The IDPS must monitor for unusual usage of administrative user accounts.


Overview

Finding ID: SRG-NET-000013-IDPS-000033
Version: SRG-NET-000013-IDPS-000033
Rule ID: SRG-NET-000013-IDPS-000033_rule
IA Controls: (none listed)
Severity: Low
Description
Atypical account usage is behavior that is not part of normal usage cycles (e.g., accounts logging in after hours or on weekends). If this atypical behavior is not monitored, compromised user accounts could be used by unauthorized users for longer periods, giving an attacker more time to reconfigure the system to allow harmful traffic. This control can be met in two ways: (i) the IPS provides the capability to learn typical user behavior over time; (ii) a rule is created to enforce typical usage based on organizationally defined variables for typical usage (e.g., login hours, duration).
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43151_chk)
Examine the configuration of the IDPS.
Verify a rule exists which monitors and alarms on unusual user access control behavior.
Examine the rule and verify it monitors such items as unusual login times and unusual file or device access.

If the IDPS is not configured to monitor unusual usage of accounts, this is a finding.
Fix Text (F-43151_fix)
Configure the IDPS to monitor for atypical usage or create a rule to enforce the organization's usage policy.
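
Added example (not part of the SRG): a minimal sketch of option (ii) from the Description, a rule that alarms on administrative logins outside organizationally defined hours, on weekends, or with sessions longer than a defined duration. The account names, policy values, and the "timestamp action user" log format are assumptions made for illustration.

```python
from datetime import datetime, time, timedelta

# Assumed organizational policy (hypothetical values, not from the SRG).
ADMIN_ACCOUNTS = {"root", "netadmin"}
ALLOWED_DAYS = {0, 1, 2, 3, 4}                     # Monday..Friday
ALLOWED_START, ALLOWED_END = time(7, 0), time(19, 0)
MAX_SESSION = timedelta(hours=4)

# Constructed sample events in an assumed "timestamp action user" format.
SAMPLE_LOG = """\
2012-03-05T09:15:00 login netadmin
2012-03-05T10:00:00 logout netadmin
2012-03-06T22:00:00 login jsmith
2012-03-06T23:40:00 login root
2012-03-07T00:05:00 logout root
2012-03-08T08:00:00 login netadmin
2012-03-08T14:30:00 logout netadmin
2012-03-10T11:00:00 login netadmin
2012-03-10T11:20:00 logout netadmin
"""

def find_atypical(log_text):
    """Return (timestamp, user, reason) alerts for administrative accounts."""
    alerts, open_sessions = [], {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                               # skip malformed lines
        stamp, action, user = parts
        if user not in ADMIN_ACCOUNTS:
            continue                               # rule covers admin accounts only
        try:
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            continue                               # skip unparseable timestamps
        if action == "login":
            open_sessions[user] = ts               # remember start for duration check
            if ts.weekday() not in ALLOWED_DAYS:
                alerts.append((stamp, user, "weekend login"))
            elif not ALLOWED_START <= ts.time() < ALLOWED_END:
                alerts.append((stamp, user, "after-hours login"))
        elif action == "logout" and user in open_sessions:
            if ts - open_sessions.pop(user) > MAX_SESSION:
                alerts.append((stamp, user, "session exceeds max duration"))
    return alerts

if __name__ == "__main__":
    for alert in find_atypical(SAMPLE_LOG):
        print(*alert)
```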