |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.104.134 | NPROTECT\JND-DTP  |                    |    10 |     1 |    0 |    0 |    1
172.31.104.135 | UNKNOWN\GRD-LPTP  |                    |    10 |     2 |    1 |    0 |    1
172.31.104.251 |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.104.253 |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.100.56  |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.129 |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.130 | UNKNOWN\LPTP01    |                    |     0 |     1 |    1 |    0 |    0
172.31.104.131 |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.133 |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.136 |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.137 |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.139 |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.140 |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.143 |                   |                    |     0 |     1 |    1 |    0 |    0


    DISA Compliance Summary

    DISA Compliance Severity Summary


DISA Top 100 Host Table

IP Address     | NetBIOS Name      | DNS Name           | Score | Total | Info | Med. | High
172.31.100.62  |                   | sc01.melcara.com   |    50 |     5 |    0 |    0 |    5
172.31.100.63  |                   | lce01.melcara.com  |    50 |     5 |    0 |    0 |    5
172.31.100.64  |                   | pvs01.melcara.com  |    50 |     5 |    0 |    0 |    5
172.31.100.65  |                   | scan01.melcara.com |    50 |     5 |    0 |    0 |    5
172.31.100.40  |                   |                    |    20 |     3 |    1 |    0 |    2
172.31.104.141 | UNKNOWN\FAMILY-PC |                    |    20 |     2 |    0 |    0 |    2
172.31.100.11  | NPROTECT\DC02     | dc02.nprotect.int  |    10 |     1 |    0 |    0 |    1
172.31.100.26  |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.100.29  |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.100.55  |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.100.102 | WORKGROUP\NAS3T   |                    |    10 |     2 |    1 |    0 |    1
172.31.100.103 |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.100.110 |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.100.253 |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.104.134 | NPROTECT\JND-DTP  |                    |    10 |     1 |    0 |    0 |    1
172.31.104.135 | UNKNOWN\GRD-LPTP  |                    |    10 |     2 |    1 |    0 |    1
172.31.104.251 |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.104.253 |                   |                    |    10 |     2 |    1 |    0 |    1
172.31.100.56  |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.129 |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.130 | UNKNOWN\LPTP01    |                    |     0 |     1 |    1 |    0 |    0
172.31.104.131 |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.133 |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.136 |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.137 |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.139 |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.140 |                   |                    |     0 |     1 |    1 |    0 |    0
172.31.104.143 |                   |                    |     0 |     1 |    1 |    0 |    0


    CIS Compliance Summary

    CIS Compliance Severity Summary


CIS Top 100 Host Table

IP Address     | NetBIOS Name      | DNS Name           | Score | Total | Info | Med. | High
172.31.100.63  |                   | lce01.melcara.com  |  2561 |   451 |  190 |    7 |  254
172.31.100.62  |                   | sc01.melcara.com   |  2541 |   452 |  193 |    7 |  252
172.31.100.64  |                   | pvs01.melcara.com  |  2521 |   451 |  194 |    7 |  250
172.31.100.65  |                   | scan01.melcara.com |  2515 |   452 |  183 |   25 |  244
172.31.100.11  | NPROTECT\DC02     | dc02.nprotect.int  |   571 |   162 |   72 |   47 |   43
172.31.104.141 | UNKNOWN\FAMILY-PC |                    |   545 |   162 |   76 |   45 |   41
172.31.104.134 | NPROTECT\JND-DTP  |                    |   541 |   162 |   75 |   47 |   40
172.31.104.135 | UNKNOWN\GRD-LPTP  |                    |   541 |   162 |   75 |   47 |   40


HIPAA Compliance Summary

HIPAA Compliance Severity Summary

HIPAA Top 100 Host Table

IP Address     | NetBIOS Name      | DNS Name           | Score | Total | Info | Med. | High
172.31.100.11  | NPROTECT\DC02     | dc02.nprotect.int  |   133 |    32 |   18 |    1 |   13
172.31.104.141 | UNKNOWN\FAMILY-PC |                    |   130 |    32 |   19 |    0 |   13


SANS Control 4 - Continuous Vulnerability Scanning

Proactively identify and repair software vulnerabilities reported by security researchers or vendors: Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities, with critical problems fixed within 48 hours.

This chapter displays the total number of known systems, the number that have been observed over the last 30 days, and the percentage of systems that have had a credentialed scan completed over the last 30 days. It allows you to determine if vulnerability scanning is occurring against all the systems in the specified range.

