80% of analyzed information security breaches could have been mitigated by the P1 controls.
A - Exploitation of Default Credentials
Exploitation of default credentials is addressed by the following controls:
- M1.3.7 - P2 - ADDRESSING SECURITY IN THIRD PARTY AGREEMENTS
- T4.5.3 - P1 - SEGREGATION IN NETWORK
- T4.5.4 - P2 - SECURITY OF WIRELESS NETWORKS
- T5.2.4 - P1 - REVIEW OF USER ACCESS RIGHTS
- T4.4.7
- T5.5.1 - P1 - SECURE LOG-ON PROCEDURES
- T5.5.3 - P1 - USER CREDENTIALS MANAGEMENT SYSTEM
- T6.1.1 - P4 - THIRD PARTY SECURITY POLICY
- T6.2.2 - P2 - MONITORING AND REVIEW OF THIRD PARTY SERVICES
- T6.3.2 - P2 - SERVICE DELIVERY AGREEMENTS WITH CLOUD PROVIDERS
B - Send Data to External Entity
- T1.4.1 - P1 - MANAGEMENT OF REMOVABLE MEDIA
- T4.5.1 - P1 - NETWORK CONTROLS
- T5.4.2 - P1 - USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
- T5.4.5 - P1 - NETWORK CONNECTION CONTROL
- T5.5.1 - P1 - SECURE LOG-ON PROCEDURES
- T5.5.2 - P1 - USER IDENTIFICATION AND AUTHENTICATION
- T5.5.3 - P1 - USER CREDENTIALS MANAGEMENT SYSTEM
- T6.2.1 - P2 - SERVICE DELIVERY
- T6.2.2 - P2 - MONITORING AND REVIEW OF THIRD PARTY SERVICES
- T6.2.3 - P2 - MANAGING CHANGES TO THIRD PARTY SERVICES
- T6.3.1 - P2 - INFORMATION SECURITY REQUIREMENTS FOR CLOUD ENVIRONMENTS
- T6.3.2 - P2 - SERVICE DELIVERY AGREEMENTS WITH CLOUD PROVIDERS
C - Disable or interfere with security controls
- T2.2.1 - P2 - PHYSICAL SECURITY PERIMETER
- T2.2.2 - P2 - PHYSICAL ENTRY CONTROLS
- T2.2.3 - P2 - SECURING OFFICES, ROOMS AND FACILITIES
- T2.2.5 - P3 - WORKING IN SECURE AREAS
- T2.2.6 - P3 - PUBLIC ACCESS, DELIVERY AND LOADING AREAS
- T2.3.8 - P2 - UNATTENDED USER EQUIPMENT
- T3.4.1 - P1 - CONTROLS AGAINST MALWARE
- T3.2.4 - P2 - SEGREGATION OF DUTIES
- T3.6.2 - P2 - AUDIT LOGGING
- T5.2.3 - P1 - USER SECURITY CREDENTIALS MANAGEMENT
- T5.2.4 - P1 - REVIEW OF USER ACCESS RIGHTS
- T5.3.1 - P1 - USE OF SECURITY CREDENTIALS
- T5.4.2 - P1 - USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
- T7.3.3 - P2 - MESSAGE INTEGRITY
- T7.6.2 - P3 - TECHNICAL REVIEW OF APPLICATIONS AFTER OPERATING SYSTEM CHANGES
- T7.6.3 - P2 - RESTRICTIONS ON CHANGES TO SOFTWARE PACKAGES
- T7.7.1 - P1 - CONTROL OF TECHNICAL VULNERABILITIES
D - Brute Force and Dictionary Attacks
- T5.1.1 - P2 - ACCESS CONTROL POLICY
- T5.2.1 - P1 - USER REGISTRATION
- T5.5.2 - P1 - USER IDENTIFICATION AND AUTHENTICATION
