| Finding ID |
Severity |
Title |
Description |
|
V-263665
|
Medium |
The IDPS must establish organization-defined alternate communications paths for system operations organizational command and control. |
An incident, whether adversarial- or nonadversarial-based, can disrupt established communications paths used for system operations and organizational command and control. Alternate communications paths reduce the risk of all communications paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about... |
|
V-263664
|
Medium |
The IDPS must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. |
Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through... |
|
V-263663
|
Medium |
The IDPS must employ organization-defined controls by type of denial-of-service (DoS) to achieve the DoS objective. |
DoS events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A... |
|
V-206923
|
Medium |
The IDPS must be configured in accordance with the security configuration settings based on DoD security policy and technology-specific security best practices. |
Configuring the IDPS to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the... |
|
V-206922
|
Medium |
The IDPS must off-load log records to a centralized log server in real-time. |
Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is compromised.
Off-loading is a common process in information systems with limited audit storage capacity. The audit storage on the IDPS is... |
|
V-206921
|
Medium |
The IDPS must, for fragmented packets, either block the packets or properly reassemble the packets before inspecting and forwarding. |
Packet fragmentation is allowed by the TCP/IP specifications and is encouraged in situations where it is needed. However, packet fragmentation has been used to make some attacks harder to detect (by placing them within fragmented packets), and unusual fragmentation has also been used as a form of attack. For example,... |
|
V-206920
|
Medium |
The IDPS must generate an alert to, at a minimum, the ISSM and ISSO when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security
of DoD systems is detected. |
Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss or compromise of information.
CJCSM 6510.01B, "Cyber Incident Handling Program", lists nine Cyber Incident and Reportable Event Categories. DoD has determined that categories identified by CJCSM... |
|
V-206919
|
Medium |
The IDPS must send an alert to, at a minimum, the ISSM and ISSO when denial of service incidents are detected. |
Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss or compromise of information.
CJCSM 6510.01B, "Cyber Incident Handling Program", lists nine Cyber Incident and Reportable Event Categories. DoD has determined that categories identified by CJCSM... |
|
V-206918
|
Medium |
The IDPS must send an alert to, at a minimum, the ISSM and ISSO when user level intrusions which provide non-privileged access are detected. |
Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss or compromise of information.
CJCSM 6510.01B, "Cyber Incident Handling Program", lists nine Cyber Incident and Reportable Event Categories. DoD has determined that categories identified by CJCSM... |
|
V-206917
|
Medium |
The IDPS must generate an alert to, at a minimum, the ISSM and ISSO when root level intrusion events which provide unauthorized privileged access are detected. |
Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss or compromise of information.
CJCSM 6510.01B, "Cyber Incident Handling Program", lists nine Cyber Incident and Reportable Event Categories. DoD has determined that categories identified by CJCSM... |
|
V-206916
|
Medium |
The IDPS must send an alert to, at a minimum, the ISSM and ISSO when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected which indicate a compromise or potential for compromise. |
Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be impeded.
Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The IDPS must... |
|
V-206915
|
Medium |
The IDSP must send an alert to, at a minimum, the ISSM and ISSO when intrusion detection events are detected which indicate a compromise or potential for compromise. |
Without an alert, security personnel may be unaware of intrusion detection incidents that require immediate action and this delay may result in the loss or compromise of information.
In accordance with CCI-001242, the IDPS is a real-time intrusion detection system. These systems must generate an alert when detection events from... |
|
V-206914
|
Medium |
The IDPS must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions. |
If outbound communications traffic is not continuously monitored for unusual/unauthorized activities or conditions, there will be times when hostile activity may not be noticed and defended against.
Although some of the components in the site's content scanning solution may be used for periodic scanning assessment, the IDPS sensors and other... |
|
V-206913
|
Medium |
The IDPS must continuously monitor inbound communications traffic for unusual/unauthorized activities or conditions. |
If inbound communications traffic is not continuously monitored for unusual/unauthorized activities or conditions, there will be times when hostile activity may not be noticed and defended against.
