IBM Aspera Platform 4.2 Security Technical Implementation Guide
Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]
Details
Version / Release: V1R1
Published: 2022-02-16
Updated At: 2022-04-06 01:05:43
Vuln | Rule | Version | CCI | Severity | Title | Description | Status | Finding Details | Comments |
---|---|---|---|---|---|---|---|---|---|
SV-252556r817838_rule | ASP4-00-010100 | CCI-001844 | MEDIUM | The IBM Aspera Platform must be configured to support centralized management and configuration. | Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The con | ||||
SV-252557r817841_rule | ASP4-00-010110 | CCI-000381 | MEDIUM | The IBM Aspera Platform must not have unnecessary services and functions enabled. | Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are | ||||
SV-252558r817844_rule | ASP4-CS-040110 | CCI-001948 | MEDIUM | IBM Aspera Console must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. | For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication | ||||
SV-252559r817847_rule | ASP4-CS-040120 | CCI-000162 | MEDIUM | The IBM Aspera Console must protect audit information from unauthorized read access. | Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured n | ||||
SV-252560r817850_rule | ASP4-CS-040130 | CCI-001493 | MEDIUM | The IBM Aspera Console must protect audit tools from unauthorized access. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network elements providing tools to interface w | ||||
SV-252561r817853_rule | ASP4-CS-040140 | CCI-000764 | MEDIUM | IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges. | User account and privilege validation must be centralized in order to prevent unauthorized access using changed or revoked privileges. IBM Aspera Console must use an IdP for authentication for security best practices. The IdP must not be installed on the | ||||
SV-252562r817856_rule | ASP4-CS-040150 | CCI-000068 | HIGH | The IBM Aspera Console feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) co | ||||
SV-252563r817859_rule | ASP4-CS-040160 | CCI-001133 | MEDIUM | IBM Aspera Console interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat | ||||
SV-252564r817862_rule | ASP4-CS-040170 | CCI-000192 | MEDIUM | IBM Aspera Console must enforce password complexity by requiring at least fifteen characters, with at least one upper case letter, one lower case letter, one number, and one symbol. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. | ||||
SV-252565r817865_rule | ASP4-CS-040180 | CCI-000044 | MEDIUM | IBM Aspera Console must lock accounts after three unsuccessful login attempts within a 15-minute timeframe. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. | ||||
SV-252566r817868_rule | ASP4-CS-040190 | CCI-000054 | MEDIUM | IBM Aspera Console must prevent concurrent logins for all accounts. | Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple sys | ||||
SV-252567r817871_rule | ASP4-CS-040200 | CCI-000200 | MEDIUM | IBM Aspera Console passwords must be prohibited from reuse for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password | ||||
SV-252568r817874_rule | ASP4-CS-040210 | CCI-000199 | MEDIUM | IBM Aspera Console user account passwords must have a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be c | ||||
SV-252569r817877_rule | ASP4-CS-040220 | CCI-000382 | MEDIUM | The IBM Aspera Console must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical po | ||||
SV-252570r817880_rule | ASP4-CS-040230 | CCI-001453 | HIGH | The IBM Aspera Console must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern | ||||
SV-252571r817883_rule | ASP4-CS-040240 | CCI-002165 | MEDIUM | The IBM Aspera Console private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. | ||||
SV-252572r817886_rule | ASP4-CS-040250 | CCI-002165 | MEDIUM | The IBM Aspera Console private/secret cryptographic keys file must be owned by root to prevent unauthorized read access. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. | ||||
SV-252573r817889_rule | ASP4-CS-040260 | CCI-002165 | MEDIUM | The IBM Aspera Console private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. | ||||
SV-252574r817892_rule | ASP4-CS-040270 | CCI-001494 | MEDIUM | The IBM Aspera Console feature audit tools must be protected from unauthorized modification or deletion. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network elements providing tools to interface w | ||||
SV-252575r817895_rule | ASP4-FA-050100 | CCI-001133 | MEDIUM | IBM Aspera Faspex interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat | ||||
SV-252576r817898_rule | ASP4-FA-050110 | CCI-002165 | MEDIUM | The IBM Aspera Faspex private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. | ||||
SV-252577r817901_rule | ASP4-FA-050120 | CCI-002041 | MEDIUM | IBM Aspera Faspex must allow the use of a temporary password for logins with an immediate change to a permanent password. | Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial login. Temporary passwords are typicall | ||||
SV-252578r817904_rule | ASP4-FA-050130 | CCI-000048 | LOW | IBM Aspera Faspex must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system. | Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standard | ||||
SV-252579r817907_rule | ASP4-FA-050140 | CCI-000795 | MEDIUM | IBM Aspera Faspex must disable account identifiers after 35 days of inactivity. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user acco | ||||
