T5.1 ACCESS CONTROL POLICY
OBJECTIVE
To maintain an access control policy covering user authorization procedures to information assets.
PERFORMANCE INDICATOR
Extent of access control policy deployment and adoption across the entity.
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Unsuitable access control policy
- Unawareness of access control policy among IT staff
APPLICABLE CONTROLS
The following controls apply to this control family.
T5.2 USER REGISTRATION
OBJECTIVE
To ensure authorized user access and to prevent unauthorized access to information systems.
PERFORMANCE INDICATOR
Number of delayed access change requests, and when they have been actioned.
AUTOMATION GUIDANCE
One way of automation is to use identity management systems to manage accounts, their authentication, authorization, roles, and privileges. They are available for entities of all sizes and complexity. Selection of the appropriate identity management system requires an entity to understand its technology landscape, integration requirements, and maturity of its IT staff.
Entity should consider which authentication technologies and processes to apply, including smart cards, security tokens, one time passwords, security authentications apps for smartphones, biometric authentication systems, etc.
RELEVANT THREATS AND VULNERABILITIES
- Use of stolen login credentials
- Brute force and dictionary attacks
- Authentication bypass
APPLICABLE CONTROLS
The following controls apply to this control family.
T5.3 USER RESPONSIBILITIES
OBJECTIVE
To prevent unauthorized user access, and compromise or theft of information and information systems.
PERFORMANCE INDICATOR
Percentage of users compliant with the user rules of behavior (such as the password policy and the clean desk policy).
AUTOMATION GUIDANCE
For password management, built-in operating system features for minimum password length can be configured that prevent users from choosing short passwords. To enforce password complexity (requiring passwords to be a string of pseudo-random characters), built-in operating system settings or third-party password complexity enforcement tools can be applied. For critical information and services, two factor authentication systems should be considered.
RELEVANT THREATS AND VULNERABILITIES
- Intentional leaks and sharing of data by staff
- Illegal processing of data
- Abuse of system access and/or privileges
APPLICABLE CONTROLS
The following controls apply to this control family.
- T5.3.1 - P1 - USE OF SECURITY CREDENTIALS
T5.4 USER RESPONSIBILITIES
OBJECTIVE
To prevent unauthorized access to networked services.
PERFORMANCE INDICATOR
Firewall statistics, such as the percentage of outbound packets or sessions that are blocked (e.g. attempted access to blacklisted websites) and the number of potential hacking attacks repelled, categorized as trivial, of some concern, or critical.
AUTOMATION GUIDANCE
Some entities use commercial tools that evaluate the rule set of network filtering devices to determine whether the rules are consistent or in conflict, providing an automated sanity check of network filters and searching for errors in rule sets or access control lists (ACLs) that may allow unintended services through the device. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies.
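The kind of rule-set sanity check described above, as an added example (not code from the standard or from any vendor tool): for a first-match rule set it reports rules that an earlier rule already fully covers, distinguishing a harmless redundancy from a conflict where the actions differ. The Rule fields and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: tuple           # inclusive destination port range; (0, 65535) means any


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    port_ok = outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]
    return src_ok and dst_ok and port_ok


def find_shadowed(rules):
    """Return (shadowed, shadowing, is_conflict) triples for a first-match rule set.

    A rule is shadowed when an earlier rule already matches everything it matches,
    so it can never fire. If the two actions differ the rule set is in conflict and
    the intended traffic is silently allowed or blocked by the earlier rule.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                findings.append((later.name, earlier.name, earlier.action != later.action))
                break
    return findings


# Constructed sample rule set (not taken from any real device).
SAMPLE_RULES = [
    Rule("allow-web", "permit", "tcp", "10.0.0.0/8", "0.0.0.0/0", (443, 443)),
    Rule("deny-all-out", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),
    Rule("allow-dns", "permit", "udp", "10.0.0.0/8", "10.0.0.53/32", (53, 53)),
    Rule("allow-web-dup", "permit", "tcp", "10.1.0.0/16", "0.0.0.0/0", (443, 443)),
]

if __name__ == "__main__":
    for shadowed, by, conflict in find_shadowed(SAMPLE_RULES):
        print(f"{shadowed} is shadowed by {by}" + (" (CONFLICT)" if conflict else " (redundant)"))
```

Run after every significant change to the rule set, as the text recommends, and treat a conflict finding as a defect to review before the change is pushed to the device.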
RELEVANT THREATS AND VULNERABILITIES
- Unauthorized access to network services by internal or external user
- KeyLogger / Form-Grabber / Spyware
- Tampering in network utilities
APPLICABLE CONTROLS
The following controls apply to this control family.
- T5.4.1 - P2 - POLICY ON USE OF NETWORK SERVICES
- T5.4.4 - P4 - REMOTE DIAGNOSTIC AND CONFIGURATION PROTECTION
- T5.4.6 - P3 - NETWORK ROUTING CONTROL
- T5.4.7 - P2 - WIRELESS ACCESS
T5.5 OPERATING SYSTEM ACCESS CONTROL
OBJECTIVE
To prevent unauthorized access to operating systems.
PERFORMANCE INDICATOR
Number of blocked attempts at unauthorized access to operating systems.
AUTOMATION GUIDANCE
Built-in operating system features can extract lists of accounts with super-user privileges, both locally on individual systems and on domain controllers. To verify that users with high-privileged accounts do not use such accounts for day-to-day web surfing and e-mail reading, security personnel should periodically gather a list of running processes to determine whether any browsers or e-mail readers are running with high privileges. Such information gathering can be scripted, with short shell scripts searching for a dozen or more different browsers, e-mail readers, and document editing programs running with high privileges on machines. Some legitimate system administration activity may require the execution of such programs over the short term, but long-term or frequent use of such programs with administrative privileges could indicate that an administrator is not adhering to this control. Monitoring tools can provide such information.
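The process check described above, as an added example (not code from the standard): it parses the output of `ps -eo user,pid,comm` on a Linux/BSD host and flags browsers, mail clients and document editors running under a privileged account. The process listing embedded below is constructed sample data, and the application and account name lists are assumptions to be tuned for the entity's own environment.

```python
import subprocess

# Constructed sample of `ps -eo user,pid,comm` output (not captured from a real host).
SAMPLE_PS = """\
USER       PID COMMAND
root         1 systemd
root       842 sshd
alice     2310 firefox
root      2777 chromium
bob       3001 thunderbird
root      3102 bash
root      3150 libreoffice
"""

# Assumed lists: privileged accounts and interactive programs that should not run as them.
PRIVILEGED_USERS = {"root", "Administrator", "SYSTEM"}
INTERACTIVE_APPS = {
    "firefox", "chromium", "chrome", "msedge", "safari",          # browsers
    "thunderbird", "evolution", "outlook",                        # e-mail readers
    "libreoffice", "soffice", "word", "excel", "acrobat",         # document editors
}


def parse_ps(text):
    """Turn `ps -eo user,pid,comm` output into (user, pid, command) rows."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].isdigit():
            rows.append((parts[0], int(parts[1]), parts[2]))
    return rows


def flag_privileged_apps(rows, privileged=PRIVILEGED_USERS, apps=INTERACTIVE_APPS):
    """Return (user, pid, program) for interactive programs owned by a privileged account."""
    hits = []
    for user, pid, comm in rows:
        program = comm.rsplit("/", 1)[-1].lower()   # strip any path prefix
        if user in privileged and program in apps:
            hits.append((user, pid, program))
    return hits


def collect_live():
    """Run the same check against the local host (procps/BSD `ps` syntax)."""
    out = subprocess.run(["ps", "-eo", "user,pid,comm"], capture_output=True, text=True, check=True)
    return flag_privileged_apps(parse_ps(out.stdout))


if __name__ == "__main__":
    for user, pid, program in flag_privileged_apps(parse_ps(SAMPLE_PS)):
        print(f"{program} (pid {pid}) is running as {user}")
```

A single hit can be legitimate short-term administration; the signal the text cares about is the same account producing hits across many periodic runs, so keep the results and compare over time.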
RELEVANT THREATS AND VULNERABILITIES
- Abuse of system access/privileges
- Backdoor or Command and Control
- Disable or interfere with security controls
- Tampering in network utilities
APPLICABLE CONTROLS
The following controls apply to this control family.
T5.6 APPLICATION AND INFORMATION ACCESS CONTROL
OBJECTIVE
To prevent unauthorized access to information held in application systems.
PERFORMANCE INDICATOR
Number of blocked attempts at unauthorized access to applications and information.
AUTOMATION GUIDANCE
Implement an identity management system and integrate it with existing systems where possible to automate the access restrictions based on the entity policies.
RELEVANT THREATS AND VULNERABILITIES
- Unauthorized access by internal or external user
- Backdoor or command and control
APPLICABLE CONTROLS
The following controls apply to this control family.
- T5.6.1 - P1 - INFORMATION ACCESS RESTRICTION
- T5.6.2 - P2 - SENSITIVE SYSTEM ISOLATION
- T5.6.3 - P3 - PUBLICLY ACCESSIBLE CONTENT
T5.7 MOBILE DEVICES ACCESS CONTROL
OBJECTIVE
To ensure information security when using mobile devices.
PERFORMANCE INDICATOR
Percentage of mobile computing equipment (e.g. smart phones, laptops, tablets) that are fully compliant with the relevant requirements in the access control policy.
AUTOMATION GUIDANCE
With the asset inventory assembled, many entities use tools to pull information from network assets such as switches and routers regarding the machines connected to the network. Using securely authenticated and encrypted network management protocols, tools can retrieve MAC addresses and other information from network devices that can be reconciled with the entity's asset inventory of servers, workstations, laptops, and other devices. Once MAC addresses are confirmed, switches should implement 802.1X and NAC to only allow authorized systems that are properly configured to connect to the network.
Going further, effective entities configure free or commercial network scanning tools to perform network sweeps on a regular basis, sending a variety of different packet types to identify devices connected to the network. Before such scanning can take place, entities should verify that they have adequate bandwidth for such periodic scans by consulting load history and capacities for their networks. In conducting inventory scans, scanning tools could send traditional ping packets (ICMP Echo Request) looking for ping responses to identify a system at a given IP address. Because some systems block inbound ping packets, in addition to traditional pings, scanners can also identify devices on the network using transmission control protocol (TCP) synchronize (SYN) or acknowledge (ACK) packets. Once they have identified IP addresses of devices on the network, some scanners provide robust fingerprinting features to determine the operating system type of the discovered machine.
In addition to active scanning tools that sweep the network, other asset identification tools passively listen on network interfaces looking for devices to announce their presence by sending traffic. Such passive tools can be connected to switch span ports at critical places in the network to view all data flowing through such switches, maximizing the chance of identifying systems communicating through those switches.
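The reconciliation step from the first paragraph above (switch MAC tables against the asset inventory), as an added example that is not code from the standard: it normalizes the dotted MAC notation used in a Cisco-style `show mac address-table` dump to the colon form most inventories use, then reports devices seen on the network but absent from the inventory, and inventory assets not currently seen. The MAC table excerpt and the inventory are constructed sample data.

```python
import re

# Constructed excerpt in the layout of a Cisco-style 'show mac address-table' (sample data only).
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56ab.1c2d    DYNAMIC     Gi1/0/1
  10    0050.56ab.1c2e    DYNAMIC     Gi1/0/2
  20    f4ce.4600.aa01    DYNAMIC     Gi1/0/7
  20    f4ce.4600.aa02    STATIC      Gi1/0/8
"""

# Constructed asset inventory: MAC -> asset name.
SAMPLE_INVENTORY = {
    "00:50:56:ab:1c:2d": "srv-db-01",
    "f4:ce:46:00:aa:01": "ws-alice",
    "F4-CE-46-00-AA-02": "printer-2f",      # dashed uppercase form, normalized below
    "00:11:22:33:44:55": "laptop-bob",
}

_HEX = re.compile(r"[0-9a-fA-F]")
_DOTTED = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)


def normalize_mac(raw):
    """Canonical lowercase colon form from dotted, dashed or colon-separated input."""
    digits = "".join(_HEX.findall(raw)).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return {mac: (vlan, port)} for each address row of the dump; header/separator rows are skipped."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and _DOTTED.match(parts[1]):
            seen[normalize_mac(parts[1])] = (parts[0], parts[3])
    return seen


def reconcile(seen, inventory):
    """Split observed MACs into known/unknown and list inventory assets not currently seen."""
    inv = {normalize_mac(mac): asset for mac, asset in inventory.items()}
    known = {m: (inv[m], loc) for m, loc in seen.items() if m in inv}
    unknown = {m: loc for m, loc in seen.items() if m not in inv}
    missing = sorted(m for m in inv if m not in seen)
    return known, unknown, missing
```

An unknown MAC points at an inventory gap or an unauthorized device on that VLAN and port; because a MAC address is trivially changed, this reconciliation confirms the inventory rather than enforcing admission, which is why the text follows it with 802.1X and NAC.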
RELEVANT THREATS AND VULNERABILITIES
- Capture data resident on system
- Use of stolen login credentials
- Remote spying
APPLICABLE CONTROLS
The following controls apply to this control family.