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls: RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6)


    Total Systems


    System Scanned within 30 Days

    30 Day Scanned Asset Summary


Top 100 Systems Scanned within 30 Days

IP Address     | NetBIOS Name      | DNS Name                            | OS CPE
172.31.104.253 |                   |                                     |
172.31.104.251 |                   |                                     | cpe:/o:linux:linux_kernel:2.6
172.31.104.146 |                   |                                     |
172.31.104.144 |                   |                                     | cpe:/o:microsoft:windows_7::sp1:x86-enterprise
172.31.104.140 |                   |                                     |
172.31.104.138 |                   |                                     |
172.31.104.137 |                   |                                     | cpe:/o:apple:mac_os_x:10.8
172.31.104.136 |                   |                                     |
172.31.104.135 | UNKNOWN\GRD-LPTP  |                                     | cpe:/o:microsoft:windows_7:::enterprise
172.31.104.134 | NPROTECT\JND-DTP  |                                     | cpe:/o:microsoft:windows_7::sp1:x64-enterprise
172.31.104.132 |                   |                                     |
172.31.104.131 |                   |                                     | cpe:/o:apple:mac_os_x:10.8
172.31.104.130 | UNKNOWN\LPTP01    |                                     | cpe:/o:apple:mac_os_x:10.8
172.31.104.129 |                   |                                     |
172.31.103.253 |                   |                                     |
172.31.102.253 |                   |                                     |
172.31.102.251 |                   | cisco-lwapp-controller.nprotect.int | cpe:/o:linux:linux_kernel:2.6
172.31.102.250 |                   |                                     |
172.31.102.222 |                   |                                     |
172.31.102.221 |                   |                                     |
172.31.100.253 |                   |                                     |
172.31.100.102 | WORKGROUP\NAS3T   |                                     | cpe:/o:debian:debian_linux:5.0
172.31.100.65  |                   | scan01.melcara.com                  | cpe:/o:centos:centos:6:update4
172.31.100.64  |                   | pvs01.melcara.com                   | cpe:/o:centos:centos:6:update4
172.31.100.63  |                   | lce01.melcara.com                   | cpe:/o:centos:centos:6:update4
172.31.100.62  |                   | sc01.melcara.com                    | cpe:/o:centos:centos:6:update4
172.31.100.56  |                   |                                     | cpe:/o:hp:hp-ux:9.05
172.31.100.55  |                   |                                     |
172.31.100.40  |                   |                                     | cpe:/o:linux:linux_kernel:2.6
172.31.100.29  |                   |                                     | cpe:/o:vmware:esx_server
172.31.100.26  |                   |                                     | cpe:/o:vmware:esx_server
172.31.100.11  | NPROTECT\DC02     | dc02.nprotect.int                   | cpe:/o:microsoft:windows_server_2008:r2:sp1:x64-enterprise


Systems Scanned Credentials within 7 Days Summary

Top 100 Systems Scanned Credentials within 7 Days Summary

IP Address     | NetBIOS Name      | DNS Name                            | OS CPE
172.31.104.134 | NPROTECT\JND-DTP  |                                     | cpe:/o:microsoft:windows_7::sp1:x64-enterprise
172.31.100.11  | NPROTECT\DC02     | dc02.nprotect.int                   | cpe:/o:microsoft:windows_server_2008:r2:sp1:x64-enterprise


    SANS Control 5 - Malware Controls

Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading: Use automated anti-virus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent network devices from using auto-run programs to access removable media.

This chapter displays results from the Tenable Malicious Process Detection plugin and provides details on virus anomalies and active virus detection.

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls: SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)


    Malicious Process Detection

    Asset Summary Malicious Process Detection

    Top 100 hosts with malicious process detected


Virus Spike

    Top 100 Systems with Virus Spike


Active Virus

    Top 100 Active Virus Event Summary by Host


    SANS Control 6 - Web Application Security

Neutralize vulnerabilities in web-based and other application software: Carefully test internally developed and third-party application software for security flaws, including coding errors and malware. Deploy web application firewalls that inspect all traffic, and explicitly check for errors in all user input (including by size and data type).

This chapter utilizes PVS and a wide variety of plugins to passively identify application vulnerabilities within web applications, even detecting unsupported or vulnerable software versions. Included tests are: SQL injections, CGI abuses, Backdoors, XSS, DNS and FTP checks, IMAP, SMTP, and POP checks, Internet Service Checks, and Web Server checks, sorted by severity.