- T5.2.3 - P1 - USER SECURITY CREDENTIALS MANAGEMENT
- T5.2.4 - P1 - REVIEW OF USER ACCESS RIGHTS
- T5.3.1 - P1 - USE OF SECURITY CREDENTIALS
- T5.4.2 - P1 - USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
- T5.5.1 - P1 - SECURE LOG-ON PROCEDURES
- T5.5.3 - P1 - USER CREDENTIALS MANAGEMENT SYSTEM
E - Exploitation of backdoor or command and control channels
- M4.4.3 - P1 - REMOVAL OF ACCESS RIGHTS
- T1.4.1 - P1 - MANAGEMENT OF REMOVABLE MEDIA
- T1.4.2 - P2 - DISPOSAL OF MEDIA
- T3.4.1 - P1 - CONTROLS AGAINST MALWARE
- T3.2.4 - P2 - SEGREGATION OF DUTIES
- T3.5.1 - P1 - INFORMATION BACKUP
- T3.6.2 - P2 - AUDIT LOGGING
- T3.6.3 - P1 - MONITORING SYSTEM USE
- T3.6.4 - P2 - PROTECTION OF LOG INFORMATION
- T3.6.5 - P2 - ADMINISTRATOR AND OPERATOR LOGS
- T4.5.1 - P1 - NETWORK CONTROLS
- T4.5.2 - P2 - SECURITY OF NETWORK SERVICES
- T4.5.3 - P1 - SEGREGATION IN NETWORK
- T5.2.1 - P1 - USER REGISTRATION
- T5.5.2 - P1 - USER IDENTIFICATION AND AUTHENTICATION
- T5.2.3 - P1 - USER SECURITY CREDENTIALS MANAGEMENT
- T5.2.4 - P1 - REVIEW OF USER ACCESS RIGHTS
- T5.3.1 - P1 - USE OF SECURITY CREDENTIALS
- T5.4.2 - P1 - USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
- T5.4.3 - P1 - EQUIPMENT IDENTIFICATION IN NETWORKS
- T5.4.5 - P1 - NETWORK CONNECTION CONTROL
- T5.5.1 - P1 - SECURE LOG-ON PROCEDURES
- T5.5.2 - P1 - USER IDENTIFICATION AND AUTHENTICATION
- T5.5.3 - P1 - USER CREDENTIALS MANAGEMENT SYSTEM
- T5.6.1 - P1 - INFORMATION ACCESS RESTRICTION
- T5.6.2 - P2 - SENSITIVE SYSTEM ISOLATION
- T7.7.1 - P1 - CONTROL OF TECHNICAL VULNERABILITIES
F - Backdoor or Command and Control
- M4.4.3 - P1 - REMOVAL OF ACCESS RIGHTS
- T1.4.1 - P1 - MANAGEMENT OF REMOVABLE MEDIA
- T1.4.2 - P2 - DISPOSAL OF MEDIA
- T3.4.1 - P1 - CONTROLS AGAINST MALWARE
- T3.2.4 - P2 - SEGREGATION OF DUTIES
- T3.5.1 - P1 - INFORMATION BACKUP
- T3.6.2 - P2 - AUDIT LOGGING
- T3.6.3 - P1 - MONITORING SYSTEM USE
- T3.6.4 - P2 - PROTECTION OF LOG INFORMATION
- T3.6.5 - P2 - ADMINISTRATOR AND OPERATOR LOGS
- T4.5.1 - P1 - NETWORK CONTROLS
- T4.5.2 - P2 - SECURITY OF NETWORK SERVICES
- T4.5.3 - P1 - SEGREGATION IN NETWORK
- T4.5.4 - P2 - SECURITY OF WIRELESS NETWORKS
- T5.2.1 - P1 - USER REGISTRATION
- T5.5.2 - P1 - USER IDENTIFICATION AND AUTHENTICATION
- T6.2.3 - P2 - MANAGING CHANGES TO THIRD PARTY SERVICES
- T5.2.4 - P1 - REVIEW OF USER ACCESS RIGHTS
- T5.3.1 - P1 - USE OF SECURITY CREDENTIALS
