Insights to Control Framework Mapping

The lack of outdated desktop browsers indicates effective workstation configurations

The ratio of events of type [Outdated Desktop Browser] by type [Desktop Endpoint] is below 2.5%

Assessment:

Positive

Observations:

Desktop Software

Controls:

4 Secure Configuration of Enterprise Assets and Software

Safeguards:

• 4.1 Establish and Maintain a Secure Configuration Process
• 4.10 Enforce Automatic Device Lockout on Portable End-User Devices
• 7.3 Perform Automated Operating System Patch Management
• 7.4 Perform Automated Application Patch Management
• 9.1 Ensure Use of Only Fully Supported Browsers and Email Clients

Controls:

5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards:

• 5.1 Establish Secure Configurations
• 5.2 Maintain Secure Images
• 5.3 Securely Store Master Images
• 5.4 Deploy System Configuration Management Tools
• 5.5 Implement Automated Configuration Monitoring Systems

The presence of outdated desktop browsers indicates ineffective workstation configurations

The ratio of events of type [Outdated Desktop Browser] by type [Desktop Endpoint] is above 7.5%

Assessment:

Negative

Observations:

Desktop Software

Controls:

4 Secure Configuration of Enterprise Assets and Software

Safeguards:

• 4.1 Establish and Maintain a Secure Configuration Process
• 4.10 Enforce Automatic Device Lockout on Portable End-User Devices
• 7.3 Perform Automated Operating System Patch Management
• 7.4 Perform Automated Application Patch Management
• 9.1 Ensure Use of Only Fully Supported Browsers and Email Clients

Controls:

5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards:

• 5.1 Establish Secure Configurations
• 5.2 Maintain Secure Images
• 5.4 Deploy System Configuration Management Tools
• 5.5 Implement Automated Configuration Monitoring Systems

The presence of services using credential defaults or do not have credentials indicates ineffective access management and authentication

At least one event of the following event types was detected: [Unauthenticated Service]

Assessment:

Negative

Observations:

Open Ports

Controls:

• 4 Secure Configuration of Enterprise Assets and Software
• 5 Account Management

Safeguards:

• 12.6 Use of Secure Network Management and Communication Protocols
• 12.8 Establish and Maintain Dedicated Computing Resources For all Administrative Work
• 4.10 Enforce Automatic Device Lockout on Portable End-User Devices
• 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
• 5.2 Use Unique Passwords
• 5.3 Disable Dormant Accounts

Controls:

• 4 Controlled Use of Administrative Privileges
• 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards:

• 4.2 Change Default Passwords
• 4.3 Ensure the Use of Dedicated Administrative Accounts
• 4.4 Use Unique Passwords
• 4.5 Use Multi-Factor Authentication for All Administrative Access
• 5.1 Establish Secure Configurations
• 5.4 Deploy System Configuration Management Tools
• 5.5 Implement Automated Configuration Monitoring Systems

Mobile devices appear to be allowed to connect to the network without security policy enforcement

At least one event of the following event types was detected: [Pre-installed Malware] OR At least one system was detected simultaneously with the following indicators [Mobile Compromised System, Outdated Desktop Operating System]

Assessment:

Negative

Observations:

• Botnet Infections
• Potentially Exploited
• Desktop Software

Controls:

1 Inventory and Control of Enterprise Assets

Safeguards:

1.2 Address Unauthorized Assets

Controls:

1 Inventory and Control of Hardware Assets

Safeguards:

• 1.5 Maintain Asset Inventory Information
• 1.6 Address Unauthorized Assets
• 1.7 Deploy Port Level Access Control

The high ratio of outdated mobile devices connected to the Internet from the organization networks indicates ineffective control of allowed mobile devices

The ratio of events of type [Outdated Mobile Device Operating System] by type [Mobile Endpoint] is above 5.0%

Assessment:

Negative

Observations:

Mobile Software

Controls:

• 1 Inventory and Control of Enterprise Assets
• 2 Inventory and Control of Software Assets

Safeguards:

• 1.1 Establish and Maintain Detailed Enterprise Asset Inventory
• 1.2 Address Unauthorized Assets
• 1.3 Utilize an Active Discovery Tool
• 1.5 Use a Passive Asset Discovery Tool
• 2.1 Establish and Maintain a Software Inventory
• 2.2 Ensure Authorized Software is Currently Supported

Controls:

• 1 Inventory and Control of Hardware Assets
• 2 Inventory and Control of Software Assets

Safeguards:

• 1.1 Utilize an Active Discovery Tool
• 1.2 Use a Passive Asset Discovery Tool
• 1.4 Maintain Detailed Asset Inventory
• 1.5 Maintain Asset Inventory Information
• 1.6 Address Unauthorized Assets
• 2.1 Maintain Inventory of Authorized Software
• 2.2 Ensure Software is Supported by Vendor
• 2.3 Utilize Software Inventory Tools
• 2.4 Track Software Inventory Information
• 2.5 Integrate Software and Hardware Asset Inventories

The lack of network devices with administrative interfaces exposed to the Internet indicates effective control and management of network devices

The fraction of endpoints from category [Networking Device] detected with [Remote Admin Service Externally Exposed] is above 1.0%

Assessment:

Positive

Observations:

Open Ports

Controls:

• 4 Secure Configuration of Enterprise Assets and Software
• 12 Network Infrastructure Management

Safeguards:

N/A

Controls:

11 Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Safeguards:

• 11.6 Use Dedicated Machines For All Network Administrative Tasks
• 11.7 Manage Network Infrastructure Through a Dedicated Network

The low ratio of outdated mobile devices connected to the Internet from the organization's network indicates a high level of control over allowed mobile devices

The ratio of events of type [Outdated Mobile Device Operating System] by type [Mobile Endpoint] is below 2.0%

Assessment:

Positive

Observations:

• Open Ports
• Insecure Systems
• Desktop Software
• Mobile Software

Controls:

2 Inventory and Control of Software Assets

Safeguards:

• 1.2 Address Unauthorized Assets
• 1.3 Utilize an Active Discovery Tool
• 1.5 Use a Passive Asset Discovery Tool
• 2.1 Establish and Maintain a Software Inventory
• 2.2 Ensure Authorized Software is Currently Supported
• 2.3 Address Unauthorized Software

Controls:

2 Inventory and Control of Software Assets

Safeguards:

• 1.1 Utilize an Active Discovery Tool
• 1.2 Use a Passive Asset Discovery Tool
• 1.4 Maintain Detailed Asset Inventory
• 1.5 Maintain Asset Inventory Information
• 1.6 Address Unauthorized Assets
• 2.1 Maintain Inventory of Authorized Software
• 2.2 Ensure Software is Supported by Vendor
• 2.3 Utilize Software Inventory Tools
• 2.4 Track Software Inventory Information
• 2.5 Integrate Software and Hardware Asset Inventories
• 2.6 Address Unapproved Software
• 2.7 Utilize Application Whitelisting

The presence of network devices with administrative interfaces exposed to the Internet indicates ineffective control and mismanagement of network devices

The fraction of endpoints from category [Networking Device] detected with [Remote Admin Service Externally Exposed] is above 10.0%

Assessment:

Negative

Observations:

Open Ports

Controls:

• 4 Secure Configuration of Enterprise Assets and Software
• 12 Network Infrastructure Management

Safeguards:

N/A

Controls:

11 Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Safeguards:

• 11.6 Use Dedicated Machines For All Network Administrative Tasks
• 11.7 Manage Network Infrastructure Through a Dedicated Network

The lack DNS Security configuration issues indicates effective control and secure server configurations

The ratio of events of type [DNSSEC Configuration Issues] by type [DNSSEC Configuration Issues, DNSSEC Good Record] is below 10.0%

Assessment:

Positive

Observations:

DNSSEC

Controls:

4 Secure Configuration of Enterprise Assets and Software

Safeguards:

• 4.1 Establish and Maintain a Secure Configuration Process
• 4.10 Enforce Automatic Device Lockout on Portable End-User Devices
• 4.9 Configure Trusted DNS Servers on Enterprise Assets

Controls:

5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards:

• 5.1 Establish Secure Configurations
• 5.2 Maintain Secure Images
• 5.4 Deploy System Configuration Management Tools
• 5.5 Implement Automated Configuration Monitoring Systems

The presence of DNS configuration issues indicates ineffective control and insecure server configurations

The ratio of events of type [DNSSEC Configuration Issues] by type [DNSSEC Configuration Issues, DNSSEC Good Record] is above 20.0%

Assessment:

Negative

Observations:

DNSSEC

Controls:

4 Secure Configuration of Enterprise Assets and Software

Safeguards:

• 4.1 Establish and Maintain a Secure Configuration Process
• 4.10 Enforce Automatic Device Lockout on Portable End-User Devices
• 4.9 Configure Trusted DNS Servers on Enterprise Assets

Controls:

5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards:

• 5.1 Establish Secure Configurations
• 5.2 Maintain Secure Images
• 5.4 Deploy System Configuration Management Tools
• 5.5 Implement Automated Configuration Monitoring Systems

The lack of email service misconfigurations indicates effective control and secure email server configurations

The ratio of events of type [DKIM Bad Record, Bad SPF Finding, Bad DMARC Record] by type [DKIM Good Record, Good SPF Finding, Good DMARC Record, DKIM Bad Record, Bad SPF Finding, Bad DMARC Record] is below 10.0%

Assessment:

Positive

Observations:

• SPF Domains
• DKIM Records

Controls:

• 4 Secure Configuration of Enterprise Assets and Software
• 9 Email and Web Browser Protections

Safeguards:

• 4.1 Establish and Maintain a Secure Configuration Process
• 4.10 Enforce Automatic Device Lockout on Portable End-User Devices
• 9.5 Implement DMARC
• 9.6 Block Unnecessary File Types

Controls:

• 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
• 7 Email and Web Browser Protections

Safeguards:

• 5.1 Establish Secure Configurations
• 5.2 Maintain Secure Images
• 5.4 Deploy System Configuration Management Tools
• 5.5 Implement Automated Configuration Monitoring Systems
• 7.6 Log All URL requester
• 7.7 Use of DNS Filtering Services
• 7.8 Implement DMARC and Enable Receiver-Side Verification
• 7.9 Block Unnecessary File Types
• 7.10 Sandbox All Email Attachments

The presence of email service misconfigurations suggests ineffective control and insecure email server configurations

The ratio of events of type [DKIM Bad Record, Bad SPF Finding, Bad DMARC Record] by type [DKIM Good Record, Good SPF Finding, Good DMARC Record, DKIM Bad Record, Bad SPF Finding, Bad DMARC Record] is above 20.0%

Assessment:

Negative

Observations:

• SPF Domains
• DKIM Records

Controls:

• 4 Secure Configuration of Enterprise Assets and Software
• 9 Email and Web Browser Protections

Safeguards:

• 4.1 Establish and Maintain a Secure Configuration Process
• 4.10 Enforce Automatic Device Lockout on Portable End-User Devices
• 9.5 Implement DMARC
• 9.6 Block Unnecessary File Types

Controls:

• 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
• 7 Email and Web Browser Protections

Safeguards:

• 5.1 Establish Secure Configurations
• 5.2 Maintain Secure Images
• 5.4 Deploy System Configuration Management Tools
• 5.5 Implement Automated Configuration Monitoring Systems
• 7.4 Maintain and Enforce Network-Based URL Filters
• 7.8 Implement DMARC and Enable Receiver-Side Verification
• 7.9 Block Unnecessary File Types
• 7.10 Sandbox All Email Attachments

The lack of peer-to-peer (P2P) file sharing indicates effective control of workstation software installation

The ratio of events of type [File Sharing in Use] by type [Desktop Endpoint, Mobile Endpoint] is below 0.01%

Assessment:

Positive

Observations:

• Insecure Systems
• Desktop Software
• Mobile Software
• File Sharing

Controls:

• 5 Account Management
• 13 Network Monitoring and Defense

Safeguards:

• 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts
• 5.5 Establish and Maintain an Inventory of Service Accounts
• 13.2 Deploy a Host-Based Intrusion Detection Solution
• 13.3 Deploy a Network Intrusion Detection Solution
• 13.4 Perform Traffic Filtering Between Network Segments
• 13.5 Manage Access Control for Remote Assets
• 13.6 Collect Network Traffic Flow Logs
• 13.7 Deploy a Host-Based Intrusion Prevention Solution
• 13.8 Deploy a Network Intrusion Prevention Solution

Controls:

• 4 Controlled Use of Administrative Privileges
• 12 Boundary Defense

Safeguards:

• 4.1 Maintain Inventory of Administrative Accounts
• 4.3 Ensure the Use of Dedicated Administrative Accounts
• 4.6 Use Dedicated Workstations For All Administrative Tasks
• 4.8 Log and Alert on Changes to Administrative Group Membership
• 4.9 Log and Alert on Unsuccessful Administrative Account Login
• 12.1 Maintain an Inventory of Network Boundaries
• 12.2 Scan for Unauthorized Connections Across Trusted Network Boundaries
• 12.3 Deny Communications With Known Malicious IP Addresses
• 12.4 Deny Communication Over Unauthorized Ports
• 12.5 Configure Monitoring Systems to Record Network Packets
• 12.6 Deploy Network-Based IDS Sensors
• 12.7 Deploy Network-Based Intrusion Prevention Systems
• 12.8 Deploy NetFlow Collection on Networking Boundary Devices
• 12.9 Deploy Application Layer Filtering Proxy Server
• 12.10 Decrypt Network Traffic at Proxy

The presence of peer-to-peer (P2P) file sharing indicates ineffective control of workstation software installation and that users may not be aware of the risks of downloading software from untrusted sources

The ratio of events of type [File Sharing in Use] by type [Desktop Endpoint, Mobile Endpoint] is above 0.1%

Assessment:

Negative

Observations:

• Insecure Systems
• Desktop Software
• Mobile Software
• File Sharing

Controls:

• 5 Account Management
• 13 Network Monitoring and Defense
• 14 Security Awareness and Skills Training

Safeguards:

• 5.2 Use Unique Passwords
• 5.3 Disable Dormant Accounts
• 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts
• 5.5 Establish and Maintain an Inventory of Service Accounts
• 13.2 Deploy a Host-Based Intrusion Detection Solution
• 13.3 Deploy a Network Intrusion Detection Solution
• 13.4 Perform Traffic Filtering Between Network Segments
• 13.5 Manage Access Control for Remote Assets
• 13.6 Collect Network Traffic Flow Logs
• 13.7 Deploy a Host-Based Intrusion Prevention Solution
• 13.8 Deploy a Network Intrusion Prevention Solution
• 14.1 Establish and Maintain a Security Awareness Program
• 14.3 Train Workforce Members on Authentication Best Practices
• 14.4 Train Workforce on Data Handling Best Practices
• 14.5 Train Workforce Members on Causes of Unintentional Data Exposure

Controls:

• 4 Controlled Use of Administrative Privileges
• 12 Boundary Defense
• 17 Implement a Security Awareness and Training Program

Safeguards:

• 4.1 Maintain Inventory of Administrative Accounts
• 4.2 Change Default Passwords
• 4.3 Ensure the Use of Dedicated Administrative Accounts
• 4.4 Use Unique Passwords
• 4.6 Use Dedicated Workstations For All Administrative Tasks
• 4.8 Log and Alert on Changes to Administrative Group Membership
• 4.9 Log and Alert on Unsuccessful Administrative Account Login
• 12.1 Maintain an Inventory of Network Boundaries
• 12.2 Scan for Unauthorized Connections Across Trusted Network Boundaries
• 12.3 Deny Communications With Known Malicious IP Addresses
• 12.4 Deny Communication Over Unauthorized Ports
• 12.5 Configure Monitoring Systems to Record Network Packets
• 12.6 Deploy Network-Based IDS Sensors
• 12.7 Deploy Network-Based Intrusion Prevention Systems
• 12.8 Deploy NetFlow Collection on Networking Boundary Devices
• 12.9 Deploy Application Layer Filtering Proxy Server
• 17.1 Perform a Skills Gap Analysis
• 17.2 Deliver Training to Fill the Skills Gap
• 17.3 Implement a Security Awareness Program
• 17.4 Update Awareness Content Frequently
• 17.5 Train Workforce on Secure Authentication
• 17.7 Train Workforce on Sensitive Data Handling
• 17.8 Train Workforce on Causes of Unintentional Data Exposure
• 17.9 Train Workforce Members on Identifying and Reporting Incidents

