Tag Archive for: Compliance

Greenbone AG

Greenbone Audits for Compliance with the CIS Windows 11 Enterprise Benchmark”

Microsoft Windows remains the most widely used desktop operating system in enterprise environments – and also one of the most targeted by threat actors. Insecure configurations are a leading source of security breaches [1][2][3], often exploited to gain initial access [TA0001], escalate privileges [TA0004], steal credentials [TA0006], establish persistent access [TA0003], and move laterally within a network [TA0008]. Many national cybersecurity agencies continue to advocate strongly for organizations to enact policies to strengthen operating system (OS) baseline configurations [4][5][6][7][8].

Securing Windows 11 systems requires more than just patching known vulnerabilities. IT operations should start by deploying security hardened baseline images of Windows and periodically verify their configuration. This means adjusting many hidden or often overlooked settings of Microsoft Windows while disabling some features altogether. Hardened security controls include enforcing strong password and account lockout policies, disabling unnecessary system services like Remote Registry, applying application control rules via AppLocker, configuring advanced audit policies to monitor system activity and more.

Aligning with these enterprise IT cybersecurity goals, Greenbone is proud to announce the addition of CIS Microsoft Windows 11 Enterprise Benchmark v3.0.0 Level 1 (L1) auditing to our compliance capabilities. This latest enhancement allows our Enterprise feed customers to verify their Windows 11 configurations against the CIS compliance standard and adds to Greenbone’s growing arsenal of CIS compliance policies including Google Chrome, Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows, Linux and Docker [1][2]. Read on to find out more about Greenbone’s latest IT security detection capabilities.

Greenbone Adds CIS Microsoft Windows 11 Enterprise Benchmark

The CIS Microsoft Windows 11 Enterprise Benchmark v3.0.0 L1 is now available in the Greenbone Enterprise Feed. This benchmark defines a comprehensive set of security configurations – from Group Policy and registry hardening to built-in feature restrictions – designed to lock down Windows 11 Enterprise in line with industry best practices. With this new addition, Greenbone makes it easier to identify Microsoft Windows misconfigurations before attackers can exploit them.

Our Enterprise vulnerability feed leverages compliance policies to execute tests to verify each automatable CIS L1 requirement. These tests are grouped into scan configurations, allowing security teams to launch targeted assessments across their Windows 11 fleet. Whether aligning with internal security mandates or regulatory frameworks, Greenbone’s audit will confirm your Windows 11 Enterprise settings, ensuring that systems are locked down and that deprecated or risky features are disabled.

Windows Security Is Paramount

Microsoft Windows plays a prominent role in enterprise IT environments, serving as the backbone for endpoints, servers and domain infrastructure. But this ubiquity also makes it a prime target. Insecure Windows configurations can open the door to Remote Code Execution (RCE), credential theft and privilege escalation. A serious cyber breach can result in full domain compromise, ransomware attacks, loss of customer confidence, regulatory fines and even high cost legal action such as class action lawsuits when user data is leaked.

In recent years, national cybersecurity agencies – including Germany’s BSI [9], the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [10] and the Canadian Centre for Cyber Security [11] among others [12][13] – have issued alerts emphasizing the need to harden OS security configurations and disable legacy features that attackers routinely exploit. The increasing frequency and sophistication of adversarial threat actors further underscores the need for proactive Windows security.

Misconfigurations in Windows can have a cascading impact, compromising both the local system and the wider network. That’s why hardening efforts must go beyond vulnerability patching to include robust configuration management. Greenbone’s new CIS Windows 11 Enterprise compliance policy gives defenders the tools they need to strengthen resilience against many critical IT security weaknesses.

How Does the CIS Windows 11 Benchmark Improve Cybersecurity?

The CIS Microsoft Windows 11 Enterprise Benchmark offers a structured approach to securing Microsoft Windows endpoints. It defines configuration settings that could be used for unauthorized access, privilege abuse and system compromise. The benchmark audits a wide range of policies including account security, system services, network configurations, application controls and administrative templates to reduce attack surface and improve system integrity.

The major sections of the CIS Windows 11 benchmark are:

  • Account Policies: Defines policies for password complexity, history, expiration and account lockout thresholds. These settings help enforce strong authentication hygiene and limit brute-force attacks.
  • Local Policies: Focuses on enforcing a wide array of local access controls and system behavior. It covers audit settings, user rights assignments (like who can log in locally or shut down the system) and security options (like guest account status, access tokens, network access, device drivers, firmware options and cryptography requirements) and more.
  • System Services: Reduces attack surface by limiting active system components. Recommends disabling or configuring Windows services that may be unnecessary or expose the system to risk (e.g., Remote Registry, FTP, Bluetooth, OpenSSH, Geolocation service and more).
  • Windows Defender Firewall with Advanced Security: Covers firewall configurations for domain, private and public profiles. Includes rules for logging, connection restrictions and blocking unsolicited inbound traffic to enforce network segmentation and traffic control.
  • Advanced Audit Policy Configuration: Provides granular auditing settings across categories like logon events, object access and policy changes to enhance visibility and compliance.
  • Administrative Templates (Computer): Covers Group Policy settings at the computer level, including UI restrictions, legacy protocol controls, SMB hardening, UAC behavior and device configuration.
  • Administrative Templates (User): Focuses on user-level policies affecting personalization, privacy, desktop behavior, Windows components, telemetry, cloud content, search and Microsoft Store access.