- T5.4.2 - P1 - USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
- T5.4.3 - P1 - EQUIPMENT IDENTIFICATION IN NETWORKS
- T5.4.5 - P1 - NETWORK CONNECTION CONTROL
- T5.4.7 - P2 - WIRELESS ACCESS
- T5.5.1 - P1 - SECURE LOG-ON PROCEDURES
- T5.5.2 - P1 - USER IDENTIFICATION AND AUTHENTICATION
- T5.5.3 - P1 - USER CREDENTIALS MANAGEMENT SYSTEM
- T5.6.1 - P1 - INFORMATION ACCESS RESTRICTION
- T5.6.2 - P2 - SENSITIVE SYSTEM ISOLATION
- T7.7.1 - P1 - CONTROL OF TECHNICAL VULNERABILITIES
G - Pretexting
Pretexting is addressed here; the following controls apply:
- M3.4.1 - P2 - AWARENESS CAMPAIGN
- M4.1.1 - P2 - HUMAN RESOURCES SECURITY POLICY
- M4.3.1 - P2 - MANAGEMENT RESPONSIBILITIES
- M4.3.2 - P2 - DISCIPLINARY PROCESS
- T5.1.1 - P2 - ACCESS CONTROL POLICY
- T5.6.1 - P1 - INFORMATION ACCESS RESTRICTION
- T5.6.3 - P3 - PUBLICLY ACCESSIBLE CONTENT
H - Retrieval of Recycled or Discarded Media
- M4.4.2 - P1 - RETURN OF ASSETS
- T1.1.1 - P2 - ASSET MANAGEMENT POLICY
- T1.2.1 - P2 - INVENTORY OF ASSETS
- T1.4.1 - P1 - MANAGEMENT OF REMOVABLE MEDIA
- T1.4.2 - P2 - DISPOSAL OF MEDIA
- T2.3.6 - P3 - SECURE DISPOSAL OR RE-USE OF EQUIPMENT
- T3.4.1 - P1 - CONTROLS AGAINST MALWARE
- T3.2.4 - P2 - SEGREGATION OF DUTIES
I - Intentional Leaks/Sharing of Data by Staff
- T3.4.1 - P1 - CONTROLS AGAINST MALWARE
- M4.1.1 - P2 - HUMAN RESOURCES SECURITY POLICY
- M4.2.1 - P2 - SCREENING
- M4.3.2 - P2 - DISCIPLINARY PROCESS
- M5.2.3 - P2 - PROTECTION OF ORGANIZATIONAL RECORDS
- M5.2.4 - P3 - DATA PROTECTION AND PRIVACY OF PERSONAL INFORMATION
- T3.6.3 - P1 - MONITORING SYSTEM USE
- T5.1.1 - P2 - ACCESS CONTROL POLICY
- T5.2.2 - P1 - PRIVILEGE MANAGEMENT
- T5.2.4 - P1 - REVIEW OF USER ACCESS RIGHTS
- T5.4.2 - P1 - USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
- T5.5.2 - P1 - USER IDENTIFICATION AND AUTHENTICATION
- T5.6.1 - P1 - INFORMATION ACCESS RESTRICTION
- T7.6.4 - P2 - INFORMATION LEAKAGE
J - Use of Unapproved Hardware/Devices
- M1.3.1 - P2 - AUTHORIZATION PROCESS FOR INFORMATION SYSTEMS
- M1.3.6 - P2 - ADDRESSING SECURITY WHEN DEALING WITH CUSTOMERS
- M1.1.3 - P1 - ROLES AND RESPONSIBILITIES FOR INFORMATION SECURITY
- M5.2.5 - P3 - PREVENTION OF MISUSE OF INFORMATION SYSTEMS
- T1.1.1 - P2 - ASSET MANAGEMENT POLICY
- T1.2.1 - P2 - INVENTORY OF ASSETS
- T1.2.2 - P2 - OWNERSHIP OF ASSETS
- T1.2.3 - P2 - ACCEPTABLE USE OF ASSETS
- T1.3.3 - P3 - HANDLING OF INFORMATION ASSETS
