Consensus Audit Guidelines (CAG) Compliance Guide September 2011

Rapid7 CAG Compliance Guide

DESCRIPTION

The Consensus Audit Guidelines (CAG) provide critical U.S. Federal government infrastructures with a proactive cyber-security framework to prioritize critical IT security concerns. The goal of applying CAG is not simply to become compliant with regulations, but rather to provide a template for making security best practices an integral part of system design and operation so that Federal agencies can ensure their systems are capable of withstanding the more frequent and in-depth attacks found in an increasingly complex threat landscape. This compliance guide will provide readers with an overview of the requirements as well as suggested steps in achieving CAG compliance.


Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com

What is the CAG?

The Consensus Audit Guidelines (CAG) provide critical U.S. Federal government infrastructures with a proactive cyber-security framework to prioritize critical IT security concerns. The CAG was developed by a consortium of Federal government agencies and private sector partners, including such notable members as the Department of Defense, Department of Energy, FBI and US-CERT, National Institute of Standards and Technology (NIST) and the SANS Institute. Designed to protect critical IT systems from real-world

attacks, the CAG goes beyond the annual compliance-driven audits and the checklist-focused approach found in the Federal Information Security Management Act (FISMA). The CAG provides Federal agencies with tools to prioritize critical IT security concerns as part of managing system design and operations rather than trying to manage security as an ad-hoc exercise on the side.

The CAG has been mapped to FISMA controls, and has been leveraged by NIST to update the FISMA controls outlined in Special Publication SP 800-53. The CAG is also being used to update FISMA as part of the new U.S. Information and Communications Enhancement (ICE) Act. In the meantime, the consortium that developed the CAG is advising the use of the CAG security controls as a first step towards implementing the controls outlined in NIST's SP 800-53 guidelines for FISMA compliance. The mapping of CAG security controls to FISMA makes it possible to leverage standardization efforts like SCAP together with repositories of content like the National Vulnerability Database (NVD), enabling organizations to use automated tools for on-going infrastructure monitoring for vulnerabilities, misconfigurations and policy violations. This baseline data also helps auditors to perform the additional validation required to meet annual and quarterly compliance requirements.

Using CAG provides a simple first step towards becoming compliant with current FISMA regulations, with the added benefit of getting aligned with the provisions in the ICE Act. However, the most important benefit provided by the CAG is real-world tested guidance on how to implement robust, proactive, continuous security control measures. The real goal of applying CAG is not simply to become compliant with regulations, but rather to provide a template for making security best practices an integral part of system design and operation so that Federal agencies can ensure their systems are capable of withstanding the more frequent and in-depth attacks found in an increasingly complex threat landscape.

Who needs the CAG?

The CAG was originally designed to meet the needs of information technology providers for Federal government agencies and departments. However, studies of the cyber security threats to North American critical infrastructure revealed that private sector entities interact with more than 85% of the critical infrastructure in the United States. As a result, President Obama’s former interim Cyber Security Czar, Melissa Hathaway, recommended applying the same security guidelines to both public and private sector entities that utilize, manage, or run critical infrastructures. Critical infrastructure entities outside of the Federal government include organizations in Healthcare Services, Energy, Financial Services, Telecommunications and Transportation. CAG guidelines easily supplement and enhance the security requirements already needed to comply with regulations in these industries, including FISMA, NERC, PCI, GLBA and HIPAA.

How Rapid7 Helps

Rapid7 provides the only unified threat management solution to help organizations understand risk and adopt best practices to optimize their network security, Web application security and database security strategies. Rapid7 has extensive experience partnering with Federal departments and agencies, such as the U.S. Department of Energy, United States Postal Service (USPS), the National Nuclear Security Administration (NNSA), and the National Telecommunications and Information Administration (NTIA), to help them meet their regulatory requirements. Rapid7 security solutions help thwart real-world attacks by helping organizations apply the CAG's twenty Critical Security Controls (CSC), also known as the SANS twenty Critical Security Controls. To meet CAG compliance, organizations must demonstrate adherence to the twenty CSCs as outlined below.

Controls suited for automation

Fifteen CSC categories are suited for automated collection, measurement and validation. Rapid7 Nexpose proactively automates the process of monitoring, measuring, validating, and prioritizing security threats for these CSCs as follows:

CSC-1 Inventory of Authorized and Unauthorized Devices

Enables administrators to build and manage an asset inventory by performing either manual or scheduled discovery scans.

Automates the task of asset discovery and identification by scanning the entire infrastructure for all networked devices.

Assembles an inventory of every system that has an IP address on the network, including databases, desktops, laptops, servers, subnets, network equipment (routers, switches, firewalls, etc.), printers, Storage Area Networks, and Voice-over-IP (VoIP) phones.

Enables administrators to configure asset scanning and reporting using sites and asset groups based on specific criteria such as device type, software type, operating system type, or geographic location.