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls: CM-7, RA-5 (a, 1), SA-3, SA-4 (3), SA-8, SI-3, SI-10

Top 25 Hosts with Web Vulnerable Activity


Top 100 Web Application Vulnerabilities

Plugin | Total | Severity | Plugin Name | Family
5824   | 2     | High     | PHP 5.3 < 5.3.6 String To Double Conversion DoS | Web Servers
6015   | 2     | High     | PHP 5.3 < 5.3.7 Multiple Vulnerabilities | Web Servers
6017   | 2     | High     | PHP 5.3.7 crypt() MD5 Incorrect Return Value | Web Servers
6021   | 2     | High     | Apache 2.2 < 2.2.20 Multiple Vulnerabilities | Web Servers
6062   | 2     | High     | Apache 2.2 < 2.2.21 mod_proxy_ajp DoS | Web Servers
6129   | 2     | High     | OpenSSL 0.9.8 < 0.9.8s / 1.x < 1.0.0f Multiple Vulnerabilities | Web Servers
6263   | 2     | High     | PHP < 5.3.9 Multiple Vulnerabilities | Web Servers
6302   | 2     | High     | Apache 2.2 < 2.2.22 Multiple Vulnerabilities | Web Servers
6304   | 2     | High     | PHP 5.3.9 php_register_variable_ex() Code Execution | Web Servers
6494   | 2     | High     | PHP 5.3.x < 5.3.13 CGI Query String Code Execution | Web Servers
6495   | 2     | High     | PHP 5.3.x < 5.4.3 Multiple Vulnerabilities | Web Servers
6530   | 2     | High     | PHP 5.4.x < 5.4.5 _php_stream_scandir Overflow | Web Servers
6556   | 2     | High     | PHP 5.3.x < 5.3.15 Multiple Vulnerabilities | Web Servers
55976  | 2     | High     | Apache HTTP Server Byte Range DoS | Web Servers
3038   | 1     | High     | phpBB < 2.0.16 viewtopic.php Arbitrary Code Execution | CGI
3657   | 1     | High     | TWiki Privilege Escalation | CGI
6332   | 1     | High     | Apache Tomcat 6.0.x < 6.0.35 Multiple Vulnerabilities | Web Servers
12218  | 2     | Medium   | mDNS Detection | Service detection
2810   | 2     | Medium   | Autocomplete Not Disabled for 'Password' Field | Web Servers
5720   | 2     | Medium   | OpenSSL < 0.9.8q / 1.0.0c Multiple Vulnerabilities | Web Servers
5782   | 2     | Medium   | OpenSSL < 0.9.8r / 1.0.0d OCSP Stapling Denial of Service | Web Servers
5799   | 2     | Medium   | Web Server HttpOnly Cookies Not In Use | Web Servers
6400   | 2     | Medium   | OpenSSL 0.9.8 < 0.9.8u / 1.0.0 < 1.0.0h Multiple Vulnerabilities | Web Servers
6576   | 2     | Medium   | Apache 2.2 < 2.2.23 Multiple Vulnerabilities | Web Servers
6671   | 2     | Medium   | PHP 5.3.x < 5.3.21 cURL X.509 Certificate Domain Name Matching MiTM Weakness | Web Servers
6701   | 2     | Medium   | Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities | Web Servers
6707   | 2     | Medium   | PHP 5.3.x < 5.3.22 Multiple Vulnerabilities | Web Servers
10678  | 2     | Medium   | Apache mod_info /server-info Information Disclosure | Web Servers
55640  | 2     | Medium   | SQL Dump Files Disclosed via Web Server | CGI abuses
57640  | 2     | Medium   | Web Application Information Disclosure | CGI abuses
57792  | 2     | Medium   | Apache HTTP Server httpOnly Cookie Information Disclosure | Web Servers
3703   | 1     | Medium   | Recursive DNS Server Detection | DNS Servers
20007  | 1     | Medium   | SSL Version 2 (v2) Protocol Detection | Service detection
3223   | 1     | Medium   | Twiki rev Parameter Arbitrary Shell Command Execution | CGI
5789   | 1     | Medium   | Apache Tomcat 6.0.x < 6.0.30 Multiple Vulnerabilities | Web Servers
5790   | 1     | Medium   | Apache Tomcat 6.0.x |