- T2.3.4 - P3 - EQUIPMENT MAINTENANCE
- T3.2.4 - P2 - SEGREGATION OF DUTIES
- T3.3.2 - P3 - SYSTEM ACCEPTANCE AND TESTING
- T3.6.3 - P1 - MONITORING SYSTEM USE
- T5.4.3 - P1 - EQUIPMENT IDENTIFICATION IN NETWORKS
- T7.7.1 - P1 - CONTROL OF TECHNICAL VULNERABILITIES
K - Abuse of System Access/Privileges
- M4.4.1 - P1 - TERMINATION RESPONSIBILITIES
- M4.4.3 - P1 - REMOVAL OF ACCESS RIGHTS
- T3.2.4 - P2 - SEGREGATION OF DUTIES
- T4.5.1 - P1 - NETWORK CONTROLS
- T4.5.3 - P1 - SEGREGATION IN NETWORK
- T5.2.1 - P1 - USER REGISTRATION
- T5.2.2 - P1 - PRIVILEGE MANAGEMENT
- T5.2.3 - P1 - USER SECURITY CREDENTIALS MANAGEMENT
- T5.2.4 - P1 - REVIEW OF USER ACCESS RIGHTS
- T5.5.2 - P1 - USER IDENTIFICATION AND AUTHENTICATION
- T7.6.4 - P2 - INFORMATION LEAKAGE
L - SYSTEM/NETWORK UTILITIES
- T2.3.2 - P4 - SUPPORTING UTILITIES
- T3.4.1 - P1 - CONTROLS AGAINST MALWARE
- T3.4.2
- T4.5.1 - P1 - NETWORK CONTROLS
- T4.5.2 - P2 - SECURITY OF NETWORK SERVICES
- T4.5.4 - P2 - SECURITY OF WIRELESS NETWORKS
- T5.4.7 - P2 - WIRELESS ACCESS
- T5.5.4 - P4 - USE OF SYSTEM UTILITIES
- T5.6.2 - P2 - SENSITIVE SYSTEM ISOLATION
M - RAM SCRAPER
- T2.3.9 - P3 - CLEAR DESK AND CLEAR SCREEN POLICY
- T3.4.1 - P1 - CONTROLS AGAINST MALWARE
- T3.4.2
- T3.6.3 - P1 - MONITORING SYSTEM USE
- T3.6.4 - P2 - PROTECTION OF LOG INFORMATION
- T3.6.5 - P2 - ADMINISTRATOR AND OPERATOR LOGS
- T4.3.1 - P2 - ELECTRONIC COMMERCE
- T4.3.2 - P3 - ON-LINE TRANSACTIONS
- T4.5.2 - P2 - SECURITY OF NETWORK SERVICES
- T5.4.2 - P1 - USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
- T5.5.1 - P1 - SECURE LOG-ON PROCEDURES
- T5.5.2 - P1 - USER IDENTIFICATION AND AUTHENTICATION
- T7.4.1 - P2 - POLICY ON THE USE OF CRYPTOGRAPHIC CONTROLS
- T7.4.2 - P2 - KEY MANAGEMENT
- T7.6.4 - P2 - INFORMATION LEAKAGE
- T7.7.1 - P1 - CONTROL OF TECHNICAL VULNERABILITIES
N - Phishing
Phishing is addressed here; the following controls apply:
- M3.3.3 - P2 - TRAINING EXECUTION
- M3.4.1 - P2 - AWARENESS CAMPAIGN
- M4.1.1 - P2 - HUMAN RESOURCES SECURITY POLICY
- T3.4.1 - P1 - CONTROLS AGAINST MALWARE
- T3.4.2
- T4.1.1 - P3 - COMMUNICATIONS POLICY
- T4.2.1 - P2 - INFORMATION TRANSFER PROCEDURES
- T5.1.1 - P2 - ACCESS CONTROL POLICY
- T5.5.1 - P1 - SECURE LOG-ON PROCEDURES
- T5.5.2 - P1 - USER IDENTIFICATION AND AUTHENTICATION
- T5.5.3 - P1 - USER CREDENTIALS MANAGEMENT SYSTEM
O - ABUSE OF FUNCTIONALITY
- T5.2.2 - P1 - PRIVILEGE MANAGEMENT
