Device Class 1: Vulnerability Scanning

Control ID: RA-5 Vulnerability Scanning
Family: Risk Assessment
Source: NIST 800-53r4
Control: The organization:
  1. Scans for vulnerabilities in the information system and hosted applications and when new vulnerabilities potentially affecting the system/applications are identified and reported;
  2. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
    1. Enumerating platforms, software flaws, and improper configurations;
    2. Formatting checklists and test procedures; and
    3. Measuring vulnerability impact;
  3. Analyzes vulnerability scan reports and results from security control assessments;
  4. Remediates legitimate vulnerabilities in accordance with an organizational assessment of risk; and
  5. Shares information obtained from the vulnerability scanning process and security control assessments with CVE Numbering Authorities (CNAs) to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
Supplemental Guidance:
Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

Related Controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2
Control Enhancements:
(5) Vulnerability Scanning | Privileged Access
The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].
Supplemental Guidance: In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning.
Related Controls: N/A
References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov.
Mechanisms:

  • Device scanning that investigates application patch levels, device configuration, exposed services and known vulnerabilities shall occur at regular intervals (daily, weekly).
  • Device scanning tool will maintain regular security signature updates of its own.
  • The device will report on security weaknesses so that vulnerabilities can be tracked and remediated centrally.
  • Regular network scanning of all connected hosts shall occur.
  • This could be periodic (monthly) or with any major changes to the network configuration (say the addition of new services or servers).
  • Regular network scanning shall look for the following:
    • Hosts and services that are exposed but should not be.
    • Known vulnerabilities in exposed services, based on public vulnerability databases.
    • Unpatched services that need updating
    • Weak security configurations (default passwords, lack of authorization controls)
  • All exposed Web Applications/Services will undergo regular web application scanning to look for common vulnerabilities affecting web applications (including OWASP-Top 10 vulnerabilities)
  • Web applications shall also undergo a privileged access scan per [Control Enhancement 5] to identify issues affecting authenticated users.
  • Application source code shall undergo regular audits, either periodically or before any major release. This can involve static analysis code audit tools, peer code review, and/or external auditors.
  • Regular external audits or penetration tests of the network infrastructure, exposed services, and web applications shall be conducted.
  • Application binaries shall be scanned using a binary analyzer or input fuzzer.
  • The organization must have a defined process for tracking all security-related issues, and their remediation status, identified by any scanning or auditing activities.
  • The organization shall react to all legitimate vulnerabilities.
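As an added example (not part of this profile or any particular scanning product), the following Python evaluator maps a constructed host inventory and a constructed vulnerability feed onto the four finding classes the device scanning mechanism must report (unexpected exposed services, known vulnerabilities, unpatched services, weak configuration), ordered by CVSS score so they can be tracked and remediated centrally. Every host name, port, version, CVE identifier and score below is a constructed placeholder.

```python
from dataclasses import dataclass

# Constructed sample data only; no real hosts, feeds or CVE identifiers.
EXPECTED_SERVICES = {"web01": {443}, "db01": set()}   # allowlisted exposed ports per host
CVE_FEED = {                                          # product -> [(fixed_version, cve_id, cvss)]
    "nginx": [("1.25.4", "CVE-EXAMPLE-0001", 7.5)],
    "postgresql": [("16.2", "CVE-EXAMPLE-0002", 9.8)],
}
LATEST = {"nginx": "1.25.4", "postgresql": "16.2", "sshd": "9.6"}  # current patch level
DEFAULT_ACCOUNTS = {("postgresql", "postgres")}        # (product, account) known defaults

INVENTORY = {  # what a device scan observed (constructed)
    "web01": {"services": [{"port": 443, "product": "nginx", "version": "1.24.0"},
                           {"port": 22, "product": "sshd", "version": "9.6"}]},
    "db01": {"services": [{"port": 5432, "product": "postgresql", "version": "16.1",
                           "user": "postgres"}]},
}

@dataclass
class Finding:
    host: str
    category: str      # "5.1".."5.4", matching the RA-5(5)/5.x conformance rows
    detail: str
    cvss: float = 0.0  # 0.0 where the feed assigns no score

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def scan(inventory):
    """Return findings for every observed service, highest CVSS first."""
    findings = []
    for host, data in inventory.items():
        allowed = EXPECTED_SERVICES.get(host, set())
        for svc in data["services"]:
            port, product, version = svc["port"], svc["product"], svc["version"]
            if port not in allowed:                                   # 5.1 unexpected exposure
                findings.append(Finding(host, "5.1", f"{product} exposed on port {port}"))
            for fixed, cve, score in CVE_FEED.get(product, []):      # 5.2 known vulnerability
                if version_tuple(version) < version_tuple(fixed):
                    findings.append(Finding(host, "5.2", f"{product} {version}: {cve}", score))
            if version_tuple(version) < version_tuple(LATEST.get(product, version)):
                findings.append(Finding(host, "5.3", f"{product} {version} < {LATEST[product]}"))
            if (product, svc.get("user")) in DEFAULT_ACCOUNTS:       # 5.4 weak configuration
                findings.append(Finding(host, "5.4", f"{product} uses default account"))
    return sorted(findings, key=lambda f: -f.cvss)

def summary(findings):
    """Count findings per category for the central tracking report."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts
```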

Protocol Implementation Conformance Statements:
ID | Statement | Status | Reference | Notes
RA-5/1 | Provides a mechanism to scan for vulnerabilities in the information system and hosted applications | M | | Describe scanning mechanism
RA-5/1.1 | Provides vulnerability scanning tools | M | | Describe scanning tools
RA-5(5)/2 | Provides device scanning that investigates application patch levels, device configuration, exposed services and known vulnerabilities | M | |
RA-5(5)/3 | Device scanning tool can be configured to operate automatically at regular intervals | M | | Define supported intervals
RA-5(5)/4 | Device scanning tool maintains regular security signature updates of its own | M | |
RA-5(5)/5 | Device reports on security weaknesses | M | | Define location of report
RA-5(5)/5.1 | Device scanning reports hosts and services that are exposed but should not be | M | |
RA-5(5)/5.2 | Device scanning reports known vulnerabilities in exposed services | M | |
RA-5(5)/5.3 | Device scanning reports unpatched services that need updating | M | |
RA-5(5)/5.4 | Device scanning reports weak security configurations (default passwords, lack of authorization controls) | M | |