
The IDPS administrator will review whitelists and blacklists regularly and validate all entries to ensure they are still accurate and necessary.


Overview

Finding ID: SRG-NET-000181-IDPS-000169
Version: SRG-NET-000181-IDPS-000169
Rule ID: SRG-NET-000181-IDPS-000169_rule
IA Controls:
Severity: Medium
Description
A blacklist is a list of discrete entities, such as hosts, TCP or UDP port numbers, ICMP types and codes, applications, usernames, URLs, filenames, or file extensions, that have been previously determined to be associated with malicious activity. Blacklists, also known as hot lists, are typically used to allow the IDPS to recognize and block activity that is highly likely to be malicious, and may also be used to assign a higher priority to alerts that match entries on the blacklists. Some IDPS generate dynamic blacklists that are used to temporarily block recently detected threats. A whitelist is a list of discrete entities that are known to be benign. Whitelists are typically used on a granular basis, such as protocol-by-protocol, to reduce or ignore false positives involving known benign activity from trusted hosts. Whitelists and blacklists are most commonly used in signature-based detection and stateful protocol analysis. Without the use of validated and up-to-date blacklists and whitelists, recently discovered malicious software, sites, or protocols may be missed by the IDPS monitoring functionality.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43309_chk)
Review the whitelists and blacklists used by the IDPS.
Interview the SA to determine when the last update occurred. These lists are updated frequently by the vendor.

If whitelists and/or blacklists are not kept updated, this is a finding.
Fix Text (F-43309_fix)
Create a periodic update schedule to review the whitelists and blacklists.
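One way to carry out this review mechanically, as an added example that is not part of the SRG or of any IDPS product: the script below audits a constructed set of whitelist and blacklist entries and flags entries not validated within an assumed review interval, dynamic (temporary) blacklist entries that have outlived their assumed block window, entries with no documented justification, and the same entity appearing on both lists. The entry fields, the 90-day and 7-day intervals, and the audit date are assumptions.

```python
"""Audit IDPS whitelist/blacklist entries for stale, unjustified or conflicting items."""
from datetime import date, timedelta

# Constructed sample entries (not exported from any real IDPS). Field names are
# assumptions: "validated" is the date an administrator last confirmed the entry
# is still accurate and necessary; "reason" is the ticket or note justifying it;
# "temporary" marks a dynamic blacklist entry created to block a recent threat.
SAMPLE_ENTRIES = [
    {"list": "blacklist", "kind": "host", "value": "203.0.113.7", "validated": "2012-01-15", "reason": "INC-1042"},
    {"list": "blacklist", "kind": "url", "value": "http://malware.example/x", "validated": "2011-06-01", "reason": "INC-0880"},
    {"list": "blacklist", "kind": "host", "value": "198.51.100.9", "validated": "2012-02-25", "reason": "", "temporary": True},
    {"list": "whitelist", "kind": "host", "value": "192.0.2.10", "validated": "2012-02-20", "reason": "scanner-01 (CHG-77)"},
    {"list": "whitelist", "kind": "host", "value": "203.0.113.7", "validated": "2012-02-28", "reason": "vendor support"},
    {"list": "whitelist", "kind": "port", "value": "tcp/8443", "validated": "2011-09-30", "reason": ""},
]

REVIEW_INTERVAL = timedelta(days=90)  # assumed: every entry is re-validated at least quarterly
TEMP_BLOCK_MAX = timedelta(days=7)    # assumed: a dynamic block is reviewed within a week
AS_OF = date(2012, 3, 8)              # assumed audit date (the SRG's own date, for the sample)


def audit_entries(entries, today, review_interval=REVIEW_INTERVAL, temp_max=TEMP_BLOCK_MAX):
    """Return (list_name, value, problem) findings for entries that need attention."""
    findings = []
    seen = {}  # (kind, value) -> set of list names, to detect whitelist/blacklist conflicts
    for e in entries:
        seen.setdefault((e["kind"], e["value"]), set()).add(e["list"])
        age = today - date.fromisoformat(e["validated"])
        # Temporary blocks are held to the shorter window; everything else to the review interval.
        limit = temp_max if e.get("temporary") else review_interval
        if age > limit:
            findings.append((e["list"], e["value"], f"not validated for {age.days} days (limit {limit.days})"))
        # A permanent entry with no recorded justification cannot be shown to be "still necessary".
        if not e["reason"] and not e.get("temporary"):
            findings.append((e["list"], e["value"], "no documented justification"))
    # The same entity on both lists means one of the two entries is wrong or obsolete.
    for (kind, value), lists in seen.items():
        if {"whitelist", "blacklist"} <= lists:
            findings.append(("both", value, f"{kind} appears on whitelist and blacklist"))
    return findings


def run_sample_audit():
    """Audit the constructed entries as of the assumed audit date."""
    return audit_entries(SAMPLE_ENTRIES, AS_OF)


if __name__ == "__main__":
    for list_name, value, problem in run_sample_audit():
        print(f"[{list_name}] {value}: {problem}")
```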