Remote Support 21.1 Vulnerability Scan Reports
©2003-2021 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified in this document are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.
TC:1/12/2021
21.1.1 Remote Support FISMA Compliance Report
This report includes important security information about FISMA compliance of BeyondTrust Remote Support 21.1.1.
[US] Federal Information Security Mgmt. Act (FISMA) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712. Scan started: 12/29/2020 9:37:28 AM
Regulations
Federal Information Security Management Act (FISMA)
Summary
The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law by the President as part of the Electronic Government Act of 2002. It provides a framework to ensure comprehensive measures are taken to secure federal information and assets. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
The Office of Management and Budget (OMB) requires federal agencies to prepare Plans of Action and Milestones Process (POA&Ms) reports for all programs and systems where they have found an IT security weakness. CIOs and agency program officials must develop, implement, and manage POA&Ms for all programs and systems they operate and control. Program officials must regularly update the agency CIO on their progress so the CIO can monitor agency-wide remediation efforts and provide the agency's quarterly update to OMB.
Agencies must submit a report to the OMB that summarizes the results of annual IT security reviews of systems and programs, and any progress the agency has made towards fulfilling their FISMA goals and milestones.
OMB uses the reports to help evaluate government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and inform development of the E-Government Scorecard under the President's Management Agenda. The report must summarize the results of annual IT security reviews of systems and programs, and any progress the agency has made towards fulfilling their FISMA goals and milestones.
FISMA requires that federal agency officials understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that appropriately mitigate risk to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.
FISMA Implementation
Phase I: Standards and Guidelines Development
The first phase of the FISMA Implementation Project focuses on the development and updating of the security standards and guidance required to effectively implement the provisions of the legislation. The implementation of the NIST standards and guidance will help agencies create and maintain robust information security programs and effectively manage risk to agency operations, agency assets, and individuals.
12/31/2020 1
Phase II: Implementation and Assessment Aids
The second phase of the FISMA Implementation Project is focused on providing information system implementation and assessment reference materials for building common understanding in applying the NIST suite of publications supporting the Risk Management Framework (RMF).
NIST Implementation Documents
NIST develops and issues standards, guidelines and other publications to assist federal agencies in implementing FISMA, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems.
Federal Information Processing Standards (FIPS) are approved by the Secretary of Commerce and issued by NIST in accordance with FISMA. FIPS are compulsory and binding for federal agencies. FISMA requires that federal agencies comply with these standards, and therefore, agencies may not waive their use. FIPS 200 mandates the use of Special Publication 800-53, as amended.
AppScan and FISMA
AppScan's FISMA compliance report will automatically detect possible issues in your Web environment that may be relevant to your overall compliance with the minimum security controls recommendations as set in the security catalog of NIST Special Publication 800-53. This report was constructed according to the HIGH-IMPACT Information Systems baseline. Organizations that use a low or moderate control baseline may have to adjust the results accordingly.
Covered Entities
All Federal agencies and organizations which possess or use Federal information -- or which operate, use, or have access to Federal information systems -- on behalf of a Federal agency, including contractors, grantees, State and local governments, and industry partners.
Effective Date
December 2002
Compliance Required by
Federal agencies must submit their annual IT review reports to the OMB by October of each year.
Regulators/Auditors
The Office of Management and Budget (OMB).
For more information on securing web applications, please visit: http://www-03.ibm.com/software/products/en/category/application-security
The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
Violated Section
Issues detected across 0/23 sections of the regulation:

