Akamai KSD Service Impact Level 2 NDM Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2017-09-15

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Upon successful login, the Akamai Luna Portal must notify the administrator of the date and time of the last login.
AC-9 - Medium - CCI-000052 - V-76457 - SV-91153r1_rule
  • RMF Control: AC-9
  • Severity: Medium
  • CCI: CCI-000052
  • Version: AKSD-DM-000005
  • Vuln IDs: V-76457
  • Rule IDs: SV-91153r1_rule
Administrators need to be aware of activity that occurs regarding their network device management account. Providing administrators with information regarding the date and time of their last successful login allows them to determine if any unauthorized activity has occurred. This incorporates all methods of login, including but not limited to SSH, HTTP, HTTPS, and physical connectivity.
Checks: C-76117r1_chk

Verify that the activity log is showing user login data:
1. Log in to the Luna Portal.
2. Verify that one of the four widgets includes the activity log.
If the activity log is not showing, this is a finding.

Fix: F-83135r1_fix

Configure the activity log to appear in the "My Akamai" section:
1. Select the gear icon on one of the four widgets.
2. Select the activity log in the left column.
3. Check the box for "All Logins".

The Akamai Luna Portal must notify the administrator of the number of successful login attempts.
CM-6 - Medium - CCI-000366 - V-76459 - SV-91155r1_rule
  • RMF Control: CM-6
  • Severity: Medium
  • CCI: CCI-000366
  • Version: AKSD-DM-000006
  • Vuln IDs: V-76459
  • Rule IDs: SV-91155r1_rule
Administrators need to be aware of activity that occurs regarding their network device management account. Providing administrators with information regarding the date and time of their last successful login allows the administrator to determine if any unauthorized activity has occurred. This incorporates all methods of login, including but not limited to SSH, HTTP, HTTPS, and physical connectivity. The organization-defined time period is dependent on the frequency with which administrators typically log in to the network device.
Checks: C-76119r1_chk

Verify that the activity log is showing user login data:
1. Log in to the Luna Portal.
2. Verify that one of the four widgets includes the activity log.
If the activity log is not showing, this is a finding.

Fix: F-83137r1_fix

Configure the activity log to appear in the "My Akamai" section:
1. Select the gear icon on one of the four widgets.
2. Select the activity log in the left column.
3. Check the box for "All Logins".

The Akamai Luna Portal must initiate a session logoff after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-76461 - SV-91157r1_rule
  • RMF Control: AC-11
  • Severity: Medium
  • CCI: CCI-000057
  • Version: AKSD-DM-000007
  • Vuln IDs: V-76461
  • Rule IDs: SV-91157r1_rule
A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user to manually lock their management session prior to vacating the vicinity, network devices need to be able to identify when a management session has idled and take action to initiate the session lock. Once invoked, the session lock must remain in place until the administrator reauthenticates. No other system activity aside from reauthentication must unlock the management session. When the network device is remotely administered, a session logoff may be the only practical option in lieu of a session lock. For a web portal, a session logoff must be invoked when idle time is exceeded for an administrator. Note that CCI-001133 requires that administrative network sessions be disconnected after 10 minutes of idle time.
Checks: C-76121r1_chk

Verify that all portal users have the session timeout duration set to 15 minutes:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Manage Users & Groups.
3. Select each administrator and inspect the "Timeout" setting to verify it reads "After 15 Minutes".
4. Click the "Save" button.
If any user has a "Timeout" value other than "After 15 Minutes", this is a finding.

Fix: F-83139r1_fix

Configure the session timeout duration to 15 minutes:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Manage Users & Groups.
3. Select each user and set the "Timeout" value to "After 15 Minutes".

The Akamai Luna Portal must automatically audit account creation.
AC-2 - Medium - CCI-000018 - V-76463 - SV-91159r1_rule
  • RMF Control: AC-2
  • Severity: Medium
  • CCI: CCI-000018
  • Version: AKSD-DM-000008
  • Vuln IDs: V-76463
  • Rule IDs: SV-91159r1_rule
Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.
Checks: C-76123r1_chk

Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click the "Settings" button and click on the "Properties" tab.
5. Verify that the following setting is selected: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.

Fix: F-83141r1_fix

Enable account creation alerting:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click the "Settings" button and click on the "Properties" tab.
5. Select "Manage - Manage Users".

The Akamai Luna Portal must automatically audit account modification.
AC-2 - Medium - CCI-001403 - V-76465 - SV-91161r1_rule
  • RMF Control: AC-2
  • Severity: Medium
  • CCI: CCI-001403
  • Version: AKSD-DM-000009
  • Vuln IDs: V-76465
  • Rule IDs: SV-91161r1_rule
Since the accounts in the network device are privileged or system-level accounts, account management is vital to the security of the network device. Account management by a designated authority ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. If modifications to management accounts are not audited, reconciliation of account management procedures cannot be tracked.
Checks: C-76125r1_chk

Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click the "Settings" button and click on the "Properties" tab.
5. Verify that the following setting is selected: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.

Fix: F-83143r1_fix

Enable account modification alerting:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click the "Settings" button and click on the "Properties" tab.
5. Select "Manage - Manage Users".

The Akamai Luna Portal must automatically audit account removal actions.
AC-2 - Medium - CCI-001405 - V-76467 - SV-91163r1_rule
  • RMF Control: AC-2
  • Severity: Medium
  • CCI: CCI-001405
  • Version: AKSD-DM-000011
  • Vuln IDs: V-76467
  • Rule IDs: SV-91163r1_rule
Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.
Checks: C-76127r1_chk

Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click the "Settings" button and click on the "Properties" tab.
5. Verify that the following setting is selected: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.

Fix: F-83145r1_fix

Enable account removal alerting:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click the "Settings" button and click on the "Properties" tab.
5. Select "Manage - Manage Users".

The Akamai Luna Portal must generate alerts that can be forwarded to the SAs and ISSO when accounts are created.
AC-2 - Medium - CCI-001683 - V-76469 - SV-91165r1_rule
  • RMF Control: AC-2
  • Severity: Medium
  • CCI: CCI-001683
  • Version: AKSD-DM-000012
  • Vuln IDs: V-76469
  • Rule IDs: SV-91165r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail that documents the creation of accounts and notifies the SAs and ISSO. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
Checks: C-76129r1_chk

Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click on "account creation".
5. Verify that the following settings are selected by clicking the "Settings" button: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.

Fix: F-83147r1_fix

Enable Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Click the "Create New Alert" button.
4. Select "Luna Control Center Event" and press the "Next" button.
5. Check the box that reads "Manage - Manage Users".
6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".
Alternatively, custom notifications can be created by using the event manager API at https://developer.akamai.com/api/luna/events/overview.html.

The Akamai Luna Portal must generate alerts that can be forwarded to the SAs and ISSO when accounts are modified.
AC-2 - Medium - CCI-001684 - V-76471 - SV-91167r1_rule
  • RMF Control: AC-2
  • Severity: Medium
  • CCI: CCI-001684
  • Version: AKSD-DM-000013
  • Vuln IDs: V-76471
  • Rule IDs: SV-91167r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail that documents the modification of device administrator accounts and notifies the SAs and ISSO. Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes. The network device must generate the alert. Notification may be done by a management server.
Checks: C-76131r1_chk

Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click on "account modification".
5. Verify that the following settings are selected by clicking the "Settings" button: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.

Fix: F-83149r1_fix

Enable Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Click the "Create New Alert" button.
4. Select "Luna Control Center Event" and press the "Next" button.
5. Check the box that reads "Manage - Manage Users".
6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".
Alternatively, custom notifications can be created by using the event manager API at https://developer.akamai.com/api/luna/events/overview.html.

The Akamai Luna Portal must generate alerts that can be forwarded to the SAs and ISSO when accounts are removed.
AC-2 - Medium - CCI-001686 - V-76473 - SV-91169r1_rule
  • RMF Control: AC-2
  • Severity: Medium
  • CCI: CCI-001686
  • Version: AKSD-DM-000015
  • Vuln IDs: V-76473
  • Rule IDs: SV-91169r1_rule
When application accounts are removed, administrator accessibility is affected. Accounts are used for identifying individual device administrators or for identifying the device processes themselves. In order to detect and respond to events that affect administrator accessibility and device processing, devices must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that device accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.
Checks: C-76133r1_chk

Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click on "account removal".
5. Verify that the following settings are selected by clicking the "Settings" button: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.

Fix: F-83151r1_fix

Enable Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Click the "Create New Alert" button.
4. Select "Luna Control Center Event" and press the "Next" button.
5. Check the box that reads "Manage - Manage Users".
6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".
Alternatively, custom notifications can be created by using the event manager API at https://developer.akamai.com/api/luna/events/overview.html.

The Akamai Luna Portal must automatically audit account enabling actions.
AC-2 - Medium - CCI-002130 - V-76475 - SV-91171r1_rule
  • RMF Control: AC-2
  • Severity: Medium
  • CCI: CCI-002130
  • Version: AKSD-DM-000016
  • Vuln IDs: V-76475
  • Rule IDs: SV-91171r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail that documents the creation of application user accounts and notifies administrators and ISSOs. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
Checks: C-76135r1_chk

Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click on "account enabling".
5. Verify that the following settings are selected by clicking the "Settings" button: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.

Fix: F-83153r1_fix

Enable Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Click the "Create New Alert" button.
4. Select "Luna Control Center Event" and press the "Next" button.
5. Check the box that reads "Manage - Manage Users".
6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".

The Akamai Luna Portal must notify the SAs and ISSO when accounts are created, or enabled when previously disabled.
AC-2 - Medium - CCI-002132 - V-76477 - SV-91173r1_rule
  • RMF Control: AC-2
  • Severity: Medium
  • CCI: CCI-002132
  • Version: AKSD-DM-000017
  • Vuln IDs: V-76477
  • Rule IDs: SV-91173r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies the SAs and ISSO. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. In order to detect and respond to events that affect network administrator accessibility and device processing, network devices must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event.
Checks: C-76137r1_chk

Verify that the portal is sending the expected Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click on "account creation".
5. Verify that the following settings are selected by clicking the "Settings" button: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.

Fix: F-83155r1_fix

Enable Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Click the "Create New Alert" button.
4. Select "Luna Control Center Event" and press the "Next" button.
5. Check the boxes for applicable alerts.
6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".

The Akamai Luna Portal must audit the execution of privileged functions.
AC-6 - Medium - CCI-002234 - V-76479 - SV-91175r1_rule
  • RMF Control: AC-6
  • Severity: Medium
  • CCI: CCI-002234
  • Version: AKSD-DM-000018
  • Vuln IDs: V-76479
  • Rule IDs: SV-91175r1_rule
Misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
Checks: C-76139r1_chk

Verify that the portal is sending the expected Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click on "execution of privileged functions".
5. Verify that the following settings are selected by clicking the "Settings" button: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.

Fix: F-83157r1_fix

Enable Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Click the "Create New Alert" button.
4. Select "Luna Control Center Event" and press the "Next" button.
5. Check the boxes for applicable alerts.
6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".

The Akamai Luna Portal must provide audit record generation capability for DoD-defined auditable events within the network device.
AU-12 - Low - CCI-000169 - V-76481 - SV-91177r1_rule
  • RMF Control: AU-12
  • Severity: Low
  • CCI: CCI-000169
  • Version: AKSD-DM-000020
  • Vuln IDs: V-76481
  • Rule IDs: SV-91177r1_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., process, module). Certain specific device functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the device will provide an audit record generation capability as the following: (i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); (ii) Access actions, such as successful and unsuccessful login attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logins from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and (iii) All account creation, modification, disabling, and termination actions.
Checks: C-76141r1_chk

Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click on the DoD-defined auditable events individually.
5. Verify that the applicable events are selected by clicking the "Settings" button.
If the Luna Control Center event notifications are not enabled, this is a finding.

Fix: F-83159r1_fix

Enable Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Click the "Create New Alert" button.
4. Select "Luna Control Center Event" and press the "Next" button.
5. Check each of the applicable boxes for the DoD-defined auditable events.
6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".

The Akamai Luna Portal must generate audit records when successful/unsuccessful attempts to access privileges occur.
AU-12 - Low - CCI-000172 - V-76483 - SV-91179r1_rule
  • RMF Control: AU-12
  • Severity: Low
  • CCI: CCI-000172
  • Version: AKSD-DM-000022
  • Vuln IDs: V-76483
  • Rule IDs: SV-91179r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-76143r1_chk

Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click on the event name that meets the criteria above.
5. Verify that the applicable events are selected by clicking the "Settings" button.
If the Luna Control Center event notifications are not enabled, this is a finding.

Fix: F-83161r1_fix

Enable Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Click the "Create New Alert" button.
4. Select "Luna Control Center Event" and press the "Next" button.
5. Check the applicable boxes.
6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".

The Akamai Luna Portal must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-76485 - SV-91181r1_rule
  • RMF Control: IA-5
  • Severity: Medium
  • CCI: CCI-000205
  • Version: AKSD-DM-000028
  • Vuln IDs: V-76485
  • Rule IDs: SV-91181r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-76145r1_chk

Verify the minimum 15-character length for passwords. Contact the Akamai Professional Services team at 1-877-4-AKATEC (1-877-425-2832) to verify the setting. If the minimum password length is not 15 characters, this is a finding.

Fix: F-83163r1_fix

Open a ticket through the Akamai Customer Portal (Luna), https://control.akamai.com:
1. Select the "Support" link.
2. Under the "OPEN A CASE" section, select "Business Support Issue or Question".
3. The "Area" field should be "General Account Management" and the Service should be "Product Support".
4. Once selected, a form will load; the subject should be "Password Security Policy Exception Request".
5. The description should contain the following information with all fields completed. (Please note that if the character limit is exceeded, the following may be submitted as an attachment.)

-------------
Requester's name:
Requester's title:
Requester's organization/command:

We request the following exception(s) to the standard Akamai Luna password management policy to be applied to all accounts.
- Force password rotations to occur at least every 60 days.
- Disable any inactive accounts if they have not been used for 90 consecutive days.
- Limit the number of consecutive invalid login attempts to 3.
- Enforce a minimum length of 15 characters.
- Require that at least one upper-case character be used.
- Require that at least one lower-case character be used.
- Require that at least one numeric character be used.
- Require that at least one special character be used.
- Prevent password reuse for at least 5 generations.

We understand this is a divergence from the standard, recommended Luna security policy. Please submit this password policy exception request to the Akamai InfoSec team for review. It has been approved by the security officer or administrator for the organization. The following is the approver's information:
Approver's Name:
Approver's Title: (must be security personnel for the organization)
Approver's Contact Information (necessary to validate this request):
Phone:
E-mail:
-------------

6. Complete the contact information fields if they haven't been prepopulated, and then click "Create Case".

If multifactor authentication is not supported and passwords must be used, the Akamai Luna Portal must enforce password complexity by requiring that at least one upper-case character be used.
IA-5 - Medium - CCI-000192 - V-76487 - SV-91183r1_rule
  • RMF Control: IA-5
  • Severity: Medium
  • CCI: CCI-000192
  • Version: AKSD-DM-000029
  • Vuln IDs: V-76487
  • Rule IDs: SV-91183r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-76147r1_chk

Verify that passwords must contain at least one upper-case character. Contact the Akamai Professional Services team at 1-877-4-AKATEC (1-877-425-2832) to verify the setting. If the password does not require at least one upper-case character, this is a finding.

Fix: F-83165r1_fix

Open a ticket through the Akamai Customer Portal (Luna), https://control.akamai.com:
1. Select the "Support" link.
2. Under the "OPEN A CASE" section, select "Business Support Issue or Question".
3. The "Area" field should be "General Account Management" and the Service should be "Product Support".
4. Once selected, a form will load; the subject should be "Password Security Policy Exception Request".
5. The description should contain the following information with all fields completed. (Please note that if the character limit is exceeded, the following may be submitted as an attachment.)

-------------
Requester's name:
Requester's title:
Requester's organization/command:

We request the following exception(s) to the standard Akamai Luna password management policy to be applied to all accounts.
- Force password rotations to occur at least every 60 days.
- Disable any inactive accounts if they have not been used for 90 consecutive days.
- Limit the number of consecutive invalid login attempts to 3.
- Enforce a minimum length of 15 characters.
- Require that at least one upper-case character be used.
- Require that at least one lower-case character be used.
- Require that at least one numeric character be used.
- Require that at least one special character be used.
- Prevent password reuse for at least 5 generations.

We understand this is a divergence from the standard, recommended Luna security policy. Please submit this password policy exception request to the Akamai InfoSec team for review. It has been approved by the security officer or administrator for the organization. The following is the approver's information:
Approver's Name:
Approver's Title: (must be security personnel for the organization)
Approver's Contact Information (necessary to validate this request):
Phone:
E-mail:
-------------

6. Complete the contact information fields if they haven't been prepopulated, and then click "Create Case".

If multifactor authentication is not supported and passwords must be used, the Akamai Luna Portal must enforce password complexity by requiring that at least one lower-case character be used.
IA-5 - Medium - CCI-000193 - V-76489 - SV-91185r1_rule
  • RMF Control: IA-5
  • Severity: Medium
  • CCI: CCI-000193
  • Version: AKSD-DM-000030
  • Vuln IDs: V-76489
  • Rule IDs: SV-91185r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-76149r1_chk

Verify that passwords must contain at least one lower-case character. Contact the Akamai Professional Services team at 1-877-4-AKATEC (1-877-425-2832) to verify the setting. If the password does not require at least one lower-case character, this is a finding.

Fix: F-83167r1_fix

Open a ticket through the Akamai Customer Portal (Luna), https://control.akamai.com:
1. Select the "Support" link.
2. Under the "OPEN A CASE" section, select "Business Support Issue or Question".
3. The "Area" field should be "General Account Management" and the Service should be "Product Support".
4. Once selected, a form will load; the subject should be "Password Security Policy Exception Request".
5. The description should contain the following information with all fields completed. (Please note that if the character limit is exceeded, the following may be submitted as an attachment.)

-------------
Requester's name:
Requester's title:
Requester's organization/command:

We request the following exception(s) to the standard Akamai Luna password management policy to be applied to all accounts.
- Force password rotations to occur at least every 60 days.
- Disable any inactive accounts if they have not been used for 90 consecutive days.
- Limit the number of consecutive invalid login attempts to 3.
- Enforce a minimum length of 15 characters.
- Require that at least one upper-case character be used.
- Require that at least one lower-case character be used.
- Require that at least one numeric character be used.
- Require that at least one special character be used.
- Prevent password reuse for at least 5 generations.

We understand this is a divergence from the standard, recommended Luna security policy. Please submit this password policy exception request to the Akamai InfoSec team for review. It has been approved by the security officer or administrator for the organization. The following is the approver's information:
Approver's Name:
Approver's Title: (must be security personnel for the organization)
Approver's Contact Information (necessary to validate this request):
Phone:
E-mail:
-------------

6. Complete the contact information fields if they haven't been prepopulated, and then click "Create Case".

b
If multifactor authentication is not supported and passwords must be used, the Akamai Luna Portal must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-76491 - SV-91187r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
AKSD-DM-000031
Vuln IDs
  • V-76491
Rule IDs
  • SV-91187r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-76151r1_chk

Verify the password must contain at least one numeric character. Contact the Akamai Professional Services team to verify the changes at 1-877-4-AKATEC (1-877-425-2832). If the password does not require at least one numeric character, this is a finding.

Fix: F-83169r1_fix

Open a ticket through the Akamai Customer Portal (Luna), https://control.akamai.com. Select the “Support” link; under the “OPEN A CASE” section, select "Business Support Issue or Question". The "Area" field should be "General Account Management". Service should be "Product Support". Once selected, a form will load where the subject should be "Password Security Policy Exception Request". The description should contain the following information with all fields completed. (Please note that if the character limit is exceeded, the following may be submitted as an attachment.)

-------------
Requester's name:
Requester's title:
Requester's organization/command:

We request the following exception(s) to the standard Akamai Luna password management policy to be applied to all accounts.
- Force password rotations to occur at least every 60 days.
- Disable any inactive accounts if they have not been used for 90 consecutive days.
- Limit the number of consecutive invalid login attempts to 3.
- Enforce a minimum length of 15 characters.
- Require that at least one upper-case character be used.
- Require that at least one lower-case character be used.
- Require that at least one numeric character be used.
- Require that at least one special character be used.
- Prevent password reuse for at least 5 generations.

We understand this is a divergence from the standard, recommended Luna security policy. Please submit this password policy exception request to the Akamai InfoSec team for review. It has been approved by the security officer or administrator for the organization. The following is the approver's information:
Approver's Name:
Approver's Title: (must be security personnel for the organization)
Approver's Contact Information (necessary to validate this request):
Phone:
E-mail:
-------------

Complete the contact information fields if they haven't been prepopulated, and then click "Create Case".

b
If multifactor authentication is not supported and passwords must be used, the Akamai Luna Portal must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-76493 - SV-91189r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
AKSD-DM-000032
Vuln IDs
  • V-76493
Rule IDs
  • SV-91189r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-76153r1_chk

Verify the password must contain at least one special character. Contact the Akamai Professional Services team to verify the changes at 1-877-4-AKATEC (1-877-425-2832). If the password does not require at least one special character, this is a finding.

Fix: F-83171r1_fix

Open a ticket through the Akamai Customer Portal (Luna), https://control.akamai.com. Select the “Support” link; under the “OPEN A CASE” section, select "Business Support Issue or Question". The "Area" field should be "General Account Management". Service should be "Product Support". Once selected, a form will load where the subject should be "Password Security Policy Exception Request". The description should contain the following information with all fields completed. (Please note that if the character limit is exceeded, the following may be submitted as an attachment.)

-------------
Requester's name:
Requester's title:
Requester's organization/command:

We request the following exception(s) to the standard Akamai Luna password management policy to be applied to all accounts.
- Force password rotations to occur at least every 60 days.
- Disable any inactive accounts if they have not been used for 90 consecutive days.
- Limit the number of consecutive invalid login attempts to 3.
- Enforce a minimum length of 15 characters.
- Require that at least one upper-case character be used.
- Require that at least one lower-case character be used.
- Require that at least one numeric character be used.
- Require that at least one special character be used.
- Prevent password reuse for at least 5 generations.

We understand this is a divergence from the standard, recommended Luna security policy. Please submit this password policy exception request to the Akamai InfoSec team for review. It has been approved by the security officer or administrator for the organization. The following is the approver's information:
Approver's Name:
Approver's Title: (must be security personnel for the organization)
Approver's Contact Information (necessary to validate this request):
Phone:
E-mail:
-------------

Complete the contact information fields if they haven't been prepopulated, and then click "Create Case".

b
The Akamai Luna Portal must enforce a 60-day maximum password lifetime restriction.
IA-5 - Medium - CCI-000199 - V-76495 - SV-91191r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
AKSD-DM-000035
Vuln IDs
  • V-76495
Rule IDs
  • SV-91191r1_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the network device does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the passwords could be compromised. This requirement does not include emergency administration accounts, which are meant for access to the network device in case of failure. These accounts are not required to have maximum password lifetime restrictions.
Checks: C-76155r1_chk

Verify the 60-day maximum password lifetime restriction is enforced. Contact the Akamai Professional Services team to verify the changes at 1-877-4-AKATEC (1-877-425-2832). If the 60-day maximum password lifetime restriction is not enforced, this is a finding.

Fix: F-83173r1_fix

Open a ticket through the Akamai Customer Portal (Luna), https://control.akamai.com. Select the “Support” link; under the “OPEN A CASE” section, select "Business Support Issue or Question". The "Area" field should be "General Account Management". Service should be "Product Support". Once selected, a form will load where the subject should be "Password Security Policy Exception Request". The description should contain the following information with all fields completed. (Please note that if the character limit is exceeded, the following may be submitted as an attachment.)

-------------
Requester's name:
Requester's title:
Requester's organization/command:

We request the following exception(s) to the standard Akamai Luna password management policy to be applied to all accounts.
- Force password rotations to occur at least every 60 days.
- Disable any inactive accounts if they have not been used for 90 consecutive days.
- Limit the number of consecutive invalid login attempts to 3.
- Enforce a minimum length of 15 characters.
- Require that at least one upper-case character be used.
- Require that at least one lower-case character be used.
- Require that at least one numeric character be used.
- Require that at least one special character be used.
- Prevent password reuse for at least 5 generations.

We understand this is a divergence from the standard, recommended Luna security policy. Please submit this password policy exception request to the Akamai InfoSec team for review. It has been approved by the security officer or administrator for the organization. The following is the approver's information:
Approver's Name:
Approver's Title: (must be security personnel for the organization)
Approver's Contact Information (necessary to validate this request):
Phone:
E-mail:
-------------

Complete the contact information fields if they haven't been prepopulated, and then click "Create Case".

b
The Akamai Luna Portal must prohibit password reuse for a minimum of five generations.
IA-5 - Medium - CCI-000200 - V-76497 - SV-91193r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
AKSD-DM-000036
Vuln IDs
  • V-76497
Rule IDs
  • SV-91193r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the network device allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.
Checks: C-76157r1_chk

Verify that password reuse for a minimum of five generations is prohibited. Contact the Akamai Professional Services team to verify the changes at 1-877-4-AKATEC (1-877-425-2832). If password reuse for a minimum of five generations is not prohibited, this is a finding.

Fix: F-83175r1_fix

Open a ticket through the Akamai Customer Portal (Luna), https://control.akamai.com. Select the “Support” link; under the “OPEN A CASE” section, select "Business Support Issue or Question". The "Area" field should be "General Account Management". Service should be "Product Support". Once selected, a form will load where the subject should be "Password Security Policy Exception Request". The description should contain the following information with all fields completed. (Please note that if the character limit is exceeded, the following may be submitted as an attachment.)

-------------
Requester's name:
Requester's title:
Requester's organization/command:

We request the following exception(s) to the standard Akamai Luna password management policy to be applied to all accounts.
- Force password rotations to occur at least every 60 days.
- Disable any inactive accounts if they have not been used for 90 consecutive days.
- Limit the number of consecutive invalid login attempts to 3.
- Enforce a minimum length of 15 characters.
- Require that at least one upper-case character be used.
- Require that at least one lower-case character be used.
- Require that at least one numeric character be used.
- Require that at least one special character be used.
- Prevent password reuse for at least 5 generations.

We understand this is a divergence from the standard, recommended Luna security policy. Please submit this password policy exception request to the Akamai InfoSec team for review. It has been approved by the security officer or administrator for the organization. The following is the approver's information:
Approver's Name:
Approver's Title: (must be security personnel for the organization)
Approver's Contact Information (necessary to validate this request):
Phone:
E-mail:
-------------

Complete the contact information fields if they haven't been prepopulated, and then click "Create Case".
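The password requirements in this group of rules (lower-case, numeric and special characters, the 60-day maximum lifetime, five-generation reuse prohibition) and the full nine-item list in the exception request above are enforced by Akamai on the Luna side; an assessor cannot run code against the portal to verify them. The following is an added example, not Akamai's implementation or any code from this STIG, that expresses the nine listed values as checks over a constructed in-memory account record, so a reviewer can see precisely what each rule accepts and rejects. The Account dataclass, the PBKDF2 history hashing, and the sample passwords and dates are all assumptions made for the example.

```python
"""Password policy checks for the nine rules listed in the Luna exception request.

Constructed example: an in-memory account model, not Akamai's implementation.
"""
from __future__ import annotations

import hashlib
import hmac
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values exactly as listed in the exception request text.
MAX_PASSWORD_AGE_DAYS = 60
INACTIVITY_DISABLE_DAYS = 90
MAX_FAILED_ATTEMPTS = 3
MIN_LENGTH = 15
REUSE_GENERATIONS = 5
SPECIAL_CHARS = set(string.punctuation)


def complexity_findings(password: str) -> list[str]:
    """Return the complexity rules a candidate password violates; empty list means it passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        findings.append("no upper-case character")
    if not any(c.islower() for c in password):
        findings.append("no lower-case character")
    if not any(c.isdigit() for c in password):
        findings.append("no numeric character")
    if not any(c in SPECIAL_CHARS for c in password):
        findings.append("no special character")
    return findings


def hash_password(password: str, salt: bytes) -> str:
    """PBKDF2-SHA256 so the reuse history never stores plaintext; salt is per account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


@dataclass
class Account:
    salt: bytes                       # assumed per-account random salt
    password_set_at: datetime
    last_login_at: datetime
    password_history: list[str] = field(default_factory=list)  # hashes, oldest first
    failed_attempts: int = 0
    locked: bool = False


def password_reused(account: Account, candidate: str) -> bool:
    """True if the candidate matches any of the last REUSE_GENERATIONS passwords."""
    digest = hash_password(candidate, account.salt)
    recent = account.password_history[-REUSE_GENERATIONS:]
    return any(hmac.compare_digest(digest, old) for old in recent)


def set_password(account: Account, candidate: str, now: datetime) -> list[str]:
    """Apply complexity and reuse rules; on success record the hash and reset the age clock."""
    findings = complexity_findings(candidate)
    if password_reused(account, candidate):
        findings.append(f"reuses one of the last {REUSE_GENERATIONS} passwords")
    if findings:
        return findings
    account.password_history.append(hash_password(candidate, account.salt))
    account.password_set_at = now
    return []


def record_login_attempt(account: Account, succeeded: bool, now: datetime) -> bool:
    """Lockout rule: MAX_FAILED_ATTEMPTS consecutive failures lock the account. Returns whether access is granted."""
    if account.locked:
        return False
    if succeeded:
        account.failed_attempts = 0
        account.last_login_at = now
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False


def account_findings(account: Account, now: datetime) -> list[str]:
    """Time-based rules an auditor would check per account: rotation, inactivity, lockout state."""
    findings = []
    if now - account.password_set_at > timedelta(days=MAX_PASSWORD_AGE_DAYS):
        findings.append(f"password older than {MAX_PASSWORD_AGE_DAYS} days; rotation overdue")
    if now - account.last_login_at > timedelta(days=INACTIVITY_DISABLE_DAYS):
        findings.append(f"no login for {INACTIVITY_DISABLE_DAYS} days; account should be disabled")
    if account.locked:
        findings.append(f"locked after {MAX_FAILED_ATTEMPTS} consecutive invalid login attempts")
    return findings


def run_scenario() -> dict:
    """Constructed walk-through of the rules against one account; returns results for inspection."""
    now = datetime(2017, 9, 15)  # constructed date (the STIG publication date)
    acct = Account(salt=b"constructed-salt", password_set_at=now, last_login_at=now)
    results = {}
    results["initial_set"] = set_password(acct, "Tr0ub4dor&3xyzAB", now)         # accepted
    results["immediate_reuse"] = set_password(acct, "Tr0ub4dor&3xyzAB", now)     # rejected: reuse
    for i in range(1, REUSE_GENERATIONS + 1):                                    # rotate five times
        set_password(acct, f"Rotated-Secret-{i}x9!Q", now + timedelta(days=i))
    results["reuse_after_5"] = set_password(acct, "Tr0ub4dor&3xyzAB", now + timedelta(days=6))
    for _ in range(MAX_FAILED_ATTEMPTS):                                         # three bad logins
        record_login_attempt(acct, False, now)
    results["locked"] = acct.locked
    results["login_while_locked"] = record_login_attempt(acct, True, now)
    results["stale"] = account_findings(acct, now + timedelta(days=97))          # 91 days since set, 97 idle
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The reuse check keeps only the last five hashes in scope, so the original password becomes acceptable again on the sixth change, which is exactly what "five generations" permits; a stricter policy would simply raise REUSE_GENERATIONS. The lockout counter resets only on a successful login, and a locked account refuses even a correct password until an administrator clears the flag, mirroring the "consecutive invalid attempts" wording in the request.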

b
The Akamai Luna Portal must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 15 minutes of inactivity except to fulfill documented and validated mission requirements.
SC-10 - Medium - CCI-001133 - V-76499 - SV-91195r1_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
AKSD-DM-000038
Vuln IDs
  • V-76499
Rule IDs
  • SV-91195r1_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-76159r1_chk

Verify that all portal users have the session timeout duration set to 15 minutes: 1. Log in to the Luna Portal as an administrator. 2. Select Configure >> Manage Users & Groups. 3. Select each user and inspect the "Timeout" setting to verify it reads "After 15 Minutes". If the session timeout is not set to 15 minutes, this is a finding.

Fix: F-83177r1_fix

Set the session timeout duration to 15 minutes: 1. Log in to the Luna Portal as an administrator. 2. Select Configure >> Manage Users & Groups. 3. Select each user and adjust the "Timeout" setting to "After 15 Minutes".

c
The Akamai Luna Portal must employ Security Assertion Markup Language (SAML) to automate central management of administrators.
CM-6 - High - CCI-000366 - V-76501 - SV-91197r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
AKSD-DM-000117
Vuln IDs
  • V-76501
Rule IDs
  • SV-91197r1_rule
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.
Checks: C-76161r1_chk

Confirm that only SAML logins are enabled. 1. Log in to the Akamai Luna Portal (Caution-https://control.akamai.com). 2. Click "Configure" >> "Manage SSO with SAML". 3. Verify "SAML-only login:" is set to "enabled". If "SAML-only login:" is set to "disabled", this is a finding. NOTE: During the initial deployment and testing of the Luna Portal implementation, it will be necessary to allow other logins. However, production environments must meet this requirement.

Fix: F-83179r1_fix

Configure logins to require SAML integration. 1. Log in to the Akamai Luna Portal (Caution-https://control.akamai.com). 2. Click "Configure" >> "Manage SSO with SAML". 3. Click the "Enable" button next to the "SAML-only login:" label. 4. Click "Yes" when asked if you want to enable SAML-only login.

c
The Akamai Luna Portal must employ Single Sign On (SSO) with Security Assertion Markup Language (SAML) integration to verify authentication settings.
CM-6 - High - CCI-000366 - V-76503 - SV-91199r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
AKSD-DM-000118
Vuln IDs
  • V-76503
Rule IDs
  • SV-91199r1_rule
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.
Checks: C-76163r1_chk

Verify that the Luna portal is configured to use single sign-on (SSO) with SAML. 1. Log in to the Akamai Luna Portal (Caution-https://control.akamai.com). 2. Click "Configure" >> "Manage SSO with SAML". 3. Verify the identity provider's current SSO settings are configured properly. If SSO with SAML is not configured, this is a finding.

Fix: F-83181r1_fix

Configure the Luna portal to use single sign-on with SAML. 1. Log in to the Akamai Luna Portal (Caution-https://control.akamai.com). 2. Click "Configure" >> "Manage SSO with SAML". 3. Configure the identity provider's SSO settings as follows:
a. The strings in some fields—such as the local user attribute name (“userid”) and the last part of the service provider endpoint address (“.luna-sp.com”)—are pre-specified by Luna Control Center. Using the information about your identity provider (IDP), fill in the first three fields:
- Service Provider End-point
- Entity ID
- Single Sign-On URL
b. The next field, "Single Logout URL", is optional. If your SAML metadata includes this information and you wish to configure Single Logout, you may enter it here.
c. Enter an email address that should receive notifications from Luna Control Center.
d. Enter the x509c Certificate key.
e. The next field, Alternate x509c Certificate Key, is optional. If you have an alternate x509c Certificate key, you may enter it here. Having a second key can be convenient if your current key is nearing expiration and your IDP supports key rotation.
f. When the required information has been entered, click "Save" or click "Save & Activate".
- Click "Save" if you want to keep a draft of your configuration without activating it yet. In the "Manage Single Sign-On with SAML" application's main panel, "Inactive" then appears in the "Status" column of the new configuration. This means it has been saved but is not yet activated. You may repeat all steps to this point to create as many additional inactive SSO configurations as desired. They will all be listed and accessible from the main panel. (A filter is provided for convenience when dealing with long lists.) When you want to activate one of your saved but inactive configurations, select "Activate" from its gear icon. This action results in a progression of status messages, which may take up to 48 hours, starting with "Pending activation", then "Pending activation (DNS)", and finally "Active".
- Click "Save & Activate" if you want to immediately request activation of the new configuration. In the "Manage Single Sign-On with SAML" application's main panel, "Pending activation" then appears in the "Status" column of the new configuration, indicating that it has been saved and is awaiting activation. This action results in a progression of status messages, starting with "Pending activation (DNS)" and ending with "Active". You may repeat all steps to this point to create as many additional active configurations as desired.