The lack of recommended HTTP security headers indicates ineffective and insecure web server configurations

The ratio of events of type [Ineffective HTTP Security Headers, Missing HTTP Security Headers] by type [HTTP Service, HTTPS Service] is above 50.0%

Assessment:

Negative

Observations:

• Open Ports
• Web Application Headers

Controls:

16 Application Software Security

Safeguards:

• 16.1 Establish and Maintain a Secure Application Development Process
• 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities
• 16.3 Perform Root Cause Analysis on Security Vulnerabilities
• 16.4 Establish and Manage an Inventory of Third-Party Software Components
• 16.5 Use Up-to-Date and Trusted Third-Party Software Components
• 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure
• 16.9 Train Developers in Application Security Concepts and Secure Coding
• 16.10 Apply Secure Design Principles in Application Architectures
• 16.11 Leverage Vetted Modules or Services for Application Security Components
• 16.12 Implement Code-Level Security Checks
• 16.13 Conduct Application Penetration Testing

Controls:

18 Application Software Security

Safeguards:

• 18.1 Establish Secure Coding Practices
• 18.2 Ensure That Explicit Error Checking is Performed for All In-House Developed Software
• 18.3 Verify That Acquired Software is Still Supported
• 18.4 Only Use Up-to-Date and Trusted Third-Party Components
• 18.5 Use Only Standardized and Extensively Reviewed Encryption Algorithms
• 18.6 Ensure Software Development Personnel are Trained in Secure Coding
• 18.7 Apply Static and Dynamic Code Analysis Tools
• 18.8 Establish a Process to Accept and Address Reports of Software Vulnerabilities
• 18.9 Separate Production and Non-Production Systems
• 18.10 Deploy Web Application Firewalls
• 18.11 Use Standard Hardening Configuration Templates for Databases

The presence of recommended HTTP security headers indicates effective and secure web server configurations

The ratio of events of type [Ineffective HTTP Security Headers, Missing HTTP Security Headers] by type [HTTP Service, HTTPS Service] is below 10.0%

Assessment:

Positive

Observations:

• Open Ports
• Web Application Headers

Controls:

16 Application Software Security

Safeguards:

• 16.1 Establish and Maintain a Secure Application Development Process
• 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities
• 16.3 Perform Root Cause Analysis on Security Vulnerabilities
• 16.4 Establish and Manage an Inventory of Third-Party Software Components
• 16.5 Use Up-to-Date and Trusted Third-Party Software Components
• 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure
• 16.9 Train Developers in Application Security Concepts and Secure Coding
• 16.10 Apply Secure Design Principles in Application Architectures
• 16.11 Leverage Vetted Modules or Services for Application Security Components
• 16.12 Implement Code-Level Security Checks
• 16.13 Conduct Application Penetration Testing

Controls:

18 Application Software Security

Safeguards:

• 18.1 Establish Secure Coding Practices
• 18.2 Ensure That Explicit Error Checking is Performed for All In-House Developed
Software
• 18.3 Verify That Acquired Software is Still Supported
• 18.4 Only Use Up-to-Date and Trusted Third-Party Components
• 18.5 Use Only Standardized and Extensively Reviewed Encryption Algorithms
• 18.6 Ensure Software Development Personnel are Trained in Secure Coding
• 18.7 Apply Static and Dynamic Code Analysis Tools
• 18.8 Establish a Process to Accept and Address Reports of Software Vulnerabilities
• 18.9 Separate Production and Non-Production Systems
• 18.10 Deploy Web Application Firewalls
• 18.11 Use Standard Hardening Configuration Templates for Databases

The detection of multiple desktop malware families indicates weak control over malicious desktop software

Over 1 distinct event types from: [Desktop Compromised System] were observed

Assessment:

Negative

Observations:

Botnet Infections

Controls:

10 Malware Defenses

Safeguards:

• 9.2 Use DNS Filtering Services
• 9.3 Maintain and Enforce Network-Based URL Filters
• 10.1 Deploy and Maintain Anti-Malware Software
• 10.2 Configure Automatic Anti-Malware Signature Updates
• 10.3 Disable Autorun and Autoplay for Removable Media
• 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
• 10.5 Enable Anti-Exploitation Features
• 10.6 Centrally Manage Anti-Malware Software

Controls:

8 Malware Defenses

Safeguards:

• 8.1 Utilize Centrally Managed Anti-malware Software
• 8.2 Ensure Anti-Malware Software and Signatures Are Updated
• 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
• 8.4 Configure Anti-Malware Scanning of Removable Devices
• 8.5 Configure Devices to Not Auto-Run Content
• 8.6 Centralize Anti-Malware Logging
• 8.7 Enable DNS Query Logging
• 8.8 Enable Command-Line Audit Logging

The detection of multiple mobile malware families indicates weak control over malicious mobile software

Over 1 distinct event types from: [Mobile Compromised System] were observed

Assessment:

Negative

Observations:

Botnet Infections

Controls:

• 1 Inventory and Control of Enterprise Assets
• 10 Malware Defenses

Safeguards:

• 1.2 Address Unauthorized Assets
• 10.2 Configure Automatic Anti-Malware Signature Updates
• 10.6 Centrally Manage Anti-Malware Software

Controls:

• 1 Inventory and Control of Hardware Assets
• 8 Malware Defenses

Safeguards:

• 1.5 Maintain Asset Inventory Information
• 1.6 Address Unauthorized Assets
• 8.1 Utilize Centrally Managed Anti-malware Software
• 8.2 Ensure Anti-Malware Software and Signatures Are Updated

The lack of malware infections indicates effective malware protection or endpoint configurations

The ratio of events of type [Compromised System] by type [Web Browser] is below 0.1%

Assessment:

Positive

Observations:

• Botnet Infections
• Spam Propagation
• Desktop Software
• Mobile Software

Controls:

10 Malware Defenses

Safeguards:

• 9.2 Use DNS Filtering Services
• 9.3 Maintain and Enforce Network-Based URL Filters
• 10.1 Deploy and Maintain Anti-Malware Software
• 10.2 Configure Automatic Anti-Malware Signature Updates
• 10.3 Disable Autorun and Autoplay for Removable Media
• 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
• 10.5 Enable Anti-Exploitation Features
• 10.6 Centrally Manage Anti-Malware Software

Controls:

8 Malware Defenses

Safeguards:

• 8.1 Utilize Centrally Managed Anti-malware Software
• 8.2 Ensure Anti-Malware Software and Signatures Are Updated
• 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
• 8.4 Configure Anti-Malware Scanning of Removable Devices
• 8.5 Configure Devices to Not Auto-Run Content
• 8.6 Centralize Anti-Malware Logging
• 8.7 Enable DNS Query Logging
• 8.8 Enable Command-Line Audit Logging

The presence of Domain Generation Algorithm (DGA) based malware indicates ineffective network filtering or monitoring of network security audit logs

At least one event of the following event types was detected: [Domain Generation Algorithm (DGA) Based Malware]

Assessment:

Negative

Observations:

Botnet Infections

Controls:

• 8 Audit Log Management
• 10 Malware Defenses
• 13 Network Monitoring and Defense

Safeguards:

• 8.1 Establish and Maintain an Audit Log Management Process
• 8.2 Collect Audit Logs
• 8.6 Collect DNS Query Audit Logs
• 8.7 Collect URL Request Audit Logs
• 8.10 Retain Audit Logs
• 8.11 Conduct Audit Log Reviews
• 9.2 Use DNS Filtering Services
• 9.3 Maintain and Enforce Network-Based URL Filters
• 13.1 Centralize Security Event Alerting
• 13.2 Deploy a Host-Based Intrusion Detection Solution
• 13.3 Deploy a Network Intrusion Detection Solution
• 13.4 Perform Traffic Filtering Between Network Segments
• 13.5 Manage Access Control for Remote Assets
• 13.6 Collect Network Traffic Flow Logs
• 13.7 Deploy a Host-Based Intrusion Prevention Solution
• 13.8 Deploy a Network Intrusion Prevention Solution
• 13.10 Perform Application Layer Filtering

Controls:

• 6 Maintenance, Monitoring and Analysis of Audit Logs
• 8 Malware Defenses
• 12 Boundary Defense

Safeguards:

• 6.5 Central Log Management
• 6.6 Deploy SIEM or Log Analytic Tools
• 6.7 Regularly Review Logs
• 6.8 Regularly Tune SIEM
• 8.7 Enable DNS Query Logging
• 12.1 Maintain an Inventory of Network Boundaries
• 12.2 Scan for Unauthorized Connections Across Trusted Network Boundaries
• 12.3 Deny Communications With Known Malicious IP Addresses
• 12.4 Deny Communication Over Unauthorized Ports
• 12.5 Configure Monitoring Systems to Record Network Packets
• 12.6 Deploy Network-Based IDS Sensors
• 12.7 Deploy Network-Based Intrusion Prevention Systems
• 12.8 Deploy NetFlow Collection on Networking Boundary Devices
• 12.9 Deploy Application Layer Filtering Proxy Server
• 12.10 Decrypt Network Traffic at Proxy

The presence of malware infections from old, abandoned, malware families indicates ineffective malware prevention, intrusion detection, boundary defense, or incident response

At least one event of the following event types was detected: [Abandoned Malware]

Assessment:

Negative

Observations:

Botnet Infections

Controls:

• 10 Malware Defenses
• 13 Network Monitoring and Defense
• 17 Incident Response Management

Safeguards:

• 9.2 Use DNS Filtering Services
• 9.3 Maintain and Enforce Network-Based URL Filters
• 10.1 Deploy and Maintain Anti-Malware Software
• 10.2 Configure Automatic Anti-Malware Signature Updates
• 10.3 Disable Autorun and Autoplay for Removable Media
• 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
• 10.5 Enable Anti-Exploitation Features
• 10.6 Centrally Manage Anti-Malware Software
• 13.2 Deploy a Host-Based Intrusion Detection Solution
• 13.3 Deploy a Network Intrusion Detection Solution
• 13.4 Perform Traffic Filtering Between Network Segments
• 13.5 Manage Access Control for Remote Assets
• 13.6 Collect Network Traffic Flow Logs
• 13.7 Deploy a Host-Based Intrusion Prevention Solution
• 13.8 Deploy a Network Intrusion Prevention Solution
• 17.1 Designate Personnel to Manage Incident Handling
• 17.2 Establish and Maintain Contact Information for Reporting Security Incidents
• 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
• 17.4 Establish and Maintain an Incident Response Process
• 17.6 Define Mechanisms for Communicating During Incident Response

Controls:

• 8 Malware Defenses
• 12 Boundary Defense
• 19 Incident Response and Management

Safeguards:

• 8.1 Utilize Centrally Managed Anti-malware Software
• 8.2 Ensure Anti-Malware Software and Signatures Are Updated
• 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
• 8.4 Configure Anti-Malware Scanning of Removable Devices
• 8.5 Configure Devices to Not Auto-Run Content
• 8.6 Centralize Anti-Malware Logging
• 8.7 Enable DNS Query Logging
• 8.8 Enable Command-Line Audit Logging
• 12.1 Maintain an Inventory of Network Boundaries
• 12.2 Scan for Unauthorized Connections Across Trusted Network Boundaries
• 12.3 Deny Communications With Known Malicious IP Addresses
• 12.4 Deny Communication Over Unauthorized Ports
• 12.5 Configure Monitoring Systems to Record Network Packets
• 12.6 Deploy Network-Based IDS Sensors
• 12.7 Deploy Network-Based Intrusion Prevention Systems
• 12.8 Deploy NetFlow Collection on Networking Boundary Devices
• 12.9 Deploy Application Layer Filtering Proxy Server
• 19.1 Document Incident Response Procedures
• 19.2 Assign Job Titles and Duties for Incident Response
• 19.3 Designate Management Personnel to Support Incident Handling
• 19.4 Devise Organization-wide Standards for Reporting Incidents
• 19.5 Maintain Contact Information For Reporting Security Incidents
• 19.8 Create Incident Scoring and Prioritization Schema

The presence of malware infections indicates ineffective malware protection or endpoint configurations

The ratio of events of type [Compromised System] by type [Web Browser] is above 0.5%

Assessment:

Negative

Observations:

• Botnet Infections
• Spam Propagation
• Desktop Software
• Mobile Software

Controls:

• 9 Email and Web Browser Protections
• 10 Malware Defenses

Safeguards:

• 9.1 Ensure Use of Only Fully Supported Browsers and Email Clients
• 9.2 Use DNS Filtering Services
• 9.3 Maintain and Enforce Network-Based URL Filters
• 9.6 Block Unnecessary File Types
• 9.7 Deploy and Maintain Email Server Anti-Malware Protections
• 10.1 Deploy and Maintain Anti-Malware Software
• 10.2 Configure Automatic Anti-Malware Signature Updates
• 10.3 Disable Autorun and Autoplay for Removable Media
• 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
• 10.5 Enable Anti-Exploitation Features
• 10.6 Centrally Manage Anti-Malware Software

Controls:

• 7 Email and Web Browser Protections
• 8 Malware Defenses

Safeguards:

• 7.1 Ensure Use of Only Fully Supported Browsers and Email Clients
• 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins
• 7.3 Limit Use of Scripting Languages in Web Browsers and Email Clients
• 7.4 Maintain and Enforce Network-Based URL Filters
• 7.5 Subscribe to URL-Categorization Service
• 7.6 Log All URL requester
• 7.7 Use of DNS Filtering Services
• 7.8 Implement DMARC and Enable Receiver-Side Verification
• 7.9 Block Unnecessary File Types
• 7.10 Sandbox All Email Attachments
• 8.1 Utilize Centrally Managed Anti-malware Software
• 8.2 Ensure Anti-Malware Software and Signatures Are Updated
• 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
• 8.4 Configure Anti-Malware Scanning of Removable Devices
• 8.5 Configure Devices to Not Auto-Run Content
• 8.6 Centralize Anti-Malware Logging
• 8.7 Enable DNS Query Logging
• 8.8 Enable Command-Line Audit Logging

The presence of malware on an exposed Internet-of-Things (IoT) device indicates ineffective control of hardware assets on the network

At least one event from all of the following event types were detected: [Internet-of-Things (IoT) System Compromised with Worm, Internet-of-Things (IoT) Service Port]

Assessment:

Negative

Observations:

• Botnet Infections
• Open Ports

Controls:

1 Inventory and Control of Enterprise Assets

Safeguards:

• 1.1 Establish and Maintain Detailed Enterprise Asset Inventory
• 1.2 Address Unauthorized Assets
• 1.3 Utilize an Active Discovery Tool
• 1.5 Use a Passive Asset Discovery Tool

Controls:

1 Inventory and Control of Hardware Assets

Safeguards:

• 1.1 Utilize an Active Discovery Tool
• 1.2 Use a Passive Asset Discovery Tool
• 1.4 Maintain Detailed Asset Inventory
• 1.5 Maintain Asset Inventory Information
• 1.6 Address Unauthorized Assets

The presence of persistent or recurring malware infections indicates ineffective malware protections or incident response

At least one event of the following event types was present for at least 1 month(s)[Compromised System]

Assessment:

Negative

Observations:

• Botnet Infections
• Spam Propagation

Controls:

• 10 Malware Defenses
• 17 Incident Response Management

Safeguards:

• 10.1 Deploy and Maintain Anti-Malware Software
• 10.2 Configure Automatic Anti-Malware Signature Updates
• 10.3 Disable Autorun and Autoplay for Removable Media
• 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
• 10.5 Enable Anti-Exploitation Features
• 10.6 Centrally Manage Anti-Malware Software
• 17.1 Designate Personnel to Manage Incident Handling
• 17.2 Establish and Maintain Contact Information for Reporting Security Incidents
• 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
• 17.4 Establish and Maintain an Incident Response Process
• 17.6 Define Mechanisms for Communicating During Incident Response

Controls:

• 8 Malware Defenses
• 19 Incident Response and Management

Safeguards:

• 8.1 Utilize Centrally Managed Anti-malware Software
• 8.2 Ensure Anti-Malware Software and Signatures Are Updated
• 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
• 8.4 Configure Anti-Malware Scanning of Removable Devices
• 8.5 Configure Devices to Not Auto-Run Content
• 8.6 Centralize Anti-Malware Logging
• 19.1 Document Incident Response Procedures
• 19.2 Assign Job Titles and Duties for Incident Response
• 19.3 Designate Management Personnel to Support Incident Handling
• 19.4 Devise Organization-wide Standards for Reporting Incidents
• 19.5 Maintain Contact Information For Reporting Security Incidents
• 19.6 Publish Information Regarding Reporting Computer Anomalies and Incidents
• 19.7 Conduct Periodic Incident Scenario Sessions for Personnel
• 19.8 Create Incident Scoring and Prioritization Schema

The lack of mobile application development vulnerabilities indicates effective control of the Secure Application Development Life Cycle (SDLC)

The ratio of events of type [Mobile Application Vulnerability] by type [Good Mobile Application Security Finding] is below 12.0%

Assessment:

Positive

Observations:

Mobile Application Security

Controls:

16 Application Software Security

Safeguards:

• 16.1 Establish and Maintain a Secure Application Development Process
• 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities
• 16.3 Perform Root Cause Analysis on Security Vulnerabilities
• 16.4 Establish and Manage an Inventory of Third-Party Software Components
• 16.5 Use Up-to-Date and Trusted Third-Party Software Components
• 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure
• 16.9 Train Developers in Application Security Concepts and Secure Coding
• 16.10 Apply Secure Design Principles in Application Architectures
• 16.11 Leverage Vetted Modules or Services for Application Security Components
• 16.12 Implement Code-Level Security Checks
• 16.13 Conduct Application Penetration Testing

Controls:

18 Application Software Security

Safeguards:

• 18.1 Establish Secure Coding Practices
• 18.2 Ensure That Explicit Error Checking is Performed for All In-House Developed Software
• 18.3 Verify That Acquired Software is Still Supported
• 18.4 Only Use Up-to-Date and Trusted Third-Party Components
• 18.5 Use Only Standardized and Extensively Reviewed Encryption Algorithms
• 18.6 Ensure Software Development Personnel are Trained in Secure Coding
• 18.7 Apply Static and Dynamic Code Analysis Tools
• 18.8 Establish a Process to Accept and Address Reports of Software Vulnerabilities
• 18.9 Separate Production and Non-Production Systems
• 18.10 Deploy Web Application Firewalls
• 18.11 Use Standard Hardening Configuration Templates for Databases

The presence of mobile application development vulnerabilities indicates ineffective control of the Secure Application Development Life Cycle (SDLC)

The ratio of events of type [Mobile Application Vulnerability] by type [Good Mobile Application Security Finding] is above 20.0%

Assessment:

Negative

Observations:

Mobile Application Security

Controls:

16 Application Software Security

Safeguards:

• 16.1 Establish and Maintain a Secure Application Development Process
• 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities
• 16.3 Perform Root Cause Analysis on Security Vulnerabilities
• 16.4 Establish and Manage an Inventory of Third-Party Software Components
• 16.5 Use Up-to-Date and Trusted Third-Party Software Components
• 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure
• 16.9 Train Developers in Application Security Concepts and Secure Coding
• 16.10 Apply Secure Design Principles in Application Architectures
• 16.11 Leverage Vetted Modules or Services for Application Security Components
• 16.12 Implement Code-Level Security Checks
• 16.13 Conduct Application Penetration Testing

Controls:

18 Application Software Security

Safeguards:

• 18.1 Establish Secure Coding Practices
• 18.2 Ensure That Explicit Error Checking is Performed for All In-House Developed Software
• 18.3 Verify That Acquired Software is Still Supported
• 18.4 Only Use Up-to-Date and Trusted Third-Party Components
• 18.5 Use Only Standardized and Extensively Reviewed Encryption Algorithms
• 18.6 Ensure Software Development Personnel are Trained in Secure Coding
• 18.7 Apply Static and Dynamic Code Analysis Tools
• 18.8 Establish a Process to Accept and Address Reports of Software Vulnerabilities
• 18.9 Separate Production and Non-Production Systems
• 18.10 Deploy Web Application Firewalls
• 18.11 Use Standard Hardening Configuration Templates for Databases

Having an unnecessarily large attack surface of exposed services on the network perimeter indicates ineffective control of network services

The ratio of events of type [Unnecessarily Exposed Port] by type [Open Port] is above 1.0%

Assessment:

Negative

Observations:

Open Ports

Controls:

N/A

Safeguards:

• 4.4 Implement and Manage a Firewall on Servers
• 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

Controls:

9 Limitation and Control of Network Ports, Protocols, and Services

Safeguards:

• 9.1 Associate Active Ports, Services, and Protocols to Asset Inventory
• 9.2 Ensure Only Approved Ports, Protocols, and Services Are Running
• 9.3 Perform Regular Automated Port Scans
• 9.4 Apply Host-Based Firewalls or Port-Filtering

The lack of unnecessarily exposed services on the network perimeter indicates effective control of network services

The ratio of events of type [Unnecessarily Exposed Port] by type [Open Port] is below 0.001%

Assessment:

Positive

Observations:

Open Ports

Controls:

N/A

Safeguards:

• 4.4 Implement and Manage a Firewall on Servers
• 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

Controls:

9 Limitation and Control of Network Ports, Protocols, and Services

Safeguards:

• 9.1 Associate Active Ports, Services, and Protocols to Asset Inventory
• 9.2 Ensure Only Approved Ports, Protocols, and Services Are Running
• 9.3 Perform Regular Automated Port Scans
• 9.4 Apply Host-Based Firewalls or Port-Filtering

The presence of cleartext remote protocols over the Internet indicates ineffective network boundary defense and a lack of network data integrity

At least one event of the following event types was detected: [Cleartext Protocol]

Assessment:

Negative

Observations:

Open Ports

Controls:

• 3 Data Protection
• 6 Access Control Management
• 13 Network Monitoring and Defense

Safeguards:

• 4.6 Securely Manage Enterprise Assets and Software
• 4.7 Manage Default Accounts on Enterprise Assets and Software

Controls:

• 12 Boundary Defense
• 13 Data Protection
• 14 Controlled Access Based on the Need to Know

Safeguards:

• 12.4 Deny Communication Over Unauthorized Ports
• 13.3 Monitor and Block Unauthorized Network Traffic
• 14.4 Encrypt All Sensitive Information in Transit

The presence of outbound network scanning activity indicates ineffective control of the network boundary

At least one event of the following event types was detected: [Outbound Network Scanning Activity]

Assessment:

Negative

Observations:

Unsolicited Communications

Controls:

13 Network Monitoring and Defense

Safeguards:

• 13.2 Deploy a Host-Based Intrusion Detection Solution
• 13.3 Deploy a Network Intrusion Detection Solution
• 13.4 Perform Traffic Filtering Between Network Segments
• 13.5 Manage Access Control for Remote Assets
• 13.6 Collect Network Traffic Flow Logs
• 13.7 Deploy a Host-Based Intrusion Prevention Solution
• 13.8 Deploy a Network Intrusion Prevention Solution

Controls:

12 Boundary Defense

Safeguards:

• 12.1 Maintain an Inventory of Network Boundaries
• 12.2 Scan for Unauthorized Connections Across Trusted Network Boundaries
• 12.3 Deny Communications With Known Malicious IP Addresses
• 12.4 Deny Communication Over Unauthorized Ports
• 12.5 Configure Monitoring Systems to Record Network Packets
• 12.6 Deploy Network-Based IDS Sensors
• 12.7 Deploy Network-Based Intrusion Prevention Systems
• 12.8 Deploy NetFlow Collection on Networking Boundary Devices
• 12.9 Deploy Application Layer Filtering Proxy Server

The detection of multiple Potentially Unwanted Programs (PUP) indicates ineffective control of workstation software installation

Over 1 distinct event types from: [Potentially Unwanted Program (PUP)] were observed

Assessment:

Negative

Observations:

• Potentially Exploited
• Desktop Software
• Mobile Software

Controls:

• 5 Account Management
• 10 Malware Defenses

Safeguards:

• 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts
• 5.5 Establish and Maintain an Inventory of Service Accounts
• 9.2 Use DNS Filtering Services
• 9.3 Maintain and Enforce Network-Based URL Filters
• 10.1 Deploy and Maintain Anti-Malware Software
• 10.2 Configure Automatic Anti-Malware Signature Updates
• 10.3 Disable Autorun and Autoplay for Removable Media
• 10.4 Configure Automatic Anti-Malware Scanning of Removable Media
• 10.5 Enable Anti-Exploitation Features
• 10.6 Centrally Manage Anti-Malware Software

Controls:

• 4 Controlled Use of Administrative Privileges
• 8 Malware Defenses

Safeguards:

• 4.1 Maintain Inventory of Administrative Accounts
• 4.3 Ensure the Use of Dedicated Administrative Accounts
• 4.5 Use Multi-Factor Authentication for All Administrative Access
• 4.6 Use Dedicated Workstations For All Administrative Tasks
• 4.8 Log and Alert on Changes to Administrative Group Membership
• 4.9 Log and Alert on Unsuccessful Administrative Account Login
• 8.1 Utilize Centrally Managed Anti-malware Software
• 8.2 Ensure Anti-Malware Software and Signatures Are Updated
• 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
• 8.4 Configure Anti-Malware Scanning of Removable Devices
• 8.5 Configure Devices to Not Auto-Run Content
• 8.6 Centralize Anti-Malware Logging
• 8.7 Enable DNS Query Logging
• 8.8 Enable Command-Line Audit Logging

The lack of observations of potentially unwanted software indicates effective control of workstation software installation

The ratio of events of type [Potentially Unwanted Program (PUP)] by type [Desktop Endpoint, Mobile Endpoint] is below 0.01%

Assessment:

Positive

Observations:

• Potentially Exploited
• Desktop Software
• Mobile Software

Controls:

5 Account Management

Safeguards:

• 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts
• 5.5 Establish and Maintain an Inventory of Service Accounts

Controls:

4 Controlled Use of Administrative Privileges

Safeguards:

• 4.6 Use Dedicated Workstations For All Administrative Tasks
• 4.8 Log and Alert on Changes to Administrative Group Membership
• 4.9 Log and Alert on Unsuccessful Administrative Account Login

The presence of Potentially Unwanted Software (PUP), typically bundled with software downloaded from untrusted sources, indicates ineffective control of workstation software installation

The ratio of events of type [Potentially Unwanted Program (PUP)] by type [Desktop Endpoint, Mobile Endpoint] is above 0.1%

Assessment:

Negative

Observations:

• Potentially Exploited
• Desktop Software
• Mobile Software

Controls:

5 Account Management

Safeguards:

• 5.2 Use Unique Passwords
• 5.3 Disable Dormant Accounts
• 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts
• 5.5 Establish and Maintain an Inventory of Service Accounts

Controls:

4 Controlled Use of Administrative Privileges

Safeguards:

• 4.1 Maintain Inventory of Administrative Accounts
• 4.2 Change Default Passwords
• 4.3 Ensure the Use of Dedicated Administrative Accounts
• 4.4 Use Unique Passwords
• 4.5 Use Multi-Factor Authentication for All Administrative Access
• 4.6 Use Dedicated Workstations For All Administrative Tasks
• 4.7 Limit Access to Script Tools
• 4.8 Log and Alert on Changes to Administrative Group Membership
• 4.9 Log and Alert on Unsuccessful Administrative Account Login

The presence of software unrelated to office productivity indicates ineffective control of software installation on endpoints

The ratio of events of type [Media and Entertainment Software, Sideloaded Mobile App, File Sharing in Use, Potentially Unwanted Program (PUP)] by type [Desktop Endpoint, Mobile Endpoint] is above 1.0%

Assessment:

Negative

Observations:

• Potentially Exploited
• Insecure Systems
• Desktop Software
• Mobile Software
• File Sharing

Controls:

2 Inventory and Control of Software Assets

Safeguards:

• 2.1 Establish and Maintain a Software Inventory
• 2.2 Ensure Authorized Software is Currently Supported
• 2.3 Address Unauthorized Software
• 2.5 Allowlist Authorized Software

Controls:

2 Inventory and Control of Software Assets

Safeguards:

• 2.1 Maintain Inventory of Authorized Software
• 2.2 Ensure Software is Supported by Vendor
• 2.3 Utilize Software Inventory Tools
• 2.4 Track Software Inventory Information
• 2.6 Address Unapproved Software
• 2.7 Utilize Application Whitelisting

A configuration management system was detected, indicating effective software configurations

At least one event of the following event types was detected: [Configuration Management System in Use]

Assessment:

Positive

Observations:

Insecure Systems

Controls:

2 Inventory and Control of Software Assets

Safeguards:

N/A

Controls:

2 Inventory and Control of Software Assets

Safeguards:

2.3 Utilize Software Inventory Tools

The lack of abandoned software indicates effective control of managing and discontinuing software products

At least one event of the following event types was detected: [Configuration Management System in Use]

Assessment:

Positive

Observations:

• Open Ports
• Insecure Systems
• Desktop Software
• Mobile Software

Controls:

2 Inventory and Control of Software Assets

Safeguards:

• 2.1 Establish and Maintain a Software Inventory
• 2.2 Ensure Authorized Software is Currently Supported
• 2.3 Address Unauthorized Software

Controls:

2 Inventory and Control of Software Assets

Safeguards:

• 2.1 Maintain Inventory of Authorized Software
• 2.2 Ensure Software is Supported by Vendor
• 2.6 Address Unapproved Software

The presence of abandoned software indicates ineffective control of managing and discontinuing software products

The ratio of events of type [Abandoned Software] by type [Desktop Endpoint, Mobile Endpoint, Open Port] is above 0.01%

Assessment:

Negative

Observations:

• Open Ports
• Insecure Systems
• Desktop Software
• Mobile Software

Controls:

2 Inventory and Control of Software Assets

Safeguards:

• 2.1 Establish and Maintain a Software Inventory
• 2.2 Ensure Authorized Software is Currently Supported
• 2.3 Address Unauthorized Software

Controls:

2 Inventory and Control of Software Assets

Safeguards:

• 2.1 Maintain Inventory of Authorized Software
• 2.2 Ensure Software is Supported by Vendor
• 2.3 Utilize Software Inventory Tools
• 2.6 Address Unapproved Software

The presence of unsupported server software indicates ineffective control of network assets and the software life cycle

The ratio of events of type [Unsupported Server Software] by type [HTTP Service, HTTPS Service] is above 10.0%

Assessment:

Negative

Observations:

• Open Ports
• Server Software

Controls:

2 Inventory and Control of Software Assets

Safeguards:

• 2.1 Establish and Maintain a Software Inventory
• 2.2 Ensure Authorized Software is Currently Supported
• 2.3 Address Unauthorized Software

Controls:

2 Inventory and Control of Software Assets

Safeguards:

• 2.1 Maintain Inventory of Authorized Software
• 2.2 Ensure Software is Supported by Vendor
• 2.3 Utilize Software Inventory Tools
• 2.4 Track Software Inventory Information
• 2.6 Address Unapproved Software

