Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.
- action: global
title: Cleartext Protocol Usage
id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f
description: Ensure that all account usernames and authentication credentials are
transmitted across networks using encrypted channels. Ensure that an encryption
is used for all sensitive information in transit. Ensure that an encrypted channels
is used for all administrative account access.
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
author: Alexandr Yampolskyi, SOC Prime
status: stable
date: 2019/03/26
falsepositives:
- unknown
level: low
tags:
- CSC4
- CSC4.5
- CSC14
- CSC14.4
- CSC16
- CSC16.5
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- NIST CSF 1.1 PR.AC-1
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AC-5
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 PR.DS-1
- NIST CSF 1.1 PR.DS-2
- NIST CSF 1.1 PR.PT-3
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.2.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- ISO 27002-2013 A.8.3.1
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.10.1.1
- PCI DSS 3.2 2.1
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
- PCI DSS 3.2 8.8
- PCI DSS 3.2 1.3
- PCI DSS 3.2 1.4
- PCI DSS 3.2 4.3
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
- logsource:
product: netflow
detection:
selection:
destination.port:
- 8080
- 21
- 80
- 23
- 50000
- 1521
- 27017
- 1433
- 11211
- 3306
- 15672
- 5900
- 5901
- 5902
- 5903
- 5904
condition: selection
- logsource:
product: firewall
detection:
selection1:
destination.port:
- 8080
- 21
- 80
- 23
- 50000
- 1521
- 27017
- 3306
- 1433
- 11211
- 15672
- 5900
- 5901
- 5902
- 5903
- 5904
selection2:
action:
- forward
- accept
- 2
condition: selection1 AND selection2
In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')
In [ ]:
s = searchContext.query('query_string', query='destination.port:("8080" OR "21" OR "80" OR "23" OR "50000" OR "1521" OR "27017" OR "1433" OR "11211" OR "3306" OR "15672" OR "5900" OR "5901" OR "5902" OR "5903" OR "5904")')
response = s.execute()
if response.success():
df = pd.DataFrame((d.to_dict() for d in s.scan()))
In [ ]:
s = searchContext.query('query_string', query='(destination.port:("8080" OR "21" OR "80" OR "23" OR "50000" OR "1521" OR "27017" OR "3306" OR "1433" OR "11211" OR "15672" OR "5900" OR "5901" OR "5902" OR "5903" OR "5904") AND action:("forward" OR "accept" OR "2"))')
response = s.execute()
if response.success():
df = pd.DataFrame((d.to_dict() for d in s.scan()))
In [ ]:
df.head()