- T5.2.3 - P1 - USER SECURITY CREDENTIALS MANAGEMENT
- T5.2.4 - P1 - REVIEW OF USER ACCESS RIGHTS
- T5.3.1 - P1 - USE OF SECURITY CREDENTIALS
- T5.5.4 - P4 - USE OF SYSTEM UTILITIES
- T5.4.5 - P1 - NETWORK CONNECTION CONTROL
- T5.5.1 - P1 - SECURE LOG-ON PROCEDURES
- T5.7.1 - P4 - ACCESS CONTROL FOR MOBILE DEVICES
- T7.3.4 - P2 - OUTPUT DATA VALIDATION
- T7.4.1 - P2 - POLICY ON THE USE OF CRYPTOGRAPHIC CONTROLS
- T7.4.2 - P2 - KEY MANAGEMENT
- T7.6.3 - P2 - RESTRICTIONS ON CHANGES TO SOFTWARE PACKAGES
- T7.8.3 - P4 - LIMITATION OF HARM
P - REMOTE FILE INCLUSION
- T3.2.1 - P2 - COMMON SYSTEMS CONFIGURATION GUIDELINES
- T3.4.1 - P1 - CONTROLS AGAINST MALWARE
- T3.4.2
- T4.5.1 - P1 - NETWORK CONTROLS
- T4.5.2 - P2 - SECURITY OF NETWORK SERVICES
- T7.4.1 - P2 - POLICY ON THE USE OF CRYPTOGRAPHIC CONTROLS
- T7.4.2 - P2 - KEY MANAGEMENT
- T7.7.1 - P1 - CONTROL OF TECHNICAL VULNERABILITIES
Q - DOWNLOAD/INSTALL ON SYSTEM
- T1.4.1 - P1 - MANAGEMENT OF REMOVABLE MEDIA
- T3.4.1 - P1 - CONTROLS AGAINST MALWARE
- T3.4.2
- T3.5.1 - P1 - INFORMATION BACKUP
- T5.2.1 - P1 - USER REGISTRATION
- T5.2.2 - P1 - PRIVILEGE MANAGEMENT
- T5.2.3 - P1 - USER SECURITY CREDENTIALS MANAGEMENT
- T5.2.4 - P1 - REVIEW OF USER ACCESS RIGHTS
- T5.3.1 - P1 - USE OF SECURITY CREDENTIALS
- T7.5.3 - P3 - ACCESS CONTROL TO PROGRAM SOURCE CODE
- T7.6.3 - P2 - RESTRICTIONS ON CHANGES TO SOFTWARE PACKAGES
- T7.6.5 - P3 - OUTSOURCED SOFTWARE DEVELOPMENT
R - CAPTURE DATA RESIDENT ON SYSTEM
- T3.2.5 - P2 - SEPARATION OF DEVELOPMENT, TEST AND OPERATIONAL FACILITIES
- T3.4.1 - P1 - CONTROLS AGAINST MALWARE
- T3.4.2
- T3.6.4 - P2 - PROTECTION OF LOG INFORMATION
- T5.4.3 - P1 - EQUIPMENT IDENTIFICATION IN NETWORKS
S - REDIRECT TO ANOTHER SITE/ADDRESS
- T3.4.1 - P1 - CONTROLS AGAINST MALWARE
- T3.4.2
- T5.4.2 - P1 - USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
T - ACCIDENTAL DATA LEAKS BY STAFF
- T
U - EMBEZZLEMENT, SKIMMING, AND RELATED FRAUD
- T1.2.2 - P2 - OWNERSHIP OF ASSETS
- T1.2.3 - P2 - ACCEPTABLE USE OF ASSETS
- T1.3.2 - P3 - LABELING OF INFORMATION
- T1.4.1 - P1 - MANAGEMENT OF REMOVABLE MEDIA
- T1.4.2 - P2 - DISPOSAL OF MEDIA
V - MISAPPROPRIATION OF PRIVATE KNOWLEDGE
- M3.3.2 - P3 - IMPLEMENTATION PLAN
- M3.3.3 - P2 - TRAINING EXECUTION
- M3.4.1 - P2 - AWARENESS CAMPAIGN
- T1.3.1 - P3 - CLASSIFICATION OF INFORMATION
- T1.3.2 - P3 - LABELING OF INFORMATION
- T1.4.1 - P1 - MANAGEMENT OF REMOVABLE MEDIA