Although some of the components in the site's content scanning solution may be used for periodic scanning assessment, the IDPS sensors and other... |
|
V-206912
|
Medium |
The IDPS must generate an alert to the ISSM and ISSO, at a minimum, when unauthorized network services are detected. |
Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.
Automated mechanisms can be used to send automatic alerts or notifications. Such automatic alerts or notifications can be conveyed in a variety of ways (e.g., telephonically, via... |
|
V-206911
|
Medium |
The IDPS must generate a log record when unauthorized network services are detected. |
Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.
Examples of network services include service-oriented architectures (SOAs), cloud-based services (e.g., infrastructure as a service, platform as a service, or software as a service), cross-domain, Voice Over... |
|
V-206910
|
Medium |
The IDPS must detect network services that have not been authorized or approved by the ISSO or ISSM, at a minimum. |
Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.
Examples of network services include service-oriented architectures (SOAs), cloud-based services (e.g., infrastructure as a service, platform as a service, or software as a service), cross-domain, Voice Over... |
|
V-206909
|
Medium |
IDPS components, including sensors, event databases, and management consoles must integrate with a network-wide monitoring capability. |
An integrated, network-wide intrusion detection capability increases the ability to detect and prevent sophisticated distributed attacks based on access patterns and characteristics of access.
Integration is more than centralized logging and a centralized management console. The enclave's monitoring capability may include multiple sensors, IPS, sensor event databases, behavior-based monitoring devices,... |
|
V-206907
|
Medium |
The IDPS must protect against or limit the effects of known types of Denial of Service (DoS) attacks by employing signatures. |
If the network does not provide safeguards against DoS attack, network resources will be unavailable to users.
Installation of IDPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns... |
|
V-206906
|
Medium |
The IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing anomaly-based attack detection. |
If the network does not provide safeguards against DoS attack, network resources will be unavailable to users.
Installation of IDPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns... |
|
V-206905
|
Medium |
The IDPS must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis. |
If the network does not provide safeguards against DoS attack, network resources will be unavailable to users.
Installation of IDPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns... |
|
V-206904
|
Medium |
The IDPS must assign a critical severity level to all audit processing failures. |
It is critical that when the IDPS is at risk of failing to process audit logs as required, it takes action to mitigate the failure
Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Since action must be taken... |
|
V-206903
|
Medium |
The IDPS must provide an alert to, at a minimum, the system administrator and ISSO when any audit failure events occur. |
Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis may be impeded.
This requirement includes, but is not limited to, failures where the detection and/or prevention function is unable to write events to either local storage... |
|
V-206902
|
Medium |
The IDPS must off-load log records to a centralized log server. |
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is compromised.
This also prevents the log records... |
|
V-206900
|
Medium |
To protect against unauthorized data mining, the IDPS must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. |
Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information.
SQL injection attacks are the most prevalent attacks against web applications... |
|
V-206899
|
Medium |
To protect against unauthorized data mining, the IDPS must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code. |
Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack applications may result in the compromise of information.
Injection attacks allow an attacker to inject code into a program... |
|
V-206898
|
Medium |
To protect against unauthorized data mining, the IDPS must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. |
Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information.
Injection attacks allow an attacker to inject code into a program... |
|
V-206897
|
Medium |
To protect against unauthorized data mining, the IDPS must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. |
Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information.
SQL injection attacks are the most prevalent attacks against web applications... |
|
V-206896
|
Medium |
To protect against unauthorized data mining, the IDPS must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code. |
Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack applications may result in the compromise of information.
Injection attacks allow an attacker to inject code into a program... |
|
V-206895
|
Medium |
To protect against unauthorized data mining, the IDPS must prevent code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. |
Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information.
Injection attacks allow an attacker to inject code into a program... |
|
V-206894
|
Medium |
The IDPS must block malicious ICMP packets by properly configuring ICMP signatures and rules. |
Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, some messages can also provide host information, network topology, and a covert channel that may be exploited by an attacker.
Given the... |
|
V-206893
|
Medium |
The IDPS must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages. |
Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, some messages can also provide host information and network topology that may be exploited by an attacker.
