compliance controls are associated with this Policy definition 'Azure DDoS Protection should be enabled' (a7aca53f-2ed4-4466-a25e-0b45ade68efd)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
AU_ISM |
1431 |
AU_ISM_1431 |
AU ISM 1431 |
Guidelines for Networking - Service continuity for online services |
Denial of service strategies - 1431 |
|
n/a |
Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:
• their capacity to withstand denial-of-service attacks
• any costs likely to be incurred as a result of denial-of-service attacks
• thresholds for notification of denial-of-service attacks
• thresholds for turning off online services during denial-of-service attacks
• pre-approved actions that can be undertaken during denial-of-service attacks
• denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible. |
link |
1 |
Azure_Security_Benchmark_v1.0 |
1.4 |
Azure_Security_Benchmark_v1.0_1.4 |
Azure Security Benchmark 1.4 |
Network Security |
Deny communications with known malicious IP addresses |
Customer |
Enable DDoS Standard protection on your Azure Virtual Networks to guard against DDoS attacks. Use Azure Security Center Integrated Threat Intelligence to deny communications with known malicious IP addresses.
Deploy Azure Firewall at each of the organization's network boundaries with Threat Intelligence enabled and configured to "Alert and deny" for malicious network traffic.
Use Azure Security Center Just In Time Network access to configure NSGs to limit exposure of endpoints to approved IP addresses for a limited period.
Use Azure Security Center Adaptive Network Hardening to recommend NSG configurations that limit ports and source IPs based on actual traffic and threat intelligence.
How to configure DDoS protection:
https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection
How to deploy Azure Firewall:
https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal
Understand Azure Security Center Integrated Threat Intelligence:
https://docs.microsoft.com/azure/security-center/security-center-alerts-service-layer
Understand Azure Security Center Adaptive Network Hardening:
https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening
Understand Azure Security Center Just In Time Network Access Control:
https://docs.microsoft.com/azure/security-center/security-center-just-in-time |
n/a |
link |
3 |
Azure_Security_Benchmark_v2.0 |
NS-4 |
Azure_Security_Benchmark_v2.0_NS-4 |
Azure Security Benchmark NS-4 |
Network Security |
Protect applications and services from external network attacks |
Customer |
Protect Azure resources against attacks from external networks, including distributed denial of service (DDoS) Attacks, application specific attacks, and unsolicited and potentially malicious internet traffic. Azure includes native capabilities for this:
- Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations.
- Use Web Application Firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services, and APIs against application layer attacks.
- Protect your assets against DDoS attacks by enabling DDoS protection on your Azure virtual networks.
- Use Azure Security Center to detect misconfiguration risks related to the above.
Azure Firewall Documentation: https://docs.microsoft.com/azure/firewall/
How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/overview
Manage Azure DDoS Protection using the Azure portal: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection |
n/a |
link |
14 |
Azure_Security_Benchmark_v3.0 |
NS-5 |
Azure_Security_Benchmark_v3.0_NS-5 |
Microsoft cloud security benchmark NS-5 |
Network Security |
Deploy DDOS protection |
Shared |
**Security Principle:**
Deploy distributed denial of service (DDoS) protection to protect your network and applications from attacks.
**Azure Guidance:**
Enable DDoS protection plan on your VNet to protect resources that are exposed to the public networks.
**Implementation and additional context:**
Manage Azure DDoS Protection using the Azure portal:
https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection |
n/a |
link |
1 |
CCCS |
SC-5 |
CCCS_SC-5 |
CCCS SC-5 |
System and Communications Protection |
Denial of Service Protection |
|
n/a |
(A) The information system protects against or limits the effects of the following denial of service attempts that attack bandwidth, transactional capacity and storage by employing geo-replication, IP address blocking, and network-based DDoS protections. |
link |
1 |
FedRAMP_High_R4 |
SC-5 |
FedRAMP_High_R4_SC-5 |
FedRAMP High SC-5 |
System And Communications Protection |
Denial Of Service Protection |
Shared |
n/a |
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].
