Check: CYLN-OP-000025
Arctic Wolf CylanceON-PREM STIG:
CYLN-OP-000025
(in version v1 r1)
Title
CylanceON-PREM must be configured to use TLS 1.2 or higher. (Cat I impact)
Discussion
Using older, unauthorized TLS versions, or misconfiguring protocol negotiation so that a client can downgrade to one, leaves the appliance vulnerable to known and unknown attacks against those versions.
Satisfies: SRG-APP-000014, SRG-APP-000156, SRG-APP-000172, SRG-APP-000179, SRG-APP-000219, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442, SRG-APP-000560, SRG-APP-000565, SRG-APP-000605, SRG-APP-000645
Check Content
Verify the cipher configuration. Administrator privileges are required.
1. Log in to the admin console.
2. Navigate to CONFIGURATION >> Settings.
3. Find CylanceON-PREM Info >> Certificate Cipher.
If the value is not set to "Modern Mode (TLS 1.2+)", this is a finding.
Fix Text
Configure the cipher. Administrator privileges are required.
1. Log in to the admin console.
2. Navigate to CONFIGURATION >> Settings.
3. Find CylanceON-PREM Info >> Certificate Cipher.
4. Click "Change".
5. Select "Modern Mode (TLS 1.2+)".
6. Click "Update".
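The console setting above is what the STIG checks, but the setting only matters if the listener actually refuses the legacy protocol versions. The following probe is an added example, not part of the STIG or of the vendor's tooling: it attempts one handshake per TLS version against the console's HTTPS port, records which versions the server accepts, and classifies the result the way the check does (any accepted version below TLS 1.2 is a finding). The host name, port 443, and the use of "ALL:@SECLEVEL=0" to let an OpenSSL 3 client still offer TLS 1.0/1.1 are assumptions; on builds compiled without those versions the probe records them as not testable rather than as rejected.

```python
"""Probe which TLS versions an HTTPS listener negotiates and flag anything
below TLS 1.2 (added example; assumes the target is a CylanceON-PREM console
on port 443, or any other HTTPS endpoint)."""
import socket
import ssl
import sys

# Oldest to newest; compared by position rather than by ssl.TLSVersion value.
VERSION_ORDER = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
MINIMUM_ALLOWED = "TLSv1_2"  # "Modern Mode (TLS 1.2+)"


def probe_versions(host, port=443, timeout=5.0):
    """Return {version_name: True (accepted) | False (rejected) | None (not
    testable from this client)} for each version in VERSION_ORDER."""
    results = {}
    for name in VERSION_ORDER:
        version = getattr(ssl.TLSVersion, name)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # We are testing protocol negotiation, not trust; do not let an
        # untrusted self-signed console certificate mask the result.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # Pin both ends of the range so exactly one version is offered.
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            results[name] = None  # local OpenSSL cannot speak this version
            continue
        if version < ssl.TLSVersion.TLSv1_2:
            # Assumption: OpenSSL 3 disables TLS 1.0/1.1 at its default
            # security level; drop to level 0 so the client can offer them.
            try:
                ctx.set_ciphers("ALL:@SECLEVEL=0")
            except ssl.SSLError:
                pass
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    # tls.version() reports e.g. "TLSv1.1"; the enum name
                    # uses an underscore, so normalise before comparing.
                    results[name] = tls.version() == name.replace("_", ".")
        except (ssl.SSLError, OSError):
            results[name] = False  # server refused the handshake
    return results


def evaluate(results, minimum=MINIMUM_ALLOWED):
    """Classify probe results as ("finding", [legacy versions accepted]),
    ("compliant", []) or ("inconclusive", []) when no version at or above
    the minimum could be negotiated (wrong port, filter, or client limits)."""
    cut = VERSION_ORDER.index(minimum)
    offending = [v for v in VERSION_ORDER[:cut] if results.get(v) is True]
    modern_ok = any(results.get(v) is True for v in VERSION_ORDER[cut:])
    if offending:
        return "finding", offending
    if not modern_ok:
        return "inconclusive", []
    return "compliant", []


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "cylance-onprem.example.internal"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    observed = probe_versions(target, port)
    for ver in VERSION_ORDER:
        state = {True: "accepted", False: "rejected", None: "not testable"}[observed[ver]]
        print(f"{ver.replace('_', '.'):8s} {state}")
    status, legacy = evaluate(observed)
    print(f"result: {status}" + (f" (accepts {', '.join(legacy)})" if legacy else ""))
```

Run it as `python3 probe.py <console-host> [port]`. The probe covers protocol version only; the "Modern Mode" setting also selects cipher suites, and a cipher-level review would need a separate check against the negotiated suite on the TLS 1.2 connection.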
Additional Identifiers
Rule ID: SV-272629r1113430_rule
Vulnerability ID: V-272629
Group Title: SRG-APP-000014
CCIs
Number | Definition |
---|---|
CCI-000068 | Implement cryptographic mechanisms to protect the confidentiality of remote access sessions. |
CCI-000185 | For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
CCI-000197 | For password-based authentication, transmit passwords only over cryptographically-protected channels. |
CCI-000382 | Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services. |
CCI-000803 | Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
CCI-001184 | Protect the authenticity of communications sessions. |
CCI-001453 | Implement cryptographic mechanisms to protect the integrity of remote access sessions. |
CCI-001941 | Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts. |
CCI-002418 | Protect the confidentiality and/or integrity of transmitted information. |
CCI-002420 | Maintain the confidentiality and/or integrity of information during preparation for transmission. |
CCI-002421 | Implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. |
CCI-002422 | Maintain the confidentiality and/or integrity of information during reception. |
Controls
Number | Title |
---|---|
AC-17(2) | Protection of Confidentiality / Integrity Using Encryption |
CM-7 | Least Functionality |
IA-2(8) | Network Access to Privileged Accounts - Replay Resistant |
IA-5(1) | Password-based Authentication |
IA-5(2) | PKI-based Authentication |
IA-7 | Cryptographic Module Authentication |
SC-8 | Transmission Confidentiality and Integrity |
SC-8(1) | Cryptographic or Alternate Physical Protection |
SC-8(2) | Pre / Post Transmission Handling |
SC-23 | Session Authenticity |