ForeScout CounterACT NDM Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2017-09-19

Updated At: 2018-09-23 19:13:08

Actions

Download

Filter


Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-90881r1_rule CACT-NM-000020 CCI-000044 MEDIUM For the local account, CounterACT must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Nonlocal account are configured on the authentication server.
    SV-90883r1_rule CACT-NM-000021 CCI-000048 LOW CounterACT must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. Display of the DoD-approved use notification before granting access to CounterACT ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guida
    SV-90885r1_rule CACT-NM-000032 CCI-000194 MEDIUM CounterACT must enforce password complexity by requiring that at least one numeric character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
    SV-90887r1_rule CACT-NM-000034 CCI-000199 MEDIUM CounterACT must enforce a 60-day maximum password lifetime restriction. Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the network device does not lim
    SV-90889r1_rule CACT-NM-000031 CCI-000200 MEDIUM CounterACT must prohibit password reuse for a minimum of five generations. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the ne
    SV-90891r1_rule CACT-NM-000030 CCI-000205 MEDIUM CounterACT must enforce a minimum 15-character password length. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a passwor
    SV-90893r1_rule CACT-NM-000011 CCI-000345 MEDIUM CounterACT must enforce access restrictions associated with changes to the system components. Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device fo
    SV-90895r1_rule CACT-NM-000010 CCI-000366 LOW CounterACT must generate audit log events for a locally developed list of auditable events. Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or identify an improperly configured network dev
    SV-90897r1_rule CACT-NM-000013 CCI-000366 MEDIUM CounterACT must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner. System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backu
    SV-90899r1_rule CACT-NM-000014 CCI-000366 LOW CounterACT must support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner. Information system backup is a critical step in maintaining data assurance and availability. Information system and security-related documentation contains information pertaining to system configuration and security settings. If this information were not
    SV-90901r1_rule CACT-NM-000015 CCI-000366 MEDIUM CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider. For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Aut
    SV-90903r1_rule CACT-NM-000016 CCI-000366 MEDIUM CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider. For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Aut
    SV-90905r1_rule CACT-NM-000009 CCI-000366 MEDIUM CounterACT must enable Threat Protection notifications to alert security personnel to Cyber events detected by a CounterACT IAW CJCSM 6510.01B. CJCSM 6510.01B, "Cyber Incident Handling Program", in subsection e.(6)(c) sets forth requirements for Cyber events detected by an automated system. By immediately displaying an alarm message, potential security violations can be identified more quickly e
    SV-90907r1_rule CACT-NM-000041 CCI-000366 HIGH CounterACT appliances performing maintenance functions must restrict use of these functions to authorized personal only. There are security-related issues arising from software brought into the network device specifically for diagnostic and repair actions (e.g., a software packet sniffer installed on a device to troubleshoot system traffic or a vendor installing or running
    SV-90909r1_rule CACT-NM-000044 CCI-000366 MEDIUM CounterACT must employ automated mechanisms to centrally apply authentication settings. The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without
    SV-90911r1_rule CACT-NM-000025 CCI-000382 HIGH CounterACT must disable all unnecessary and/or nonsecure plugins. CounterACT is capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide mu
    SV-90913r1_rule CACT-NM-000001 CCI-001133 MEDIUM CounterACT must terminate all network connections associated with an Enterprise Manager Console session upon Exit, or session disconnection, or after 10 minutes of inactivity, except where prevented by documented and validated mission requirements. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
    SV-90915r1_rule CACT-NM-000002 CCI-001133 MEDIUM CounterACT must terminate all network connections associated with an SSH connection session upon Exit, session disconnection, or after 10 minutes of inactivity, except where prevented by documented and validated mission requirements. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
    SV-90917r1_rule CACT-NM-000003 CCI-001199 MEDIUM CounterACT must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media. This protection is required to prevent unauthorized alteration, corruption, or disclosure of information when not stored directly on the network device. Files on the network device or on removable media used by the device must have their permissions set
    SV-90919r1_rule CACT-NM-000023 CCI-001348 MEDIUM If any logs are stored locally which are not sent to the centralized audit server, CounterACT must back up audit records at least every seven days onto a different system or system component than the system or component being audited. Protection of log data includes ensuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to ensure, in the event of a catastrophic system fai
    SV-90921r1_rule CACT-NM-000024 CCI-001499 MEDIUM CounterACT must limit privileges to change the software resident within software libraries. Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementi
    SV-90923r1_rule CACT-NM-000033 CCI-001619 MEDIUM CounterACT must enforce password complexity by requiring that at least one special character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
    SV-90925r1_rule CACT-NM-000042 CCI-001851 MEDIUM CounterACT must sent audit logs to a centralized audit server (i.e., syslog server). Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
    SV-90927r1_rule CACT-NM-000007 CCI-001890 MEDIUM CounterACT must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC). If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time. Time is expressed in UTC.
    SV-90929r1_rule CACT-NM-000038 CCI-000366 MEDIUM CounterACT must be configured to synchronize internal information system clocks with the organizations primary and secondary NTP servers. The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by in
    SV-90931r1_rule CACT-NM-000005 CCI-001914 MEDIUM CounterACT must restrict the ability to change the auditing to be performed within the system log based on selectable event criteria to the audit administrators role or to other roles or individuals. If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important forensic information may be lost. This requirement enable
    SV-90933r1_rule CACT-NM-000039 CCI-001967 MEDIUM CounterACT must authenticate any endpoint used for network management before establishing a local, remote, and/or network connection using cryptographically based bidirectional authentication. Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of gre
    SV-90935r1_rule CACT-NM-000040 CCI-001967 HIGH CounterACT must authenticate SNMPv3 endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of gre
    SV-90937r1_rule CACT-NM-000027 CCI-001358 MEDIUM In the event the authentication server is unavailable, one local account must be created for use as the account of last resort. Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on CounterACT's local database for use in an emergency, such as when the authentication server is down or connectivity between th
    SV-90939r1_rule CACT-NM-000035 CCI-002238 MEDIUM CounterACT must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
    SV-90941r1_rule CACT-NM-000149 CCI-002142 MEDIUM The network device must terminate shared/group account credentials when members leave the group. A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. If shared/group account credentials are not terminated when individuals leave the group, the user th
    SV-90943r1_rule CACT-NM-000086 CCI-000366 LOW The network device must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management. The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without
    SV-90945r1_rule CACT-NM-000022 CCI-000050 LOW CounterACT must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access. The administrator must acknowledge the banner prior to CounterACT allowing the administrator access to CounterACT. This provides assurance that the administrator has seen the message and accepted the conditions for access. If the consent banner is not ack
    SV-90947r1_rule CACT-NM-000036 CCI-001891 MEDIUM CounterACT must compare internal information systems clocks at least every 24 hours with an authoritative time server. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.
    SV-90949r1_rule CACT-NM-000012 CCI-000366 MEDIUM Administrative accounts for device management must be configured on the authentication server and not the network device itself (except for the account of last resort). The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without
    SV-90951r1_rule CACT-NM-000147 CCI-000192 MEDIUM If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one upper-case character be used. Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
    SV-90953r1_rule CACT-NM-000148 CCI-000193 MEDIUM If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one lower-case character be used. Some devices may not have the need to provide a group authenticator; this is considered a matter of device design. In those instances where the device design includes the use of a group authenticator, this requirement will apply. This requirement applies
    SV-90955r1_rule CACT-NM-000051 CCI-000054 LOW CounterACT must limit the number of concurrent sessions to an organization-defined number for each administrator account type. Network device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator is helpful in limiting risks related to DoS a