Supplemental Guidance: A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks. Related controls: SC-6, SC-7.
References: None. |
link |
5 |
FedRAMP_Moderate_R4 |
SC-5 |
FedRAMP_Moderate_R4_SC-5 |
FedRAMP Moderate SC-5 |
System And Communications Protection |
Denial Of Service Protection |
Shared |
n/a |
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].
Supplemental Guidance: A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks. Related controls: SC-6, SC-7.
References: None. |
link |
5 |
IRS_1075_9.3 |
.16.4 |
IRS_1075_9.3.16.4 |
IRS 1075 9.3.16.4 |
System and Communications Protection |
Denial of Service Protection (SC-5) |
|
n/a |
The information system must protect against or limit the effects of denial of service attacks.
Refer to NIST SP 800-61 R2, Computer Security Incident Handling Guide, for additional information on denial of service. |
link |
1 |
|
mp.s.4 Protection against denial of service |
mp.s.4 Protection against denial of service |
404 not found |
|
|
|
n/a |
n/a |
|
7 |
New_Zealand_ISM |
18.4.7.C.02 |
New_Zealand_ISM_18.4.7.C.02 |
New_Zealand_ISM_18.4.7.C.02 |
18. Network security |
Intrusion Detection and Prevention - Intrusion Detection and Prevention strategy (IDS/IPS) |
|
n/a |
An IDS/IPS when configured correctly |
|
2 |
NIST_SP_800-53_R4 |
SC-5 |
NIST_SP_800-53_R4_SC-5 |
NIST SP 800-53 Rev. 4 SC-5 |
System And Communications Protection |
Denial Of Service Protection |
Shared |
n/a |
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].
Supplemental Guidance: A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks. Related controls: SC-6, SC-7.
References: None. |
link |
5 |
NIST_SP_800-53_R5 |
SC-5 |
NIST_SP_800-53_R5_SC-5 |
NIST SP 800-53 Rev. 5 SC-5 |
System and Communications Protection |
Denial-of-service Protection |
Shared |
n/a |
a. [Selection: Protect against;Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and
b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]. |
link |
5 |
NZ_ISM_v3.5 |
NS-5 |
NZ_ISM_v3.5_NS-5 |
NZISM Security Benchmark NS-5 |
Network security |
18.3.19 Content of a Denial of Service (DoS) response plan |
Customer |
n/a |
An VTC or IPT DoS response plan will need to address the following:
how to identify the source of the DoS, either internal or external (location and content of logs);
how to diagnose the incident or attack type and attack method;
how to minimise the effect on VTC or IPT, of a DoS of the data network (e.g. Internet or internal DoS), including separate links to other office locations for VTC and IPT and/or quality of service prioritisation;
strategies that can mitigate the DOS (banning certain devices/Ips at the call controller and firewalls, implementing quality of service, changing VoIP authentication, changing dial-in authentication; and
alternative communication options (such as designated devices or personal mobile phones) that have been identified for use in case of an emergency. |
link |
1 |
NZISM_Security_Benchmark_v1.1 |
NS-5 |
NZISM_Security_Benchmark_v1.1_NS-5 |
NZISM Security Benchmark NS-5 |
Network security |
18.3.19 Content of a Denial of Service (DoS) response plan |
Customer |
A Denial of Service response plan SHOULD include monitoring and use of:
. router and switch logging and flow data;
. packet captures;
. proxy and call manager logs and access control lists;
. VTC and IPT aware firewalls and voice gateways;
. network redundancy;
. load balancing;
. PSTN failover; and
. alternative communication paths. |
An VTC or IPT DoS response plan will need to address the following:
how to identify the source of the DoS, either internal or external (location and content of logs);
how to diagnose the incident or attack type and attack method;
how to minimise the effect on VTC or IPT, of a DoS of the data network (e.g. Internet or internal DoS), including separate links to other office locations for VTC and IPT and/or quality of service prioritisation;