Certificates can generally be validated against a trusted root Certificate Authority (CA), indicating effective control and management of TLS/SSL configurations

The ratio of events of type [Untrusted TLS/SSL Certificate] by type [Untrusted TLS/SSL Certificate, TLS/SSL Certificate Good Record] is below 10.0%

Assessment:

Positive

Observations:

• TLS/SSL Certificates
• TLS/SSL Configurations

Controls:

4 Secure Configuration of Enterprise Assets and Software

Safeguards:

• 4.10 Enforce Automatic Device Lockout on Portable End-User Devices
• 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure

Controls:

5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards:

• 5.1 Establish Secure Configurations
• 5.4 Deploy System Configuration Management Tools
• 5.5 Implement Automated Configuration Monitoring Systems

The lack of TLS/SSL certificates with insecure parameters indicates effective control and management of TLS/SSL configurations

The ratio of events of type [Insecure TLS/SSL Certificate Settings] by type [Insecure TLS/SSL Certificate Settings, TLS/SSL Certificate Good Record] is below 10.0%

Assessment:

Positive

Observations:

• DKIM Records
• TLS/SSL Certificates
• TLS/SSL Configurations

Controls:

4 Secure Configuration of Enterprise Assets and Software

Safeguards:

• 4.10 Enforce Automatic Device Lockout on Portable End-User Devices
• 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure

Controls:

5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards:

• 5.1 Establish Secure Configurations
• 5.4 Deploy System Configuration Management Tools
• 5.5 Implement Automated Configuration Monitoring Systems

The presence of self-signed TLS/SSL certificates exposed to the Internet indicates ineffective and insecure server configurations

At least one event of the following event types was detected: [Self-Signed TLS/SSL Certificate]

Assessment:

Negative

Observations:

TLS/SSL Certificates

Controls:

4 Secure Configuration of Enterprise Assets and Software

Safeguards:

• 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
• 4.10 Enforce Automatic Device Lockout on Portable End-User Devices

Controls:

5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards:

• 5.1 Establish Secure Configurations
• 5.2 Maintain Secure Images
• 5.4 Deploy System Configuration Management Tools
• 5.5 Implement Automated Configuration Monitoring Systems

The presence of TLS/SSL certificates that cannot be validated against a trusted root certificate authority (CA) indicates ineffective control and management of TLS/SSL configurations

The ratio of events of type [Untrusted TLS/SSL Certificate] by type [Untrusted TLS/SSL Certificate, TLS/SSL Certificate Good Record] is above 20.0%

Assessment:

Negative

Observations:

• TLS/SSL Certificates
• TLS/SSL Configurations

Controls:

4 Secure Configuration of Enterprise Assets and Software

Safeguards:

• 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
• 4.10 Enforce Automatic Device Lockout on Portable End-User Devices

Controls:

5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards:

• 5.1 Establish Secure Configurations
• 5.4 Deploy System Configuration Management Tools
• 5.5 Implement Automated Configuration Monitoring Systems

The presence of TLS/SSL certificates with insecure parameters indicates ineffective control and mismanagement of TLS/SSL configurations

The ratio of events of type [Insecure TLS/SSL Certificate Settings] by type [Insecure TLS/SSL Certificate Settings, TLS/SSL Certificate Good Record] is above 20.0%

Assessment:

Negative

Observations:

• DKIM Records
• TLS/SSL Certificates
• TLS/SSL Configurations

Controls:

4 Secure Configuration of Enterprise Assets and Software

Safeguards:

• 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
• 4.10 Enforce Automatic Device Lockout on Portable End-User Devices

Controls:

5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Safeguards:

• 5.1 Establish Secure Configurations
• 5.4 Deploy System Configuration Management Tools
• 5.5 Implement Automated Configuration Monitoring Systems

The presence of applications using cleartext authentication indicates ineffective controls of user accounts and credentials

The ratio of events of type [Cleartext Credential Transmission] by type [Open Port] is above 2.0%

Assessment:

Negative

Observations:

• Open Ports
• Web Application Headers

Controls:

6 Access Control Management

Safeguards:

• 4.6 Securely Manage Enterprise Assets and Software
• 4.7 Manage Default Accounts on Enterprise Assets and Software

Controls:

14 Controlled Access Based on the Need to Know

Safeguards:

• 14.4 Encrypt All Sensitive Information in Transit
• 14.6 Protect Information Through Access Control Lists
• 14.7 Enforce Access Control to Data Through Automated Tools
• 14.8 Encrypt Sensitive Information at Rest

Detected confirmed vulnerabilities were not fixed for over one month. This indicates that continuous vulnerability management is ineffective and may be failing

The ratio of events of type [Confirmed Vulnerability in Exposed Third Party Product] present for at least 1 month(s) by type [Open Port] is above 10.0%

Assessment:

Negative

Observations:

• Open Ports
• Patching Cadence

Controls:

• 7 Continuous Vulnerability Management
• 17 Incident Response Management
• 18 Penetration Testing

Safeguards:

• 7.1 Establish and Maintain a Vulnerability Management Process
• 7.2 Establish and Maintain a Remediation Process
• 7.3 Perform Automated Operating System Patch Management
• 7.4 Perform Automated Application Patch Management
• 7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
• 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
• 7.7 Remediate Detected Vulnerabilities
• 17.1 Designate Personnel to Manage Incident Handling
• 17.2 Establish and Maintain Contact Information for Reporting Security Incidents
• 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
• 17.4 Establish and Maintain an Incident Response Process
• 17.6 Define Mechanisms for Communicating During Incident Response
• 18.1 Establish and Maintain a Penetration Testing Program
• 18.2 Perform Periodic External Penetration Tests
• 18.3 Remediate Penetration Test Findings
• 18.4 Validate Security Measures
• 18.5 Perform Periodic Internal Penetration Tests

Controls:

• 33 Continuous Vulnerability Management
• 19 Incident Response and Management
• 20 Penetration Tests and Red Team Exercises

Safeguards:

• 3.1 Run Automated Vulnerability Scanning Tools
• 3.2 Perform Authenticated Vulnerability Scanning
• 3.4 Deploy Automated Operating System Patch Management Tools
• 3.5 Deploy Automated Software Patch Management Tools
• 19.1 Document Incident Response Procedures
• 19.2 Assign Job Titles and Duties for Incident Response
• 19.3 Designate Management Personnel to Support Incident Handling
• 19.5 Maintain Contact Information For Reporting Security Incidents
• 20.1 Establish a Penetration Testing Program
• 20.2 Conduct Regular External and Internal Penetration Tests
• 20.3 Perform Periodic Red Team Exercises
• 20.4 Include Tests for Presence of Unprotected System Information and Artifacts
• 20.5 Create Test Bed for Elements Not Typically Tested in Production
• 20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert

The lack of confirmed vulnerabilities for over a month indicates effective continuous vulnerability management

The ratio of events of type [Confirmed Vulnerability in Exposed Third Party Product] present for at least 1 month(s) by type [Open Port] is below 2.5%

Assessment:

Positive

Observations:

• Open Ports
• Patching Cadence

Controls:

• 7 Continuous Vulnerability Management
• 17 Incident Response Management
• 18 Penetration Testing

Safeguards:

• 7.1 Establish and Maintain a Vulnerability Management Process
• 7.2 Establish and Maintain a Remediation Process
• 7.3 Perform Automated Operating System Patch Management
• 7.4 Perform Automated Application Patch Management
• 7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
• 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
• 7.7 Remediate Detected Vulnerabilities
• 17.1 Designate Personnel to Manage Incident Handling
• 17.2 Establish and Maintain Contact Information for Reporting Security Incidents
• 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
• 17.4 Establish and Maintain an Incident Response Process
• 17.6 Define Mechanisms for Communicating During Incident Response
• 18.1 Establish and Maintain a Penetration Testing Program
• 18.2 Perform Periodic External Penetration Tests
• 18.3 Remediate Penetration Test Findings
• 18.4 Validate Security Measures
• 18.5 Perform Periodic Internal Penetration Tests

