| V-76395 | | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined geographic regions. | Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes ... |
| V-76397 | | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to block traffic from organizationally defined IP addresses (i.e., IP blacklist). | Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes ... |
| V-76399 | | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to allow traffic from organizationally defined IP addresses (i.e., IP whitelist). | Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes ... |
| V-76403 | | To protect against data mining, Kona Site Defender providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launche... |
| V-76405 | | To protect against data mining, Kona Site Defender providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launche... |
| V-76407 | | To protect against data mining, Kona Site Defender providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launche... |
| V-76409 | | To protect against data mining, Kona Site Defender providing content filtering must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched... |
| V-76411 | | To protect against data mining, Kona Site Defender providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched... |
| V-76413 | | To protect against data mining, Kona Site Defender providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched... |
| V-76415 | | Kona Site Defender must off-load audit records onto a centralized log server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-76419 | | Kona Site Defender must not strip origin-defined HTTP session headers. | Lack of authentication enables anyone to gain access to the network or possibly a network element that provides the opportunity for intruders to compr... |
| V-76421 | | Kona Site Defender providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis. | If the network does not provide safeguards against DoS attacks, network resources may not be available to users during an attack. Installation of con... |
| V-76423 | | Kona Site Defender providing content filtering must protect against known types of denial-of-service (DoS) attacks by employing signatures. | If the network does not provide safeguards against DoS attacks, network resources may not be available to users during an attack. Installation of con... |
| V-76425 | | Kona Site Defender that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies. | Application protocol anomaly detection examines application layer protocols such as HTTP to identify attacks based on observed deviations in the norma... |
| V-76429 | | Kona Site Defender providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptogr... |
| V-76435 | | Kona Site Defender providing content filtering must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures. | Malicious code protection mechanisms include but are not limited to anti-virus and malware detection software. To minimize any potential negative impa... |
| V-76437 | | Kona Site Defender providing content filtering must block malicious code upon detection. | Taking an appropriate action based on local organizational incident handling procedures minimizes the impact of malicious code on the network. This r... |
| V-76439 | | Kona Site Defender providing content filtering must send an immediate (within seconds) alert to the system administrator, at a minimum, in response to malicious code detection. | Without an alert, security personnel may be unaware of an impending failure of the audit capability. This will impede the ability to perform forensic ... |
| V-76443 | | Kona Site Defender providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions. | If inbound communications traffic is not continuously monitored, hostile activity may not be detected and prevented. Output from application and traff... |
| V-76445 | | Kona Site Defender providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss ... |
| V-76447 | | Kona Site Defender providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss ... |
| V-76449 | | Kona Site Defender providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial-of-service (DoS) incidents are detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss ... |
| V-76451 | | Kona Site Defender must check the validity of all data inputs except those specifically identified by the organization. | Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process ... |
| V-76455 | | Kona Site Defender must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. | Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traff... |
| V-76417 | | Kona Site Defender must off-load audit records onto a centralized log server in real time. | Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in ... |
| V-76441 | | Kona Site Defender providing content filtering must be configured to integrate with a system-wide intrusion detection system. | Without coordinated reporting between separate devices, it is not possible to identify the true scale and possible target of an attack. Integration o... |
| V-76391 | | Kona Site Defender must immediately use updates made to policy enforcement mechanisms to enforce that all traffic flows over HTTPS port 443. | Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes ... |
| V-76393 | | Kona Site Defender must immediately apply updates to the Kona Rule Set to block designated traffic of interest in response to new or emerging threats. | Information flow policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changes ... |
| V-76401 | | Kona Site Defender that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52. | NIST SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or inco... |
| V-76427 | | Kona Site Defender providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptogr... |
| V-76431 | | Kona Site Defender providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptogr... |
| V-76433 | | Kona Site Defender providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. | Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place that are sufficient ... |
| V-76453 | | Kona Site Defender must reveal error messages only to the ISSO, ISSM, and SCA. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |