STIG VIEWER

Ivanti Connect Secure NDM Security Technical Implementation Guide

Overview

Version: 2
Date: 2024-09-16
Finding Count (29): CAT I (High): 9, CAT II (Medium): 20, CAT III (Low): 0

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings - All

Finding ID Severity Title Description
V-268324 High The ICS must be configured to protect against known types of denial-of-service (DoS) attacks by enabling JITC mode. This configuration protects the confidentiality of Web UI session and guards against DoS attacks. If JITC (DODIN APL) Mode is enabled, then the following protections are enforced: - Log support for detection and prevention of SMURF/SYN Flood/SSL Replay Attack. - Disable ICMPv6 echo response for multicast echo request. - Disable...
V-258620 High The ICS must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication. Once issued by a DOD certificate authority (CA), public key infrastructure (PKI) certificates are typically valid for three years or shorter within the DOD. However, there are many reasons a certificate may become invalid before the prescribed expiration date. For example, an employee may leave or be terminated and still...
V-258615 High The ICS must be configured to transmit only encrypted representations of passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. This is applicable to the account of last resort which uses a password. Secure password while in...
V-258613 High The ICS must be configured to run an operating system release that is currently supported by Ivanti. Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.
V-258609 High The ICS must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins. MFA is when two or more factors are used to confirm the identity of an individual who is requesting access to digital information resources. Valid factors include something the individual knows (e.g., username and password), something the individual has (e.g., a smartcard or token), or something the individual is (e.g.,...
V-258608 High The ICS must be configured to terminate after 10 minutes of inactivity except to fulfill documented and validated mission requirements. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by...
V-258600 High The ICS must be configured to prevent nonprivileged users from executing privileged functions. Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations....
V-258599 High The ICS must be configured to send admin log data to a redundant central log server. The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches...
V-258598 High The ICS must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 approved algorithm. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions. When JITC mode is enabled, FIPS mode is also...
V-258625 Medium The ICS must be configured to conduct backups of system level information contained in the information system when changes occur. System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and...
V-258624 Medium The ICS must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes. By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
V-258623 Medium The ICS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting access to manage the device. Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users. The banner...
V-258622 Medium The ICS must be configured to limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type. Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions...
V-258621 Medium The ICS must be configured to generate audit records when successful/unsuccessful attempts to access privileges occur. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g.,...
V-258619 Medium The ICS must be configured to enforce password complexity by requiring that at least one uppercase character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it...
V-258618 Medium The ICS must be configured to enforce password complexity by requiring that at least one lowercase character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it...
V-258617 Medium The ICS must be configured to enforce password complexity by requiring that at least one numeric character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it...
V-258616 Medium The ICS must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password. If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total...
V-258614 Medium The ICS must be configured to enforce a minimum 15-character password length. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number...
V-258612 Medium The ICS must be configured to support organizational requirements to conduct weekly backups of information system documentation, including security-related documentation. Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configuration and security settings. If this information were not backed up, and a system failure were to occur, the security settings would be difficult to reconfigure quickly...
V-258611 Medium The ICS must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider. For user certificates, each organization obtains certificates from an approved and shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.
V-258610 Medium The ICS must be configured to synchronize internal information system clocks using redundant authoritative time sources. The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time...
V-258607 Medium The ICS must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as...
V-258606 Medium The ICS must be configured to enforce password complexity by requiring that at least one special character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it...
V-258605 Medium The ICS must be configured to allocate local audit record storage capacity in accordance with organization-defined audit record storage requirements. In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. The value...
V-258604 Medium The ICS must be configured to record time stamps for audit records that can be mapped to Greenwich Mean Time (GMT). If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local...
V-258603 Medium The ICS must be configured to authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based. If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating...
V-258602 Medium If SNMP is used, the ICS must be configured to use SNMPv3 with FIPS-140-2/3 validated Keyed-Hash Message Authentication Code (HMAC). Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A...
V-258601 Medium The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and...