| Finding ID |
Severity |
Title |
Description |
|
V-270947
|
High |
Dragos Platforms must limit privileges and not allow the ability to run shell. |
If Dragos Platform were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
This requirement applies to applications with software libraries that are accessible and configurable, as... |
|
V-271105
|
Medium |
Before establishing a network connection with a Network Time Protocol (NTP) server, Dragos Platform must authenticate using a bidirectional, cryptographically based authentication method that uses a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the NTP server. |
Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
Currently, DOD requires the use of AES for bidirectional authentication since it is the only FIPS-validated AES cipher block algorithm. The... |
|
V-271070
|
Medium |
The Dragos Platform must alert the information system security officer (ISSO), information system security manager (ISSM), and other individuals designated by the local organization when events are detected that indicate a compromise or potential for compromise. |
When a security event occurs, Dragos Platform must immediately notify the appropriate support personnel so they can respond appropriately.
Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection mechanisms, or prevention mechanisms.
IOCs are forensic artifacts from intrusions... |
|
V-271049
|
Medium |
The Dragos Platform must only allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions. |
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.... |
|
V-271034
|
Medium |
Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication. |
The use of Personal Identity Verification (PIV) credentials facilitates standardization and reduces the risk of unauthorized access.
PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12... |
|
V-271027
|
Medium |
The Syslog client must use TCP connections. |
Removal of unneeded or nonsecure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources.
The organization must perform a periodic scan/review of Dragos (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to... |
|
V-271008
|
Medium |
Dragos Platform must allocate audit record storage retention length. |
In order to ensure applications have a sufficient storage capacity in which to write the audit logs, applications need to be able to allocate audit record storage capacity.
The task of allocating audit record storage capacity is usually performed during initial installation of Dragos Platform and is closely associated with... |
|
V-270993
|
Medium |
The Dragos Platform must notify system administrators and information system security officer (ISSO) of local account activity. |
Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the system administrator and ISSO is one method... |
|
V-270978
|
Medium |
Dragos must use FIPS-validated encryption and hashing algorithms to protect the confidentiality and integrity of application configuration files and user-generated data stored or aggregated on the device. |
Confidentiality and integrity protections are intended to address the confidentiality and integrity of system information at rest (e.g., network device rule sets) when it is located on a storage device within the network device or as a component of the network device. This protection is required to prevent unauthorized alteration,... |
|
V-270955
|
Medium |
The Dragos Platform must configure local password policies. |
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that... |
|
V-270952
|
Medium |
Dragos must allow only the individuals appointed by the information system security manager (ISSM) to have full admin rights to the system. |
Without restricting which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events.
Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the... |
|
V-270945
|
Medium |
The Dragos Platform must have disk encryption enabled on a virtual machines (VMs). |
Enabling disk encryption on VMs running the Dragos Platform is a critical security measure to protect sensitive data, ensure compliance with regulations, and provide a robust defense against various threats, including unauthorized access, data breaches, and insider threats.
Disk encryption ensures that the data stored on the VM's disk is... |
|
V-270944
|
Medium |
The Dragos Platform must be configured to send backup audit records. |
Configuring the Dragos Platform to send out backup audit records is a critical best practice for ensuring the security, integrity, and availability of audit data. It supports disaster recovery, regulatory compliance, forensic investigations, and overall operational resilience, thereby strengthening the organization's cybersecurity posture.
Storing backup audit records in a separate... |
|
V-270932
|
Medium |
The Dragos Platform must have notification and audit services installed. |
Installing the Knowledge Pack(s) is essential for the Dragos Platform to provide comprehensive security monitoring, compliance, and operational visibility within industrial environments. It enhances the Platform's capabilities in detecting and responding to threats, ensuring regulatory compliance, and maintaining the overall security. It is critical for the appropriate personnel to be... |
|
V-270919
|
Medium |
The Dragos Platform must only allow local administrative and service user accounts. |
Only two default accounts facilitate the initial setup and configuration of the Platform. These accounts provide immediate access to the system, allowing administrators to quickly get the system up and running without needing to create new user accounts during the initial installation phase.
During maintenance, updates, or support operations, default... |
|
V-270917
|
Medium |
The publicly accessible Dragos Platform application must display the Standard Mandatory DOD Notice and Consent Banner before granting access to Dragos Platform. |
|
|
V-270916
|
Medium |
The Dragos Platform must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system. |
|
|
V-270910
|
Medium |
Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes. |
Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error.
A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include,... |
|
V-270904
|
Medium |
Dragos must configure idle timeouts at 10 minutes. |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence.
The session lock is implemented at the point where session activity... |