Risk Based Security Audit Updates

The latest release of Nipper contains updates to the risk based security audit, including the findings ratings, including the following:

  • Made clear the use of the Risk Profile table in the Security Audit Summary - added a sentence explaining what the table plots, as well as updated the row headings to highlight this.
  • Updated wording in various locations to be consistent with the Audit Style setting -
    • CMMC Pre-assessment Additional Information links to Security Audit findings not present in the report
    • Exclude Security Issues dialog
    • Save as Filtering Baseline dialog
    • Filtering Differences report
    • Device specific report text

Security Audit Finding Ratings

  • Changes to several Security Audit finding ratings have been made to increase their overall rating to critical -
    • NSA-ADMIN-023
    • NSA-ADMIN-046
    • NSA-AUTH-005
    • NSA-AUTH-031
    • NSA-SNMP-002
    • NSA-FLTR-001
    • NSA-FLTR-007
    • NSA-ROUT-021
    • NSA-ROUT-023

CMMC Settings

  • A new setting has been added to the CMMC plugin - Include Not Analyzed Objectives (default - Off) -
    • This setting allows the user to choose whether to display objectives that Nipper has performed no analysis for in the CMMC Security Assessment Objective Summary Table - these objectives will still be shown in the Practice sections regardless of the setting value.
  • Settings affecting the scope of the CMMC Security Assessment have been moved to their own group in settings - these can be found under the "Coverage" tab in the "Scope" group.

Enhanced Device Support

Cisco IOS XR

The latest release of Nipper contains enhanced support for Cisco IOS XR devices.

  • The scope of auditing Cisco IOS XR devices has improved in the following areas:
    • Static Routing
    • Routing Information Protocol (RIP) Routing
    • Intermediate System to Intermediate System (IS-IS)
    • Virtual Router Redundancy Protocol (VRRP)
    • Hot Standby Router Protocol (HSRP)
    • System Aliases
    • Syslog Interfaces
    • Open Shortest Path First (OSPF) Version 3
    • Routing Redistribution
    • Hypertext Transfer Protocol Secure (HTTPS) Ciphers

Bug fixes

  • NSA-ROUT-023 will now be triggered when a routing-key is configured without a password.
  • Fixed an issue causing some tables in JSON logs to have the wrong table headings associated with the relevant data.
  • Fixed an issue causing NSA-FLTR-009 to not be triggerable on PanOS 9 devices.
  • Fixed an issue causing NSA-FLTR-009 to not be triggered when the defined Host and Service Black List contains the default route.
  • Fixed an issue causing Line passwords to be reported in User Password findings
  • Fixed an issue causing HTTP(S) ciphers to not be reported as configured on Cisco IOS devices.
  • Fixed an issue causing tables detailing affected interfaces in NSA-INTFC-003 to not be displayed.
  • Fixed an issue causing the NIST 800-171 Pre-assessment setting to always be on.
  • Fixed an issue causing no vulnerabilities to be reported in the Vulnerability Audit for Cisco WLAN AIR devices.
  • Assigned a finding ID to the Security Audit finding "SNMP Access To The Authentication MIB".
  • Fixed an issue causing reports to not be generated on Linux when auditing both a NETGEAR Switch and NETGEAR Firewall via CLI.
  • Border Gateway Protocol (BGP) passwords are now encrypted when "Show Passwords in Report" is deselected in Nipper's settings for Cisco IOS XR devices
  • Fixed an issue causing certain Enhanced Interior Gateway Routing Protocol (EIGRP) Interfaces to not appear in the Configuration Report for Cisco IOS XR devices
  • Fixed an issue causing empty Enhanced Interior Gateway Routing Protocol (EIGRP) groups preventing other EIGRP groups from appearing in the Configuration Report for Cisco IOS XR devices