| Sections | Number of Issues |
|---|---|
| Sec. 3544.(A), Sec. 3547(1) - The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—(i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; | 0 |
| Sec. 3544.(B) - The head of each agency shall be responsible for complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including—(i) information security standards promulgated under section 11331 of title 40; and (ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; | 0 |
| NIST SP 800-53, AC-3 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | 0 |
| NIST SP 800-53, AC-6 - The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. | 0 |
| NIST SP 800-53, AC-10 - The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. | 0 |
| NIST SP 800-53, AC-11 - The organization prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and retains the session lock until the user reestablishes access using established identification and authentication procedures. | 0 |
| NIST SP 800-53, AC-17 - The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and Authorizes remote access to the information system prior to allowing such connections. | 0 |
| NIST SP 800-53, CM-6 - The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. | 0 |
| NIST SP 800-53, CM-7 - The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. | 0 |
| NIST SP 800-53, IA-2 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). | 0 |
| NIST SP 800-53, IA-4.D - The organization manages information system identifiers for users and devices by preventing reuse of user or device identifiers for [Assignment: organization-defined time period]. | 0 |
| NIST SP 800-53, IA-4.E - The organization manages information system identifiers for users and devices by disabling the user identifier after [Assignment: organization-defined time period of inactivity]. | 0 |
| NIST SP 800-53, IA-5.C - The organization manages information system authenticators for users and devices by ensuring that authenticators have sufficient strength of mechanism for their intended use. | 0 |
| NIST SP 800-53, IA-5.E - The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation. | 0 |
| NIST SP 800-53, RA-5.A - The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported. | 0 |
| NIST SP 800-53, SC-5 - The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. | 0 |
| NIST SP 800-53, SC-8 - The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. | 0 |
| NIST SP 800-53, SC-13 - The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | 0 |
| NIST SP 800-53, SC-23 - The information system protects the authenticity of communications sessions. | 0 |
| NIST SP 800-53, SI-3.A - Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; | 0 |
| NIST SP 800-53, SI-3.B - The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; | 0 |
| NIST SP 800-53, SI-10 - The information system checks the validity of information inputs. | 0 |
| NIST SP 800-53, SI-11.A - Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; | 0 |

Section Violation By Issue
0 unique issues detected across 0/23 sections of the regulation:

| URL | Entity | Issue Type | Sections |
|---|---|---|---|
Detailed Security Issues by Sections
Sec. 3544.(A), Sec. 3547(1) - The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—(i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; (0 issues)
Sec. 3544.(B) - The head of each agency shall be responsible for complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including—(i) information security standards promulgated under section 11331 of title 40; and (ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; (0 issues)
NIST SP 800-53, AC-3 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. (0 issues)
NIST SP 800-53, AC-6 - The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (0 issues)
NIST SP 800-53, AC-10 - The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. (0 issues)
NIST SP 800-53, AC-11 - The organization prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and retains the session lock until the user reestablishes access using established identification and authentication procedures. (0 issues)
NIST SP 800-53, AC-17 - The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and Authorizes remote access to the information system prior to allowing such connections. (0 issues)
NIST SP 800-53, CM-6 - The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (0 issues)
NIST SP 800-53, CM-7 - The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. (0 issues)
NIST SP 800-53, IA-2 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). (0 issues)
NIST SP 800-53, IA-4.D - The organization manages information system identifiers for users and devices by preventing reuse of user or device identifiers for [Assignment: organization-defined time period]. (0 issues)
NIST SP 800-53, IA-4.E - The organization manages information system identifiers for users and devices by disabling the user identifier after [Assignment: organization-defined time period of inactivity]. (0 issues)
NIST SP 800-53, IA-5.C - The organization manages information system authenticators for users and devices by ensuring that authenticators have sufficient strength of mechanism for their intended use. (0 issues)
NIST SP 800-53, IA-5.E - The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation. (0 issues)
NIST SP 800-53, RA-5.A - The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported. (0 issues)
NIST SP 800-53, SC-5 - The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. (0 issues)
NIST SP 800-53, SC-8 - The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. (0 issues)
NIST SP 800-53, SC-13 - The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. (0 issues)
NIST SP 800-53, SC-23 - The information system protects the authenticity of communications sessions. (0 issues)
NIST SP 800-53, SI-3.A - Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; (0 issues)
NIST SP 800-53, SI-3.B - The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; (0 issues)
NIST SP 800-53, SI-10 - The information system checks the validity of information inputs. (0 issues)
NIST SP 800-53, SI-11.A - Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; (0 issues)
21.1.1 Remote Support GDPR Compliance Report
This report includes important security information about GDPR compliance of BeyondTrust Remote Support 21.1.1.
[EU] Regulation 2016/679 Of The European Parliament And Of The Council (GDPR) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712. Scan started: 12/29/2020 9:37:28 AM
Regulations
Regulation 2016/679 Of The European Parliament And Of The Council - General Data Protection Regulation (GDPR)
Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings here: https://ibm.com/gdpr
Learn more about GDPR on the European Union's Data Protection website here: https://ec.europa.eu/info/law/law-topic/data-protection_en
Please note that the table header 'Number of Issues' carries that naming due to technical reasons. It does not necessarily indicate actual legal issues in the context of GDPR, but rather points out areas of interest. A legally binding assessment of the applicability of any areas of interest shown in this report can and should only be made by a legal professional.
GDPR Articles
Issues detected across 0/4 sections of the regulation:

| Sections | Number of Issues |
|---|---|
| Article 25(1) - Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. | 0 |
| Article 32(1)(a) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data. | 0 |
| Article 32(1)(b) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. | 0 |
| Article 32(2) - In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed | 0 |

Section Violation By Issue
0 unique issues detected across 0/4 sections of the regulation:

| URL | Entity | Issue Type | Sections |
|---|---|---|---|
Detailed Security Issues by Sections
Article 25(1) - Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. (0 issues)
Article 32(1)(a) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data. (0 issues)
Article 32(1)(b) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. (0 issues)
Article 32(2) - In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed (0 issues)
21.1.1 Remote Support HIPAA Compliance Report
This report includes important security information about HIPAA compliance of BeyondTrust Remote Support 21.1.1.
[US] Healthcare Services (HIPAA) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712. Scan started: 12/29/2020 9:37:28 AM
Regulations
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 - Security and Privacy Regulations
Summary
HIPAA provides federal protections for personal health information held by covered entities and gives patients a set of rights with respect to that information. However, HIPAA does permit the disclosure of personal health information needed for patient care and other important and necessary purposes.
Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the health care system.
The United States Department of Health and Human Services (HHS) has issued regulations implementing those provisions of HIPAA regulating the privacy and security of individuals' medical records.
Covered Information
The Rules limit the use and disclosure of personal health information by Covered Entities. Protected health information is individually identifiable health information that is transmitted or maintained in any form or medium, and which relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care. Information is "individually identifiable" if it actually identifies an individual or contains information that could reasonably be used to identify an individual.
HIPAA requires measures to be taken to secure this information while in the custody of covered entities as well as in transit between covered entities and from covered entities to others.
The Privacy Rule requires that covered entities, among other things, (i) obtain prior written authorization to use or disclose certain personal health information for any purpose other than payment, health care treatment or health care operations, (ii) give patients access to certain personal health information upon request, (iii) institute procedural safeguards to protect personal health information, and (iv) limit the use and disclosure of such information to the minimum necessary to achieve the intended purpose for such information.
The Security Rule requires that covered entities, among other things, implement administrative, technical, and physical safeguards to (i) ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits; (ii) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; (iii) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Security Rule; and (iv) ensure compliance with the Security Rule by the covered entity's workforce.
In recognition of the security threats to Electronic Protected Health Information (EPHI), HHS has published HIPAA Privacy and Security Rules guidance documents to implement a privacy and security framework for the electronic exchange of individually identifiable health information. These guidance documents discuss how the privacy and security rules can facilitate the safe and adequate exchange of electronic health information and how to deal with the challenges that the use and exchange of electronic health information poses.
Covered Entities
The Rules apply to four types of entities: health care providers, health plans, health care clearinghouses and prescription drug card sponsors (collectively "Covered Entities"). This generally means those providing health care, those paying for (insuring) health care and data processors that assist in the preceding.
Compliance Penalties
A fine may be imposed on any person or covered entity that violates any HIPAA requirement. The civil monetary penalty for violating transaction standards is up to $100 per person per violation and up to $25,000 per person per violation of a single standard per calendar year.
The fine may be reduced or waived entirely if the violation was not due to willful neglect of the requirements, and if the entity corrects it within 30 days of becoming aware of it.
Federal criminal penalties can also be placed upon health plans, providers and health care clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses. Penalties would be higher for actions designed to generate monetary gain.
Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to ten years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
Effective date
April 14, 2001
Security Rule – April 21, 2003
Privacy Rule – April 14, 2003
Compliance Required by
Privacy provisions - April 14, 2003
Security provisions - April 20, 2005
Administrative provisions – July 1, 2005
Regulators/Administrators
United States Department of Health and Human Services
Office for Civil Rights
AppScan's HIPAA Compliance Report
AppScan's HIPAA compliance report will automatically detect possible issues in your Web environment that may be relevant to your overall compliance with the HIPAA Security Rule requirements and related required activities as described in the NIST resource guide for HIPAA security rule implementation.
Note
Addressable Issue - as appears in this report means a covered entity must -
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity -
    (A) Implement the implementation specification if reasonable and appropriate; or
    (B) If implementing the implementation specification is not reasonable and appropriate -
        (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
        (2) Implement an equivalent alternative measure if reasonable and appropriate.
Possible Issue - as appears in this report means the detected results may imply that a required implementation specification is not met.
For more information on securing web applications, please visit http://www-03.ibm.com/software/products/en/category/application-security
The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
Violated Section
Issues detected across 0/12 sections of the regulation:

| Sections | Number of Issues |
|---|---|
| S. Rule - Part 164, Subpart C, 164.308(a)(3)(i) - Addressable Issue - Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information. | 0 |
| S. Rule - Part 164, Subpart C, 164.308(a)(3)(ii)(A) - Addressable Issue - Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. | 0 |
| S. Rule - Part 164, Subpart C, 164.308(a)(4)(i) - Possible Issue - Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part, the Privacy Rule. | 0 |
| S. Rule - Part 164, Subpart C, 164.308(a)(4)(ii)(B) - Possible Issue - Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. | 0 |
| S. Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(D) - Addressable Issue - Implement procedures for creating, changing, and safeguarding passwords | 0 |
| S. Rule - Part 164, Subpart C, 164.312(a)(1) - Possible Issue - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in section 164.308(a)(4). | 0 |
| S. Rule - Part 164, Subpart C, 164.312(a)(2)(iv) - Addressable Issue - Implement a mechanism to encrypt and decrypt electronic protected health information. | 0 |
| NIST Resource Guide - Section 4.14, Activity 8 - Addressable Issue - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | 0 |
| S. Rule - Part 164, Subpart C, 164.312(c)(1) - Possible Issue - Implement policies and procedures to protect private health information from improper alteration or destruction | 0 |
| S. Rule - Part 164, Subpart C, 164.312(d) - Possible Issue - Implement procedures to verify that a person or entity seeking access to private health information is the one claimed | 0 |
| S. Rule - Part 164, Subpart C, 164.312(e)(1) - Possible Issue - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. | 0 |
| S. Rule - Part 164, Subpart C, 164.312(e)(2)(ii) - Addressable Issue - Implement a mechanism to encrypt electronic private health information whenever deemed appropriate | 0 |
Section Violation By Issue
0 Unique issues detected across 0/12 sections of the regulation:

| URL | Entity | Issue Type | Sections |
|---|---|---|---|

Detailed Security Issues by Sections
| Sections | Number of Issues |
|---|---|
| S. Rule - Part 164, Subpart C, 164.308(a)(3)(i) - Addressable Issue - Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information. | 0 |
| S. Rule - Part 164, Subpart C, 164.308(a)(3)(ii)(A) - Addressable Issue - Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. | 0 |
| S. Rule - Part 164, Subpart C, 164.308(a)(4)(i) - Possible Issue - Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part, the Privacy Rule. | 0 |
| S. Rule - Part 164, Subpart C, 164.308(a)(4)(ii)(B) - Possible Issue - Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. | 0 |
| S. Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(D) - Addressable Issue - Implement procedures for creating, changing, and safeguarding passwords | 0 |
| S. Rule - Part 164, Subpart C, 164.312(a)(1) - Possible Issue - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in section 164.308(a)(4). | 0 |
| S. Rule - Part 164, Subpart C, 164.312(a)(2)(iv) - Addressable Issue - Implement a mechanism to encrypt and decrypt electronic protected health information. | 0 |
| NIST Resource Guide - Section 4.14, Activity 8 - Addressable Issue - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | 0 |
| S. Rule - Part 164, Subpart C, 164.312(c)(1) - Possible Issue - Implement policies and procedures to protect private health information from improper alteration or destruction | 0 |
| S. Rule - Part 164, Subpart C, 164.312(d) - Possible Issue - Implement procedures to verify that a person or entity seeking access to private health information is the one claimed | 0 |
| S. Rule - Part 164, Subpart C, 164.312(e)(1) - Possible Issue - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. | 0 |
| S. Rule - Part 164, Subpart C, 164.312(e)(2)(ii) - Addressable Issue - Implement a mechanism to encrypt electronic private health information whenever deemed appropriate | 0 |
21.1.1 Remote Support OWASP Top 10 Report
This report includes important security information about test coverage of the OWASP Top 10 weaknesses by BeyondTrust Remote Support 21.1.1
OWASP Top 10 2017 Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712
Scan started: 12/29/2020 9:37:28 AM
Regulations
OWASP Top Ten 2017 – The Ten Most Critical Web Application Security Risks
Summary
Description
The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. Development projects should address these potential risks in their requirements documents and design, build and test their applications to ensure that they have taken the necessary measures to reduce these risks to the minimum. Project managers should include time and budget for application security activities including developer training, application security policy development, security mechanism design and development, penetration testing, and security code review as part of the overall effort to address the risks.
The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security risks. The Top 10 provides basic guidance on how to protect against these risks and where to go to learn more on how to address them.
Although set out as an education piece, rather than a standard or a regulation, it is important to note that several prominent industry and government regulators are referencing the OWASP top ten. These bodies include among others VISA USA, MasterCard International and the American Federal Trade Commission (FTC).
However, according to the OWASP team the OWASP top ten is first and foremost an education piece, not a standard. The OWASP team suggests that any organization about to adopt the Top Ten paper as a policy or standard consult with the OWASP team first.
What Changed From 2013 to 2017?
The threat landscape for applications and APIs constantly changes. Key factors in this evolution are the rapid adoption of new technologies (including cloud, containers, and APIs), the acceleration and automation of software development processes like Agile and DevOps, the explosion of third-party libraries and frameworks, and advances made by attackers. These factors frequently make applications and APIs more difficult to analyze, and can significantly change the threat landscape. To keep pace, the OWASP organization periodically updates the OWASP Top 10. In this 2017 release, the following changes were made:
- Merged 2013-A4: "Insecure Direct Object References" and 2013-A7: "Missing Function Level Access Control" into 2017-A5: "Broken Access Control".
- Dropped 2013-A8: "Cross-Site Request Forgery (CSRF)"; as many frameworks include CSRF defenses, it was found in only 5% of applications.
- Dropped 2013-A10: "Unvalidated Redirects and Forwards"; while found in approximately 8% of applications, it was edged out overall by XXE.
- Added 2017-A4: "XML External Entities (XXE)".
- Added 2017-A8: "Insecure Deserialization".
- Added 2017-A10: "Insufficient Logging and Monitoring".
Covered Entities
All companies and other entities that develop any kind of web application code are encouraged to address the top ten list as part of their overall security risk management. Adopting the OWASP Top Ten is an effective first step towards changing the software development culture within the organization into one that produces secure code.
For more information on OWASP Top Ten, please review the OWASP Top Ten 2017 – The Ten Most Critical Web Application Security Risks, at http://www.owasp.org
For more information on securing web applications, please visit http://www-03.ibm.com/software/products/en/category/application-security
Violated Section
Issues detected across 0/10 sections of the regulation:

| Sections | Number of Issues |
|---|---|
| A1 - Injection | 0 |
| A2 - Broken authentication | 0 |
| A3 - Sensitive Data Exposure | 0 |
| A4 - XML External Entities (XXE) | 0 |
| A5 - Broken Access Control | 0 |
| A6 - Security Misconfiguration | 0 |
| A7 - Cross site scripting (XSS) | 0 |
| A8 - Insecure Deserialization | 0 |
| A9 - Using Components with Known Vulnerabilities | 0 |
| A10 - Insufficient Logging and Monitoring | 0 |
Section Violation By Issue
0 Unique issues detected across 0/10 sections of the regulation:

