STIG Examples and Asset Prioritization

Perimeter Router Security Technical Implementation Guide, Release 32, Benchmark Date: 25 Jan 2019

Vulnerability (In Order of Importance) / Severity / Reasoning

Vul ID: V-3160, STIG ID: NET0700
The network element must be running a current and supported operating system with all IAVMs addressed.
Severity: CAT II
Reasoning: Since the router is missing the last CAT III IAVM, the device is not configured to protect against network attacks.

Vul ID: V-3013, STIG ID: NET0340
Network devices must display the DoD-approved login banner warning.
Severity: CAT II
Reasoning: Due to the lack of a warning banner, unauthorized users will not be informed of the device's ability to monitor and detect unauthorized usage.

Vul ID: V-3072, STIG ID: NET1624
The running configuration must be synchronized with the startup configuration after changes have been made and implemented.
Severity: CAT III
Reasoning: Because the running and boot configurations differ, the startup and running configurations are not synchronized; any changes made will therefore be lost in the event of a router malfunction.

Vul ID: V-3967, STIG ID: NET1624
The network element must time out access to the console port after 10 minutes of inactivity.
Severity: CAT II
Reasoning: Because the device's console connection timeout is currently set to 12 minutes, an unauthorized user has 2 additional minutes to gain access if the prior authorized user left the console unattended.

Firewall Security Requirements Guide, Release 3, Benchmark Date: 25 Jan 2019

Vulnerability (In Order of Importance) / Severity / Reasoning

Vul ID: V-79489, STIG ID: SRG-NET-000392-FW-000042
The firewall must generate an alert that can be forwarded to, at a minimum, the ISSO and ISSM when denial-of-service (DoS) incidents are detected.
Severity: CAT III
Reasoning: Because the firewall's configuration does not allow for automated alerts, it is up to the network administrator to check for incidents; relying solely on human-based monitoring is not optimal.

Vul ID: V-79487, STIG ID: SRG-NET-001130-FW-000005
The firewall must be configured to allow the system administrator to select a subset of DoD-required auditable events.
Severity: CAT III
Reasoning: Due to the lack of selectable audit subsets, the system administrator will not be able to quickly and accurately search and view logs in the event of a security breach or when identifying trends, leading to a vast number of potential issues and risks.

Vul ID: V-79441, STIG ID: SRG-NET-00077-FW-000012
The firewall must generate traffic log entries containing information to establish the source of the events, such as the source IP address at a minimum.
Severity: CAT III
Reasoning: Because the firewall cannot identify nodes within log events, log entries will not be enough to fully identify, troubleshoot, and defend against errors, attacks, and other events when viewing an audit log.

Layer 2 Switch Security Technical Implementation Guide, Release 27, Benchmark Date: 25 Jan 2019

Vulnerability (In Order of Importance) / Severity / Reasoning

Vul ID: V-15434, STIG ID: SV-16261r5_rule
The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online.
Severity: CAT I
Reasoning: Because the switch lacks an emergency administration account, in the event of an emergency or unexpected downtime (authentication server not online) the administrator will not be able to access the switch and perform necessary administrative functions.

Asset Prioritization for Mitigation or Remediation

Asset (In Order of Importance) / Reasoning

Asset: Layer 2 Switch
Reasoning: Having the only CAT I severity level, the switch's lack of an emergency administration account needs to be addressed immediately; the implications and risks of not being able to access the switch during server downtime are not acceptable and could result in disaster.

Asset: Firewall
Reasoning: Given the firewall's essential intrusion protection and defensive role, the lack of automated alerts, the inability to create log subsets, and the inability to identify nodes all significantly reduce the firewall's effectiveness, diminishing the security of the entire network.

Asset: Router 1
Reasoning: While still critical for network operations, fixing the router's vulnerabilities can be postponed until the above two assets are complete, because many of its vulnerabilities carry less serious risk (such as the lack of a banner and the additional two minutes of timeout).

Explanation of Vulnerability Prioritization

Perimeter Router

Per the STIG, the router had four vulnerabilities that required attention, ranging from CAT II to CAT III. I chose Vul ID: V-3160 as the primary concern, as the lack of the last CAT III IAVM (information assurance vulnerability alert) indicates that the router is not running the most current and approved software version, significantly increasing the risk of threats and errors. The second most critical vulnerability is Vul ID: V-3013, due to the confidentiality and legal implications of not having a DoD-approved logon banner: without being told that access is not allowed unless authorized, an unsuspecting individual might proceed to enter the system and access sensitive data and/or damage critical configurations. Also, if the user is unaware that they are not authorized to enter the system and that they will be monitored while doing so, there can be plausible deniability if any legal action is taken against the individual. Vul ID: V-3072 is next in importance, as differing running and boot configurations can, in the event of unexpected downtime, a crash, or an error, delete any changes made to the system upon reboot (due to the lack of synchronization). Finally, Vul ID: V-3967, while a higher severity level (CAT II) than Vul ID: V-3072 (CAT III), is of least importance, since the extra two minutes before a timeout can be avoided by merely logging out; while any time the authorized user is absent and the system is open is dangerous, two additional minutes is not going to be a disaster (but the timeout should still be set to ten minutes as soon as possible).
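Three of the router findings above (console timeout, login banner, running/startup synchronization) can be verified mechanically from the device's configuration text. The following Python example is added here and is not part of the original post; it assumes Cisco IOS-style configuration syntax (the post names no vendor) and runs the checks over a constructed sample that reproduces the 12-minute timeout, missing banner, and unsaved change the post describes.

```python
import re

# Constructed Cisco IOS-style configs (assumption: the post names no vendor).
# Running config mirrors the post's findings: 12-minute console timeout,
# no login banner, and a change (vty line) not yet saved to startup-config.
RUNNING_CONFIG = """\
line con 0
 exec-timeout 12 0
 login local
line vty 0 4
 exec-timeout 10 0
end
"""

STARTUP_CONFIG = """\
line con 0
 exec-timeout 12 0
end
"""

def console_timeout_minutes(config):
    """Return the exec-timeout under 'line con 0' in minutes, or None if unset."""
    in_console = False
    for line in config.splitlines():
        if line.startswith("line "):
            in_console = line.startswith("line con ")
        elif in_console:
            m = re.match(r"\s+exec-timeout\s+(\d+)(?:\s+(\d+))?", line)
            if m:
                return int(m.group(1)) + int(m.group(2) or 0) / 60
    return None

def has_login_banner(config):
    """V-3013: a login (or MOTD) banner must be configured."""
    return re.search(r"^banner (login|motd) ", config, re.MULTILINE) is not None

def configs_synchronized(running, startup):
    """V-3072: running-config and startup-config must match after changes."""
    return running.strip() == startup.strip()

def check_router(running, startup):
    """Map each STIG finding to True (compliant) or False (finding open)."""
    timeout = console_timeout_minutes(running)
    return {
        "V-3967": timeout is not None and 0 < timeout <= 10,  # '0 0' means never
        "V-3013": has_login_banner(running),
        "V-3072": configs_synchronized(running, startup),
    }
```

Feed it the output of `show running-config` and `show startup-config` to reproduce the post's three open findings; the V-3160 IAVM check is not included because it depends on the vendor's version and advisory data rather than the configuration text.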

Firewall

Per the STIG, the firewall had three CAT III vulnerabilities that required attention. I chose Vul ID: V-79489 as the greatest threat due to the importance of automated alerts in monitoring attacks, errors, and maintenance tasks. Even if the administrator checked the system relentlessly, the probability of human error is too high. Firewalls need to be monitored 24/7 (preferably by multiple individuals), and the easiest way to achieve this is to set up automatic notifications for any changes, errors, configuration problems, or attacks (such as DoS). Next, Vul ID: V-79487 should be addressed, as in the audit process being able to narrow searches and reduce the sheer amount of data involved is vital to finding where errors occurred and where attacks originated. With V-79489 fixed and automatic notifications enabled, the system administrator can, once alerted, comb through the logs by creating a specific subset for the search, leading to better troubleshooting, maintenance, and security. Finally, Vul ID: V-79441 is of least importance, yet still needs to be fixed quickly. During the enhanced audit procedures of the previous two vulnerabilities, V-79441 provides the ability to identify nodes within log events; without it, even the most sophisticated alert and audit procedures will fail to recognize on which devices the attack or errors occurred first and how to secure each node based on its specific hardware and software.

Layer 2 Switch

Per the STIG, the switch has one vulnerability that needs to be addressed; however, it is the only CAT I severity level of all the assets. Vul ID: V-15434 is critical to fix because, in the event of unexpected downtime or an error while the authentication server is down, the administrator will not be able to access the switch to perform the (potentially disaster-preventing) emergency tasks needed to reconcile the situation.

Reasoning for Asset Prioritization

I chose the layer 2 switch as the primary concern among all the assets because its STIG includes the only CAT I vulnerability and because, if the authentication server goes offline, the system could be rendered unusable; this puts the asset at the top of the list for mitigation and remediation. The next most critical asset is the firewall, due to the device's protective role for the entire network and the lack of alerts and weaknesses in the auditing/log process. If an attack happened, the administrator would only become aware of it by looking at the logs (which could be several hours later due to operating hours), and even if they did catch it in time, they would not be able to find where the attack originated quickly (because subsets cannot be used) or accurately (because individual nodes cannot be seen). Finally, the router is the least important asset in terms of vulnerability, as the lack of a banner does not block intruders (do warnings ever work?) and the additional two minutes of timeout, while still dangerous, does not endanger the entire system as much as the other assets' vulnerabilities.

References

Whitman, M. & Mattord, H. (2016). Management of Information Security (6th ed.). Boston, MA: Cengage Learning.

DoD Cyber Exchange. (2020, January 7). Security Technical Implementation Guides (STIGs). Retrieved January 16, 2020, from https://public.cyber.mil/stigs/.
