Akamai KSD Service Impact Level 2 NDM STIG
Akamai KSD Service Impact Level 2 NDM Security Technical Implementation Guide. Version v1 r1, released Sept. 12, 2017.
AKSD-DM-000005: Upon successful login, the Akamai Luna Portal must notify the administrator of the date and time of the last login.
Verify that the activity log is showing user login data:
1. Log in to the Luna Portal.
2. Verify that one of the four widgets includes the activity log.
If the activity log is not showing, this is a finding.
Discussion
Administrators need to be aware of activity that occurs regarding their network device management account. Providing administrators with information regarding the date and time of their last successful login allows them to determine if any unauthorized activity has occurred. This incorporates all methods of login, including but not limited to SSH, HTTP, HTTPS, and physical connectivity.
Fix
Configure the activity log to appear in the "My Akamai" section.
1. Select the gear icon on one of the four widgets.
2. Select the activity log in the left column.
3. Check the box for "All Logins".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000117: The Akamai Luna Portal must employ Security Assertion Markup Language (SAML) to automate central management of administrators.
Confirm that only SAML logins are enabled.
1. Log in to the Akamai Luna Portal (https://control.akamai.com).
2. Click "Configure" >> "Manage SSO with SAML".
3. Verify that "SAML-only login:" is set to "enabled".
If "SAML-only login:" is set to "disabled", this is a finding.
NOTE: During the initial deployment and testing of the Luna Portal implementation, it will be necessary to allow other logins. However, production environments must meet this requirement.
Discussion
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.
Fix
Configure logins to require SAML integration.
1. Log in to the Akamai Luna Portal (https://control.akamai.com).
2. Click "Configure" >> "Manage SSO with SAML".
3. Click the "Enable" button next to the "SAML-only login:" label.
4. Click "Yes" when asked if you want to enable SAML-only login.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
AKSD-DM-000008: The Akamai Luna Portal must automatically audit account creation.
Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click the "Settings" button and click on the "Properties" tab.
5. Verify that the following setting is selected: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.
Discussion
Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.
Fix
Enable account creation alerting:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click the "Settings" button and click on the "Properties" tab.
5. Select "Manage - Manage Users".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000009: The Akamai Luna Portal must automatically audit account modification.
Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click the "Settings" button and click on the "Properties" tab.
5. Verify that the following setting is selected: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.
Discussion
Since the accounts in the network device are privileged or system-level accounts, account management is vital to the security of the network device. Account management by a designated authority ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel with the appropriate and necessary privileges. Auditing account modification along with an automatic notification to appropriate individuals will provide the necessary reconciliation that account management procedures are being followed. If modifications to management accounts are not audited, reconciliation of account management procedures cannot be tracked.
Fix
Enable account modification alerting:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click the "Settings" button and click on the "Properties" tab.
5. Select "Manage - Manage Users".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000035: The Akamai Luna Portal must enforce a 60-day maximum password lifetime restriction.
Verify the 60-day maximum password lifetime restriction is enforced. Contact the Akamai Professional Services team to verify the changes at 1-877-4-AKATEC (1-877-425-2832). If the 60-day maximum password lifetime restriction is not enforced, this is a finding.
Discussion
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the network device does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the passwords could be compromised. This requirement does not include emergency administration accounts, which are meant for access to the network device in case of failure. These accounts are not required to have maximum password lifetime restrictions.
Fix
Open a ticket through the Akamai Customer Portal (Luna), https://control.akamai.com. Select the “Support” link; under the “OPEN A CASE” section, select "Business Support Issue or Question". The "Area" field should be "General Account Management". Service should be "Product Support". Once selected, a form will load where the subject should be "Password Security Policy Exception Request". The description should contain the following information with all fields completed. (Please note that if the character limit is exceeded, the following may be submitted as an attachment.)
-------------
Requester's name:
Requester's title:
Requester's organization/command:
We request the following exception(s) to the standard Akamai Luna password management policy to be applied to all accounts.
- Force password rotations to occur at least every 60 days.
- Disable any inactive accounts if they have not been used for 90 consecutive days.
- Limit the number of consecutive invalid login attempts to 3.
- Enforce a minimum length of 15 characters.
- Require that at least one upper-case character be used.
- Require that at least one lower-case character be used.
- Require that at least one numeric character be used.
- Require that at least one special character be used.
- Prevent password reuse for at least 5 generations.
We understand this is a divergence from the standard, recommended Luna security policy. Please submit this password policy exception request to the Akamai InfoSec team for review. It has been approved by the security officer or administrator for the organization. The following is the approver's information:
Approver's Name:
Approver's Title: (must be security personnel for the organization)
Approver's Contact Information (necessary to validate this request):
Phone:
E-mail:
-------------
Complete the contact information fields if they haven't been prepopulated, and then click "Create Case".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000020: The Akamai Luna Portal must provide audit record generation capability for DoD-defined auditable events within the network device.
Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click on the DoD-defined auditable events individually.
5. Verify that the applicable events are selected by clicking the "Settings" button.
If the Luna Control Center event notifications are not enabled, this is a finding.
Discussion
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the network device (e.g., process, module). Certain specific device functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the device will provide an audit record generation capability as the following:
(i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);
(ii) Access actions, such as successful and unsuccessful login attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logins from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and
(iii) All account creation, modification, disabling, and termination actions.
Fix
Enable Luna Event notifications.
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Click the "Create New Alert" button.
4. Select "Luna Control Center Event" and press the "Next" button.
5. Check each of the applicable boxes for the DoD-defined auditable events.
6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
AKSD-DM-000018: The Akamai Luna Portal must audit the execution of privileged functions.
Verify that the portal is sending the expected Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click on "execution of privileged functions".
5. Verify that the following settings are selected by clicking the "Settings" button: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.
Discussion
Misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
Fix
Enable Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Click the "Create New Alert" button.
4. Select "Luna Control Center Event" and press the "Next" button.
5. Check the boxes for applicable alerts.
6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000012: The Akamai Luna Portal must generate alerts that can be forwarded to the SAs and ISSO when accounts are created.
Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click on "account creation".
5. Verify that the following settings are selected by clicking the "Settings" button: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.
Discussion
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail that documents the creation of accounts and notifies the SAs and ISSO. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
Fix
Enable Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Click the "Create New Alert" button.
4. Select "Luna Control Center Event" and press the "Next" button.
5. Check the box that reads "Manage - Manage Users".
6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".
Alternatively, custom notifications can be created by using the event manager API at https://developer.akamai.com/api/luna/events/overview.html.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000015: The Akamai Luna Portal must generate alerts that can be forwarded to the SAs and ISSO when accounts are removed.
Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click on "account removal".
5. Verify that the following settings are selected by clicking the "Settings" button: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.
Discussion
When application accounts are removed, administrator accessibility is affected. Accounts are used for identifying individual device administrators or for identifying the device processes themselves. In order to detect and respond to events that affect administrator accessibility and device processing, devices must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that device accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.
Fix
Enable Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Click the "Create New Alert" button.
4. Select "Luna Control Center Event" and press the "Next" button.
5. Check the box that reads "Manage - Manage Users".
6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".
Alternatively, custom notifications can be created by using the event manager API at https://developer.akamai.com/api/luna/events/overview.html.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000006: The Akamai Luna Portal must notify the administrator of the number of successful login attempts.
Verify the activity log is showing user login data:
1. Log in to the Luna Portal.
2. Verify that one of the four widgets includes the activity log.
If the activity log is not showing, this is a finding.
Discussion
Administrators need to be aware of activity that occurs regarding their network device management account. Providing administrators with information regarding the date and time of their last successful login allows the administrator to determine if any unauthorized activity has occurred. This incorporates all methods of login, including but not limited to SSH, HTTP, HTTPS, and physical connectivity. The organization-defined time period is dependent on the frequency with which administrators typically log in to the network device.
Fix
Configure the activity log to appear in the "My Akamai" section.
1. Select the gear icon on one of the four widgets.
2. Select the activity log in the left column.
3. Check the box for "All Logins".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000016: The Akamai Luna Portal must automatically audit account enabling actions.
Verify that the portal is sending Luna Event notifications:
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Search/filter for "Luna Control Center Event".
4. Click on "account enabling".
5. Verify that the following settings are selected by clicking the "Settings" button: "Manage - Manage Users".
If the Luna Control Center event notifications are not enabled, this is a finding.
Discussion
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail that documents the creation of application user accounts and notifies administrators and ISSOs. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.
Fix
Enable Luna Event notifications.
1. Log in to the Luna Portal as an administrator.
2. Select Configure >> Alerts.
3. Click the "Create New Alert" button.
4. Select "Luna Control Center Event" and press the "Next" button.
5. Check the box that reads "Manage - Manage Users".
6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".
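The activity-log and Luna Control Center Event rules above (AKSD-DM-000005, -000006, -000008, -000009, -000012, -000015, -000016 and the DoD category (iii) events of AKSD-DM-000020) all reduce to two pieces of post-processing on login and account-management records: telling an administrator when they last logged in and how often, and alerting SAs/ISSO whenever an account is created, modified, removed, disabled or enabled. The following script is an added example, not Akamai's code and not an export of the Luna event manager API; the record layout, field names and sample events are constructed for illustration.

```python
"""Added example (not Akamai's code): post-process Luna-style activity records.

Shows, on constructed sample records, the two outputs a defender wants from the
activity log and from "Luna Control Center Event" alerts:
  * the date/time of the previous successful login (AKSD-DM-000005) and the
    number of successful logins in an organization-defined window (AKSD-DM-000006);
  * alert lines for account creation/modification/removal/disabling/enabling,
    i.e. DoD auditable event category (iii) in AKSD-DM-000020.
The record layout (time/type/actor/result/target) is an assumption.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real Luna data); timestamps are UTC ISO-8601.
SAMPLE_EVENTS = [
    {"time": "2017-09-01T08:00:00Z", "type": "login", "actor": "alice", "result": "success", "target": None},
    {"time": "2017-09-02T09:15:00Z", "type": "login", "actor": "alice", "result": "failure", "target": None},
    {"time": "2017-09-03T10:30:00Z", "type": "login", "actor": "alice", "result": "success", "target": None},
    {"time": "2017-09-03T10:35:00Z", "type": "user_created", "actor": "alice", "result": "success", "target": "bob"},
    {"time": "2017-09-04T07:00:00Z", "type": "user_enabled", "actor": "mallory", "result": "success", "target": "svc-old"},
    {"time": "2017-09-05T11:00:00Z", "type": "login", "actor": "alice", "result": "success", "target": None},
    {"time": "2017-09-06T12:00:00Z", "type": "user_deleted", "actor": "alice", "result": "success", "target": "svc-old"},
]

# Event types that DoD category (iii) requires to be audited and alerted on.
# The type names are assumed; map your real export's names here.
ACCOUNT_EVENTS = {
    "user_created": "account creation",
    "user_modified": "account modification",
    "user_deleted": "account removal",
    "user_disabled": "account disabling",
    "user_enabled": "account enabling",
}


def parse_time(s):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def login_summary(events, user, now, window_days):
    """Return (last_successful_login, successful_count_in_window) for `user`.

    `last_successful_login` is the most recent successful login strictly before
    `now`, which is what the portal should show the administrator at login;
    the count covers the organization-defined window ending at `now`.
    Failed logins are deliberately excluded from both values.
    """
    window_start = now - timedelta(days=window_days)
    logins = sorted(
        parse_time(e["time"]) for e in events
        if e["type"] == "login" and e["actor"] == user and e["result"] == "success"
    )
    before_now = [t for t in logins if t < now]
    last = before_now[-1] if before_now else None
    count = sum(1 for t in before_now if t >= window_start)
    return last, count


def account_alerts(events):
    """Build one alert line per account-management event, for forwarding to SAs/ISSO."""
    alerts = []
    for e in events:
        label = ACCOUNT_EVENTS.get(e["type"])
        if label is None:
            continue  # logins and other event types are not category (iii)
        alerts.append(f"{e['time']} {label}: {e['actor']} -> {e['target']}")
    return alerts


if __name__ == "__main__":
    now = parse_time("2017-09-07T00:00:00Z")
    last, n = login_summary(SAMPLE_EVENTS, "alice", now, window_days=7)
    print(f"Last successful login: {last.isoformat()}; {n} successful logins in the last 7 days")
    for line in account_alerts(SAMPLE_EVENTS):
        print("ALERT", line)
```

Note that the enabling of `svc-old` by `mallory` is surfaced even though no login by `mallory` appears in the log, which is exactly the case the account-enabling rule is written for: the notification, not the actor's own login history, is what brings it to the ISSO's attention.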
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000118: The Akamai Luna Portal must employ Single Sign On (SSO) with Security Assertion Markup Language (SAML) integration to verify authentication settings.
Verify that the Luna portal is configured to use single sign-on (SSO) with SAML.
1. Log in to the Akamai Luna Portal (https://control.akamai.com).
2. Click "Configure" >> "Manage SSO with SAML".
3. Verify that the identity provider's current SSO settings are configured properly.
If SSO with SAML is not configured, this is a finding.
Discussion
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.
Fix
Configure the Luna portal to use single sign-on with SAML.
1. Log in to the Akamai Luna Portal (https://control.akamai.com).
2. Click "Configure" >> "Manage SSO with SAML".
3. Configure the identity provider's SSO settings as follows:
a. The strings in some fields, such as the local user attribute name ("userid") and the last part of the service provider endpoint address (".luna-sp.com"), are pre-specified by Luna Control Center. Using the information about your identity provider (IDP), fill in the first three fields:
- Service Provider End-point
- Entity ID
- Single Sign-On URL
b. The next field, "Single Logout URL", is optional. If your SAML metadata includes this information and you wish to configure for a Single Logout, you may enter it here.
c. Enter an email address that should receive notifications from Luna Control Center.
d. Enter the x509c Certificate key.
e. The next field, Alternate x509c Certificate Key, is optional. If you have an alternate x509c Certificate key, you may enter it here. Having a second key can be convenient if your current key is nearing expiration and your IDP supports key rotation.
f. When the required information has been entered, click "Save" or click "Save & Activate".
- Click "Save" if you want to keep a draft of your configuration without activating it yet. In the Manage Single Sign-On with SAML application's main panel, "Inactive" then appears in the Status column of the new configuration. This means it has been saved but is not yet activated.
- You may repeat all steps to this point to create as many additional inactive SSO configurations as desired. They'll all be listed and accessible from the main panel. (A filter is provided for convenience when dealing with long lists.)
- When you want to activate one of your saved but inactive configurations, simply select "Activate" from its gear icon. This action results in a progression of status messages, which may take up to 48 hours, starting with "Pending activation", then "Pending activation (DNS)", and finally "Active."
- Click "Save & Activate" if you want to immediately request activation of the new configuration. In the "Manage Single Sign-On with SAML" application's main panel, "Pending activation" then appears in the "Status" column of the new configuration, indicating that it has been saved and is awaiting activation. This action results in a progression of status messages, starting with "Pending activation (DNS)" and ending with "Active."
- You may repeat all steps to this point to create as many additional active configurations as desired.
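The Entity ID, Single Sign-On URL, optional Single Logout URL and signing certificate that steps 3a to 3e ask for are all carried in standard elements of the identity provider's SAML 2.0 metadata document, so they can be extracted rather than copied by hand. The script below is an added example, not Akamai's code: it parses a constructed IdP metadata document (placeholder hostnames, placeholder certificate body) and maps the values onto the Luna form-field names used in the fix. The Service Provider End-point is assigned by Luna Control Center and is not in IdP metadata, so it is not produced here; a second signing certificate in the metadata is mapped to the Alternate key field, which is the key-rotation case step 3e describes.

```python
"""Added example (not Akamai's code): extract the "Manage SSO with SAML" form
values from an identity provider's SAML 2.0 metadata document.

Only the Python standard library is used.  The metadata and certificate
below are constructed placeholders, not real IdP data.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata: hostnames and the certificate body are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.mil/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIIC...PLACEHOLDER-CERT-BODY...
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.mil/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.mil/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _location(idp, element, binding):
    """Return the Location of the first <element> with the given Binding, or None."""
    for svc in idp.findall(f"md:{element}", NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None


def luna_sso_fields(metadata_xml):
    """Map IdP metadata onto the Luna SSO form fields; raise if required data is missing."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None or not entity_id:
        raise ValueError("not a SAML 2.0 IdP metadata document")

    # Prefer HTTP-POST for SSO, fall back to HTTP-Redirect.
    sso = _location(idp, "SingleSignOnService", HTTP_POST) or _location(idp, "SingleSignOnService", HTTP_REDIRECT)
    if sso is None:
        raise ValueError("no SingleSignOnService with a supported binding")
    slo = _location(idp, "SingleLogoutService", HTTP_REDIRECT) or _location(idp, "SingleLogoutService", HTTP_POST)

    # Collect signing certificates only; a KeyDescriptor without 'use' covers both uses.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys never verify assertions
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join(c.text.split()))  # drop line breaks inside the base64 body
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "Entity ID": entity_id,
        "Single Sign-On URL": sso,
        "Single Logout URL": slo,  # None when the IdP publishes no SLO endpoint
        "x509c Certificate key": certs[0],
        "Alternate x509c Certificate key": certs[1] if len(certs) > 1 else None,
    }


if __name__ == "__main__":
    for field, value in luna_sso_fields(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Because the certificate in the form is what Luna uses to verify assertion signatures, take the metadata from the IdP over an authenticated channel and compare the extracted certificate against what the IdP team expects before saving the configuration.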
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
AKSD-DM-000032: If multifactor authentication is not supported and passwords must be used, the Akamai Luna Portal must enforce password complexity by requiring that at least one special character be used.
Verify the password must contain at least one special character. Contact the Akamai Professional Services team to verify the changes at 1-877-4-AKATEC (1-877-425-2832). If the password does not require at least one special character, this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Fix
Open a ticket through the Akamai Customer Portal (Luna), https://control.akamai.com. Select the “Support” link; under the “OPEN A CASE” section, select "Business Support Issue or Question". The "Area" field should be "General Account Management". Service should be "Product Support". Once selected, a form will load where the subject should be "Password Security Policy Exception Request". The description should contain the following information with all fields completed. (Please note that if the character limit is exceeded, the following may be submitted as an attachment.)
-------------
Requester's name:
Requester's title:
Requester's organization/command:
We request the following exception(s) to the standard Akamai Luna password management policy to be applied to all accounts.
- Force password rotations to occur at least every 60 days.
- Disable any inactive accounts if they have not been used for 90 consecutive days.
- Limit the number of consecutive invalid login attempts to 3.
- Enforce a minimum length of 15 characters.
- Require that at least one upper-case character be used.
- Require that at least one lower-case character be used.
- Require that at least one numeric character be used.
- Require that at least one special character be used.
- Prevent password reuse for at least 5 generations.
We understand this is a divergence from the standard, recommended Luna security policy. Please submit this password policy exception request to the Akamai InfoSec team for review. It has been approved by the security officer or administrator for the organization. The following is the approver's information:
Approver's Name:
Approver's Title: (must be security personnel for the organization)
Approver's Contact Information (necessary to validate this request):
Phone:
E-mail:
-------------
Complete the contact information fields if they haven't been prepopulated, and then click "Create Case".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000036: The Akamai Luna Portal must prohibit password reuse for a minimum of five generations.
Verify password reuse for a minimum of five generations is prohibited. Contact the Akamai Professional Services team to verify the changes at 1-877-4-AKATEC (1-877-425-2832). If the password reuse for a minimum of five generations is not prohibited, this is a finding.
Discussion
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the network device allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.
Fix
Open a ticket through the Akamai Customer Portal (Luna), https://control.akamai.com. Select the “Support” link; under the “OPEN A CASE” section, select "Business Support Issue or Question". The "Area" field should be "General Account Management". Service should be "Product Support". Once selected, a form will load where the subject should be "Password Security Policy Exception Request". The description should contain the following information with all fields completed. (Please note that if the character limit is exceeded, the following may be submitted as an attachment.)
-------------
Requester's name:
Requester's title:
Requester's organization/command:
We request the following exception(s) to the standard Akamai Luna password management policy to be applied to all accounts.
- Force password rotations to occur at least every 60 days.
- Disable any inactive accounts if they have not been used for 90 consecutive days.
- Limit the number of consecutive invalid login attempts to 3.
- Enforce a minimum length of 15 characters.
- Require that at least one upper-case character be used.
- Require that at least one lower-case character be used.
- Require that at least one numeric character be used.
- Require that at least one special character be used.
- Prevent password reuse for at least 5 generations.
We understand this is a divergence from the standard, recommended Luna security policy. Please submit this password policy exception request to the Akamai InfoSec team for review. It has been approved by the security officer or administrator for the organization. The following is the approver's information:
Approver's Name:
Approver's Title: (must be security personnel for the organization)
Approver's Contact Information (necessary to validate this request):
Phone:
E-mail:
-------------
Complete the contact information fields if they haven't been prepopulated, and then click "Create Case".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000029: If multifactor authentication is not supported and passwords must be used, the Akamai Luna Portal must enforce password complexity by requiring that at least one upper-case character be used.
Verify the password must contain at least one upper-case character. Contact the Akamai Professional Services team to verify the changes at 1-877-4-AKATEC (1-877-425-2832). If the password does not require at least one upper-case character, this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.
Fix
Open a ticket through the Akamai Customer Portal (Luna), https://control.akamai.com. Select the “Support” link; under the “OPEN A CASE” section, select "Business Support Issue or Question". The "Area" field should be "General Account Management". Service should be "Product Support". Once selected, a form will load where the subject should be "Password Security Policy Exception Request". The description should contain the following information with all fields completed. (Please note that if the character limit is exceeded, the following may be submitted as an attachment.)
-------------
Requester's name:
Requester's title:
Requester's organization/command:
We request the following exception(s) to the standard Akamai Luna password management policy to be applied to all accounts.
- Force password rotations to occur at least every 60 days.
- Disable any inactive accounts if they have not been used for 90 consecutive days.
- Limit the number of consecutive invalid login attempts to 3.
- Enforce a minimum length of 15 characters.
- Require that at least one upper-case character be used.
- Require that at least one lower-case character be used.
- Require that at least one numeric character be used.
- Require that at least one special character be used.
- Prevent password reuse for at least 5 generations.
We understand this is a divergence from the standard, recommended Luna security policy. Please submit this password policy exception request to the Akamai InfoSec team for review. It has been approved by the security officer or administrator for the organization. The following is the approver's information:
Approver's Name:
Approver's Title: (must be security personnel for the organization)
Approver's Contact Information (necessary to validate this request):
Phone:
E-mail:
-------------
Complete the contact information fields if they haven't been prepopulated, and then click "Create Case".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000031: If multifactor authentication is not supported and passwords must be used, the Akamai Luna Portal must enforce password complexity by requiring that at least one numeric character be used.
Verify the password must contain at least one numeric character. Contact the Akamai Professional Services team to verify the changes at 1-877-4-AKATEC (1-877-425-2832). If the password does not require at least one numeric character, this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Fix
Open a ticket through the Akamai Customer Portal (Luna), https://control.akamai.com. Select the “Support” link; under the “OPEN A CASE” section, select "Business Support Issue or Question". The "Area" field should be "General Account Management". Service should be "Product Support". Once selected, a form will load where the subject should be "Password Security Policy Exception Request". The description should contain the following information with all fields completed. (Please note that if the character limit is exceeded, the following may be submitted as an attachment.)
-------------
Requester's name:
Requester's title:
Requester's organization/command:
We request the following exception(s) to the standard Akamai Luna password management policy to be applied to all accounts.
- Force password rotations to occur at least every 60 days.
- Disable any inactive accounts if they have not been used for 90 consecutive days.
- Limit the number of consecutive invalid login attempts to 3.
- Enforce a minimum length of 15 characters.
- Require that at least one upper-case character be used.
- Require that at least one lower-case character be used.
- Require that at least one numeric character be used.
- Require that at least one special character be used.
- Prevent password reuse for at least 5 generations.
We understand this is a divergence from the standard, recommended Luna security policy. Please submit this password policy exception request to the Akamai InfoSec team for review. It has been approved by the security officer or administrator for the organization. The following is the approver's information:
Approver's Name:
Approver's Title: (must be security personnel for the organization)
Approver's Contact Information (necessary to validate this request):
Phone:
E-mail:
-------------
Complete the contact information fields if they haven't been prepopulated, and then click "Create Case".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000028: The Akamai Luna Portal must enforce a minimum 15-character password length.
Verify the minimum 15-character length for passwords. Contact the Akamai Professional Services team to verify the changes at 1-877-4-AKATEC (1-877-425-2832). If the minimum password length is not 15 characters, this is a finding.
Discussion
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Fix
Open a ticket through the Akamai Customer Portal (Luna), https://control.akamai.com. Select the "Support" link; under the "OPEN A CASE" section, select "Business Support Issue or Question". The "Area" field should be "General Account Management". Service should be "Product Support". Once selected, a form will load where the subject should be "Password Security Policy Exception Request". The description should contain the following information with all fields completed. (Please note that if the character limit is exceeded, the following may be submitted as an attachment.)

-------------
Requester's name:
Requester's title:
Requester's organization/command:

We request the following exception(s) to the standard Akamai Luna password management policy to be applied to all accounts.
- Force password rotations to occur at least every 60 days.
- Disable any inactive accounts if they have not been used for 90 consecutive days.
- Limit the number of consecutive invalid login attempts to 3.
- Enforce a minimum length of 15 characters.
- Require that at least one upper-case character be used.
- Require that at least one lower-case character be used.
- Require that at least one numeric character be used.
- Require that at least one special character be used.
- Prevent password reuse for at least 5 generations.

We understand this is a divergence from the standard, recommended Luna security policy. Please submit this password policy exception request to the Akamai InfoSec team for review. It has been approved by the security officer or administrator for the organization. The following is the approver's information:
Approver's Name:
Approver's Title: (must be security personnel for the organization)
Approver's Contact Information (necessary to validate this request):
Phone:
E-mail:
-------------

Complete the contact information fields if they haven't been prepopulated, and then click "Create Case".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000007: The Akamai Luna Portal must initiate a session logoff after a 15-minute period of inactivity.
Verify that all portal users have the session timeout duration set to 15 minutes: 1. Log in to the Luna Portal as an administrator. 2. Select Configure >> Manage Users & Groups. 3. Select each administrator and inspect the "Timeout" setting to verify it reads "After 15 Minutes". 4. Click the "Save" button. If any user has a "Timeout" value other than "After 15 Minutes", this is a finding.
Discussion
A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user to manually lock their management session prior to vacating the vicinity, network devices need to be able to identify when a management session has idled and take action to initiate the session lock. Once invoked, the session lock must remain in place until the administrator reauthenticates. No other system activity aside from reauthentication must unlock the management session. When the network device is remotely administered, a session logoff may be the only practical option in lieu of a session lock. For a web portal, a session logoff must be invoked when idle time is exceeded for an administrator. Note that CCI-001133 requires that administrative network sessions be disconnected after 10 minutes of idle time.
Fix
Configure the session timeout duration to 15 minutes: 1. Log in to the Luna Portal as an administrator. 2. Select Configure >> Manage Users & Groups. 3. Select each user and set the "Timeout" value to "After 15 Minutes".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000030: If multifactor authentication is not supported and passwords must be used, the Akamai Luna Portal must enforce password complexity by requiring that at least one lower-case character be used.
Verify the password must contain at least one lower-case character. Contact the Akamai Professional Services team to verify the changes at 1-877-4-AKATEC (1-877-425-2832). If the password does not require at least one lower-case character, this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Fix
Open a ticket through the Akamai Customer Portal (Luna), https://control.akamai.com. Select the "Support" link; under the "OPEN A CASE" section, select "Business Support Issue or Question". The "Area" field should be "General Account Management". Service should be "Product Support". Once selected, a form will load where the subject should be "Password Security Policy Exception Request". The description should contain the following information with all fields completed. (Please note that if the character limit is exceeded, the following may be submitted as an attachment.)

-------------
Requester's name:
Requester's title:
Requester's organization/command:

We request the following exception(s) to the standard Akamai Luna password management policy to be applied to all accounts.
- Force password rotations to occur at least every 60 days.
- Disable any inactive accounts if they have not been used for 90 consecutive days.
- Limit the number of consecutive invalid login attempts to 3.
- Enforce a minimum length of 15 characters.
- Require that at least one upper-case character be used.
- Require that at least one lower-case character be used.
- Require that at least one numeric character be used.
- Require that at least one special character be used.
- Prevent password reuse for at least 5 generations.

We understand this is a divergence from the standard, recommended Luna security policy. Please submit this password policy exception request to the Akamai InfoSec team for review. It has been approved by the security officer or administrator for the organization. The following is the approver's information:
Approver's Name:
Approver's Title: (must be security personnel for the organization)
Approver's Contact Information (necessary to validate this request):
Phone:
E-mail:
-------------

Complete the contact information fields if they haven't been prepopulated, and then click "Create Case".
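The exception request above, and the AKSD-DM-000028 minimum-length rule and the complexity discussions with it, state the policy as concrete thresholds: 15 characters, four character classes, no reuse for 5 generations, rotation at 60 days, lockout after 3 consecutive failures. The following is an added example, not Akamai's or the Luna Portal's own code, that enforces those same rules locally so an organization can pre-validate candidate passwords and confirm what the policy rejects before asking Akamai Professional Services to verify the portal setting. The class and function names, the constructed sample passwords and the choice of PBKDF2 for the stored history are assumptions of this example; the thresholds are the ones listed in the request.

```python
"""Local enforcement of the password rules listed in the Luna exception request.

Added example, not Akamai's code: it models the policy above (length 15,
four character classes, no reuse for 5 generations, rotation every 60 days,
lockout after 3 consecutive failures) so the rules can be exercised offline.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 15          # "Enforce a minimum length of 15 characters."
HISTORY_GENERATIONS = 5  # "Prevent password reuse for at least 5 generations."
MAX_AGE_DAYS = 60        # "Force password rotations to occur at least every 60 days."
MAX_FAILED_ATTEMPTS = 3  # "Limit the number of consecutive invalid login attempts to 3."
SPECIAL = set(string.punctuation)
PBKDF2_ROUNDS = 50_000   # assumption: any salted slow hash would serve for the history


def complexity_failures(password: str) -> list[str]:
    """Return the names of the complexity rules the candidate password violates."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isupper() for c in password):
        failures.append("upper")
    if not any(c.islower() for c in password):
        failures.append("lower")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in SPECIAL for c in password):
        failures.append("special")
    return failures


def keyspace(length: int, alphabet_size: int) -> int:
    """Candidates an exhaustive guesser must cover: the 'possible combinations' of the discussion."""
    return alphabet_size ** length


def _digest(password: str, salt: bytes) -> bytes:
    # Salted slow hash so the stored history is not a reusable credential list.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountPasswordState:
    """Per-account state for the reuse, rotation and lockout rules."""

    def __init__(self) -> None:
        self.history: list[tuple[bytes, bytes]] = []  # (salt, digest), newest last
        self.changed_at = None
        self.failed_attempts = 0

    def set_password(self, password: str, now: datetime) -> list[str]:
        """Apply all rules; return the violated ones (an empty list means accepted)."""
        failures = complexity_failures(password)
        if any(hmac.compare_digest(_digest(password, s), d) for s, d in self.history):
            failures.append("reuse")
        if failures:
            return failures
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        # Keep the current password plus the HISTORY_GENERATIONS before it.
        self.history = self.history[-(HISTORY_GENERATIONS + 1):]
        self.changed_at = now
        return []

    def rotation_overdue(self, now: datetime) -> bool:
        return self.changed_at is None or now - self.changed_at > timedelta(days=MAX_AGE_DAYS)

    def login(self, password: str) -> str:
        """Return 'locked', 'ok' or 'denied'; three consecutive failures lock the account."""
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return "locked"
        salt, digest = self.history[-1]
        if hmac.compare_digest(_digest(password, salt), digest):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        return "denied"


def demo() -> dict:
    """Walk one account through the policy with constructed passwords and dates."""
    t0 = datetime(2017, 9, 12)  # constructed date (the STIG release day)
    acct = AccountPasswordState()
    out = {}
    out["weak"] = acct.set_password("password", t0)  # fails length/upper/digit/special
    out["first"] = acct.set_password("Correct-Horse-Battery-0", t0)
    for i in range(1, HISTORY_GENERATIONS + 1):
        acct.set_password(f"Rotation-Number-{i}!x", t0 + timedelta(days=i))
    out["reuse_blocked"] = acct.set_password("Correct-Horse-Battery-0", t0)
    acct.set_password("One-More-Generation-9#", t0 + timedelta(days=10))
    out["reuse_allowed"] = acct.set_password("Correct-Horse-Battery-0", t0 + timedelta(days=11))
    out["overdue"] = acct.rotation_overdue(t0 + timedelta(days=11 + MAX_AGE_DAYS + 1))
    out["lockout"] = [acct.login(f"wrong-guess-{i}") for i in range(4)]
    out["ratio"] = keyspace(15, 94) // keyspace(8, 26)  # 15 printable chars vs 8 lower-case
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The reuse check hashes the candidate against each stored generation, so the history never holds plaintext; the lockout counter resets only on a successful login, which is what "consecutive" invalid attempts means in the request. The `ratio` entry makes the discussion's point about combinations concrete: a 15-character password drawn from the printable ASCII set has a keyspace more than 10^18 times larger than an 8-character lower-case one.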
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000022: The Akamai Luna Portal must generate audit records when successful/unsuccessful attempts to access privileges occur.
Verify that the portal is sending Luna Event notifications: 1. Log in to the Luna Portal as an administrator. 2. Select Configure >> Alerts. 3. Search/filter for "Luna Control Center Event". 4. Click on the event name that meets the criteria above. 5. Verify that the applicable events are selected by clicking the "Settings" button. If the Luna Control Center event notifications are not enabled, this is a finding.
Discussion
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix
Enable Luna Event notifications: 1. Log in to the Luna Portal as an administrator. 2. Select Configure >> Alerts. 3. Click the "Create New Alert" button. 4. Select "Luna Control Center Event" and press the "Next" button. 5. Check the applicable boxes. 6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
AKSD-DM-000011: The Akamai Luna Portal must automatically audit account removal actions.
Verify that the portal is sending Luna Event notifications: 1. Log in to the Luna Portal as an administrator. 2. Select Configure >> Alerts. 3. Search/filter for "Luna Control Center Event". 4. Click the "Settings" button and click on "Properties" tab. 5. Verify that the following setting is selected: "Manage - Manage Users". If the Luna Control Center event notifications are not enabled, this is a finding.
Discussion
Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.
Fix
Enable account removal alerting: 1. Log in to the Luna Portal as an administrator. 2. Select Configure >> Alerts. 3. Search/filter for "Luna Control Center Event". 4. Click the "Settings" button and click on "Properties" tab. 5. Select "Manage - Manage Users".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000038: The Akamai Luna Portal must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 15 minutes of inactivity except to fulfill documented and validated mission requirements.
Verify that all portal users have the session timeout duration set to 15 minutes: 1. Log in to the Luna Portal as an administrator. 2. Select Configure >> Manage Users & Groups. 3. Select each user and inspect the "Timeout" setting to verify it reads "After 15 Minutes". If the session timeout is not set to 15 minutes, this is a finding.
Discussion
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Fix
Set the session timeout duration to 15 minutes: 1. Log in to the Luna Portal as an administrator. 2. Select Configure >> Manage Users & Groups. 3. Select each user and adjust the "Timeout" setting to "After 15 Minutes".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000013: The Akamai Luna Portal must generate alerts that can be forwarded to the SAs and ISSO when accounts are modified.
Verify that the portal is sending Luna Event notifications: 1. Log in to the Luna Portal as an administrator. 2. Select Configure >> Alerts. 3. Search/filter for "Luna Control Center Event". 4. Click on "account modification". 5. Verify that the following settings are selected by clicking the "Settings" button: "Manage - Manage Users". If the Luna Control Center event notifications are not enabled, this is a finding.
Discussion
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail that documents the modification of device administrator accounts and notifies the SAs and ISSO. Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes. The network device must generate the alert. Notification may be done by a management server.
Fix
Enable Luna Event notifications: 1. Log in to the Luna Portal as an administrator. 2. Select Configure >> Alerts. 3. Click the "Create New Alert" button. 4. Select "Luna Control Center Event" and press the "Next" button. 5. Check the box that reads "Manage - Manage Users". 6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit". Alternatively, custom notifications can be created by using the event manager API at https://developer.akamai.com/api/luna/events/overview.html.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
AKSD-DM-000017: The Akamai Luna Portal must notify the SAs and ISSO when accounts are created, or enabled when previously disabled.
Verify that the portal is sending the expected Luna Event notifications: 1. Log in to the Luna Portal as an administrator. 2. Select Configure >> Alerts. 3. Search/filter for "Luna Control Center Event". 4. Click on "account creation". 5. Verify that the following settings are selected by clicking the "Settings" button: "Manage - Manage Users". If the Luna Control Center event notifications are not enabled, this is a finding.
Discussion
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies the SAs and ISSO. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. In order to detect and respond to events that affect network administrator accessibility and device processing, network devices must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event.
Fix
Enable Luna Event notifications: 1. Log in to the Luna Portal as an administrator. 2. Select Configure >> Alerts. 3. Click the "Create New Alert" button. 4. Select "Luna Control Center Event" and press the "Next" button. 5. Check the boxes for applicable alerts. 6. Proceed through the alert creation wizard, filling out the appropriate fields, and then click "Submit".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None