| URL | Entity | Issue Type | Sections |
|---|---|---|---|

Detailed Security Issues by Sections

| Sections | Number of Issues |
|---|---|
| A1 - Injection | 0 |
| A2 - Broken authentication | 0 |
| A3 - Sensitive Data Exposure | 0 |
| A4 - XML External Entities (XXE) | 0 |
| A5 - Broken Access Control | 0 |
| A6 - Security Misconfiguration | 0 |
| A7 - Cross site scripting (XSS) | 0 |
| A8 - Insecure Deserialization | 0 |
| A9 - Using Components with Known Vulnerabilities | 0 |
| A10 - Insufficient Logging and Monitoring | 0 |
21.1.1 Remote Support PCI Compliance Report
This report includes important security information about PCI compliance of BeyondTrust Remote Support 21.1.1
The Payment Card Industry Data Security Standard (PCI DSS) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712
Scan started: 12/29/2020 9:37:28 AM
Regulations
The Payment Card Industry Data Security Standard (PCI) Version 3.2.1
Summary
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data.
PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.
The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.
"System components" include network devices, servers, computing devices, and applications. Examples of system components include but are not limited to the following:
- Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of (for example, name resolution or web redirection servers) the CDE.
- Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
- Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
- Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
- Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
- Any other component or device located within or connected to the CDE.
Covered Entities
PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
PCI DSS requirements apply to organizations and environments where account data (cardholder data and/or sensitive authentication data) is stored, processed or transmitted. Some PCI DSS requirements may also be applicable to organizations that have outsourced their payment operations or management of their CDE. Additionally, organizations that outsource their CDE or payment operations to third parties are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements.
Compliance Penalties
If a merchant or service provider does not comply with the security requirements or fails to rectify a security issue, the card companies may fine the acquiring member, or impose restrictions on the merchant or its agent.
Compliance Required By
PCI DSS version 3.2.1 has replaced PCI DSS version 3.2 and is effective as of May 2018. The PCI DSS version 3.2 may not be used for PCI DSS compliance after December 31, 2018.
Regulators
The PCI Security Standards Council, and its founding members including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.
For more information on the PCI Data Security Standard, please visit:
https://www.pcisecuritystandards.org./index.htm
For more information on securing web applications, please visit http://www-01.ibm.com/software/rational/offerings/websecurity/
Copyright: The PCI information contained in this report is proprietary to PCI Security Standards Council, LLC. Any use of this material is subject to the PCI SECURITY STANDARDS COUNCIL, LLC LICENSE AGREEMENT that can be found at:
https://www.pcisecuritystandards.org./tech/download_the_pci_dss.htm
Violated Section
Issues detected across 0/32 sections of the regulation:

| Sections | Number of Issues |
|---|---|
| Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters. | 0 |
| Requirement 2.1 - Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc. | 0 |
| Requirement 2.2.2 - Enable only necessary services, protocols, daemons, etc., as required for the function of the system. | 0 |
| Requirement 2.2.4 - Configure system security parameters to prevent misuse. | 0 |
| Requirement 2.2.5 - Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems. | 0 |
| Requirement 2.3 - Encrypt all non-console administrative access using strong cryptography. | 0 |
| Requirement 2.6 - This section applies to web applications that are used by hosting providers for hosting purposes – Hosting providers must protect each entity's hosted environment and data. | 0 |
| Requirement 4 - Encrypt transmission of cardholder data across open, public networks. | 0 |
| Requirement 4.1 - Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions or configurations. - The encryption strength is appropriate for the encryption methodology in use. | 0 |
| Requirement 6 - Develop and maintain secure systems and applications. | 0 |
| Requirement 6.1 - Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities. | 0 |
| Requirement 6.2 - Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1 | 0 |
| Requirement 6.3 - Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: • In accordance with PCI DSS (for example, secure authentication and logging) • Based on industry standards and/or best practices. • Incorporating information security throughout the software-development life cycle. Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party. | 0 |
| Requirement 6.3.1 - Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers. | 0 |
| Requirement 6.4.4 - Removal of test data and accounts from system components before the system becomes active/goes into production. | 0 |
| Requirement 6.5 - Address common coding vulnerabilities in software-development processes as follows: • Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. • Develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements. | 0 |
| Requirement 6.5.1 - Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. | 0 |
| Requirement 6.5.2 - Buffer overflow | 0 |
| Requirement 6.5.3 - Insecure cryptographic storage | 0 |
| Requirement 6.5.4 - Insecure communications | 0 |
| Requirement 6.5.5 - Improper error handling | 0 |
| Requirement 6.5.7 - Cross site scripting (XSS) | 0 |
| Requirement 6.5.8 - Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). | 0 |
| Requirement 6.5.9 - Cross site request forgery (CSRF) | 0 |
| Requirement 6.5.10 - Broken authentication and session management. Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement | 0 |
| Requirement 6.6 - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2. • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. | 0 |
| Requirement 7 - Restrict access to data by business need-to-know | 0 |
| Requirement 7.1 - Limit access to system components and cardholder data to only those individuals whose job requires such access. | 0 |
| Requirement 7.1.2 - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. | 0 |
| Requirement 8.2 - In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: • Something you know, such as a password or passphrase • Something you have, such as a token device or smart card • Something you are, such as a biometric. | 0 |
| Requirement 8.2.1 - Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. | 0 |
| Requirement 8.7 - All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: • All user access to, user queries of, and user actions on databases are through programmatic methods. • Only database administrators have the ability to directly access or query databases. • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). | 0 |
Section Violation By Issue
0 Unique issues detected across 0/32 sections of the regulation:

| URL | Entity | Issue Type | Sections |
|---|---|---|---|

Detailed Security Issues by Sections
| Sections | Number of Issues |
|---|---|
| Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters. | 0 |
| Requirement 2.1 - Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc. | 0 |
| Requirement 2.2.2 - Enable only necessary services, protocols, daemons, etc., as required for the function of the system. | 0 |
| Requirement 2.2.4 - Configure system security parameters to prevent misuse. | 0 |
| Requirement 2.2.5 - Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems. | 0 |
| Requirement 2.3 - Encrypt all non-console administrative access using strong cryptography. | 0 |
| Requirement 2.6 - This section applies to web applications that are used by hosting providers for hosting purposes – Hosting providers must protect each entity's hosted environment and data. | 0 |
| Requirement 4 - Encrypt transmission of cardholder data across open, public networks. | 0 |
| Requirement 4.1 - Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions or configurations. - The encryption strength is appropriate for the encryption methodology in use. | 0 |
| Requirement 6 - Develop and maintain secure systems and applications. | 0 |
| Requirement 6.1 - Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities. | 0 |
| Requirement 6.2 - Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1 | 0 |
| Requirement 6.3 - Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: • In accordance with PCI DSS (for example, secure authentication and logging) • Based on industry standards and/or best practices. • Incorporating information security throughout the software-development life cycle. Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party. | 0 |
| Requirement 6.3.1 - Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers. | 0 |
| Requirement 6.4.4 - Removal of test data and accounts from system components before the system becomes active/goes into production. | 0 |
| Requirement 6.5 - Address common coding vulnerabilities in software-development processes as follows: • Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. • Develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements. | 0 |
| Requirement 6.5.1 - Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. | 0 |
| Requirement 6.5.2 - Buffer overflow | 0 |
| Requirement 6.5.3 - Insecure cryptographic storage | 0 |
| Requirement 6.5.4 - Insecure communications | 0 |
| Requirement 6.5.5 - Improper error handling | 0 |
| Requirement 6.5.7 - Cross site scripting (XSS) | 0 |
| Requirement 6.5.8 - Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). | 0 |
| Requirement 6.5.9 - Cross site request forgery (CSRF) | 0 |
| Requirement 6.5.10 - Broken authentication and session management. Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement | 0 |
| Requirement 6.6 - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2. • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. | 0 |
| Requirement 7 - Restrict access to data by business need-to-know | 0 |
| Requirement 7.1 - Limit access to system components and cardholder data to only those individuals whose job requires such access. | 0 |
| Requirement 7.1.2 - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. | 0 |
| Requirement 8.2 - In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: • Something you know, such as a password or passphrase • Something you have, such as a token device or smart card • Something you are, such as a biometric. | 0 |
| Requirement 8.2.1 - Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. | 0 |
| Requirement 8.7 - All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: • All user access to, user queries of, and user actions on databases are through programmatic methods. • Only database administrators have the ability to directly access or query databases. • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). | 0 |