Dale posted an introduction to Bandolier a couple of weeks ago. I am increasingly excited about the value of this project. We are working with asset owners and vendors to identify a hardened configuration for twenty control system applications. We are then developing audit files for use in Nessus and other assessment tools that determine whether a system is configured according to the hardened configuration. In Nessus, these are called “compliance checks”. Each check has a corresponding “.audit” file.
I want to discuss briefly the difference between compliance checks and traditional vulnerability scanning – it’s subtle but significant. Each has its own distinct purpose and value. Vulnerability scanning relies on a set of signatures of “known bad things”. Compliance checks, on the other hand, compare a system against the “known good”, hardened configuration. They do this by actually authenticating to the system and inspecting its configuration directly. Once authenticated, any number of things can be evaluated – user accounts, registry settings, configuration file settings, system settings, permissions, and so on. More information can be found on the Tenable Security site in the Compliance Checks FAQ.
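To make the “known good” comparison concrete, here is a small added example (my own illustration, not a Bandolier .audit file or Tenable code) in Python: a constructed baseline of expected directives is evaluated against a constructed configuration file of the kind an authenticated check would read from the host, and each directive is reported as PASS or FAIL. The daemon, its directives and the sample file are all hypothetical.

```python
"""Minimal known-good (hardened baseline) check, modelled on the compliance-check
idea described above.  Baseline and sample file are constructed for this demo."""
from typing import NamedTuple

class Check(NamedTuple):
    key: str          # configuration directive to look for
    expected: str     # value required by the hardened baseline
    description: str  # why the baseline requires it

# Constructed baseline for a hypothetical UNIX daemon config file
# (not one of Bandolier's .audit files).
BASELINE = [
    Check("PermitRootLogin", "no", "direct root login must be disabled"),
    Check("PasswordAuthentication", "no", "key-based authentication only"),
    Check("Protocol", "2", "legacy protocol version must be off"),
]

# Constructed sample of what an authenticated scan might read from the host.
SAMPLE_CONFIG = """\
# daemon.conf (constructed sample)
Protocol 2
PermitRootLogin yes   # left at the installer default
#PasswordAuthentication no
"""

def parse_config(text: str) -> dict:
    """Return the effective directives: comments and blank lines are ignored,
    and a directive that appears twice keeps its last value (this parser's rule)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split(None, 1)            # directive, then the rest of the line
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def evaluate(config_text: str, baseline=BASELINE) -> list:
    """Compare the parsed file against the baseline.  A directive missing from the
    file fails: the daemon then runs with its own default, not the audited value."""
    settings = parse_config(config_text)
    return [(c.key, "PASS" if settings.get(c.key) == c.expected else "FAIL",
             c.expected, settings.get(c.key), c.description) for c in baseline]

if __name__ == "__main__":
    for key, status, expected, actual, desc in evaluate(SAMPLE_CONFIG):
        print(f"[{status}] {key}: expected {expected!r}, found {actual!r} ({desc})")
```

Note that the commented-out directive fails rather than being skipped: a check against a hardened baseline must treat “not set” as a deviation, since the effective value is then whatever the software defaults to.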
Tenable Security, along with organizations like NIST and the Center for Internet Security, has developed best practice compliance checks for many operating systems and applications. The Bandolier project will use the same concept to develop .audit files specifically for the twenty control system applications that reside on a variety of Windows and UNIX platforms. This will allow asset owners to validate that their system is configured according to a vendor-supported best practice – at the OS and application levels.
I think this project will raise the level of security awareness from the asset owner and vendor perspectives. More importantly, it will put some useful tools into the hands of those responsible for maintaining security of their control system applications. Stay tuned for further updates.