ANNEX D: SECURITY (HBSS + ACAS) QUESTIONS AND ANSWERS 2023
Security Technical Information Guide (STIG): A carefully crafted document that includes not only DoD policies and security regulations, but also up-to-date best practices and configuration guidelines. These guidelines are used for securing a specific system or application in accordance with DoD requirements.

Host-Based Security System (HBSS): A host-based security system, meaning it is located on the individual workstation or host. It uses multiple modules to monitor, detect, and counter known cyber threats.

Assured Compliance Assessment Solution (ACAS): A suite of products, including Red Hat Enterprise Linux, Security Center, Nessus Scanner and the Nessus Network Monitor (formerly the Passive Vulnerability Scanner), provided by DISA to DoD customers.

Public Key Infrastructure (PKI): A framework consisting of hardware, software, people, processes, and policies that together help identify and solve information security problems by establishing a safe and reliable environment for electronic transactions on the Internet.

Public Key Encryption: Protects the confidentiality, integrity, authenticity and non-repudiation of data.

Why do we use HBSS? US Cyber Command (USCYBERCOM) mandates that HBSS be installed on every DoD system.

HBSS Components: ePolicy Orchestrator (ePO) Server, the McAfee Agent, the distributed repositories, and the registered servers.

McAfee Agent: Provides a secure communication channel to the ePO and manages all of the other modules installed on the client machine (VSE, HIPS, etc.).

Agent to Server Communication Interval (ASCI): Determines how often the agent checks in with the ePO. The default is 60 minutes.

Agent to Server Communication (ASCI): Encrypted communication using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). All encryption is 128-bit strength and, except for Mac OS X, is FIPS 140-2 compliant.

Wake-up calls: When the ePO forces the managed machine to initiate an ASCI outside of its normal interval.

ACAS Repositories: Proprietary data files, residing on the Security Center, that store scan results. Every time a scan is initiated, the scan results are imported into one repository.

ACAS Repository Types: Local, Remote, and Offline repositories.

Local Repository: Active repositories of Security Center data collected via scanners attached to the local Security Center.

Remote Repository: Contains IP address and vulnerability information obtained via network synchronization with a second (remote) Security Center.

Offline Repository: Enables Security Center to obtain repository data via manual file export/import from a remote Security Center that is not network-accessible.

Audit Files: Text files that contain the specific configuration, file permission, and access control tests to be performed. They are an attachment to a scan policy, used with credentials to audit a host's configuration.

Importance of PKI: Allows us to take advantage of the speed and immediacy of the Internet while assuring that we will be alerted if sensitive information has been tampered with, and preventing unauthorized disclosure.

PKI Components:
- AUTHENTICATION: Proof that senders are who they claim to be
- CONFIDENTIALITY: Assurance that the person receiving is the intended recipient
- AUTHORIZATION: Protection against unauthorized use
- DATA INTEGRITY: Verification that no unauthorized modification of data has occurred
- NON-REPUDIATION: Assurance for the legal community that the person sending cannot deny participation (DoD Consent)

Types of cryptographic methods: Symmetric and Asymmetric.

Symmetric-key: This type of encryption uses the same key to encrypt and decrypt.

Asymmetric-key: Uses a key pair for encryption and decryption. It includes two keys: one public key and one private key.

Active Directory Certificate Services: The Microsoft solution for PKI. It is a collection of role services used to design the PKI for your organization.

Common Access Card (CAC): A smart card that is the standard ID card for DoD military, civilian, and eligible contractor personnel.

Elements of the CAC: Identification elements, organization elements, card management elements, benefit elements, and PKI elements.

Nessus Network Monitor (NNM): Monitors network traffic in real time. It determines server-side and client-side vulnerabilities and sends these to Security Center in real time. It continuously looks for new hosts, new applications, and new vulnerabilities without requiring active scanning.

Ports:
- 80: Agent to Server communication (TCP). Inbound TCP; the ePO server listens for requests from McAfee Agents
- 443: Agent to Server secure communication (TLS)
- 591: Agent Wakeup Call
- 8005: Agent Handler Communication
- 8007: Console-to-application (HTTPS)
- 8443: Rogue System Detection sensor (HTTPS)
- 1433 (Outbound): SQL Server TCP port
- 389: Default LDAP server port
- 636: Default LDAP server port
- 1433 (Inbound): Default for SQL communication
- 1434: Default for SQL port negotiation (TCP and UDP)

Two ways to categorize a repository: IP Address, MDM (Master Data Management Tool).

Primary function of repositories: Stores scan results.

What users can create new repositories in Assured Compliance Assessment Solution (ACAS)? Administrators.

4 primary reasons to use multiple repositories:
1. Restrict access to data
2. Improve reporting time (smaller data set)
3. Separate compliance and vulnerability data
4. Resolve technical issues

When is a remote repository used? To replicate a Security Center's repository data.

How does DISA determine its STIGs? Security recommendations from software vendors (e.g. Microsoft, Cisco, etc.).
School, course and subject
- Institution
- HBSS
- Degree
- HBSS
Document information
- Uploaded on
- December 16, 2023
- Number of pages
- 4
- Written in
- 2023/2024
- Type
- Exam
- Contains
- Questions and answers