Greenbone Is a CIS Consortium Member

As a member of the CIS consortium, Greenbone is committed to adding additional scan configurations to attest CIS Benchmarks. All our CIS Benchmarks policies are aligned with CIS hardening guidelines and certified by CIS, ensuring maximum security for system audits. Greenbone also has a dedicated compliance view for the Greenbone Security Assistant (GSA) web-interface, to streamline the assessment process for organizations.

Summary

Securing Microsoft Windows 11 Enterprise requires more than patching vulnerabilities – it demands a disciplined approach to configuration management based on proven best practices. By hardening hidden system settings and disabling unnecessary features, security teams can prevent exploitation paths commonly used by attackers to deploy ransomware, exfiltrate data or establish persistence.

With added support for the CIS Microsoft Windows 11 Enterprise Benchmark v3.0.0, Greenbone strengthens its position as a leader in proactive cybersecurity, offering enterprises the tools they need to reduce risk, demonstrate compliance and stay resilient in an increasingly hostile digital landscape. Enterprise Feed subscribers can now audit and verify their Windows 11 configurations with precision and confidence

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

Dennis-Kenji Kipker about the future of NIS2 in Germany and Europe

With the new elections, the implementation of NIS2 in Germany appears to have been halted for the time being. While other European countries are already ready, German companies will have to wait several more months until legal certainty is established. Everything has actually been said, templates have been drawn up, but the change of government means a new start is necessary.

We spoke to one of the leading experts on NIS2: Dennis-Kenji Kipker is Scientific Director of the cyberintelligence.institute in Frankfurt/Main, professor at the Riga Graduate School of Law and regularly consults as an expert at the German Federal Office for Information Security (BSI) and many other public and scientific institutions.

Why did the German government reject the final NIS2 draft?

Portrait of Prof. Dr. Dennis-Kenji Kipker, expert in IT law and cyber security, in an interview on the implementation of the NIS2 Directive

Prof. Dr. Dennis-Kenji Kipker

Kipker: This is due to the so-called discontinuity principle. Just like with the old government, all unfinished projects must be archived. “Due to the early elections, the parliamentary procedure for the NIS2UmsuCG could not be completed” is the official term. In line with the principle of discontinuity, when a newly elected Bundestag is constituted, all bills not yet passed by the old Bundestag must be reintroduced and renegotiated. This means that the work already done on NIS2 will fall by the wayside. But you can of course build on this and reintroduce almost the same text.

Will that happen?

Kipker: There is an internal 100-day plan from the Federal Ministry of the Interior for the period after the election. According to rumors, cybersecurity is a very high priority in the plan, and NIS2 in particular is now to be implemented very quickly. If this can be implemented before fall/winter 2025 (the actual current schedule), Germany will at least avoid the embarrassment of bringing up the rear in Europe.

Is that realistic?

Kipker: You would have to recycle a lot, i.e. take over things from the last legislative period despite the principle of discontinuity. Now, it seems that the current Ministry of the Interior wants to do just that. Only the politicians and officials directly involved know whether this is realistic. However, 100 days seems very ambitious to me in the Berlin political scene, even if everyone involved pulls together. There would need to be a budget, the current NIS2UmsuCG draft would need to be revised and addressed but also finalized, and the German scope of application of the law would need to be clarified and aligned with EU law. Furthermore, at the end of 2024 and the beginning of 2025, attempts were still being made to push through many things in the Bundestag after the expert hearing on NIS2, some of which are rather questionable. In any case, this would have to be renegotiated politically and evaluated technically.

When do you think this will happen?

Kipker: It’s hard to say, but even if you break the 100-day deadline, it should be feasible to complete a national NIS2 implementation before the winter of 2025/2026. But that’s just a very preliminary assumption that I keep hearing from “usually well-informed circles”. One way or another, we will be at the bottom of the league when it comes to Europe-wide implementation, and all the current ambitions won’t change that.

And what is the situation like in other European countries?

Kipker: A lot is happening right now. It has been recognized, for example, that the different national implementations of NIS2 lead to frictional losses and additional costs for the affected companies – that’s not really surprising. A few weeks ago, the European Union Agency For Cybersecurity (ENISA) published a report that is well worth reading, which explains and evaluates the maturity and criticality of relevant NIS2 sectors in a European comparison. “NIS360 is intended to support Member States and national authorities in identifying gaps and prioritizing resources”, writes the EU cybersecurity authority. And we at cyberintelligence.institute have produced a comprehensive study on behalf of the Swiss company Asea Brown Boveri, which also takes a closer look at the EU-wide implementation of the NIS2 directive.

What key insight did you gain there?

Kipker: The Comparison Report is primarily aimed at transnationally operating companies that are looking for a first point of contact for cybersecurity compliance. Above all, there is a lack of central administrative responsibilities in the sense of a “one-stop store”, and the diverging implementation deadlines are causing problems for companies. As of the end of January, only nine EU states had transposed NIS2 into national law, while the legislative process had not yet been completed in 18 other states. Another key insight: Just because I am NIS2-compliant in one EU member state does not necessarily mean that this also applies to another member state.

So, Germany may not be a pioneer, but it is not lagging behind either?

Kipker: We are definitely not at the forefront, but if we manage to implement it nationally this year, we may not be the last, but we will be among the last. My guess in this respect now is that we won’t have really reliable results until the fourth quarter of 2025. So, it’s going to be close to avoid being left in the red after all. Politicians will have to decide whether this can meet our requirements in terms of cyber security and digital resilience.

Where can affected companies find out about the current status?

Kipker: There are ongoing events and opportunities for participation. On March 18, for example, there will be a BSI information event (in German language) where you can ask about the plans. Then, in May 2025, there will also be the NIS-2 Congress right next door to us in Frankfurt, for which the “most recognized NIS-2 Community Leader” has just been selected. There will certainly be one or two interesting tidbits of information to pick up here. Otherwise, feel free to contact me at any time if you have any questions about NIS2!

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Audits CIS Google Chrome Benchmarks

Web browsers are a primary gateway to business and consequently they are also a primary gateway for cyber attacks. Malware targeting browsers could gain direct unauthorized access to a target’s network and data or social engineer victims into providing sensitive information that gives the attacker unauthorized access, such as account credentials. In 2024, major browsers (Chrome, Firefox, and Safari) accounted for 59 Critical severity (CVSS3 ³ 9) and 256 High severity (CVSS3 between 7.0 and 8.9) vulnerabilities. 10 CVEs (Common Vulnerabilities and Exposures) in the trifecta were added to the KEV (Known Exploited Vulnerabilities) catalog of CISA (Cybersecurity & Infrastructure Security Agency). Browser security should therefore be top-of-mind for security teams.

In light of this, we are proud to announce the addition of CIS Google Chrome Benchmark v3.0.0 Level 1 auditing to our list of compliance capabilities. This latest feature allows our Enterprise feed subscribers to verify their Google Chrome configurations against the industry-leading CIS compliance framework of the CIS (Center for Internet Security). The new Google Chrome benchmark tests will sit among our other CIS controls in critical cybersecurity areas such as Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows and Linux [1] [2].

CIS Google Chrome Benchmark for Windows

The CIS Google Chrome Benchmark v3.0.0 Level 1 is now available in the Greenbone Enterprise Feed. It establishes a hardened configuration for the Chrome browser. For Windows, implementing the controls involves setting Windows registry keys to define Chrome’s security configuration. Continuous attestation is important because if modified at the user level Chrome becomes more vulnerable to data-leakage, social engineering attacks or other attack vectors.

Our Enterprise vulnerability feed uses compliance policies to run tests on target endpoints, verifying each requirement in the CIS benchmark through one or more dedicated vulnerability tests. These tests are grouped into scan configurations which can be used to create scan tasks that access groups of target systems to verify their security posture. When aligning with internal risk requirements or mandatory government policies, Greenbone has you covered.

The Importance of Browser Security

Much of the critical information flowing through the average organization is transmitted through the browser. The rise of a remote workforce and cloud-based web-applications means that web browsers are a primary interface for business activities. Not surprisingly, in the past few years, Internet browsers have been a hotbed for exploitation. National cybersecurity agencies such Germany’s BSI [3] [4], CISA [5] [6], and the Canadian Centre for Cyber Security [7] have all released advisories for addressing the risks posed by Internet browsers.

Browsers can be exploited via technical vulnerabilities and misconfigurations that could lead to remote code execution, theft of sensitive data and account takeover, but are also a conduit for social engineering attacks. Browser security must be addressed by implementing a hardened security profile and continuously attesting it and by regularly applying updates to combat any recently discovered vulnerabilities. Greenbone is able to detect known vulnerabilities for published CVEs in all major browsers and now with our latest CIS Google Chrome Benchmark certification, we can attest industry standard browser compliance.

How Does the CIS Google Chrome Benchmark Improve Browser Security?

Every CIS Benchmark is developed through a consensus review process that involves a global community of subject matter experts from diverse fields such as consulting, software development, auditing, compliance, security research, operations, government, and legal. This collaborative process is meant to ensure that the benchmarks are practical and data-driven and reflect real-world expertise. As such, CIS Benchmarks serve as a vital part of a robust cybersecurity program.

In general, CIS Benchmarks focus on secure technical configuration settings and should be used alongside essential cyber hygiene practices, such as monitoring and promptly patching vulnerabilities in operating systems, applications and libraries.

The CIS Google Chrome Benchmark defines security controls such as:

  • No domains can bypass scanning for dangerous resources such as phishing content and malware.
  • Strict verification of SSL/TLS certificates issued by websites.
  • Reducing Chrome’s overall attack surface by ensuring the latest updates are automatically applied periodically.
  • Chrome is configured to detect DNS interception which could potentially allow DNS hijacking.
  • Chrome and extensions cannot interact with other third party software.
  • Websites and browser extensions cannot abuse connections with media, the local file system or external devices such as Bluetooth, USB or media casting devices.
  • Only extensions from the Google Chrome Web Store can be installed.
  • All processes forked from the main Chrome process are stopped once the Chrome application has been closed.
  • SafeSites content filtering blocks links to adult content from search results.
  • Prevent importing insecure data such as auto-fill form data, default homepage or other configuration settings.
  • Ensuring that critical warnings cannot be suppressed.

Greenbone Is a CIS Consortium Member

As a member of the CIS consortium, Greenbone continues to enhance its CIS Benchmark scan configurations. All our CIS Benchmarks policies are aligned with CIS hardening guidelines and certified by CIS, ensuring maximum security for system audits. Also, Greenbone has added a new compliance view to the Greenbone Security Assistant (GSA) web-interface, streamlining the process for organizations seeking to remove security gaps from their infrastructure to prevent security breaches.