Controls:

• 3 Continuous Vulnerability Management
• 19 Incident Response and Management
• 20 Penetration Tests and Red Team Exercises

Safeguards:

• 3.1 Run Automated Vulnerability Scanning Tools
• 3.4 Deploy Automated Operating System Patch Management Tools
• 3.5 Deploy Automated Software Patch Management Tools
• 19.1 Document Incident Response Procedures
• 19.2 Assign Job Titles and Duties for Incident Response
• 19.3 Designate Management Personnel to Support Incident Handling
• 19.4 Devise Organization-wide Standards for Reporting Incidents
• 19.5 Maintain Contact Information For Reporting Security Incidents
• 19.7 Conduct Periodic Incident Scenario Sessions for Personnel
• 19.8 Create Incident Scoring and Prioritization Schema
• 20.1 Establish a Penetration Testing Program
• 20.2 Conduct Regular External and Internal Penetration Tests
• 20.3 Perform Periodic Red Team Exercises
• 20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert

The lack of basic security hygiene issues indicates effective processes to detect, respond, and remediate security issues are in place

The ratio of events of type [Cleartext Credential Transmission, Inadvisable Service Exposed on Open Port, Unnecessarily Exposed Port, Unauthenticated Service] by type [Open Port] is below 1.0%

Assessment:

Positive

Observations:

• Open Ports
• Web Application Headers

Controls:

• 7 Continuous Vulnerability Management
• 17 Incident Response Management
• 18 Penetration Testing

Safeguards:

• 7.1 Establish and Maintain a Vulnerability Management Process
• 7.2 Establish and Maintain a Remediation Process
• 7.3 Perform Automated Operating System Patch Management
• 7.4 Perform Automated Application Patch Management
• 7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
• 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
• 7.7 Remediate Detected Vulnerabilities
• 17.1 Designate Personnel to Manage Incident Handling
• 17.2 Establish and Maintain Contact Information for Reporting Security Incidents
• 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
• 17.4 Establish and Maintain an Incident Response Process
• 17.6 Define Mechanisms for Communicating During Incident Response
• 18.1 Establish and Maintain a Penetration Testing Program
• 18.2 Perform Periodic External Penetration Tests
• 18.3 Remediate Penetration Test Findings
• 18.4 Validate Security Measures
• 18.5 Perform Periodic Internal Penetration Tests

Controls:

• 3 Continuous Vulnerability Management
• 19 Incident Response and Management
• 20 Penetration Tests and Red Team Exercises

Safeguards:

• 3.1 Run Automated Vulnerability Scanning Tools
• 3.2 Perform Authenticated Vulnerability Scanning
• 3.4 Deploy Automated Operating System Patch Management Tools
• 3.5 Deploy Automated Software Patch Management Tools
• 3.7 Utilize a Risk-Rating Process
• 19.1 Document Incident Response Procedures
• 19.2 Assign Job Titles and Duties for Incident Response
• 19.3 Designate Management Personnel to Support Incident Handling
• 19.4 Devise Organization-wide Standards for Reporting Incidents
• 19.5 Maintain Contact Information For Reporting Security Incidents
• 20.1 Establish a Penetration Testing Program
• 20.2 Conduct Regular External and Internal Penetration Tests
• 20.3 Perform Periodic Red Team Exercises
• 20.4 Include Tests for Presence of Unprotected System Information and Artifacts
• 20.5 Create Test Bed for Elements Not Typically Tested in Production
• 20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert
• 20.7 Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards
• 20.8 Control and Monitor Accounts Associated with Penetration Testing

The lack of vulnerabilities in network devices indicates effective control, patching, and mismanagement of network devices

The fraction of endpoints from category [Networking Device] detected with [Confirmed Vulnerability in Exposed Third Party Product] is above 1.0%

Assessment:

Positive

Observations:

• Open Ports
• Patching Cadence

Controls:

• 4 Secure Configuration of Enterprise Assets and Software
• 12 Network Infrastructure Management

Safeguards:

• 12.1 Ensure Network Infrastructure is Up-to-Date
• 12.2 Establish and Maintain a Secure Network Architecture
• 12.3 Securely Manage Network Infrastructure

Controls:

11 Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Safeguards:

• 11.1 Maintain Standard Security Configurations for Network Devices
• 11.2 Document Traffic Configuration Rules
• 11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
• 11.4 Install the Latest Stable Version of Any Security-Related Updates on All Network Devices
• 11.5 Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
• 11.6 Use Dedicated Machines For All Network Administrative Tasks
• 11.7 Manage Network Infrastructure Through a Dedicated Network

The presence of basic security hygiene issues indicates the processes to detect, respond, and remediate security issues are ineffective and may be failing

The ratio of events of type [Cleartext Credential Transmission, Inadvisable Service Exposed on Open Port, Unnecessarily Exposed Port, Unauthenticated Service] by type [Open Port] is above 2.0%

Assessment:

Negative

Observations:

• Open Ports
• Web Application Headers

Controls:

• 7 Continuous Vulnerability Management
• 17 Incident Response Management
• 18 Penetration Testing

Safeguards:

• 7.1 Establish and Maintain a Vulnerability Management Process
• 7.2 Establish and Maintain a Remediation Process
• 7.3 Perform Automated Operating System Patch Management
• 7.4 Perform Automated Application Patch Management
• 7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
• 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
• 7.7 Remediate Detected Vulnerabilities
• 17.1 Designate Personnel to Manage Incident Handling
• 17.2 Establish and Maintain Contact Information for Reporting Security Incidents
• 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
• 17.4 Establish and Maintain an Incident Response Process
• 17.6 Define Mechanisms for Communicating During Incident Response
• 18.1 Establish and Maintain a Penetration Testing Program
• 18.2 Perform Periodic External Penetration Tests
• 18.3 Remediate Penetration Test Findings
• 18.4 Validate Security Measures
• 18.5 Perform Periodic Internal Penetration Tests

Controls:

• 3 Continuous Vulnerability Management
• 19 Incident Response and Management
• 20 Penetration Tests and Red Team Exercises

Safeguards:

• 3.1 Run Automated Vulnerability Scanning Tools
• 3.2 Perform Authenticated Vulnerability Scanning
• 3.3 Protect Dedicated Assessment Accounts
• 3.4 Deploy Automated Operating System Patch Management Tools
• 3.5 Deploy Automated Software Patch Management Tools
• 3.7 Utilize a Risk-Rating Process
• 19.1 Document Incident Response Procedures
• 19.2 Assign Job Titles and Duties for Incident Response
• 19.3 Designate Management Personnel to Support Incident Handling
• 19.4 Devise Organization-wide Standards for Reporting Incidents
• 19.5 Maintain Contact Information For Reporting Security Incidents
• 20.1 Establish a Penetration Testing Program
• 20.2 Conduct Regular External and Internal Penetration Tests
• 20.3 Perform Periodic Red Team Exercises
• 20.4 Include Tests for Presence of Unprotected System Information and Artifacts
• 20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert

The presence of vulnerabilities in network devices indicates ineffective control, patching, and mismanagement of network devices

The fraction of endpoints from category [Networking Device] detected with [Confirmed Vulnerability in Exposed Third Party Product] is above 5.0%

Assessment:

Negative

Observations:

• Open Ports
• Patching Cadence

Controls:

• 4 Secure Configuration of Enterprise Assets and Software
• 12 Network Infrastructure Management

Safeguards:

• 12.1 Ensure Network Infrastructure is Up-to-Date
• 12.2 Establish and Maintain a Secure Network Architecture
• 12.3 Securely Manage Network Infrastructure

Controls:

11 Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Safeguards:

• 11.1 Maintain Standard Security Configurations for Network Devices
• 11.2 Document Traffic Configuration Rules
• 11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
• 11.4 Install the Latest Stable Version of Any Security-Related Updates on All Network Devices
• 11.5 Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
• 11.6 Use Dedicated Machines For All Network Administrative Tasks
• 11.7 Manage Network Infrastructure Through a Dedicated Network