Knowledge Base

Topic: Security
CVE-2020-0601 Curveball Vulnerability Guidance

Immediate Action Required 1/22/2020

Microsoft has released a security update to fix “a broad cryptographic vulnerability” impacting the Windows operating system. The bug was discovered and reported by the US National Security Agency (NSA).

THE CVE-2020-0601 BUG

The vulnerability (also known as “Curveball”), tracked as CVE-2020-0601, impacts the Windows CryptoAPI, a core component of the Windows operating system that handles cryptographic operations. According to a Microsoft security advisory, a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.

Certificates

CONS3RT sites supporting government users (e.g. HmC) require the use of PKI certificate credentials for authentication. These can include:

- DoD Common Access Card (CAC)
- External Certificate Authority (ECA) (https://public.cyber.mil/eca/)
- DoD External and Federal PKI Interoperability approved organization (https://public.cyber.mil/pki-pke/)
- MITRE corporate credentials

The 6 sections below cover the most common user questions regarding certificates:

- How to Register with a Certificate
- Obtaining an ECA Certificate
- Logging in to HmC with a Certificate
- Adding a New Certificate or CAC to your account
- Managing your Account Certificates
- Troubleshooting Certificate issues

If you can’t answer your question by perusing this KB, please feel free to submit a support ticket to support@cons3rt.

Firewall Default Configuration

The default firewall configuration of a machine in a deployment run is set as follows:

- Linux inbound ports allowed on the cons3rt-net:
  - 22 TCP
  - 5902 TCP
  - ICMP
- Windows inbound ports allowed on the cons3rt-net:
  - 3389 TCP/UDP
  - 5902 TCP
- All other incoming traffic on the cons3rt-net is either blocked or rejected
- All outgoing traffic on the cons3rt-net is not filtered
- Traffic on all other interfaces is not filtered

Using firewalld

The default firewall configuration is handled on Linux using iptables and iptables-service.

IATT-like Connectivity

By default, teams cannot access systems inside of HmC from an external source other than through the HmC portal. This is by design and part of the security accreditation. However, for organizations with short-term test and evaluation needs, there is an Interim Authority to Test (IATT)-like process for granting temporary inbound access from specific sources. Users can request specific, event-based exceptions to temporarily allow inbound traffic into their HmC cloudspace for the purposes of a preplanned, coordinated test event.

Password Complexity Rules

Complexity Rules:

- Password must be more than 14 and fewer than 121 characters in length
- Password cannot be the same as, nor contain, the user name
- Password must contain at least two uppercase letters
- Password must contain at least two lowercase letters
- Password must contain at least two numbers
- Password must contain at least two special characters

Anti-Virus Whitelist Process

- Submit a ticket
- Scan your file at http://virusscan.jotti.org/en. If more than just ClamAV reports a finding, it is your responsibility to remediate. If only ClamAV has a finding, you can request a whitelist
- Submit the file to site admins (via ticket, email or other delivery)
- Site admin will scan your file. If it passes, add your file name to whitelist. If it fails, reject the request