Summary

CIS Controls are critical for safeguarding systems and data by providing clear, actionable guidance on secure configurations. The CIS Google Chrome Benchmark is especially vital at the enterprise level, where browsers impact many forms of sensitive data. It’s exciting to announce that Greenbone is expanding the industry leading vulnerability detection capabilities with a new compliance scan: the CIS Google Chrome Benchmark v3.0.0 Level 1. With this certification, Greenbone continues to strengthen its position as a trusted ally in proactive cybersecurity. This latest feature reflects our dedication to advancing IT security and protecting against evolving cyber threats.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

NIS2: Implementation Delayed but Stay on Course

While the German government has yet to implement the necessary adjustments for the NIS2 directive, organizations shouldn’t lose momentum. Although the enforcement is now expected in Spring 2025 instead of October 2024, the core requirements remain unchanged. While there remains a lot of work for companies, especially operators of critical infrastructure, most of it is clear and well-defined. Organizations must still focus on robust vulnerability management, such as that offered by Greenbone.

Missed Deadlines and the Need for Action

Initially, Germany was supposed to introduce the NIS2 compliance law by October 17, 2024, but the latest drafts failed to gain approval, and even the Ministry of the Interior does not anticipate a timely implementation. If the parliamentary process proceeds swiftly, the law could take effect by Q1 2025, the Ministry announced.

A recent study by techconsult (only in German), commissioned by Plusnet, reveals that while 67% of companies expect cyberattacks to increase, many of them still lack full compliance. NIS2 mandates robust security measures, regular risk assessments and rapid response to incidents. Organizations must report security breaches within 24 hours and deploy advanced detection systems, especially those already covered under the previous NIS1 framework.

Increased Security Budgets and Challenges

84% of organizations plan to increase their security spending, with larger enterprises projecting up to a 12% rise. Yet only 29% have fully implemented the necessary measures, citing workforce shortages and lack of awareness as key obstacles. The upcoming NIS2 directive presents not only a compliance challenge but also an opportunity to strengthen cyber resilience and gain customer trust. Therefore, 34% of organizations will invest in vulnerability management in the future.

Despite clear directives from the EU, political delays are undermining the urgency. The Bundesrechnungshof and other institutions have criticized the proposed exemptions for government agencies, which could weaken overall cybersecurity efforts. Meanwhile, the healthcare sector faces its own set of challenges, with some facilities granted extended transition periods until 2030.

Invest now to Stay Ahead

Latest since the NIS2 regulations impend, businesses are aware of the risks and are willing to invest in their security infrastructure. As government action lags, companies must take proactive measures. Effective vulnerability management solutions, like those provided by Greenbone, are critical to maintaining compliance and security.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

KPI for Measuring Vulnerability Management Performance

Every business has mission critical activities. Security controls are meant to protect those critical activities to ensure business operations and strategic goals can be sustained indefinitely. Using an “Install and forget”-approach to security provides few assurances for achieving these objectives. An ever-changing digital landscape means a security gap could lead to a high stakes data breach. Things like privilege creep, server sprawl, and configuration errors tend to pop-up like weeds. Security teams who don’t continuously monitor don’t catch them – attackers do. For this reason, cyber security frameworks tend to be iterative processes that include monitoring, auditing, and continuous improvement.

Security officers should be asking: What does our organization need to measure to gain strong assurances and enable continuous improvement? In this article we will take you through a rationale for Key Performance Indicators (KPI) in cyber security outlined by industry leaders such as NIST and The SANS Institute and define a core set of vulnerability management specific KPIs. The most fundamental KPIs covered here can serve as a starting point for organizations implementing a vulnerability management program from scratch, while the more advanced measures can provide depth of visibility for organizations with mature vulnerability management programs already in place.

Cyber Security KPI Support Core Strategic Business Goals

KPI are generated by collecting and analyzing relevant performance data and are mainly used for two strategic goals. The first is to facilitate evidence-based decision making. For example, KPI can help managers benchmark how vulnerability management programs are performing in order to assess the overall level of risk mitigation and decide whether to allocate more resources or accept the status-quo. The second core strategic goal that KPIs support is to provide accountability of security activities. KPI can help identify causes of poor performance and provide an early warning of insufficient or poorly implemented security controls. With proper monitoring of vulnerability management performance, the effectiveness of existing procedures can be evaluated, allowing them to be adjusted or supplemented with additional controls. The evidence collected while generating KPIs can also be used to demonstrate compliance with internal policies, mandatory or voluntary cyber security standards, or any applicable laws and regulations by evidencing cyber security program activities.

The scope of measuring KPI can be enterprise-wide or focused on departments or infrastructure that is critical to business operations. This scope can also be adjusted as a cybersecurity program matures. During the initial stages of starting a vulnerability management, only basic information may be available to build KPI metrics from. However, as a program matures, data collection will become more robust, supporting more complex KPI metrics. More advanced measures may also be justified to gain high visibility for organizations with increased risk.

Types of Cyber Security Measures

NIST SP 800-55 V1 (and it’s predecessor NIST SP 800-55 r2) focuses on the development and collection of three types of measures:

  • Implementation Measures: These measure the execution of security policy and gauge the progress of implementation. Examples include: the total number of information systems scanned and the percentage of critical systems scanned for vulnerabilities.
  • Effectiveness/Efficiency Measures: These measure the results of security activities and monitor program-level and system-level processes. This can help gauge if security controls are implemented correctly, operating as intended, and producing a desirable outcome. For example, the percentage of all identified critical severity vulnerabilities that have been mitigated across all operationally critical infrastructure.
  • Impact Measures: These measure the business consequences of security activities such as cost savings, costs incurred by addressing security vulnerabilities, or other business related impacts of information security.

Important Indicators for Vulnerability Management

Since vulnerability management is fundamentally the process of identifying and remediating known vulnerabilities, KPI that provide insight into the detection and remediation of known threats are most appropriate. In addition to these two key areas, assessing a particular vulnerability management tool’s effectiveness for detecting vulnerabilities can help compare different products. Since these are the most logical ways to evaluate vulnerability management activities, our list has grouped KPI into these three categories. Tags are also added to each item indicating which purpose specified in NIST SP 800-55 the metric satisfies.

While not an exhaustive list, here are some key KPIs for vulnerability management:

Detection Performance Metrics

  • Scan Coverage (Implementation): This measures the percentage of an organization’s total assets that are being scanned for vulnerabilities. Scan coverage is especially relevant at the early stages of program implementation for setting targets and measuring the evolving maturity of the program. Scan coverage can also be used to identify gaps in an organization’s IT infrastructure that are not being scanned putting them at increased risk.
  • Mean Time to Detect (MTTD) (Efficiency): This measures the average time to detect vulnerabilities from when information is first published and when a security control is able to identify it. MTTD may be improved by adjusting the frequency of updating a vulnerability scanner’s modules or frequency of conducting scans.
  • Unidentified Vulnerabilities Ratio (Effectiveness): The ratio of vulnerabilities identified proactively through scans versus those discovered through breach or incident post-mortem analyses. A higher ratio suggests better proactive detection capabilities.
  • Automated Discovery Rate (Efficiency): This metric measures the percentage of vulnerabilities identified by automated tools versus manual discovery methods. Higher automation can lead to more consistent and faster detection.

Remediation Performance Metrics

  • Mean Time to Remediate (MTTR; Efficiency): This measures the average time taken to fix vulnerabilities after they are detected. By tracking remediation times organizations can gauge their responsiveness to security threats and evaluate the risk posed by exposure time. A shorter MTTR generally indicates a more agile security operation.
  • Remediation Coverage (Effectiveness): This metric represents the proportion of detected vulnerabilities that have been successfully remediated and serves as a critical indicator of effectiveness in addressing identified security risks. Remediation coverage can be adjusted to specifically reflect the rate of closing critical or high severity security gaps. By focusing on the most dangerous vulnerabilities first, security teams can more effectively minimize risk exposure.
  • Risk Score Reduction (Impact): This metric reflects the overall impact that vulnerability management activities are having to risk. By monitoring changes in the risk score, managers can evaluate how well the threat posed by exposed vulnerabilities is being managed. Risk Score Reduction is typically calculated using risk assessment tools that provide a contextual view of each organization’s unique IT infrastructure and risk profile.
  • Rate Of Compliance (Impact): This metric represents the percentage of systems that comply with specific cyber security regulations, standards, or internal policies. It serves as an essential measure for gauging compliance status and provides evidence of this status to various stakeholders. It also serves as a warning if compliance requirements are not being satisfied, thereby reducing the risk of penalties and ensuring the intended security posture put forth by the compliance target.
  • Vulnerability Reopen Rate (Efficiency): This metric measures the percentage of vulnerabilities that are reopened after being marked as resolved. Reopen rate indicates the efficiency of remediation efforts. Ideally, once a remediation ticket has been closed, the vulnerability does not issue another ticket.
  • Cost of Remediation (Impact): This metric measures the total cost associated with fixing detected vulnerabilities, encompassing both direct and indirect expenses. Cost analysis can aid decisions for budgeting and resource allocation by tracking the amount of time and resources required to detect and apply remediation.

Vulnerability Scanner Effectiveness Metrics

  • True Positive Detection Rate (Effectiveness): This measures the percentage of vulnerabilities that can be accurately detected by a particular tool. True positive detection rate measures the effective coverage of a vulnerability scanning tool and allows two vulnerability scanning products to be compared according to their relative value.
  • False Positive Detection Rate (Effectiveness): This metric measures the frequency at which a tool incorrectly identifies non-existent vulnerabilities as being present. This can lead to wasted resources and effort. False positive detection rate can gauge the reliability of a vulnerability scanning tool to ensure it aligns with operational requirements.

Key Takeaways

By generating and analyzing Key Performance Indicators (KPIs), organizations can satisfy fundamental cybersecurity requirements for continuous monitoring and improvement. KPI also supports core business strategies such as evidence-based decision making and accountability.

With quantitative insight into vulnerability management processes, organizations can better gauge their progress and more accurately evaluate their cyber security risk posture. By aggregating an appropriate set of KPIs, organizations can track the maturity of their vulnerability management activities, identify gaps in controls, policies, and procedures that limit the effectiveness and efficiency of their vulnerability remediation, and ensure alignment with compliance with internal risk requirements and relevant security standards, laws and regulations.

References

National Institute of Standards and Technology. Measurement Guide for Information Security: Volume 1 — Identifying and Selecting Measures. NIST, January 2024, https://csrc.nist.gov/pubs/sp/800/55/v1/ipd

National Institute of Standards and Technology. Performance Measurement Guide for Information Security, Revision 2. NIST, November 2022, https://csrc.nist.gov/pubs/sp/800/55/r2/iwd

National Institute of Standards and Technology. Assessing Security and Privacy Controls in Information Systems and Organizations Revision 5. NIST, January 2022, https://csrc.nist.gov/pubs/sp/800/53/a/r5/final

National Institute of Standards and Technology. Guide for Conducting Risk Assessments Revision 1. NIST, September 2012, https://csrc.nist.gov/pubs/sp/800/30/r1/final

National Institute of Standards and Technology. Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology Revision 4. NIST, April 2022, https://csrc.nist.gov/pubs/sp/800/40/r4/final

SANS Institute. A SANS 2021 Report: Making Visibility Definable and Measurable. SANS Institute, June 2021, https://www.sans.org/webcasts/2021-report-making-visibility-definable-measurable-119120/

SANS Institute. A Guide to Security Metrics. SANS Institute, June 2006, https://www.sans.org/white-papers/55/

Contact Test Now Buy Here Back to Overview

/by
Andreas Bergler

Greenbone All in Green: ISO 14001 Certification

It doesn’t get any greener? Not at all! We have just completed certification of our environmental management system in accordance with ISO 14001. And we have realised: There is always room for getting “greener” – you just have to be committed and willing to drive this commitment forward in measurable progress.

Greenbone passes ISO 14001 Certification.

The international standard ISO 14001 defines requirements that companies can use to achieve environmental goals and fulfil legal obligations. Because the environmental niche is different for every organisation, the standard does not specify absolute values and targets, but it does emphasise integration into quality management, C-level responsibility for environmental management and the elimination of ambiguity regarding environmental targets.

Targets, objectives, key figures: A dry framework for green growth

The current German version of the standard, DIN EN ISO 14001:2015, places particular emphasis on “environmental performance improvement” and its measurement using appropriate indicators. The ecological objectives thus relate to the upstream and downstream environmental impact of products and services as well as the consideration of opportunities and risks in day-to-day business. The whole process is to be set up as part of a continuous improvement process (CIP) so that the effects of each new measure can be monitored and adapted accordingly. With this certification, we are proud to be able to announce another important step towards a company that is not only “green” on the outside, in the company logo, but also on the inside.

Back in autumn 2023, when the “Environmental Management System” was introduced, it was clear to us: we may not be able to save the world, but every step in this direction is important to us! So, step by step, we started by collecting all aspects that could have an impact on the environment. After ranking the factors and prioritising them, eleven areas emerged in which Greenbone can become ecologically effective and active: Starting with electricity consumption, cooling servers, heating offices and dispatching goods, through to waste separation and the energy efficiency of our appliances.

And again and again: measure…

As a company that emphasises the realisation and clear presentation of objectives, Greenbone is already certified according to ISO 9001:2015 (quality management) and ISO 27001:2017 (information security) as well as within the framework of TISAX for the Information Security Management System (ISMS). For ISO 14001, we have concretised our objectives in clearly defined key performance indicators (KPIs) in order to make them available for subsequent measurements. This allows us to readjust existing measures and introduce further improvements. What initially sounds dry is already bearing its first “green” fruits

  • Our electricity has been supplied entirely from renewable energy sources since the company was founded. Total consumption – including clients and servers – is set to be reduced by a further 3% in the near future.
  • Whenever we purchase new equipment, we pay particular attention to sustainability and energy efficiency.
  • Since 2020, we have only used electric cars as company vehicles.
  • We have switched to digital payroll accounting.
  • The server room is regularly checked for potential savings.
  • We also prioritise environmental protection on a small scale: Waste is only collected centrally and packaging material is reused as a matter of principle.

To make our ecological progress even more sustainable, we keep up to date with regular internal training courses on energy efficiency. In this way, we are helping to make the world even “greener” outside of Greenbone.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

More Docker compliance tests in Greenbones Vulnerability Management

For almost two years, Greenbone has been adding more and more tests from the recommendations of the Center for Internet Security (CIS) in its security feed. Among the newest ones are benchmarks for the container management solution Docker.

Docker is one of the most common container technologies in enterprise environments. Its increasing popularity within DevOps circles, ease-of-use and flexibility made it popular among developers and DevOPS. Therefore, the CIS is providing benchmark tests for configuration compliance in Docker environments which are „intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Docker“ – and Greenbone is happy to integrate these tests in its vulnerability management products.

Testing Docker environments for Vulnerabilities

The CIS benchmarks (more than 140 as of 2023) contain guidance on best practices for configuring IT systems, networks, and software. They are created together with developers, subject matter experts and companies in enterprise Docker environments and have become the reference for compliance testing regarding cybersecurity. The CIS benchmarks come in seven groups, (Operating System, Server Software, Cloud Provider Benchmarks, Mobile Device, Network Device, Desktop Software, Multi-Function Print Device), of which the Docker tests reside in the Server section. Greenbone has been supporting Docker for a while, continuously updating the tests.

Greenbone has been supporting CIS benchmarks for years

Since 2021, Greenbone has been integrating and continuously expanding CIS benchmarks in its products – now integrating the docker compliance benchmarks for Docker systems newer than Docker 1.4. All tests are combined by Greenbone into scan configurations and added to the Greenbone Enterprise Feed. The Greenbone product will run the set of tests on a target system, checking configuration and other settings, for example file permissions. Having done so, it returns a report with mitigation strategies to the administrator who can then adapt his systems to the recommendations for security compliance.

Certified by CIS

As a member CIS consortium Greenbone is continuously expanding its CIS Benchmark scan configurations – right now, for example, Greenbone is working on Kubernetes integration. Like all compliance policies developed by Greenbone on the basis of CIS Benchmarks, the latest ones are certified by CIS – this means maximum security when it comes to auditing a system according to CIS hardening recommendations. This not only simplifies the preparation of audits, important criteria can be checked in advance with a scan by a Greenbone product and, if necessary, any weaknesses found can be remedied before problems arise.


Contact Free Trial Buy Here Back to Overview

/by
Elmar Geese

New BSI Recommendations for Windows 10 in the Greenbone Security Feed

SiSyPHuS Win10 is a project of the German Federal Office for Information Security (BSI).
Based on an analysis of the security-critical functions in the operating system Microsoft Windows 10, recommendations for action to harden it were developed. These recommendations are now also part of the Greenbone Security Feed in the form of a compliance guideline and Greenbone customers can conveniently check them directly with the Greenbone appliances.

The measures include configuration recommendations, password policies, encryption requirements and, of course, updates. They help to make Windows 10 systems significantly more secure. By integrating the compliance policy into the Greenbone Security Feed, the measures can be easily integrated into the Greenbone Vulnerability Management audit routines.

More information can be found here.

Contact Free Trial Buy Here Back to overview

/by
Greenbone AG

CIS-Certified Compliance Policies in the Greenbone Security Feed

Compliance Policies are used by companies, organizations, or authorities to check whether all products, applications, operating systems and other components used meet certain specifications. The Center for Internet Security (CIS) provides so-called CIS benchmarks for this purpose. Since March 2021, the Greenbone solutions also offer the possibility to check the fulfillment of CIS Benchmarks – with the help of new compliance policies.

But what do we actually mean by a compliance policy?

In addition to legal requirements, companies, organizations and authorities often have their own requirements that must be met for the secure configuration of a system. Such requirements can be formulated, for example, by a software or application vendor for its own products, but also by IT security organizations.

The aim is to ensure the information and data security of a company or an authority by guaranteeing the confidentiality, integrity, availability and authenticity of information.

All specifications and guidelines, but also recommendations to be fulfilled for this purpose, are bundled in a policy in written form.

These guidelines form the basis for compliance policies developed by Greenbone, i.e., for the collection of tests that a Greenbone solution runs on a target system. A vulnerability test is developed for each individual requirement or recommendation to check compliance with that requirement or recommendation. All tests are combined to scan configurations by Greenbone and added to the Greenbone Security Feed.

Since the scan configurations in this case map company or authority guidelines, they are referred to as “compliance policies”.

Example: A company issues a policy with the following requirements:

  • Version 2 of software A is installed on the target system
  • SSH is enabled on the target system
  • Software B is not installed on the target system

For each of the requirements, Greenbone develops a vulnerability test that queries whether the respective condition is met.

The three tests are then combined into a compliance policy that a user of Greenbone solutions can select for running a vulnerability scan. During the scan, it is then checked whether the conditions listed above are met on the target system.

 CIS Benchmarks as decisive security guidelines

The Center for Internet Security (CIS) also publishes such security guidelines: the so-called CIS Benchmarks. CIS is a non-profit organization founded in 2000 to provide best practices for IT security that are used by governments, industry and academia.

One of the largest fields of activity of the organization is the so-called CIS Benchmarks. These are recommendations for handling and configuring numerous products from a wide range of product families. For example, there are CIS benchmarks for web browsers such as Mozilla Firefox or Google Chrome, for operating systems like Microsoft Windows or different Linux distributions, but also for the Microsoft Office products.

In contrast to many other security standards, which only make basic specifications regarding IT security – for example, that there must be vulnerability management – the CIS benchmarks are very detailed. They provide requirements that must be met in order to harden a system, i.e. make it more secure and protect it against attacks. Among other things, this can include criteria for passwords, but also the specification for a certain installed software version.

The CIS Benchmarks are provided by CIS free of charge as a PDF and are constantly being expanded. For CIS SecureSuite Members – just like Greenbone is since 2021 – the CIS Benchmarks are also available via the CIS Workbench in other formats, for example for Microsoft Word or Excel.

CIS-certified Compliance Policies at Greenbone

As with the security policies of other companies, organizations or authorities, Greenbone has now developed own compliance policies based on the CIS benchmarks. These enable users of a Greenbone solution to check their networks, systems and applications against the requirements from the CIS benchmarks. Since March 2021, several compliance policies that map CIS benchmarks are included in the Greenbone Security Feed.

And the special thing about it: the compliance policies developed by Greenbone are certified by CIS! This means that users can be sure that their system is tested according to the hardening recommendations of CIS.

Users can now check their systems to see whether the CIS requirements are met. This also simplifies the preparation of audits. Important criteria can already be checked in advance with a scan by a greenbone solution and any weaknesses found can be eliminated.

But these CIS certified compliance policies will not be the end of the story. Many more policies that map CIS Benchmarks are in the planning or even already in development at Greenbone.

Contact Free Trial Buy Here Back to overview
/by
Greenbone AG

Direct Integration of Compliance Policies via the Greenbone Security Feed

With the help of compliance policies, a company can check whether all components integrated in the system meet the required specifications. The increasing digitalization and the associated growth of new technologies create opportunities, but also risks. For this reason, the demands on compliance are increasing as well. With GOS 20.08, all compliance policies were made available via the Greenbone Security Feed and four new compliance policies were added: TLS-Map, BSI TR-03116: Part 4, Huawei Datacom Product Security Configuration Audit Guide and Windows 10 Security Hardening.

Compliance policies for different industries

What is a compliance policy anyway?

In addition to legal requirements, companies and public authorities often have their own guidelines that must be met for the secure configuration of a system. The aim is to ensure the information security of the company or authority by guaranteeing the confidentiality, integrity, availability and authenticity of information.

