Configuration Audits, Data Leakage, and Compliance

What is an audit?

You can use Tenable Nessus to log into Unix and Windows servers, Cisco devices, SCADA systems, IBM iSeries servers, and databases to determine whether they are configured in accordance with the local site security policy. Tenable Nessus can also search the entire hard drive of Windows and Unix systems for unauthorized content.

It is important for your organization to establish a site security policy before performing an audit to ensure assets are appropriately protected. A vulnerability assessment determines if your systems are vulnerable to known exploits but does not determine, for example, if personnel records are being stored on a public server.

There is no absolute standard on security; it is a question of managing risk and this varies between organizations.

For example, consider password requirements such as minimum and maximum password ages and account lockout policies. There may be good reasons to change passwords frequently or infrequently. There may also be good reasons to lock an account out after more than five login failures, but on a mission-critical system a higher threshold, or even disabling lockouts altogether, might be more prudent.

These configuration settings have much to do with system management and security policy, but not specifically with system vulnerabilities or missing patches. Tenable Nessus can perform compliance checks for Unix and Windows servers. Policies can be either simple or complex, depending on the requirements of each individual compliance scan.

Audit vs. Vulnerability Scan

Tenable Nessus can perform vulnerability scans of network services as well as log into servers to discover any missing patches. However, a lack of vulnerabilities does not mean the servers are configured correctly or are “compliant” with a particular standard.

The advantage of using Tenable Nessus to perform vulnerability scans and compliance audits is that all of this data can be obtained at one time. Knowing how a server is configured, how it is patched and what vulnerabilities are present can help determine measures to mitigate risk.

At a higher level, if this information is aggregated for an entire network or asset class (as with Tenable Security Center), security and risk can be analyzed globally. This allows auditors and network managers to spot trends in non-compliant systems and adjust controls to fix these on a larger scale.

Audit Reports

When an audit is performed, Tenable Nessus attempts to determine if the host is compliant, non-compliant or if the results are inconclusive.

Compliance results in Tenable Nessus are logged as Pass, Fail, and Warning. Tenable Security Center logs results as Info for passed, High for failed, and Medium for inconclusive (for example, a permissions check for a file that is not found on the system).

Unlike a vulnerability check, which only reports if the vulnerability is present, a compliance check always reports something. This way, the data can be used as the basis of an audit report to show that a host passed or failed a specific test, or if it could not be properly tested.
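As an added example (not part of this documentation or of Tenable's code), the following Python script reads a compliance export, keeps only the audit results, and applies the Pass/Fail/Warning to Info/High/Medium mapping described above. It assumes the .nessus v2 export layout, in which compliance report items carry cm:compliance-check-name and cm:compliance-result elements; the sample XML is constructed.

```python
# Added example, not Tenable's own code. Assumes the .nessus v2 export layout:
# compliance <ReportItem>s carry <cm:compliance-check-name> and
# <cm:compliance-result> in the http://www.nessus.org/cm namespace.
import xml.etree.ElementTree as ET
from collections import Counter

CM = "{http://www.nessus.org/cm}"
# Compliance result -> severity that Tenable Security Center assigns.
SEVERITY = {"PASSED": "Info", "FAILED": "High", "WARNING": "Medium"}

# Constructed sample export (not a real scan): one host, three audit checks
# plus one ordinary vulnerability finding that must be ignored.
SAMPLE = """<NessusClientData_v2 xmlns:cm="http://www.nessus.org/cm">
<Report name="audit"><ReportHost name="srv01">
 <ReportItem port="0" pluginFamily="Policy Compliance" severity="0">
  <cm:compliance-check-name>Minimum password age</cm:compliance-check-name>
  <cm:compliance-result>PASSED</cm:compliance-result></ReportItem>
 <ReportItem port="0" pluginFamily="Policy Compliance" severity="3">
  <cm:compliance-check-name>Account lockout threshold</cm:compliance-check-name>
  <cm:compliance-result>FAILED</cm:compliance-result></ReportItem>
 <ReportItem port="0" pluginFamily="Policy Compliance" severity="2">
  <cm:compliance-check-name>Permissions on /etc/example.conf</cm:compliance-check-name>
  <cm:compliance-result>WARNING</cm:compliance-result></ReportItem>
 <ReportItem port="445" pluginFamily="Windows" severity="4">
  <plugin_output>vulnerability finding, not an audit result</plugin_output></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

def compliance_items(xml_text):
    """Return (host, check name, result, severity) for every compliance item."""
    rows = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            if item.get("pluginFamily") != "Policy Compliance":
                continue  # plain vulnerability checks only report when present
            name = item.findtext(CM + "compliance-check-name", default="?")
            result = item.findtext(CM + "compliance-result", default="").upper()
            rows.append((host.get("name"), name, result, SEVERITY.get(result, "Unknown")))
    return rows

def summarise(xml_text):
    """Per host: (passed, failed, warning, compliant); any FAILED means non-compliant."""
    counts = {}
    for host, _, result, _ in compliance_items(xml_text):
        counts.setdefault(host, Counter())[result] += 1
    return {h: (c["PASSED"], c["FAILED"], c["WARNING"], c["FAILED"] == 0)
            for h, c in counts.items()}

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

Because every compliance check yields a row, the per-host summary also shows which hosts could not be fully tested (a non-zero warning count), which is the property the audit report relies on.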