IBM Aspera Platform 4.2 Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2022-02-16

Updated At: 2022-04-06 01:05:43


    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-252556r817838_rule ASP4-00-010100 CCI-001844 MEDIUM The IBM Aspera Platform must be configured to support centralized management and configuration. Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The con
    SV-252557r817841_rule ASP4-00-010110 CCI-000381 MEDIUM The IBM Aspera Platform must not have unnecessary services and functions enabled. Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are
    SV-252558r817844_rule ASP4-CS-040110 CCI-001948 MEDIUM IBM Aspera Console must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication
    SV-252559r817847_rule ASP4-CS-040120 CCI-000162 MEDIUM The IBM Aspera Console must protect audit information from unauthorized read access. Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured n
    SV-252560r817850_rule ASP4-CS-040130 CCI-001493 MEDIUM The IBM Aspera Console must protect audit tools from unauthorized access. Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network elements providing tools to interface w
    SV-252561r817853_rule ASP4-CS-040140 CCI-000764 MEDIUM IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges. User account and privilege validation must be centralized in order to prevent unauthorized access using changed or revoked privileges. IBM Aspera Console must use an IdP for authentication for security best practices. The IdP must not be installed on the
    SV-252562r817856_rule ASP4-CS-040150 CCI-000068 HIGH The IBM Aspera Console feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) co
    SV-252563r817859_rule ASP4-CS-040160 CCI-001133 MEDIUM IBM Aspera Console interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
    SV-252564r817862_rule ASP4-CS-040170 CCI-000192 MEDIUM IBM Aspera Console must enforce password complexity by requiring at least fifteen characters, with at least one upper case letter, one lower case letter, one number, and one symbol. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
    SV-252565r817865_rule ASP4-CS-040180 CCI-000044 MEDIUM IBM Aspera Console must lock accounts after three unsuccessful login attempts within a 15-minute timeframe. By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
    SV-252566r817868_rule ASP4-CS-040190 CCI-000054 MEDIUM IBM Aspera Console must prevent concurrent logins for all accounts. Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple sys
    SV-252567r817871_rule ASP4-CS-040200 CCI-000200 MEDIUM IBM Aspera Console passwords must be prohibited from reuse for a minimum of five generations. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password
    SV-252568r817874_rule ASP4-CS-040210 CCI-000199 MEDIUM IBM Aspera Console user account passwords must have a 60-day maximum password lifetime restriction. Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be c
    SV-252569r817877_rule ASP4-CS-040220 CCI-000382 MEDIUM The IBM Aspera Console must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical po
    SV-252570r817880_rule ASP4-CS-040230 CCI-001453 HIGH The IBM Aspera Console must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers. Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern
    SV-252571r817883_rule ASP4-CS-040240 CCI-002165 MEDIUM The IBM Aspera Console private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access. Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
    SV-252572r817886_rule ASP4-CS-040250 CCI-002165 MEDIUM The IBM Aspera Console private/secret cryptographic keys file must be owned by root to prevent unauthorized read access. Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
    SV-252573r817889_rule ASP4-CS-040260 CCI-002165 MEDIUM The IBM Aspera Console private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access. Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
    SV-252574r817892_rule ASP4-CS-040270 CCI-001494 MEDIUM The IBM Aspera Console feature audit tools must be protected from unauthorized modification or deletion. Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network elements providing tools to interface w
    SV-252575r817895_rule ASP4-FA-050100 CCI-001133 MEDIUM IBM Aspera Faspex interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
    SV-252576r817898_rule ASP4-FA-050110 CCI-002165 MEDIUM The IBM Aspera Faspex private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access. Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
    SV-252577r817901_rule ASP4-FA-050120 CCI-002041 MEDIUM IBM Aspera Faspex must allow the use of a temporary password for logins with an immediate change to a permanent password. Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial login. Temporary passwords are typicall
    SV-252578r817904_rule ASP4-FA-050130 CCI-000048 LOW IBM Aspera Faspex must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system. Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standard
    SV-252579r817907_rule ASP4-FA-050140 CCI-000795 MEDIUM IBM Aspera Faspex must disable account identifiers after 35 days of inactivity. Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user acco