All specifications and guidelines that are necessary for this are summarized in one document to form a policy.

Based on the individual criteria of the guidelines, Greenbone develops vulnerability tests – roughly speaking: one criterion results in one vulnerability test. Greenbone combines these tests into a scan configuration.

Such scan configurations, which reflect policies of companies or authorities, are called Compliance Policies.

Example: a company releases a security policy with the following requirements:

  • Version 2 of software A is installed on the target system
  • SSH is activated on the target system
  • Software B is not installed on the target system

Greenbone develops a vulnerability test for each of the requirements, which checks whether the respective condition is fulfilled.

The three tests are then combined into a compliance policy that a user of the Greenbone solutions can choose when performing a vulnerability test. During the scan, it is checked whether the conditions mentioned above are met on the target system.

New: distribution of compliance policies via the Greenbone Security Feed

Starting with GOS 20.08, all standard scan configurations, reports formats, port lists, and compliance policies of Greenbone are distributed via the Greenbone Security Feed.

Among other things, this allows the publication and distribution of scan configurations for current, hot vulnerability tests. In the past, these were published as XML files for manual download on the Greenbone download website and had to be imported by the users themselves – which was very tedious and left room for mistakes, making a quick application hardly possible.

But this is not the only advantage. It also makes troubleshooting much easier and faster for the customer: objects can be updated and, if necessary, fixed for all setups with a single feed update.

In addition to this innovation, the Greenbone Security Feed has been extended by some important compliance policies.

More Compliance Policies in the Greenbone Security Feed

Four new compliance policies were added to the Greenbone Security Feed in the 4th quarter 2020:

  • TLS-Map
  • BSI TR-03116: Part 4
  • Huawei Datacom Product Security Configuration Audit Guide
  • Windows 10 Security Hardening

About the Special Scan Configuration TLS-Map

Note: TLS-Map is a scan configuration for special scans that are different from vulnerability scans. For reasons of simplicity, this special scan configuration is listed in this article along with the compliance policies.

The special scan configuration TLS-Map is helpful wherever secure communication over the Internet is required. TLS – short for Transport Layer Security – is a protocol for the secure transmission of data on the Internet. It is the successor of SSL – Secure Sockets Layer – which is why both protocols are still often used synonymously today. However, all SSL versions and TLS versions prior to version 1.2 have been outdated since 2020 at the latest and are therefore insecure.

The largest area of application for TLS is data transfer via the World Wide Web (WWW), for example between a web browser as the client and a server such as www.greenbone.net. Other areas of application are in e-mail traffic and in the transfer of files via File Transport Protocol (FTP).

The special scan configuration TLS-Map checks whether the required TLS version is available on the target system and whether the required encryption algorithms – so-called ciphers – are offered.

About the Compliance Policy BSI TR-03116: Part 4

The Technical Guideline BSI TR-03116 Cryptographic Requirements for Federal Projects from the Federal Office for Information Security (BSI) is used for Federal Government projects. This means that if a federal project should be implemented, this guideline must be fulfilled. It consists of 5 parts in total:

  • Part 1: Telematic infrastructure
  • Part 2: Sovereign identification documents
  • Part 3: Intelligent measuring systems
  • Part 4: Communications procedures in applications
  • Part 5: Applications of the Secure Element API

The compliance policy, which Greenbone Network has developed accordingly, checks whether the contents of the fourth part of the policy are fulfilled. This part contains requirements for communication procedures.

The compliance policy BSI TR-03116: Part 4 in the Greenbone Security Feed tests the three main requirements – minimum TLS version as well as necessary and not legitimate ciphers – of the technical guideline.

About the Compliance Policy Huawei Datacom Product Security Configuration Audit Guide

Compliance policies for Huawei solutions have been part of the Greenbone Security Feed for quite some time.

Greenbone had already developed compliance policies for the following two solutions:

  • EulerOS: Linux operating system, based on CentOS
    Related compliance Policy: EulerOS Linux Security Configuration
  • GaussDB: database management system (DBMS)
    Related compliance policy: GaussDB 100 V300R001C00 Security Hardening Guide

With a compliance policy for Huawei Datacom, a product category that also includes routers and switches with their own operating system, a third compliance policy for solutions developed by Huawei is added now.

For all three products – Huawei Datacom, EulerOS and GaussDB – there are security configurations that were specified by Huawei. Based on these configurations, Greenbone has developed compliance policies which check the compliance with those security configurations. The different compliance policies are always applied if the corresponding solution is available on the target system.

For the Huawei Datacom operating system, Huawei distributes the Huawei Datacom Product Security Configuration Audit Guide. The associated, newly developed compliance policy tests, for example, whether the correct versions of SSH and SNMP are available on the target system.

About the Compliance Policy Windows 10 Security Hardening

The compliance policy Windows 10 Security Hardening includes vulnerability tests to evaluate the hardening of Windows 10 according to industry standards.

Among other things, the compliance policy checks different password specifications such as age, length and complexity of the password, specifications for the assignments of user rights, and requirements for different system devices.

Even faster integration of compliance policies with GOS 20.08

As digitalization continues, compliance requirements are growing in companies of all sizes and in all industries.

Through the direct integration of compliance policies via the Greenbone Security Feed and the inclusion of new compliance policies, the testing of target systems is even more efficient, easier and quicker, thus increasing the protection of the IT infrastructure without the need for special compliance know-how. Of course, we continue to work on new compliance policies on an ongoing basis. So be curious!

/by