SV-252580r817910_rule | ASP4-FA-050150 | CCI-001948 | MEDIUM | IBM Aspera Faspex must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. | For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication | ||||
SV-252581r817913_rule | ASP4-FA-050170 | CCI-000044 | MEDIUM | IBM Aspera Faspex must lock accounts after three unsuccessful login attempts within a 15-minute timeframe. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. | ||||
SV-252582r817916_rule | ASP4-FA-050180 | CCI-000054 | MEDIUM | IBM Aspera Faspex must prevent concurrent logins for all accounts. | Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple sys | ||||
SV-252583r818123_rule | ASP4-FA-050190 | CCI-000192 | MEDIUM | IBM Aspera Faspex must require password complexity features to be enabled. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. | ||||
SV-252584r818985_rule | ASP4-FA-050200 | CCI-000804 | MEDIUM | IBM Aspera Faspex must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users | ||||
SV-252585r817925_rule | ASP4-FA-050210 | CCI-000200 | MEDIUM | IBM Aspera Faspex passwords must be prohibited from reuse for a minimum of five generations. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password | ||||
SV-252586r817928_rule | ASP4-FA-050220 | CCI-000199 | MEDIUM | IBM Aspera Faspex user account passwords must have a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be c | ||||
SV-252587r817931_rule | ASP4-FA-050230 | CCI-000068 | HIGH | The IBM Aspera Faspex feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) co | ||||
SV-252588r817934_rule | ASP4-FA-050240 | CCI-000382 | MEDIUM | IBM Aspera Faspex must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical po | ||||
SV-252589r817937_rule | ASP4-FA-050250 | CCI-000764 | MEDIUM | IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga | ||||
SV-252590r817940_rule | ASP4-FA-050260 | CCI-001453 | HIGH | IBM Aspera Faspex must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern | ||||
SV-252591r817943_rule | ASP4-FA-050270 | CCI-001199 | MEDIUM | IBM Aspera Faspex must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern | ||||
SV-252592r817946_rule | ASP4-FA-050280 | CCI-000162 | MEDIUM | IBM Aspera Faspex must protect audit information from unauthorized modification. | If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must | ||||
SV-252593r817949_rule | ASP4-FA-050290 | CCI-002165 | MEDIUM | The IBM Aspera Faspex private/secret cryptographic keys file must be group-owned by faspex to prevent unauthorized read access. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. | ||||
SV-252594r817952_rule | ASP4-FA-050300 | CCI-002165 | MEDIUM | The IBM Aspera Faspex private/secret cryptographic keys file must be owned by faspex to prevent unauthorized read access. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. | ||||
SV-252595r817955_rule | ASP4-FA-050310 | CCI-000213 | MEDIUM | The IBM Aspera Faspex Server must restrict users from using transfer services by default. | Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD syst | ||||
SV-252596r817958_rule | ASP4-FA-050320 | CCI-000213 | MEDIUM | The IBM Aspera Faspex Server must restrict users read, write, and browse permissions by default. | Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD syst | ||||
SV-252597r817961_rule | ASP4-SH-060100 | CCI-001133 | MEDIUM | The IBM Aspera Shares interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat | ||||
SV-252598r817964_rule | ASP4-SH-060110 | CCI-000048 | LOW | IBM Aspera Shares must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system. | Display of a standardized and approved use notification before granting access to the publicly accessible network element ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, pol | ||||
SV-252599r817967_rule | ASP4-SH-060120 | CCI-001948 | MEDIUM | IBM Aspera Shares must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. | For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication | ||||
SV-252600r817970_rule | ASP4-SH-060130 | CCI-000044 | MEDIUM | IBM Aspera Shares must lock accounts after three unsuccessful login attempts within a 15-minute timeframe. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. | ||||
SV-252601r817973_rule | ASP4-SH-060140 | CCI-000192 | MEDIUM | IBM Aspera Shares must require password complexity features to be enabled. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. | ||||
SV-252602r817976_rule | ASP4-SH-060150 | CCI-000804 | MEDIUM | IBM Aspera Shares must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users | ||||
SV-252603r817979_rule | ASP4-SH-060160 | CCI-000199 | MEDIUM | IBM Aspera Shares user account passwords must have a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be c | ||||
SV-252604r817982_rule | ASP4-SH-060170 | CCI-000068 | HIGH | The IBM Aspera Shares feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) co | ||||
SV-252605r817985_rule | ASP4-SH-060180 | CCI-000382 | MEDIUM | IBM Aspera Shares must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical po | ||||
SV-252606r817988_rule | ASP4-SH-060190 | CCI-000764 | MEDIUM | IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organ | ||||
SV-252607r817991_rule | ASP4-SH-060200 | CCI-001453 | HIGH | IBM Aspera Shares feature must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern | ||||
SV-252608r817994_rule | ASP4-SH-060210 | CCI-001199 | MEDIUM | IBM Aspera Shares must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern | ||||
SV-252609r817997_rule | ASP4-SH-060220 | CCI-000162 | MEDIUM | IBM Aspera Shares must protect audit information from unauthorized deletion. | If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must | ||||
SV-252610r818000_rule | ASP4-SH-060230 | CCI-002165 | MEDIUM | The IBM Aspera Shares private/secret cryptographic keys file must be group-owned by nobody to prevent unauthorized read access. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. | ||||
SV-252611r818003_rule | ASP4-SH-060240 | CCI-002165 | MEDIUM | The IBM Aspera Shares private/secret cryptographic keys file must be owned by nobody to prevent unauthorized read access. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. | ||||
SV-252612r818006_rule | ASP4-SH-060250 | CCI-002165 | MEDIUM | The IBM Aspera Shares private/secret cryptographic keys file must have a mode of 0400 or less permissive to prevent unauthorized read access. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. | ||||
SV-252613r818009_rule | ASP4-TE-030100 | CCI-000068 | HIGH | The IBM Aspera High-Speed Transfer Endpoint must be configured to comply with the required TLS settings in NIST SP 800-52. | SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploi | ||||
SV-252614r818012_rule | ASP4-TE-030110 | CCI-000382 | MEDIUM | The IBM Aspera High-Speed Transfer Endpoint must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical po | ||||
SV-252615r818015_rule | ASP4-TE-030120 | CCI-001184 | MEDIUM | The IBM Aspera High-Speed Transfer Endpoint must be configured to protect the authenticity of communications sessions. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications protection for the application session rather than for the ne | ||||
SV-252616r818018_rule | ASP4-TE-030140 | CCI-000068 | HIGH | The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern | ||||
SV-252617r818021_rule | ASP4-TE-030150 | CCI-002475 | MEDIUM | The IBM Aspera High-Speed Transfer Endpoint must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR). | Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi | ||||
SV-252618r818024_rule | ASP4-TE-030160 | CCI-000213 | MEDIUM | The IBM Aspera High-Speed Transfer Endpoint must enable password protection of the node database. | Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi | ||||
SV-252619r818027_rule | ASP4-TE-030170 | CCI-001453 | MEDIUM | The IBM Aspera High-Speed Transfer Endpoint must have a master-key set to encrypt the dynamic token encryption key. | Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi | ||||
SV-252620r818030_rule | ASP4-TE-030180 | CCI-000054 | MEDIUM | The IBM Aspera High-Speed Transfer Endpoint must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. | Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addres | ||||
SV-252621r818033_rule | ASP4-TE-030190 | CCI-002475 | MEDIUM | The IBM Aspera High-Speed Transfer Endpoint must not store group content-protection secrets in plain text. | Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi | ||||
SV-252622r818036_rule | ASP4-TE-030200 | CCI-002475 | MEDIUM | The IBM Aspera High-Speed Transfer Endpoint must not store node content-protection secrets in plain text. | Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi | ||||
SV-252623r818039_rule | ASP4-TE-030210 | CCI-002475 | MEDIUM | The IBM Aspera High-Speed Transfer Endpoint must not store user content-protection secrets in plain text. | Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi | ||||
SV-252624r818042_rule | ASP4-TE-030220 | CCI-000213 | MEDIUM | The IBM Aspera High-Speed Transfer Endpoint must restrict users from using transfer services by default. | Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD syst | ||||
SV-252625r818045_rule | ASP4-TE-030230 | CCI-000213 | MEDIUM | The IBM Aspera High-Speed Transfer Endpoint must restrict users read, write, and browse permissions by default. | Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD syst | ||||
SV-252626r818048_rule | ASP4-TE-030240 | CCI-002007 | MEDIUM | The IBM Aspera High-Speed Transfer Endpoint must prohibit the use of cached authenticators after an organization-defined time period. | If the cached authenticator information is out of date, the validity of the authentication information may be questionable. This requirement applies to all ALGs that may cache user authenticators for use throughout a session. It also applies to ALGs that | ||||
SV-252627r818051_rule | ASP4-TS-020100 | CCI-000068 | HIGH | The IBM Aspera High-Speed Transfer Server must be configured to comply with the required TLS settings in NIST SP 800-52. | SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploi | ||||
SV-252628r818054_rule | ASP4-TS-020110 | CCI-000382 | MEDIUM | The IBM Aspera High-Speed Transfer Server must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po | ||||
SV-252629r818057_rule | ASP4-TS-020120 | CCI-001184 | MEDIUM | The IBM Aspera High-Speed Transfer Server must be configured to protect the authenticity of communications sessions. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications protection for the application session rather than for the ne | ||||
SV-252630r818060_rule | ASP4-TS-020140 | CCI-000068 | HIGH | The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern | ||||
SV-252631r818063_rule | ASP4-TS-020150 | CCI-002696 | MEDIUM | The IBM Aspera High-Speed Transfer Server must configure the SELinux context type to allow the "aspshell". | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the | ||||
SV-252632r818066_rule | ASP4-TS-020160 | CCI-002475 | MEDIUM | The IBM Aspera High-Speed Transfer Server must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR). | Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi | ||||
SV-252633r818069_rule | ASP4-TS-020170 | CCI-000213 | MEDIUM | The IBM Aspera High-Speed Transfer Server must enable password protection of the node database. | Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi | ||||
SV-252634r818072_rule | ASP4-TS-020180 | CCI-000068 | MEDIUM | The IBM Aspera High-Speed Transfer Server must enable the use of dynamic token encryption keys. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The dynamic token encryption key is used for encrypting authorization tokens dynamically for improved security an | ||||
SV-252635r818075_rule | ASP4-TS-020190 | CCI-001453 | MEDIUM | The IBM Aspera High-Speed Transfer Server must have a master-key set to encrypt the dynamic token encryption key. | Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi | ||||
SV-252636r818078_rule | ASP4-TS-020200 | CCI-000054 | MEDIUM | The IBM Aspera High-Speed Transfer Server must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. | Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of concurrent sessions per user is helpful in limiting risks related to DoS attacks. This requirement addres | ||||
SV-252637r818081_rule | ASP4-TS-020210 | CCI-002475 | MEDIUM | The IBM Aspera High-Speed Transfer Server must not store group content-protection secrets in plain text. | Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi | ||||
SV-252638r819065_rule | ASP4-TS-020220 | CCI-002475 | MEDIUM | The IBM Aspera High-Speed Transfer Server must not store node content-protection secrets in plain text. | Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi | ||||
SV-252639r819067_rule | ASP4-TS-020230 | CCI-002475 | MEDIUM | The IBM Aspera High-Speed Transfer Server must not store user content-protection secrets in plain text. | Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi | ||||
SV-252640r818090_rule | ASP4-TS-020240 | CCI-000382 | MEDIUM | The IBM Aspera High-Speed Transfer Server must not use the root account for transfers. | By incorporating a least privilege approach to the configuration of the Aspera HSTS platform, this will reduce the exposure of privileged accounts. By default, all system users can establish a FASP connection and are only restricted by file permissions. | ||||
SV-252641r818093_rule | ASP4-TS-020250 | CCI-000382 | MEDIUM | The IBM Aspera High-Speed Transfer Server must restrict Aspera transfer users to a limited part of the server's file system. | By restricting the transfer users to a limited part of the server's file system, this prevents unauthorized data transfers. By default, all system users can establish a FASP connection and are only restricted by file permissions. | ||||
SV-252642r818096_rule | ASP4-TS-020260 | CCI-000764 | MEDIUM | The IBM Aspera High-Speed Transfer Server must restrict the transfer user(s) to the "aspshell". | By default, all system users can establish a FASP connection and are only restricted by file permissions. Restrict the user's file operations by assigning them to use aspshell, which permits only the following operations: Running Aspera uploads and downlo | ||||
SV-252643r818099_rule | ASP4-TS-020270 | CCI-000213 | MEDIUM | The IBM Aspera High-Speed Transfer Server must restrict users from using transfer services by default. | Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD syst | ||||
SV-252644r818102_rule | ASP4-TS-020280 | CCI-000213 | MEDIUM | The IBM Aspera High-Speed Transfer Server must restrict users' read, write, and browse permissions by default. | Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD syst | ||||
SV-252645r818105_rule | ASP4-TS-020290 | CCI-000382 | MEDIUM | The IBM Aspera High-Speed Transfer Server must set the default docroot to an empty folder. | By restricting the default document root for the Aspera HSTS, this allows for explicit access to be defined on a per user basis. By default, all system users can establish a FASP connection and are only restricted by file permissions. | ||||
SV-252646r818108_rule | ASP4-TS-020300 | CCI-002165 | MEDIUM | The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. The rootkeystore.db functions as a backup and ma | ||||
SV-252647r818111_rule | ASP4-TS-020310 | CCI-002165 | MEDIUM | The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be owned by root to prevent unauthorized read access. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. The rootkeystore.db functions as a backup and ma | ||||
SV-252648r818114_rule | ASP4-TS-020320 | CCI-002165 | MEDIUM | The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. The rootkeystore.db functions as a backup and ma | ||||
SV-252649r818117_rule | ASP4-TS-020330 | CCI-002007 | MEDIUM | The IBM Aspera High-Speed Transfer Server must prohibit the use of cached authenticators after an organization-defined time period. | If the cached authenticator information is out of date, the validity of the authentication information may be questionable. This requirement applies to all ALGs that may cache user authenticators for use throughout a session. It also applies to ALGs that | ||||