3.13.15 has a weight of -5 points

(System and Communications Protection Family) 15/16

Protect the authenticity of communications sessions.

Example of System Security Plan (SSP):

  1. Protection against Man-in-the-Middle Attacks:
     Our organization has implemented measures to protect the authenticity of communications sessions, ensuring that they are not susceptible to man-in-the-middle attacks. These measures include the use of strong cryptographic protocols and certificate validation to verify the identities of communicating parties.
  2. Session Hijacking Prevention:
     We have safeguards in place to prevent session hijacking, which involves unauthorized individuals taking control of ongoing communications sessions. Our security measures include robust session management and the use of secure session tokens or cookies to maintain session integrity.
  3. Preventing False Information Insertion:
     We protect communications sessions against the insertion of false information by implementing integrity controls. The use of cryptographic hashing and digital signatures ensures the integrity of transmitted data and prevents tampering.
  4. Communications Protection at the Session Level:
     Our authenticity protection measures extend to the session level, particularly in service-oriented architectures providing web-based services. We establish grounds for confidence at both ends of communications sessions, ensuring ongoing verification of the identities of other parties and the validity of transmitted information.
  5. Use of Strong Cryptographic Protocols:
     We use strong cryptographic protocols to secure communications, providing confidentiality, integrity, and authentication. This ensures that sensitive information is protected from eavesdropping and unauthorized access.
  6. Certificate Validation:
     Our organization performs rigorous certificate validation to verify the authenticity of digital certificates presented during communications sessions. This process helps establish the trustworthiness of the communicating parties.
  7. Guidance from [SP 800-77], [SP 800-95], and [SP 800-113]:
     We follow the guidance provided in [SP 800-77], [SP 800-95], and [SP 800-113] to ensure the secure configuration and management of communications sessions. These standards provide valuable insights into establishing secure communications and addressing potential vulnerabilities.
  8. Continuous Monitoring and Review:
     Our authenticity protection measures for communications sessions are subject to continuous monitoring and review. We proactively address emerging threats and vulnerabilities to maintain a high level of security.
  9. User Authentication and Access Controls:
     We enforce user authentication and access controls to ensure that only authorized individuals can participate in communications sessions. Role-based access controls and strong authentication mechanisms are employed to prevent unauthorized access.

Example of Plan of Action and Milestones (POA&M):

 missing 

 

RELEVANT INFORMATION:

Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. [SP 800-77], [SP 800-95], and [SP 800-113] provide guidance on secure communications sessions.

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.