An IDPS must be configured... |
|
V-206892
|
Medium |
The IDPS must automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy. |
Failing to automatically update malicious code protection mechanisms, including application software files, signature definitions, and vendor-provided rules, leaves the system vulnerable to exploitation by recently developed attack methods and programs. An automatic update process ensures this important task is performed without the need for system administrator intervention.
The IDPS is... |
|
V-206891
|
Medium |
The IDPS must send an immediate (within seconds) alert to, at a minimum, the system administrator when malicious code is detected. |
Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be impeded.
The IDPS generates an immediate (within seconds) alert which notifies designated personnel of the incident. Sending a message... |
|
V-206890
|
Medium |
The IDPS must quarantine and/or delete malicious code. |
Configuring the network element to delete and/or quarantine based on local organizational incident handling procedures minimizes the impact of this code on the network.
Malicious code includes, but is not limited to, viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from... |
|
V-206889
|
Medium |
The IDPS must block malicious code. |
Configuring the IDPS to delete and/or quarantine based on local organizational incident handling procedures minimizes the impact of this code on the network. |
|
V-206888
|
Medium |
The IDPS must perform real-time monitoring of files from external sources at network entry/exit points. |
Real-time monitoring of files from external sources at network entry/exit points helps to detect covert malicious code before it is downloaded to or executed by internal and external endpoints. Using malicious code, such as viruses, worms, Trojan horses, and spyware, an attacker may gain access to sensitive data and systems.... |
|
V-206887
|
Medium |
The IDPS must automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management procedures. |
Failing to update malicious code protection mechanisms, including application software files, signature definitions, and vendor-provided rules, leaves the system vulnerable to exploitation by recently developed attack methods and programs.
The IDPS is a key malicious code protection mechanism in the enclave infrastructure. To ensure this protection is responsive to changes... |
|
V-206885
|
Medium |
In the event of a failure of the IDPS function, the IDPS must save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted. |
Failure in a secure state address safety or security in accordance with the mission needs of the organization. Failure to a secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving state... |
|
V-206884
|
Medium |
The IDPS must fail to a secure state which maintains access control mechanisms when the IDPS hardware, software, or firmware fails on initialization/shutdown or experiences a sudden abort during normal operation. |
Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Preserving information system state information also facilitates system restart and return to the operational mode of the organization with less disruption to mission-essential processes.... |
|
V-206883
|
Medium |
The IDPS must block any prohibited mobile code at the enclave boundary when it is detected. |
Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Examples of mobile code include JavaScript, VBScript, Java applets, ActiveX controls, Flash animations, Shockwave videos, and macros embedded... |
|
V-206882
|
Medium |
The IDPS must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment. |
Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Examples of mobile code include JavaScript, VBScript, Java applets, ActiveX controls, Flash animations, Shockwave videos, and macros embedded... |
|
V-206881
|
Medium |
The IDPS must block outbound traffic containing known and unknown DoS attacks by ensuring that security policies, signatures, rules, and anomaly detection techniques are applied to outbound communications traffic. |
The IDPS must include protection against DoS attacks that originate from inside the enclave which can affect either internal or external systems. These attacks may use legitimate or rogue endpoints from inside the enclave.
Installation of IDPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates... |
|
V-206880
|
Medium |
The IDPS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. |
Some ports, protocols, or services have known exploits or security weaknesses. These ports, protocols, and services must be prohibited or restricted in the IDPS configuration in accordance with DoD policy.
Policy filters restrict traffic destined to the enclave perimeter in accordance with the guidelines contained in DoD Instruction 8551.1 for... |
|
V-206879
|
Medium |
The IDPS must be configured to remove or disable non-essential features, functions, and services of the IDPS application. |
An IDPS can be capable of providing a wide variety of capabilities. Not all of these capabilities are necessary. Unnecessary services, functions, and applications increase the attack surface (sum of attack vectors) of a system. These unnecessary capabilities are often overlooked and therefore may remain unsecured.
This requirement applies to... |
|
V-206878
|
Medium |
The IDPS must be configured to remove or disable non-essential capabilities which are not required for operation or not related to IDPS functionality (e.g., DNS, email client or server, FTP server, or web server). |
An IDPS can be capable of providing a wide variety of capabilities. Not all of these capabilities are necessary. Unnecessary services, functions, and applications increase the attack surface (sum of attack vectors) of a system. These unnecessary capabilities are often overlooked and therefore may remain unsecured. |
|
V-206877
|
Medium |
The IDPS must provide audit record generation with a configurable severity and escalation level capability. |
Without the capability to generate audit records with a severity code it is difficult to track and handle detection events.
While auditing and logging are closely related, they are not the same. Logging is recording data about events that take place in a system, while auditing is the use of... |
|
V-206876
|
Medium |
The IDPS must provide audit record generation capability for events where communication traffic is blocked or restricted based on policy filters, rules, signatures, and anomaly analysis. |
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
While auditing and logging are closely related, they are not the same. Logging is recording data about events that take place in... |
|
V-206875
|
Medium |
The IDPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis. |
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
While auditing and logging are closely related, they are not the same. Logging is recording data about events that take place in... |
|
V-206874
|
Medium |
The IDPS must provide log information in a format that can be extracted and used by centralized analysis tools. |
Centralized review and analysis of log records from multiple IDPS components gives the organization the capability to better detect distributed attacks and provides increased data points for behavior analysis techniques. These techniques are invaluable in monitoring for indicators of complex attack patterns.
To support the centralized analysis capability, the IDPS... |
|
V-206871
|
Medium |
The IDPS must produce audit records containing information to establish the outcome of events associated with detected harmful or potentially harmful traffic, including, at a minimum, capturing all associated communications traffic. |
Associating event outcome with detected events in the log provides a means of investigating an attack or suspected attack.
While auditing and logging are closely related, they are not the same. Logging is recording data about events that take place in a system, while auditing is the use of log... |
|
V-206870
|
Medium |
The IDPS must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address. |
Associating the source of the event with detected events in the logs provides a means of investigating an attack or suspected attack.
While auditing and logging are closely related, they are not the same. Logging is recording data about events that take place in a system, while auditing is the... |
|
V-206869
|
Medium |
The IDPS must produce audit records containing information to establish where the event was detected, including, at a minimum, network segment, destination address, and IDPS component which detected the event. |
Associating where the event was detected with the event log entries provides a means of investigating an attack or identifying an improperly configured IDPS. This information can be used to determine what systems may have been affected.
While auditing and logging are closely related, they are not the same. Logging... |
|
V-206868
|
Medium |
The IDPS must produce audit records containing information to establish when (date and time) the events occurred. |
Without establishing the time (date/time) an event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Associating the date and time the event occurred with each event log entry provides a means of investigating an attack or identifying an improperly... |
|
V-206867
|
Medium |
The IDPS must produce audit records containing sufficient information to establish what type of event occurred, including, at a minimum, event descriptions, policy filter, rule or signature invoked, port, protocol, and criticality level/alert code or description. |
Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Associating an event type with each event log entry provides a means of investigating an attack or identifying an improperly configured IDPS.
While auditing and... |
|
V-206866
|
Medium |
The IDPS must immediately use updates made to policy filters, rules, signatures, and anomaly analysis algorithms for traffic detection and prevention functions. |
Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes to the PPSM CAL, vulnerability assessments, or mission conditions. Changing conditions include changes in the threat environment and detection of potentially harmful or adverse events.
Changes to the IDPS must take... |
|
V-206865
|
Medium |
The IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. |
The IDPS enforces approved authorizations by controlling the flow of information between interconnected networks to prevent harmful or suspicious traffic does spread to these interconnected networks.
Information flow control policies and restrictions govern where information is allowed to travel as opposed to who is allowed to access the information. The... |
|
V-206864
|
Medium |
The IDPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network as defined in the PPSM CAL and vulnerability assessments. |
The flow of all communications traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data.
Restricting the flow of communications traffic, also known as Information flow control, regulates where information is allowed to travel as opposed to who is allowed... |
