800-53|AC-23

Title

DATA MINING PROTECTION

Description

The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.

Supplemental

Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: (i) limiting the types of responses provided to database queries; (ii) limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and (iii) notifying organizational personnel when atypical database queries or accesses occur. This control focuses on the protection of organizational information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is now available as open source information residing on external sites, for example, through social networking or social media websites.

Reference Item Details

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P0

Audit Items

View all Reference Audit Items

NamePluginAudit Name
AS24-U2-000680 - The Apache web server must restrict inbound connections from nonsecure zones.UnixDISA STIG Apache Server 2.4 Unix Site v2r4 Middleware
AS24-U2-000680 - The Apache web server must restrict inbound connections from nonsecure zones.UnixDISA STIG Apache Server 2.4 Unix Site v2r4
F5BI-AS-000157 - To protect against data mining, the BIG-IP ASM module must be configured to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields when providing content filtering to virtual servers.F5DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-AS-000159 - To protect against data mining, the BIG-IP ASM module must be configured to prevent code injection attacks launched against application objects, including, at a minimum, application URLs and application code when providing content filtering to virtual servers.F5DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-AS-000161 - To protect against data mining, The BIG-IP ASM module must be configured to prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields when providing content filtering to virtual servers.F5DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-AS-000163 - To protect against data mining, The BIG-IP ASM module must be configured to detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields when providing content filtering to virtual servers.F5DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-AS-000165 - To protect against data mining, The BIG-IP ASM module must be configured to detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields when providing content filtering to virtual servers.F5DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-AS-000167 - The BIG-IP ASM module must be configured to detect code injection attacks launched against application objects including, at a minimum, application URLs and application code, when providing content filtering to virtual servers.F5DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-LT-000157 - To protect against data mining, the BIG-IP Core implementation must be configured to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields when providing content filtering to virtual servers.F5DISA F5 BIG-IP Local Traffic Manager STIG v2r3
F5BI-LT-000159 - To protect against data mining, the BIG-IP Core implementation providing content filtering must be configured to prevent code injection attacks from being launched against application objects, including, at a minimum, application URLs and application code.F5DISA F5 BIG-IP Local Traffic Manager STIG v2r3
F5BI-LT-000161 - To protect against data mining, the BIG-IP Core implementation providing content filtering must be configured to prevent SQL injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, and database fields.F5DISA F5 BIG-IP Local Traffic Manager STIG v2r3
F5BI-LT-000163 - To protect against data mining, the BIG-IP Core implementation providing content filtering must be configured to detect code injection attacks being launched against data storage objects.F5DISA F5 BIG-IP Local Traffic Manager STIG v2r3
F5BI-LT-000165 - To protect against data mining, the BIG-IP Core implementation providing content filtering must be configured to detect SQL injection attacks being launched against data storage objects, including, at a minimum, databases, database records, and database fields.F5DISA F5 BIG-IP Local Traffic Manager STIG v2r3
F5BI-LT-000167 - The BIG-IP Core implementation must be configured to detect code injection attacks being launched against application objects, including, at a minimum, application URLs and application code, when providing content filtering to virtual servers.F5DISA F5 BIG-IP Local Traffic Manager STIG v2r3
JUSX-IP-000011 - To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must prevent code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.JuniperDISA Juniper SRX Services Gateway IDPS v2r1
JUSX-IP-000012 - To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must prevent code injection attacks launched against application objects, including, at a minimum, application URLs and application code.JuniperDISA Juniper SRX Services Gateway IDPS v2r1
JUSX-IP-000013 - To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.JuniperDISA Juniper SRX Services Gateway IDPS v2r1
JUSX-IP-000014 - To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.JuniperDISA Juniper SRX Services Gateway IDPS v2r1
JUSX-IP-000015 - To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must detect code injection attacks launched against application objects, including, at a minimum, application URLs and application code.JuniperDISA Juniper SRX Services Gateway IDPS v2r1
JUSX-IP-000016 - To protect against unauthorized data mining, the Juniper Networks SRX Series Gateway IDPS must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.JuniperDISA Juniper SRX Services Gateway IDPS v2r1
MS.DEFENDER.4.1v2 - A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency. At a minimum, credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) SHALL be blocked.microsoft_azureCISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.4.2v1 - The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams chat, and Devices.microsoft_azureCISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.4.3v1 - The action for the custom policy SHOULD be set to block sharing sensitive information with everyone.microsoft_azureCISA SCuBA Microsoft 365 Defender v1.5.0
MS.EXO.1.1v1 - Automatic forwarding to external domains SHALL be disabled.microsoft_azureCISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.6.1v1 - Contact folders SHALL NOT be shared with all domains.microsoft_azureCISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.6.2v1 - Calendar details SHALL NOT be shared with all domains.microsoft_azureCISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.1v2 - A DLP solution SHALL be used.microsoft_azureCISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.2v2 - The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency.microsoft_azureCISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.3v1 - The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft.microsoft_azureCISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.4v1 - At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email.microsoft_azureCISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.POWERPLATFORM.1.1v1 - The ability to create production and sandbox environments SHALL be restricted to admins.microsoft_azureCISA SCuBA Microsoft 365 Power Platform v1.5.0
MS.POWERPLATFORM.2.1v1 - A DLP policy SHALL be created to restrict connector access in the default Power Platform environment.microsoft_azureCISA SCuBA Microsoft 365 Power Platform v1.5.0
MS.POWERPLATFORM.2.2v1 - Non-default environments SHOULD have at least one DLP policy affecting them.microsoft_azureCISA SCuBA Microsoft 365 Power Platform v1.5.0
MS.SHAREPOINT.1.1v1 - External sharing for SharePoint SHALL be limited to Existing guests or Only people in your organization.microsoft_azureCISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.1.2v1 - External sharing for OneDrive SHALL be limited to Existing guests or Only people in your organization.microsoft_azureCISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.1.3v1 - External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs.microsoft_azureCISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.1.4v1 - Guest access SHALL be limited to the email the invitation was sent to.microsoft_azureCISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.2.1v1 - File and folder default sharing scope SHALL be set to Specific people (only the people the user specifies).microsoft_azureCISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.3.1v1 - Expiration days for Anyone links SHALL be set to 30 days or less.microsoft_azureCISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.TEAMS.3.1v1 - Contact with Skype users SHALL be blocked.microsoft_azureCISA SCuBA Microsoft 365 Teams v1.5.0
MS.TEAMS.6.1v1 - A DLP solution SHALL be enabled. The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft.microsoft_azureCISA SCuBA Microsoft 365 Teams v1.5.0
MS.TEAMS.6.2v1 - The DLP solution SHALL protect personally identifiable information (PII)microsoft_azureCISA SCuBA Microsoft 365 Teams v1.5.0
PANW-AG-000080 - To protect against data mining, the Palo Alto Networks security platform must detect and prevent SQL and other code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.Palo_AltoDISA STIG Palo Alto ALG v3r2
PANW-AG-000081 - To protect against data mining, the Palo Alto Networks security platform must detect and prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.Palo_AltoDISA STIG Palo Alto ALG v3r2
PANW-IP-000032 - To protect against unauthorized data mining, the Palo Alto Networks security platform must detect and prevent SQL and other code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.Palo_AltoDISA STIG Palo Alto IDPS v3r1