| Vuln ID | Severity | Rule Title | Discussion |
|---|---|---|---|
| V-80437 | High | The Bromium vSentry client must automatically terminate a micro-virtual machine (VM) when any malicious activities are detected within the micro-VM. | Execution of malicious code represents an immediate threat to the security posture of the endpoint. Automatic session termination addresses the termination of user-initiated logical sessions in... |
| V-80435 | High | The Bromium Enterprise Controller (BEC) must remove all local Bromium accounts after setup is complete and use the account recovery procedures to recover the local account if network access using the Bromium Account of Last Resort is required. | Since Bromium multifactor authentication is implemented through use of the enclave's directory service, the Bromium account of last resort cannot comply with the DoD requirement for multifactor... |
| V-80479 | High | The Bromium Enterprise Controller (BEC) must forward an event to the central log server when isolation is disabled on any protected Bromium vSentry client. | Disabling isolation on the endpoint is a potential indicator of compromise or insider threat. In production deployments, the ability to disable Bromium isolation is not available to non-privileged users. |
| V-80461 | Medium | The Bromium vSentry client must prohibit user installation of software except for clients that are explicitly approved by the ISSM or other authorizing official. | Allowing regular users to install software without explicit privileges creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges... |
| V-80449 | Medium | The Bromium Enterprise Controller (BEC) must send log records to a central log server (i.e., syslog server). | Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a... |
| V-80467 | Medium | The Bromium vSentry client must include exceptions for HBSS to ensure interoperability and protect from attacks on critical files, applications, processes, registry settings, and attempts at executing unauthorized code in memory. | The monitoring agent will monitor and alert on attempts to attack critical files, applications, processes, and registry settings associated with the Bromium vSentry application itself, as well as... |
| V-80443 | Medium | The Bromium Enterprise Controller (BEC) must change the password for the Account of Last Resort when an individual with knowledge of the password leaves the group. | If shared/group account credentials are not terminated when individuals leave the group, the user who left the group can still gain access even though they are no longer authorized. A shared/group... |
| V-80441 | Medium | The Bromium Enterprise Controller (BEC) must be configured to immediately disconnect or disable remote access to the BEC. | Without the ability to immediately disconnect or disable remote access, an attack or other compromise would not be immediately stopped. Applications must have the capability to immediately... |
| V-80429 | Medium | The Bromium Enterprise Controller (BEC) must generate a log record that can be sent to the central log server, which will alert the system administrator (SA) and Information System Security Officer (ISSO), at a minimum, when a Bromium vSentry client has not connected to the BEC for logging or policy update purposes for an organization-defined time period. | It is critical for the appropriate personnel to be aware if an endpoint fails to connect to the management server within a defined time period. Without this notification, the security personnel... |
| V-80425 | Medium | The Bromium Enterprise Controller (BEC) lockout_delay_base in the settings.json file must be set to a minimum of 10 and the lockout_delay_scale must be set to 1 at a minimum. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. |
| V-80423 | Medium | The Bromium Enterprise Controller (BEC) must set the number of concurrent sessions to 1. | Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in... |
| V-80463 | Medium | The Bromium Enterprise Controller (BEC) Update Interval must be set to a maximum of one hour. | Without reauthenticating the endpoint, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. The BEC Update Interval setting controls the frequency of... |
| V-80455 | Medium | The Bromium Enterprise Controller (BEC) must generate a log record that can be sent to the central log server, which will alert the system administrator (SA) and Information System Security Officer (ISSO), at a minimum, when it is unable to connect to the SQL database. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an... |
| V-80451 | Medium | The Bromium Enterprise Controller (BEC) must send history.log records to a central log server (i.e., syslog server). | Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a... |
| V-80453 | Medium | The Bromium Enterprise Controller (BEC) must manage log record storage capacity so history.log does not exceed physical drive space capacity allocated by the database administrator (DBA) and system administrator. | To ensure applications have a sufficient storage capacity in which to write the audit logs, applications need to be able to allocate audit record storage capacity. The task of allocating audit... |
| V-80439 | Medium | The Bromium vSentry client must automatically capture and forward payloads (Malware Manifest) that were downloaded and determined to be malicious to the management console. | Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions... |
| V-80469 | Medium | The Bromium Enterprise Controller (BEC) must have the base policy Logging Level set to Debug. | The default policy logging level captures the maximum level of data available to the administrator for forensic purposes and troubleshooting. This is required for analyzing Indicators of... |
| V-80433 | Medium | The Bromium Enterprise Controller (BEC) must protect the BEC Web Console from unauthorized modification. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on... |
| V-80431 | Medium | The Bromium Enterprise Controller (BEC) must protect the BEC Web Console from unauthorized access. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on... |
| V-80465 | Low | If the Host Based Security System (HBSS) is not installed to monitor the Bromium Enterprise Controller (BEC) application, processes, and registry settings, the Bromium Protection agent must be installed on the BEC server. | Installing the Bromium Protection agent on the BEC server will allow for monitoring and alerting on attempts to attack critical files, applications, processes, and registry settings on the BEC... |
| V-80447 | Low | The Bromium Enterprise Controller (BEC) must be configured to permit only authorized users to remotely view, in real time (within seconds of event occurring), all content related to an established Bromium vSentry client session. | Without the capability to remotely view/hear all content related to a user session, investigations into suspicious user activity would be hampered. Real-time monitoring allows authorized personnel... |
| V-80445 | Low | The Bromium Enterprise Controller (BEC) must be configured so that organization-identified administrator roles have permission to change, based on selectable criteria, the types of Bromium vSentry client events that are captured in the events log and stored in the SQL database with immediate effect. | If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to respond effectively and important... |
| V-80427 | Low | The Bromium Enterprise Controller (BEC) must be configured for authorized system administrators to capture and log content related to a Bromium vSentry client. | Without the capability to capture and log all content related to a user session, investigations into suspicious user activity would be hampered. By default, untrusted file, web, and application... |
| V-80483 | Low | The Bromium Enterprise Controller (BEC) must have Threat Intelligence lookup disabled. | The Enable Threat Intelligence lookup setting controls whether the controller obtains and displays threat information from Bromium Threat Intelligence, which needs an external connection to... |
| V-80481 | Low | The Bromium Enterprise Controller (BEC) must be configured to allow authorized administrators to create organization-defined custom rules to support mission and business requirements. | Without the capability to create custom rules specific to the business and mission needs of the organization, detection of suspicious user activity would be hampered. Additional custom rules can... |
| V-80471 | Low | The Bromium monitoring module installed on the Bromium Enterprise Controller (BEC) or Bromium vSentry must generate an event and forward it to the central log server when anomalies in the operation of security functions of the BEC or Bromium vSentry application are discovered. | If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible... |
| V-80459 | Low | The Bromium Enterprise Controller (BEC) must be configured to provide report generation that supports after-the-fact investigations of security incidents. | If the report generation capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack, or... |
| V-80457 | Low | The Bromium Enterprise Controller (BEC) must be configured to provide report generation that supports on-demand reporting requirements for threat events. | The report generation function must support on-demand review and analysis to facilitate the organization's ability to generate incident reports as needed to better handle larger-scale or more... |