- T1.4.2 - P2 - DISPOSAL OF MEDIA
- T2.2.1 - P2 - PHYSICAL SECURITY PERIMETER
- T2.2.2 - P2 - PHYSICAL ENTRY CONTROLS
- T2.2.3 - P2 - SECURING OFFICES, ROOMS AND FACILITIES
- T2.2.5 - P3 - WORKING IN SECURE AREAS
- T2.2.6 - P3 - PUBLIC ACCESS, DELIVERY AND LOADING AREAS
- T2.3.6 - P3 - SECURE DISPOSAL OR RE-USE OF EQUIPMENT
- T2.3.8 - P2 - UNATTENDED USER EQUIPMENT
- T4.2.3 - P3 - PHYSICAL MEDIA IN TRANSIT
- T4.3.1 - P2 - ELECTRONIC COMMERCE
- T4.3.3 - P4 - PUBLICLY AVAILABLE INFORMATION
- T4.4.1 - P4 - CONNECTIVITY TO INFORMATION SHARING PLATFORMS
- T4.4.2 - P4 - INFORMATION RELEASED INTO INFORMATION SHARING COMMUNITIES
- T5.2.2 - P1 - PRIVILEGE MANAGEMENT
- T5.2.3 - P1 - USER SECURITY CREDENTIALS MANAGEMENT
- T5.2.4 - P1 - REVIEW OF USER ACCESS RIGHTS
- T5.7.1 - P4 - ACCESS CONTROL FOR MOBILE DEVICES
- T5.7.2 - P4 - TELEWORKING
W - INAPPROPRIATE WEB/INTERNET USAGE
- M3.4.1 - P2 - AWARENESS CAMPAIGN
- T3.4.1 - P1 - CONTROLS AGAINST MALWARE
- T4.3.1 - P2 - ELECTRONIC COMMERCE
- T5.4.6 - P3 - NETWORK ROUTING CONTROL
- T4.5.1 - P1 - NETWORK CONTROLS
- T4.5.2 - P2 - SECURITY OF NETWORK SERVICES
- T5.2.2 - P1 - PRIVILEGE MANAGEMENT
- T5.4.2 - P1 - USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
X - REMOTE SPYING
- M4.4.2 - P1 - RETURN OF ASSETS
- M5.2.3 - P2 - PROTECTION OF ORGANIZATIONAL RECORDS
- M5.2.4 - P3 - DATA PROTECTION AND PRIVACY OF PERSONAL INFORMATION
- T3.4.1 - P1 - CONTROLS AGAINST MALWARE
- T3.4.2
- T3.6.1 - P3 - MONITORING POLICY AND PROCEDURES
- T3.6.3 - P1 - MONITORING SYSTEM USE
- T3.6.4 - P2 - PROTECTION OF LOG INFORMATION
- T3.6.5 - P2 - ADMINISTRATOR AND OPERATOR LOGS
- T4.5.1 - P1 - NETWORK CONTROLS
- T4.5.3 - P1 - SEGREGATION IN NETWORK
- T5.1.1 - P2 - ACCESS CONTROL POLICY
- T5.2.1 - P1 - USER REGISTRATION
- T5.2.2 - P1 - PRIVILEGE MANAGEMENT
- T5.3.1 - P1 - USE OF SECURITY CREDENTIALS
- T5.4.2 - P1 - USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
- T5.4.3 - P1 - EQUIPMENT IDENTIFICATION IN NETWORKS
- T5.4.5 - P1 - NETWORK CONNECTION CONTROL
- T5.5.1 - P1 - SECURE LOG-ON PROCEDURES
- T5.5.2 - P1 - USER IDENTIFICATION AND AUTHENTICATION
- T5.6.1 - P1 - INFORMATION ACCESS RESTRICTION
- T5.6.2 - P2 - SENSITIVE SYSTEM ISOLATION
- T7.4.1 - P2 - POLICY ON THE USE OF CRYPTOGRAPHIC CONTROLS
- T7.4.2 - P2 - KEY MANAGEMENT
- T7.7.1 - P1 - CONTROL OF TECHNICAL VULNERABILITIES
- T7.8.5 - P4 - RELIABLE DELIVERY