3.11.2 has a weight of -5 points
(Risk Assessment Family) 2/3
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified
Video:
Example of System Security Plan (SSP):
System Security Plan (SSP) for Control 3.11.2
-
Purpose: To establish a robust procedure to identify, assess, and manage vulnerabilities within the organization using top-tier software available within the Microsoft GCC High and Azure ecosystems.
-
Scope: This plan encompasses all organizational systems and components, such as network devices, software applications, databases, and connected infrastructure.
-
Responsibilities:
- IT Department: We conduct routine vulnerability scans using Azure Security Center and ensure we implement the necessary patches.
- Security Team: We monitor vulnerability databases within Microsoft GCC High and ensure our scanning tools are current.
- Department Heads: Ensure compliance with this SSP in their respective domains.
-
Vulnerability Scanning Procedures:
- Endpoint Management: We utilize Microsoft Defender for Endpoint integrated within GCC High for continuous vulnerability scans.
- Firewall Management: We use Azure Firewall for continuous scanning of incoming and outgoing traffic.
- SIEM/SOAR Solutions: Azure Sentinel serves as our go-to solution for identifying and alerting on detected vulnerabilities.
-
Additional Scanning Considerations:
- Custom Software: For in-house applications, we use Azure DevOps for static, dynamic, binary analysis, and source code reviews.
- SCAP-Validation: Within Microsoft GCC High, we utilize built-in SCAP tools that employ the OVAL and express vulnerabilities in the CVE naming convention.
- Vulnerability Information Sources: We routinely review the CWE listing and the National Vulnerability Database (NVD) using Azure Policy.
-
Vulnerability Scanning Depth:
- Patch Levels: With the help of Azure Update Management, we ensure our systems are current and patched.
- Unnecessary Functions: We use Azure Network Watcher to scrutinize for unnecessary ports, protocols, services, and functions.
- Flow Control Mechanisms: We leverage Azure Firewall Policies to verify our data flow controls are properly operational.
-
Advanced Vulnerability Assessments:
- Red Team Exercises: We sporadically employ red team exercises using Azure Red Team Tool.
- CVSS: We utilize Azure Security Benchmark to gauge the impact of identified vulnerabilities using the Common Vulnerability Scoring System.
-
Privileged Access: For certain situations demanding in-depth vulnerability scanning or involving highly confidential data, we grant elevated access to selected system components, ensuring thorough scanning while safeguarding the data’s confidentiality.
-
Documentation & Reporting:
- We document all discoveries, patches applied, and open vulnerabilities using Azure Security Center.
- We craft monthly reports for the leadership, detailing vulnerability status, trends, and tasks using Azure Monitor Logs.
-
Continuous Improvement: This SSP is reviewed and updated annually or when there are significant changes to our organization’s infrastructure, software, or relevant regulations.
Example of Plan of Action and Milestones ( POA & M):
Plan of Action and Milestones (POA&M)
1. Control Title: 3.12.3 – Scan for Vulnerabilities in Organizational Systems and Applications
2. Issue: Lack of appropriate software tools to identify, assess, and manage vulnerabilities within organizational systems and components.
3. Remediation Actions:
a. Endpoint Management:
- Description: Research, select, and implement an endpoint management solution with antivirus capabilities.
- Potential Solutions: Microsoft Defender for Endpoint, Azure Security Center, Google Endpoint Management.
- Action: Research and integrate the best-suited endpoint solution by [Date].
- Responsible Party: IT Department.
b. Firewall Management:
- Description: Ensure firewall capabilities are optimized within the Microsoft and Google ecosystems.
- Potential Solutions: Azure Firewall, Microsoft Defender for Cloud, Google Cloud Armor.
- Action: Evaluate and enhance firewall configurations by [Date].
- Responsible Party: IT Department.
c. SIEM/SOAR Solutions:
- Description: Explore SIEM/SOAR solutions within Microsoft and Google Cloud ecosystems.
- Potential Solutions: Azure Sentinel, Google Cloud’s Operations Suite (formerly Stackdriver).
- Action: Set up and optimize the chosen SIEM/SOAR solution by [Date].
- Responsible Party: Security Team.
d. Custom Software Vulnerability Analysis:
- Description: Research tools for static, dynamic, binary, and source code review analysis.
- Potential Solutions: GitHub Advanced Security, Google Cloud Security Scanner.
- Action: Implement the selected solution for software vulnerability analysis by [Date].
- Responsible Party: Development and Security Team.
e. SCAP-Validation & Vulnerability Databases:
- Description: Evaluate tools that are compatible with Microsoft and Google platforms.
- Potential Solutions: Microsoft’s compliance tools, Azure Security Benchmark, Google Cloud Security Command Center.
- Action: Integrate and regularly review tools and databases by [Date].
- Responsible Party: Security Team.
f. Network Scanning & Analysis:
- Description: Invest in tools to analyze network configurations and data flow controls.
- Potential Solutions: Azure Network Watcher, Google Cloud’s Network Intelligence Center.
- Action: Set up the selected network analysis tool by [Date].
- Responsible Party: IT & Network Team.
g. Advanced Vulnerability Assessments:
- Description: Plan and implement vulnerability assessments.
- Potential Solutions: Azure Security Center’s advanced threat protection, Google Cloud’s Web Security Scanner.
- Action: Enable the chosen advanced threat protection tool by [Date].
- Responsible Party: Security Team.
h. Documentation & Reporting:
- Description: Research tools for vulnerability documentation and reporting.
- Potential Solutions: Power BI, Azure Policy, Google Data Studio (for reporting).
- Action: Deploy and integrate the chosen documentation and reporting tools by [Date].
- Responsible Party: IT Department & Security Team.
4. Milestones:
- [Date]: Finalize the budget for vulnerability management tools.
- [Date]: Complete research and evaluations of all tools.
- [Date]: Begin tool procurement and deployment.
- [Date]: Complete tool implementation and training.
- [Date]: Conduct the first comprehensive vulnerability scan.
5. Estimated Completion: [Date]
6. Resource Requirements:
- Personnel: Dedicated team for tool research, evaluation, implementation, and management.
- Budget: Estimated budget of $XX,XXX to procure and implement necessary tools.
7. Potential Challenges:
- Ensuring all tools and services align with the regulatory and compliance requirements of both ecosystems.
- Training personnel on new tools and ensuring they follow the new protocols.
- Integration and interoperability challenges between Microsoft and Google tools.
RELEVANT INFORMATION:
Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning. [SP 800-40] provides guidance on vulnerability management.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.