PCI DSS 3.2 Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
Applies to Product: USM Appliance™ | LevelBlue OSSIM®

| Testing Procedure | How USM Appliance Delivers | USM Appliance Instructions | USM Appliance Documentation |
|---|---|---|---|
| 2.1.a Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords have been changed (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings). (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.) | In USM Appliance, you can configure a Vulnerability Scan to test for default accounts, passwords and community strings during scans. | 1. Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host: 2. Run a Vulnerability Scan using the custom scan profile that was created. 3. Export successful scan results and identify findings to determine whether the system is configured correctly. | |
| 2.1.b For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled. | In USM Appliance, you can configure a Vulnerability Scan to test for default accounts, passwords and community strings during scans. | 1. Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host: 2. Run a Vulnerability Scan using the custom scan profile that was created. 3. Export successful scan results and identify findings to determine whether the system is configured correctly. | |
| 2.1.1.c Examine vendor documentation and log in to wireless devices, with system administrator help, to verify: | In USM Appliance, you can configure a Vulnerability Scan to test for default accounts, passwords and community strings during scans. | 1. Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host: 2. Run a Vulnerability Scan using the custom scan profile that was created. 3. Export successful scan results and identify findings to determine whether the system is configured correctly. | |
| 2.1.1.e Examine vendor documentation and observe wireless configuration settings to verify other security-related wireless vendor defaults were changed, if applicable. | In USM Appliance, you can configure a Vulnerability Scan to test for default accounts and passwords on wireless devices. | 1. Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host: 2. Run a Vulnerability Scan using the custom scan profile that was created. 3. Export successful scan results and identify findings to determine whether the system is configured correctly. | Creating a Custom Scan Profile |
| 2.2.a Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards. | In USM Appliance, you can configure a Vulnerability Scan to test for system hardening standards. | 1. Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the appropriate checks in the scanning profile for the target host. 2. Run a Vulnerability Scan using the custom scan profile that was created. 3. Export successful scan results and identify findings to determine whether the system is configured correctly. | Creating a Custom Scan Profile |
| 2.2.d Verify that system configuration standards include the following procedures for all types of system components: | The Vulnerability Scan in USM Appliance can assist in testing for system default passwords, detecting running services, and testing system hardening configurations. | 1. Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host: 2. Run a Vulnerability Scan using the custom scan profile that was created. 3. Export successful scan results and identify findings to determine whether the system is configured correctly. | |
| 2.2.2.b Identify any enabled insecure services, daemons, or protocols and interview personnel to verify they are justified per documented configuration standards. | The Vulnerability Scan in USM Appliance can assist in identifying insecure services, daemons and protocols. | 1. Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host: 2. Run a Vulnerability Scan using the custom scan profile that was created. 3. Export successful scan results and identify findings to determine whether the system is configured correctly. | |
| 2.2.3.a Inspect configuration settings to verify that security features are documented and implemented for all insecure services, daemons, or protocols. | The Vulnerability Scan in USM Appliance can assist in identifying insecure services, daemons and protocols. | 1. Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host: 2. Run a Vulnerability Scan using the custom scan profile that was created. 3. Export successful scan results and identify findings to determine whether the system is configured correctly. | |
| 2.2.4.b Examine the system configuration standards to verify that common security parameter settings are included. | In USM Appliance, you can configure a Vulnerability Scan to test for system hardening standards. | 1. Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host: 2. Run a Vulnerability Scan using the custom scan profile that was created. 3. Export successful scan results and identify findings to determine whether the system is configured correctly. | |
| 2.2.4.c Select a sample of system components and inspect the common security parameters to verify that they are set appropriately and in accordance with the configuration standards. | In USM Appliance, you can configure a Vulnerability Scan to test for system hardening standards. | 1. Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host: 2. Run a Vulnerability Scan using the custom scan profile that was created. 3. Export successful scan results and identify findings to determine whether the system is configured correctly. | Creating a Custom Scan Profile |
| 2.3.b Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access. | The Vulnerability Scan in USM Appliance can assist in testing for the presence of Telnet services or other insecure remote-login commands. | 1. Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host: 2. Run a Vulnerability Scan using the custom scan profile that was created. 3. Export successful scan results and identify findings to determine whether the system is configured correctly. | |
| 2.4.a Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each. | USM Appliance has built-in capability for asset management and discovery. | 1. Run an Asset Scan to discover all assets. 2. Update and maintain the description field for each asset. 3. Run the existing Asset Report for an inventory of all assets. | |
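Testing procedure 2.3.b asks the reviewer to look at the host's own services and parameter files, which complements what a network vulnerability scan sees from the outside. The following is an added example, not part of USM Appliance or its documentation: a small Python checker that reads two pieces of host-side evidence, listening TCP sockets in the format printed by `ss -ltn` and an inetd-style service file, and reports any Telnet, rsh, rlogin or rexec service that is still available. The port and service names it treats as insecure, and the two sample inputs, are constructed for this illustration; an organisation's configuration standard would supply the authoritative list.

```python
"""Host-side check for Telnet and other insecure remote-login services.

Added example for PCI DSS 3.2 testing procedure 2.3.b. Not part of the
USM Appliance product or its documentation. It inspects listening TCP
sockets (as printed by `ss -ltn`) and inetd-style service entries.
All sample input below is constructed for illustration.
"""
import re

# Services PCI DSS 2.3 treats as insecure for non-console administrative
# access because they carry credentials in cleartext. Assumption: the
# organisation's configuration standard lists exactly these.
INSECURE_PORTS = {23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}
INSECURE_SERVICES = {"telnet", "exec", "login", "shell"}

# Constructed sample of `ss -ltn` output: a header line, then one socket
# per line. Port 23 and TCP port 514 are the findings a reviewer wants.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       10      127.0.0.1:514        0.0.0.0:*
"""

# Constructed sample of an /etc/inetd.conf fragment. Commented-out lines
# are disabled entries and must not be reported.
SAMPLE_INETD_CONF = """\
# <service> <socket> <proto> <flags> <user> <server> <args>
#ftp    stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
"""

# Matches "LISTEN <recv-q> <send-q> <addr>:<port> ..." for IPv4 and
# bracketed IPv6 local addresses.
_SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def listening_insecure_ports(ss_output):
    """Return (address, port, service) for each insecure listener in ss output."""
    findings = []
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line)
        if not m:
            continue  # header or non-LISTEN line
        addr, port = m.group(1), int(m.group(2))
        if port in INSECURE_PORTS:
            findings.append((addr, port, INSECURE_PORTS[port]))
    return findings


def enabled_insecure_inetd_services(conf_text):
    """Return names of insecure services that are enabled in an inetd.conf."""
    enabled = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out entry: service is disabled
        service = line.split()[0]
        if service in INSECURE_SERVICES:
            enabled.append(service)
    return enabled


def assess(ss_output, conf_text):
    """Combine both checks into a verdict plus the evidence behind it."""
    ports = listening_insecure_ports(ss_output)
    services = enabled_insecure_inetd_services(conf_text)
    return {
        "compliant": not ports and not services,
        "listening": ports,
        "inetd_enabled": services,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_SS_OUTPUT, SAMPLE_INETD_CONF)
    print("compliant:", result["compliant"])
    for addr, port, name in result["listening"]:
        print(f"  listening: {name} on {addr}:{port}")
    for svc in result["inetd_enabled"]:
        print(f"  inetd enables: {svc}")
```

On a real host the two inputs would come from `ss -ltn` and the inetd or xinetd configuration; the sample data above deliberately includes a commented-out entry and an IPv6 listener so the parser's handling of both is visible. A listener bound only to 127.0.0.1, as TCP 514 is in the sample, is still reported, because the testing procedure asks whether the service is available for non-console access at all, and the justification belongs in the documented configuration standard rather than in the checker.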