strategies that can mitigate the DOS (banning certain devices/Ips at the call controller and firewalls, implementing quality of service, changing VoIP authentication, changing dial-in authentication; and
alternative communication options (such as designated devices or personal mobile phones) that have been identified for use in case of an emergency. |
link |
1 |
RBI_CSF_Banks_v2016 |
19.6b |
RBI_CSF_Banks_v2016_19.6b |
|
Incident Response & Management |
Recovery From Cyber - Incidents-19.6b |
|
n/a |
Establish and implement a Security Operations Centre for
centralised and coordinated monitoring and management of security
related incidents. |
|
4 |
RBI_CSF_Banks_v2016 |
22.1 |
RBI_CSF_Banks_v2016_22.1 |
|
Forensics |
Forensics-22.1 |
|
n/a |
Have support/ arrangement for network forensics/forensic investigation/DDOS
mitigation services on stand-by. |
|
1 |
RMiT_v1.0 |
11.18 |
RMiT_v1.0_11.18 |
RMiT 11.18 |
Security Operations Centre (SOC) |
Security Operations Centre (SOC) - 11.18 |
Shared |
n/a |
The SOC must be able to perform the following functions:
(a) log collection and the implementation of an event correlation engine with parameter-driven use cases such as Security Information and Event Management (SIEM);
(b) incident coordination and response;
(c) vulnerability management;
(d) threat hunting;
(e) remediation functions including the ability to perform forensic artifact handling, malware and implant analysis; and
(f) provision of situational awareness to detect adversaries and threats including threat intelligence analysis and operations, and monitoring indicators of compromise (IOC). This includes advanced behavioural analysis to detect signature-less and file-less malware and to identify anomalies that may pose security threats including at endpoints and network layers. |
link |
11 |
RMiT_v1.0 |
Appendix_5.7 |
RMiT_v1.0_Appendix_5.7 |
RMiT Appendix 5.7 |
Control Measures on Cybersecurity |
Control Measures on Cybersecurity - Appendix 5.7 |
Customer |
n/a |
Ensure overall network security controls are implemented including the following:
(a) dedicated firewalls at all segments. All external-facing firewalls must be deployed on High Availability (HA) configuration and “fail-close” mode activated. Deploy different brand name/model for two firewalls located in sequence within the same network path;
(b) IPS at all critical network segments with the capability to inspect and monitor encrypted network traffic;
(c) web and email filtering systems such as web-proxy, spam filter and anti-spoofing controls;
(d) endpoint protection solution to detect and remove security threats including viruses and malicious software;
(e) solution to mitigate advanced persistent threats including zero-day and signatureless malware; and
(f) capture the full network packets to rebuild relevant network sessions to aid forensics in the event of incidents. |
link |
21 |
SWIFT_CSCF_v2021 |
1.1 |
SWIFT_CSCF_v2021_1.1 |
SWIFT CSCF v2021 1.1 |
SWIFT Environment Protection |
SWIFT Environment Protection |
|
n/a |
Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. |
link |
28 |
SWIFT_CSCF_v2022 |
1.5A |
SWIFT_CSCF_v2022_1.5A |
SWIFT CSCF v2022 1.5A |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
Shared |
n/a |
A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment. |
link |
24 |
|
U.09.3 - Detection, prevention and recovery |
U.09.3 - Detection, prevention and recovery |
404 not found |
|
|
|
n/a |
n/a |
|
24 |
|
U.12.1 - Network connections |
U.12.1 - Network connections |
404 not found |
|
|
|
n/a |
n/a |
|
6 |
|
U.12.2 - Network connections |
U.12.2 - Network connections |
404 not found |
|
|
|
n/a |
n/a |
|
6 |
UK_NCSC_CSP |
5.3 |
UK_NCSC_CSP_5.3 |
UK NCSC CSP 5.3 |
Operational security |
Protective Monitoring |
Shared |
n/a |
A service which does not effectively monitor for attack, misuse and malfunction will be unlikely to detect attacks (both successful and unsuccessful). As a result, it will be unable to quickly respond to potential compromises of your environments and data. |
link |
3 |