Identifying Risks
Risks and Warnings are generated from the Policies and Requirements located in the Policy Manager. NP policies and requirements are assigned automatically to every device when it is imported, and they run whenever a change to a network device configuration is identified.
The following default policies are provided with all Compliance modules:
- NP-Parser Policy – triggers from device configuration files
- NP Path Policy – triggers from the results of the path analysis
- NP Rule Policy – triggers from access rules
CIS Benchmarks are provided as part of the Best Practices Module:
- CIS Benchmark for Check Point
- CIS Benchmark for Cisco
- CIS Benchmark for Palo Alto
Policy Management
Each policy is broken down into a set of requirements that are used to identify potential network risks.
Clicking on a specific Policy and Requirement displays the details and the Regex logic for that requirement.
Policies and Requirements are global: a change made within one workspace applies to all workspaces. For example, if a Policy, Requirement or Device is deactivated in one workspace, that update applies to all workspaces. Default policies and requirements can be enabled or disabled by clicking the blue bubble and run by clicking the “Run” button. Default policies and requirements cannot be edited or deleted.
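As an added illustration of how regex-based requirements evaluate a device configuration (not the product's own Regex logic), the Python below applies a handful of requirements to a configuration file: a requirement flags a risk either when a weak setting is present or when an expected hardening line is absent. The requirement names are taken from the CIS Benchmark for Cisco list on this page; the patterns, the `Requirement` structure and the sample configuration are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass


# Illustrative requirement definition (an assumption, not the product's data model).
# Each requirement is a regex applied line-by-line to a device configuration file.
@dataclass(frozen=True)
class Requirement:
    policy: str
    name: str
    severity: str            # "High", "Medium" or "Low"
    pattern: str             # regex evaluated with re.MULTILINE
    risk_when_present: bool  # True: a match IS the risk; False: a missing match is the risk


# Requirement names come from the CIS Benchmark for Cisco list; the patterns are assumptions.
REQUIREMENTS = [
    Requirement("CIS Benchmark for Cisco", "Ensure 'Host Name' is set", "Low",
                r"^hostname\s+\S+", risk_when_present=False),
    Requirement("CIS Benchmark for Cisco", "Ensure 'MOTD banner' is set", "Low",
                r"^banner\s+motd\b", risk_when_present=False),
    Requirement("CIS Benchmark for Cisco",
                "Ensure 'SNMP community string' is not the default string", "Low",
                r"^snmp-server\s+community\s+(public|private)\b", risk_when_present=True),
    Requirement("CIS Benchmark for Cisco", "Ensure 'logging' is enabled", "Low",
                r"^logging\s+(host|buffered|trap)\b", risk_when_present=False),
]


def evaluate_requirements(config_text, requirements=REQUIREMENTS):
    """Return one (policy, requirement, severity, evidence) tuple per triggered requirement."""
    findings = []
    for req in requirements:
        match = re.search(req.pattern, config_text, re.MULTILINE | re.IGNORECASE)
        if req.risk_when_present and match:
            # A weak setting was found: the matching line is the evidence.
            findings.append((req.policy, req.name, req.severity, match.group(0).strip()))
        elif not req.risk_when_present and not match:
            # An expected hardening line is missing.
            findings.append((req.policy, req.name, req.severity,
                             "no line matched /%s/" % req.pattern))
    return findings


# Constructed sample configuration: it has a hostname and a syslog host, but
# no MOTD banner and a default SNMP community string, so two requirements trigger.
SAMPLE_CONFIG = """\
hostname edge-fw-01
!
logging host 10.0.0.5
snmp-server community public RO
!
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    for policy, name, severity, evidence in evaluate_requirements(SAMPLE_CONFIG):
        print(f"[{severity}] {policy}: {name} ({evidence})")
```

Absence checks are the ones that most often produce false positives in practice: a banner or logging statement configured under a different keyword than the regex expects is reported as missing, which is why the product displays the Regex logic for each requirement so it can be reviewed against the vendor's syntax.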
Default Policies and Requirements
| Policy | Requirement | Risk Severity |
|---|---|---|
| NP Parser Policy | Unnecessary EIGRP Network | Low |
| NP Parser Policy | Broadcast traffic permission | Low |
| NP Parser Policy | Traffic to multicast group | Low |
| NP Parser Policy | Empty Field | Low |
| NP Parser Policy | Unused ACL's | Low |
| NP Parser Policy | Unused group | Low |
| NP Parser Policy | Mixed any and not any | Low |
| NP Parser Policy | Unassigned interface | Low |
| NP Parser Policy | Missing interfaces | Low |
| NP Parser Policy | Rule following schedule | Low |
| NP Path Policy | Any protocol path | Medium |
| NP Rule Policy | Any protocol path | High |
| NP Rule Policy | Any to any IP | Medium |
| NP Rule Policy | Any source IP | High |
| NP Rule Policy | Any destination IP | Medium |
| NP Rule Policy | Any protocol | Medium |
| NP Rule Policy | Any destination port | Medium |
CIS Benchmark
In addition to the NP policies, portions of the CIS Benchmarks have been provided for several manufacturers. CIS Benchmarks provide a powerful set of secondary policies to help identify risk within your network. CIS Benchmarks are disabled by default and must be enabled manually and assigned to devices. As noted above, changes to Policies, Requirements or Devices apply to all workspaces. CIS Benchmark Policies and Requirements can be deactivated but not edited or deleted.
CIS Benchmark for Check Point
| Requirement | Risk Severity |
|---|---|
| Ensure 'Login Banner' is set | Low |
| Ensure CLI session timeout is set to less than or equal to 10 minutes | Low |
| Ensure Check for Password Reuse is selected and History Length is set to 12 or more | Low |
| Ensure DHCP is disabled | Low |
| Ensure DNS server is configured | Low |
| Ensure Deny access after failed login attempts is selected | Low |
| Ensure Deny access to unused accounts is selected | Low |
| Ensure Disk Space Alert is set | Low |
| Ensure force users to change password at first login after password was changed from Users page is selected | Low |
| Ensure Host Name is set | Low |
| Ensure IPv6 is disabled if not used | Low |
| Ensure Maximum number of failed attempts allowed is set to 5 or fewer | Low |
| Ensure Minimum Password Length is set to 14 or higher | Low |
| Ensure NTP is enabled and IP address is set for Primary and Secondary NTP server | Low |
| Ensure Password Complexity is set to 3 | Low |
| Ensure Password Expiration is set to 90 days or less | Low |
| Ensure Telnet is disabled | Low |
| Ensure Warn users before password expiration is set to 7 days or less | Low |
| Ensure Web session timeout is set to less than or equal to 10 minutes | Low |
| Ensure Radius or TACACS+ server is configured | Low |
| Logging should be enabled for all Firewall Rules | Low |
CIS Benchmark for Cisco
| Requirement | Risk Severity |
|---|---|
| Ensure 'Domain Name' is set | Low |
| Ensure 'Failover' is enabled | Low |
| Ensure 'HTTP session timeout' is less than or equal to '5' minutes | Low |
| Ensure 'Host Name' is set | Low |
| Ensure 'LOGIN banner' is set | Low |
| Ensure 'MOTD banner' is set | Low |
| Ensure 'NTP authentication key' is configured correctly | Low |
| Ensure 'Password Policy' is enabled | Low |
| Ensure 'Password Recovery' is disabled | Low |
| Ensure 'SNMP community string' is not the default string | Low |
| Ensure 'SSH session timeout' is less than or equal to '5' minutes | Low |
| Ensure 'TACACS+RADIUS' is configured correctly | Low |
| Ensure 'console session timeout' is less than or equal to '5' minutes | Low |
| Ensure 'local username and password' is set | Low |
| Ensure 'logging with timestamps' is enabled | Low |
| Ensure 'logging' is enabled | Low |
| Ensure ActiveX filtering is enabled | Low |
| Ensure DHCP services are disabled for untrusted interfaces | Low |
| Ensure DOS protection is enabled for untrusted interfaces | Low |
| Ensure Master Key Passphrase is set | Low |
| Ensure email logging is configured for critical to emergency | Low |
| Ensure explicit deny in access lists is configured correctly | Low |
| Ensure 'trusted NTP server' exists | Low |
| Ensure Enable Password is set | Low |
| Ensure Java applet filtering is enabled | Low |
| Ensure Logon Password is set | Low |
| Ensure known default accounts do not exist | Low |
CIS Benchmark for Palo Alto
| Requirement | Risk Severity |
|---|---|
| Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Low |
| Ensure 'Login Banner' is set | Low |
| Ensure 'Minimum Length' is greater than or equal to 12 | Low |
| Ensure 'Minimum Lowercase Letters' is greater than or equal to 1 | Low |
| Ensure 'Minimum Numeric Letters' is greater than or equal to 1 | Low |
| Ensure 'Minimum Password Complexity' is enabled | Low |
| Ensure 'Minimum Special Characters' is greater than or equal to 1 | Low |
| Ensure 'Minimum Uppercase Letters' is greater than or equal to 1 | Low |
| Ensure 'New Password Differs By Characters' is greater than or equal to 3 | Low |
| Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled | Low |
| Ensure 'Permitted IP Addresses' is set to those necessary for device management | Low |
| Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords | Low |
| Ensure 'Required Password Change Period' is less than or equal to 90 days | Low |
| Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist | Low |
| Ensure HTTP and Telnet options are disabled for all management profiles | Low |
| Ensure HTTP and Telnet options are disabled for the management interface | Low |
| Ensure System Logging to a Remote Host | Low |
| Ensure alerts are enabled for malicious files detected by WildFire | Low |
| Ensure redundant NTP servers are configured appropriately | Low |
| Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones | Low |
| Ensure that a Zone Protection Profile with tuned Flood Protection settings enabled for all flood types is attached to all untrusted zones | Low |
| Ensure that the Certificate used for Decryption is Trusted | Low |
| Ensure valid certificate is set for browser-based administrator interface | Low |
| Syslog logging should be configured | Low |
Risk Assessment Grading
At any given time, a monitored device can have one or more open risks or warnings. Our Grading algorithm uses this information to give each device a letter grade; the quantity, criticality and type of open risks and warnings all go into the calculation.
This grade tells users which devices carry the highest security or compliance risk: the lower the letter grade, the higher the risk.
The grade for each monitored device can be seen by clicking on a device on the topology map and reviewing Risk Assessment Grading on the device menu. Clicking on that menu item displays the details that went into the grade.
A depiction of the data flow is as follows:
Calculating Device Risk Grade
The Device Risk Grade is calculated using the following weights:
- High = 5
- Medium = 3
- Low = 1
The Device Risk Grade is 100 minus the weighted sum of the open risks, mapped to a letter. For example, five High risks and one Low risk give (5 high * 5) + (1 low * 1) = 26, so 100 – 26 = 74, which is a C:
- 90 -> 100 = A
- 80 -> 89 = B
- 70 -> 79 = C
- 60 -> 69 = D
- Else F
Issue Status is used to exclude both Resolved and Fixed issues from the calculation.
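The grading calculation described above, as an added worked example in Python (not the product's own implementation). It applies the documented weights, the letter-grade bands and the Resolved/Fixed exclusion to a constructed list of issues. The issue dictionary fields (`requirement`, `severity`, `status`) and the clamping of the score at 0, so that a heavily penalised device gets an F rather than a negative score, are assumptions made for the example.

```python
from collections import Counter

# Severity weights as documented for the Device Risk Grade.
SEVERITY_WEIGHTS = {"High": 5, "Medium": 3, "Low": 1}

# Issue statuses that Issue Status excludes from the calculation.
EXCLUDED_STATUSES = {"Resolved", "Fixed"}

# Letter-grade bands as documented: 90-100 A, 80-89 B, 70-79 C, 60-69 D, else F.
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D")]


def open_issues(issues):
    """Keep only issues whose status is not Resolved or Fixed."""
    return [i for i in issues if i.get("status") not in EXCLUDED_STATUSES]


def risk_score(issues):
    """100 minus the weighted sum of open issues; floored at 0 (an assumption) so
    a device with many High risks gets an F rather than a negative score."""
    penalty = sum(SEVERITY_WEIGHTS[i["severity"]] for i in open_issues(issues))
    return max(0, 100 - penalty)


def letter_grade(score):
    """Map a numeric score to its letter band."""
    for threshold, letter in GRADE_BANDS:
        if score >= threshold:
            return letter
    return "F"


def device_risk_grade(issues):
    """Return (score, letter, breakdown); breakdown counts open issues per severity."""
    counts = Counter(i["severity"] for i in open_issues(issues))
    score = risk_score(issues)
    return score, letter_grade(score), dict(counts)


# Constructed sample reproducing the documented example (five High, one Low),
# plus a Resolved Medium and a Fixed High that must be ignored.
# Requirement names are taken from the default NP Rule Policy / NP Parser Policy tables.
SAMPLE_ISSUES = (
    [{"requirement": "Any source IP", "severity": "High", "status": "Open"} for _ in range(5)]
    + [
        {"requirement": "Unused group", "severity": "Low", "status": "Open"},
        {"requirement": "Any destination IP", "severity": "Medium", "status": "Resolved"},
        {"requirement": "Any source IP", "severity": "High", "status": "Fixed"},
    ]
)

if __name__ == "__main__":
    score, letter, breakdown = device_risk_grade(SAMPLE_ISSUES)
    print(f"open issues: {breakdown}; score {score} -> grade {letter}")
```

Because every CIS Benchmark requirement on this page carries a Low severity, a device that fails many benchmark checks can still grade well while a single Any source IP rule (High) costs five points; the breakdown returned alongside the grade shows which severity is driving the score.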