800-53|AC-23

800-53|AC-23

Title

DATA MINING PROTECTION

Description

The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.

Supplemental

Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: (i) limiting the types of responses provided to database queries; (ii) limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and (iii) notifying organizational personnel when atypical database queries or accesses occur. This control focuses on the protection of organizational information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is now available as open source information residing on external sites, for example, through social networking or social media websites.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P0

Audit Items

Name	Plugin	Audit Name
AS24-U2-000680 - The Apache web server must restrict inbound connections from nonsecure zones.	Unix	DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware
AS24-U2-000680 - The Apache web server must restrict inbound connections from nonsecure zones.	Unix	DISA STIG Apache Server 2.4 Unix Site v2r4
F5BI-AS-000157 - To protect against data mining, the BIG-IP ASM module must be configured to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields when providing content filtering to virtual servers.	F5	DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-AS-000159 - To protect against data mining, the BIG-IP ASM module must be configured to prevent code injection attacks launched against application objects, including, at a minimum, application URLs and application code when providing content filtering to virtual servers.	F5	DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-AS-000161 - To protect against data mining, The BIG-IP ASM module must be configured to prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields when providing content filtering to virtual servers.	F5	DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-AS-000163 - To protect against data mining, The BIG-IP ASM module must be configured to detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields when providing content filtering to virtual servers.	F5	DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-AS-000165 - To protect against data mining, The BIG-IP ASM module must be configured to detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields when providing content filtering to virtual servers.	F5	DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-AS-000167 - The BIG-IP ASM module must be configured to detect code injection attacks launched against application objects including, at a minimum, application URLs and application code, when providing content filtering to virtual servers.	F5	DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-LT-000157 - To protect against data mining, the BIG-IP Core implementation must be configured to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields when providing content filtering to virtual servers.	F5	DISA F5 BIG-IP Local Traffic Manager STIG v2r3
F5BI-LT-000159 - To protect against data mining, the BIG-IP Core implementation providing content filtering must be configured to prevent code injection attacks from being launched against application objects, including, at a minimum, application URLs and application code.	F5	DISA F5 BIG-IP Local Traffic Manager STIG v2r3
F5BI-LT-000161 - To protect against data mining, the BIG-IP Core implementation providing content filtering must be configured to prevent SQL injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, and database fields.	F5	DISA F5 BIG-IP Local Traffic Manager STIG v2r3
F5BI-LT-000163 - To protect against data mining, the BIG-IP Core implementation providing content filtering must be configured to detect code injection attacks being launched against data storage objects.	F5	DISA F5 BIG-IP Local Traffic Manager STIG v2r3
F5BI-LT-000165 - To protect against data mining, the BIG-IP Core implementation providing content filtering must be configured to detect SQL injection attacks being launched against data storage objects, including, at a minimum, databases, database records, and database fields.	F5	DISA F5 BIG-IP Local Traffic Manager STIG v2r3
F5BI-LT-000167 - The BIG-IP Core implementation must be configured to detect code injection attacks being launched against application objects, including, at a minimum, application URLs and application code, when providing content filtering to virtual servers.	F5	DISA F5 BIG-IP Local Traffic Manager STIG v2r3
JUSX-IP-000011 - To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must prevent code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.	Juniper	DISA Juniper SRX Services Gateway IDPS v1r2
JUSX-IP-000012 - To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must prevent code injection attacks launched against application objects, including, at a minimum, application URLs and application code.	Juniper	DISA Juniper SRX Services Gateway IDPS v1r2
JUSX-IP-000013 - To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.	Juniper	DISA Juniper SRX Services Gateway IDPS v1r2
JUSX-IP-000014 - To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.	Juniper	DISA Juniper SRX Services Gateway IDPS v1r2
JUSX-IP-000015 - To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must detect code injection attacks launched against application objects, including, at a minimum, application URLs and application code.	Juniper	DISA Juniper SRX Services Gateway IDPS v1r2
JUSX-IP-000016 - To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.	Juniper	DISA Juniper SRX Services Gateway IDPS v1r2
PANW-AG-000080 - To protect against data mining, the Palo Alto Networks security platform must detect and prevent SQL and other code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.	Palo_Alto	DISA STIG Palo Alto ALG v2r4
PANW-AG-000081 - To protect against data mining, the Palo Alto Networks security platform must detect and prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.	Palo_Alto	DISA STIG Palo Alto ALG v2r4
PANW-IP-000032 - To protect against unauthorized data mining, the Palo Alto Networks security platform must detect and prevent SQL and other code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.	Palo_Alto	DISA STIG Palo Alto IDPS v2r3

Name

Plugin

Audit Name

AS24-U2-000680 - The Apache web server must restrict inbound connections from nonsecure zones.

Unix

DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware

AS24-U2-000680 - The Apache web server must restrict inbound connections from nonsecure zones.

Unix

DISA STIG Apache Server 2.4 Unix Site v2r4

F5BI-AS-000157 - To protect against data mining, the BIG-IP ASM module must be configured to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields when providing content filtering to virtual servers.

DISA F5 BIG-IP Application Security Manager STIG v2r1

F5BI-AS-000159 - To protect against data mining, the BIG-IP ASM module must be configured to prevent code injection attacks launched against application objects, including, at a minimum, application URLs and application code when providing content filtering to virtual servers.