Provides fully customizable policy scanning to determine presence of unauthorized devices in accordance with policies for whitelisting authorized devices and blacklisting unauthorized devices.

Catalogs all devices in Nexpose as it scans and automatically sends alerts to administrators about any deviations from the expected inventory of assets on the network.

CSC-2 Inventory of Authorized and Unauthorized Software

Automates the task of asset discovery and identification by scanning and assembling an inventory of the software on every networked device that has an IP address anywhere in the infrastructure, including servers, workstations and laptops.

Provides automation in tracking types of operating systems and applications installed on each system, including versions and patch levels.

Provides fully customizable policy scanning to establish baseline configurations to test the effectiveness of security measures, and determine presence of unauthorized software and services in accordance with policies for whitelisting authorized software and blacklisting unauthorized software.

Catalogs all software as it scans, including any malicious software, by using the latest fingerprinting technologies to identify systems, services, and installed applications.

Sends alerts automatically to administrators for any deviations from the expected inventory of assets on the network.

CSC-3 Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

Provides the ability to establish baseline configurations and validate the effectiveness of security policies in both test and production environments against that baseline, by checking for the presence of unauthorized devices in accordance with policies for whitelisting authorized devices and blacklisting unauthorized devices.

Provides fully customizable Nexpose scanning templates to allow for policy scanning for Windows, Oracle and IBM systems.

Provides flexible, customizable policy scanning to detect misconfigurations, identify missing patches against mitigating control policies, and apply risk scoring to measure violations against established desktop and server configuration management policies on servers, workstations, laptops, handheld devices, multiple classes of Web applications, and database applications including MS SQL Server, Oracle, MySQL, and DB2.

Enables administrators to validate and report on adherence to configuration policies within the asset inventory by performing either manual or scheduled policy configuration scans.

CSC-4 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Provides fully customizable policy scanning to detect misconfigurations, locate unnecessary services, find default accounts, identify missing patches against mitigating control policies, and apply risk scoring to measure violations against established configuration management policies for network devices, including firewalls, routers and switches.

Provides fully customizable Nexpose scanning templates to allow for policy scanning in order to validate Windows firewall settings.

Provides the ability to establish baseline configurations and validate the effectiveness of security policies in both test and production environments against that baseline, by checking for the presence of unauthorized network device configuration in accordance with policies for firewall rules, router access control lists, and IDS/IPS detection.

CSC-5 Boundary Defense

Provides a fully customizable policy compliance framework to set up automated monitoring of port access policies.

Provides fully customizable risk scoring, policy auditing, and vulnerability scanning to alert you of policy violations or misconfigurations, including validation of up-to-date firewalls and IDS/IPS system patches.

Includes option to use either a hosted scan engine through Rapid7’s Managed PCI Compliance Services, or your own external distributed scan engine outside your DMZ to perform external perimeter vulnerability scanning.

CSC-6 Maintenance, Monitoring, and Analysis of Security Audit Logs

Provides a fully customizable policy compliance framework to set up automated monitoring of security audit log policies.

CSC-7 Application Software Security

Provides ability to perform on-going scheduled and ad-hoc scanning of Web applications for XSS and SQL injection. Enables Web form scanning using form-based authentication.

Provides the ability to establish baseline configurations and validate the effectiveness of security policies after Web application changes in both test and production environments against that baseline, by checking for security violations in Web applications, as well as in underlying database servers, including MS SQL Server, Oracle, MySQL, and DB2.

Provides comprehensive unified vulnerability scanning of all vital systems to evaluate potential risks to operating systems, Web applications, databases, enterprise applications, and custom applications.

Provides a fully customizable policy compliance framework to set up automated monitoring of software policy settings, including Web browser patch levels, and configuration settings for Web applications, including their underlying database servers.

Provides fully customizable risk scoring, policy auditing, and vulnerability scanning to alert you of policy violations or misconfigurations.

CSC-8 Controlled Use of Administrative Privileges

Provides ability to segregate administrative privileges using role based access control to limit vulnerability information to appropriate parties.

Provides access to Rapid7 Risk Assessment Services to identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations (i.e. policies for maintaining least privilege, segregation of duties, and patching on databases containing private data), and provide guidance on developing missing control policies and procedures required to secure private data from external threats.

CSC-9 Controlled Access Based on Need to Know

Provides the ability to test servers to ensure they are configured with the proper level of access control, including separation of duties for default and new accounts, and to verify that server configurations have been locked down to the least level of privilege.

CSC-10 Continuous Vulnerability Assessment and Remediation

Provides ad-hoc scans of newly introduced vulnerabilities so that you can immediately:

o Scan for new vulnerabilities

o View a report of all vulnerabilities found

o View a record of new vulnerabilities added

Provides the ability to define scan frequency, including the option to use randomized scanning, and high-speed parallel scanning (2-4 times faster than competitors), which enhances security by providing capacity for more frequent scans so your security team always has access to the most current data.

Enables authenticated scanning in applications as well as in Web forms.

Provides flexible, customizable policy scanning to detect misconfigurations, identify missing patches against mitigating controls or compensating control policies, and apply risk scoring to measure violations and establish trends against established baselines for all networked devices and software.

Provides customizable policy scanning to establish baseline configurations, test effectiveness of security measures, and provide both executive and detailed analyst reports. The findings will include which authorized and unauthorized devices were discovered, based on Nexpose templates configured to identify whitelist (authorized) and blacklist (unauthorized) devices.

Provides customizable, prioritized risk scoring to customize severity levels for more accurate remediation reporting suited for your environment.

Enables an easy integration of vulnerability and compliance management into existing business processes and IT systems such as GRC solutions like Archer, help desk, asset management and other security solutions via pre-built integrations and Rapid7’s Nexpose API.

CSC-11 Account Monitoring and Control

Enforces password policies through regular scheduled scanning and reporting. Uses our customized policy compliance framework to set up automated monitoring of password policies (including number of login attempts, password length, allowable special characters etc.).

Provides monitoring of software installation policies, and reports on illegal software installed on users' systems.

CSC-12 Malware Defenses

Catalogs all software as it scans, including any malicious software.

CSC-13 Limitation and Control of Network Ports, Protocols, and Services

Provides fully customizable policy scanning to monitor policy violations or misconfigurations of network ports, protocols, and services.

CSC-14 Wireless Device Control

Provides fully customizable policy scanning to monitor policy violations or misconfigurations of network ports, protocols, and services.

Provides access to Rapid7 Wireless Audit Consulting Services to evaluate your wireless security controls on all wireless access points, identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and provide guidance on developing missing control policies and procedures required to secure private data from unauthorized access.

CSC-15 Data Loss Prevention

Provides a HIPAA scan template which detects PII data, or Social Security numbers, on Web pages for better patient privacy in medical institutions. To further enhance the HIPAA audit, the scan template can be configured to allow file searching so that if Nexpose gains access to an asset's file system in the scanning process, it can search for, and retrieve, files in that system. For example, medical offices cannot store patient data on local drives due to HIPAA regulations, so file searching can be useful for verifying that.

Provides the ability to configure custom scan templates to search for specific data patterns in Web applications that indicate the presence of PII that would lead to security violations.

Provides automated mechanisms that increase the availability of incident response related information by providing details on potential vulnerabilities that were exploited, as well as remediation steps to prevent future exploits.

Provides continuous logging of historical scan data for use in disaster recovery and auditing.

Provides access to Rapid7 Risk Assessment Services to provide guidance on development of incident management and disaster recovery program best practices for protecting personal information by evaluating security controls for modification of access rights, and providing guidance on developing missing control policies.

Controls not directly supported by automation

Five CSC categories are not directly supported by automation. Rapid7's Consulting Services has security experts to assist you in measuring and validating these CSC categories as follows:

CSC-16 Secure Network Engineering

Provides access to Rapid7 Risk Assessment Services to evaluate your security controls, identify gaps in your security program, and provide guidance on incorporating secure network engineering best practices.

CSC-17 Penetration Tests and Red Team Exercises

Provides access to Rapid7 Penetration Testing Services to evaluate your security controls, perform internal and external testing, perform social engineering, identify gaps in your security program, and provide an actionable remediation plan.

Provides access to Rapid7 Security Experts to determine if security policies are being followed in actual day-to-day operations, and provides guidance on developing missing control policies and procedures required to secure information systems and data from external threats.

CSC-18 Incident Response Capability

Provides an automated end-to-end security solution to automatically document all security incidents and the subsequent effects of vulnerability remediation to establish a historical audit log record, including fully configurable automated notifications and a ticketing system for customizable case escalation, ticket creation, and notification, including the ability to integrate with third-party ticketing systems.

Provides access to Rapid7 Security Experts to determine if security policies are being followed in actual day-to-day operations, and provides guidance on developing missing control policies and procedures required to secure information systems and data from external threats.

CSC-19 Data Recovery Capability

Provides access to Rapid7 Risk Assessment Services to evaluate if data recovery capabilities have been adequately embedded into security controls, and identify gaps in your security program.

CSC-20 Security Skills Assessment and Appropriate Training to Fill Gaps

Provides access to Rapid7 Risk Assessment Services to determine need for holistic vulnerability management security training by evaluating security awareness during penetration testing and social engineering exercises, followed by recommendations for security awareness training required as part of an integrated security management program.

Contact us to find out more about how Rapid7 can help you incorporate the twenty CSCs of the CAG into your on-going, prioritized, unified security management program.

To see how Rapid7's IT Security Risk Management suite can benefit your organization, visit Rapid7.com.