    SV-252580r817910_rule ASP4-FA-050150 CCI-001948 MEDIUM IBM Aspera Faspex must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication
    SV-252581r817913_rule ASP4-FA-050170 CCI-000044 MEDIUM IBM Aspera Faspex must lock accounts after three unsuccessful login attempts within a 15-minute timeframe. By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
    SV-252582r817916_rule ASP4-FA-050180 CCI-000054 MEDIUM IBM Aspera Faspex must prevent concurrent logins for all accounts. Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple sys
    SV-252583r818123_rule ASP4-FA-050190 CCI-000192 MEDIUM IBM Aspera Faspex must require password complexity features to be enabled. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
    SV-252584r818985_rule ASP4-FA-050200 CCI-000804 MEDIUM IBM Aspera Faspex must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users
    SV-252585r817925_rule ASP4-FA-050210 CCI-000200 MEDIUM IBM Aspera Faspex passwords must be prohibited from reuse for a minimum of five generations. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password
    SV-252586r817928_rule ASP4-FA-050220 CCI-000199 MEDIUM IBM Aspera Faspex user account passwords must have a 60-day maximum password lifetime restriction. Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be c
    SV-252587r817931_rule ASP4-FA-050230 CCI-000068 HIGH The IBM Aspera Faspex feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) co
    SV-252588r817934_rule ASP4-FA-050240 CCI-000382 MEDIUM IBM Aspera Faspex must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical po
    SV-252589r817937_rule ASP4-FA-050250 CCI-000764 MEDIUM IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-252590r817940_rule ASP4-FA-050260 CCI-001453 HIGH IBM Aspera Faspex must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers. Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern
    SV-252591r817943_rule ASP4-FA-050270 CCI-001199 MEDIUM IBM Aspera Faspex must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern
    SV-252592r817946_rule ASP4-FA-050280 CCI-000162 MEDIUM IBM Aspera Faspex must protect audit information from unauthorized modification. If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must
    SV-252593r817949_rule ASP4-FA-050290 CCI-002165 MEDIUM The IBM Aspera Faspex private/secret cryptographic keys file must be group-owned by faspex to prevent unauthorized read access. Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
    SV-252594r817952_rule ASP4-FA-050300 CCI-002165 MEDIUM The IBM Aspera Faspex private/secret cryptographic keys file must be owned by faspex to prevent unauthorized read access. Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
    SV-252595r817955_rule ASP4-FA-050310 CCI-000213 MEDIUM The IBM Aspera Faspex Server must restrict users from using transfer services by default. Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD syst
    SV-252596r817958_rule ASP4-FA-050320 CCI-000213 MEDIUM The IBM Aspera Faspex Server must restrict users read, write, and browse permissions by default. Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD syst
    SV-252597r817961_rule ASP4-SH-060100 CCI-001133 MEDIUM The IBM Aspera Shares interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
    SV-252598r817964_rule ASP4-SH-060110 CCI-000048 LOW IBM Aspera Shares must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system. Display of a standardized and approved use notification before granting access to the publicly accessible network element ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, pol
    SV-252599r817967_rule ASP4-SH-060120 CCI-001948 MEDIUM IBM Aspera Shares must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication
    SV-252600r817970_rule ASP4-SH-060130 CCI-000044 MEDIUM IBM Aspera Shares must lock accounts after three unsuccessful login attempts within a 15-minute timeframe. By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
    SV-252601r817973_rule ASP4-SH-060140 CCI-000192 MEDIUM IBM Aspera Shares must require password complexity features to be enabled. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
    SV-252602r817976_rule ASP4-SH-060150 CCI-000804 MEDIUM IBM Aspera Shares must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users
    SV-252603r817979_rule ASP4-SH-060160 CCI-000199 MEDIUM IBM Aspera Shares user account passwords must have a 60-day maximum password lifetime restriction. Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be c
    SV-252604r817982_rule ASP4-SH-060170 CCI-000068 HIGH The IBM Aspera Shares feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) co
    SV-252605r817985_rule ASP4-SH-060180 CCI-000382 MEDIUM IBM Aspera Shares must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical po
    SV-252606r817988_rule ASP4-SH-060190 CCI-000764 MEDIUM IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organ
    SV-252607r817991_rule ASP4-SH-060200 CCI-001453 HIGH IBM Aspera Shares feature must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers. Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern
    SV-252608r817994_rule ASP4-SH-060210 CCI-001199 MEDIUM IBM Aspera Shares must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern
    SV-252609r817997_rule ASP4-SH-060220 CCI-000162 MEDIUM IBM Aspera Shares must protect audit information from unauthorized deletion. If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must
    SV-252610r818000_rule ASP4-SH-060230 CCI-002165 MEDIUM The IBM Aspera Shares private/secret cryptographic keys file must be group-owned by nobody to prevent unauthorized read access. Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
    SV-252611r818003_rule ASP4-SH-060240 CCI-002165 MEDIUM The IBM Aspera Shares private/secret cryptographic keys file must be owned by nobody to prevent unauthorized read access. Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
    SV-252612r818006_rule ASP4-SH-060250 CCI-002165 MEDIUM The IBM Aspera Shares private/secret cryptographic keys file must have a mode of 0400 or less permissive to prevent unauthorized read access. Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
    SV-252613r818009_rule ASP4-TE-030100 CCI-000068 HIGH The IBM Aspera High-Speed Transfer Endpoint must be configured to comply with the required TLS settings in NIST SP 800-52. SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploi
    SV-252614r818012_rule ASP4-TE-030110 CCI-000382 MEDIUM The IBM Aspera High-Speed Transfer Endpoint must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical po
    SV-252615r818015_rule ASP4-TE-030120 CCI-001184 MEDIUM The IBM Aspera High-Speed Transfer Endpoint must be configured to protect the authenticity of communications sessions. Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications protection for the application session rather than for the ne
    SV-252616r818018_rule ASP4-TE-030140 CCI-000068 HIGH The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern
    SV-252617r818021_rule ASP4-TE-030150 CCI-002475 MEDIUM The IBM Aspera High-Speed Transfer Endpoint must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR). Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi
    SV-252618r818024_rule ASP4-TE-030160 CCI-000213 MEDIUM The IBM Aspera High-Speed Transfer Endpoint must enable password protection of the node database. Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi
    SV-252619r818027_rule ASP4-TE-030170 CCI-001453 MEDIUM The IBM Aspera High-Speed Transfer Endpoint must have a master-key set to encrypt the dynamic token encryption key. Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi
    SV-252620r818030_rule ASP4-TE-030180 CCI-000054 MEDIUM The IBM Aspera High-Speed Transfer Endpoint must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addres
    SV-252621r818033_rule ASP4-TE-030190 CCI-002475 MEDIUM The IBM Aspera High-Speed Transfer Endpoint must not store group content-protection secrets in plain text. Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi
    SV-252622r818036_rule ASP4-TE-030200 CCI-002475 MEDIUM The IBM Aspera High-Speed Transfer Endpoint must not store node content-protection secrets in plain text. Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi
    SV-252623r818039_rule ASP4-TE-030210 CCI-002475 MEDIUM The IBM Aspera High-Speed Transfer Endpoint must not store user content-protection secrets in plain text. Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi
    SV-252624r818042_rule ASP4-TE-030220 CCI-000213 MEDIUM The IBM Aspera High-Speed Transfer Endpoint must restrict users from using transfer services by default. Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD syst
    SV-252625r818045_rule ASP4-TE-030230 CCI-000213 MEDIUM The IBM Aspera High-Speed Transfer Endpoint must restrict users read, write, and browse permissions by default. Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD syst
    SV-252626r818048_rule ASP4-TE-030240 CCI-002007 MEDIUM The IBM Aspera High-Speed Transfer Endpoint must prohibit the use of cached authenticators after an organization-defined time period. If the cached authenticator information is out of date, the validity of the authentication information may be questionable. This requirement applies to all ALGs that may cache user authenticators for use throughout a session. It also applies to ALGs that
    SV-252627r818051_rule ASP4-TS-020100 CCI-000068 HIGH The IBM Aspera High-Speed Transfer Server must be configured to comply with the required TLS settings in NIST SP 800-52. SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploi
    SV-252628r818054_rule ASP4-TS-020110 CCI-000382 MEDIUM The IBM Aspera High-Speed Transfer Server must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-252629r818057_rule ASP4-TS-020120 CCI-001184 MEDIUM The IBM Aspera High-Speed Transfer Server must be configured to protect the authenticity of communications sessions. Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications protection for the application session rather than for the ne
    SV-252630r818060_rule ASP4-TS-020140 CCI-000068 HIGH The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an extern
    SV-252631r818063_rule ASP4-TS-020150 CCI-002696 MEDIUM The IBM Aspera High-Speed Transfer Server must configure the SELinux context type to allow the "aspshell". Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the
    SV-252632r818066_rule ASP4-TS-020160 CCI-002475 MEDIUM The IBM Aspera High-Speed Transfer Server must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR). Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi
    SV-252633r818069_rule ASP4-TS-020170 CCI-000213 MEDIUM The IBM Aspera High-Speed Transfer Server must enable password protection of the node database. Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi
    SV-252634r818072_rule ASP4-TS-020180 CCI-000068 MEDIUM The IBM Aspera High-Speed Transfer Server must enable the use of dynamic token encryption keys. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The dynamic token encryption key is used for encrypting authorization tokens dynamically for improved security an
    SV-252635r818075_rule ASP4-TS-020190 CCI-001453 MEDIUM The IBM Aspera High-Speed Transfer Server must have a master-key set to encrypt the dynamic token encryption key. Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi
    SV-252636r818078_rule ASP4-TS-020200 CCI-000054 MEDIUM The IBM Aspera High-Speed Transfer Server must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types. Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addres
    SV-252637r818081_rule ASP4-TS-020210 CCI-002475 MEDIUM The IBM Aspera High-Speed Transfer Server must not store group content-protection secrets in plain text. Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi
    SV-252638r819065_rule ASP4-TS-020220 CCI-002475 MEDIUM The IBM Aspera High-Speed Transfer Server must not store node content-protection secrets in plain text. Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi
    SV-252639r819067_rule ASP4-TS-020230 CCI-002475 MEDIUM The IBM Aspera High-Speed Transfer Server must not store user content-protection secrets in plain text. Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive securi
    SV-252640r818090_rule ASP4-TS-020240 CCI-000382 MEDIUM The IBM Aspera High-Speed Transfer Server must not use the root account for transfers. By incorporating a least privilege approach to the configuration of the Aspera HSTS platform, this will reduce the exposure of privileged accounts. By default, all system users can establish a FASP connection and are only restricted by file permissions.
    SV-252641r818093_rule ASP4-TS-020250 CCI-000382 MEDIUM The IBM Aspera High-Speed Transfer Server must restrict Aspera transfer users to a limited part of the server's file system. By restricting the transfer users to a limited part of the server's file system, this prevents unauthorized data transfers. By default, all system users can establish a FASP connection and are only restricted by file permissions.
    SV-252642r818096_rule ASP4-TS-020260 CCI-000764 MEDIUM The IBM Aspera High-Speed Transfer Server must restrict the transfer user(s) to the "aspshell". By default, all system users can establish a FASP connection and are only restricted by file permissions. Restrict the user's file operations by assigning them to use aspshell, which permits only the following operations: Running Aspera uploads and downlo
    SV-252643r818099_rule ASP4-TS-020270 CCI-000213 MEDIUM The IBM Aspera High-Speed Transfer Server must restrict users from using transfer services by default. Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD syst
    SV-252644r818102_rule ASP4-TS-020280 CCI-000213 MEDIUM The IBM Aspera High-Speed Transfer Server must restrict users' read, write, and browse permissions by default. Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD syst
    SV-252645r818105_rule ASP4-TS-020290 CCI-000382 MEDIUM The IBM Aspera High-Speed Transfer Server must set the default docroot to an empty folder. By restricting the default document root for the Aspera HSTS, this allows for explicit access to be defined on a per user basis. By default, all system users can establish a FASP connection and are only restricted by file permissions.
    SV-252646r818108_rule ASP4-TS-020300 CCI-002165 MEDIUM The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access. Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. The rootkeystore.db functions as a backup and ma
    SV-252647r818111_rule ASP4-TS-020310 CCI-002165 MEDIUM The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be owned by root to prevent unauthorized read access. Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. The rootkeystore.db functions as a backup and ma
    SV-252648r818114_rule ASP4-TS-020320 CCI-002165 MEDIUM The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access. Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. The rootkeystore.db functions as a backup and ma
    SV-252649r818117_rule ASP4-TS-020330 CCI-002007 MEDIUM The IBM Aspera High-Speed Transfer Server must prohibit the use of cached authenticators after an organization-defined time period. If the cached authenticator information is out of date, the validity of the authentication information may be questionable. This requirement applies to all ALGs that may cache user authenticators for use throughout a session. It also applies to ALGs that