This is the sixth in a series of posts I'm writing regarding what I see in my work as an information security auditor with clients, specifically how they implement the Center for Internet Security (CIS) Controls. The CIS Controls are 18 critical information security controls that all organizations and information security professionals should understand and implement to protect their networks, systems, and data from attackers. In this post I discuss Control 06 - Access Control Management.
The CIS overview for this control is - Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Control 6 includes 8 sub-controls, or safeguards, as the CIS document refers to them. I listed them below and will discuss some of them.
6.1 Establish an Access Granting Process
6.2 Establish an Access Revoking Process
6.3 Require MFA for Externally-Exposed Applications
6.4 Require MFA for Remote Network Access
6.5 Require MFA for Administrative Access
6.6 Establish and Maintain Inventory of Authentication and Authorization Systems
6.7 Centralize Access Control
6.8 Define and Maintain Role-Based Access Control
Why is this a critical control? Granting higher levels of access than necessary to individuals and systems puts the organization at greater risk of a compromise and data breach. Organizations should have standardized and centralized processes for granting, managing, and revoking access based on role. It's also critical that companies operate on the principle of least privilege when granting access to data and resources. This means individual accounts, service accounts, processes, systems, etc. are only granted access to resources they need to perform their job responsibilities or functions, no more and no less. Companies I work with are generally pretty good in this area.
What I often see companies do is grant new hires a default set of applications during the onboarding process. They also grant read access to a shared folder where company policies are located. For example, a person in the finance department would be granted access to different sets of applications and data than a person in the marketing or sales departments. This would be done via access control groups in Active Directory or another Identity and Access Management (IAM) tool. It would be driven by Helpdesk tickets submitted by the human resources team or the hiring manager. IT staff grant the access based on the request.
I recently completed a gap assessment with a company that is just getting started with their information security program. They thought they were running a pretty tight ship. We discovered otherwise shortly into the engagement. During a review of their Active Directory accounts and security groups, I saw that the IT staff used accounts with Domain Admin privileges as their day-to-day accounts for logging on to their own computers to perform common tasks such as email and browsing the web. I had not seen something like that in a long time, as most companies moved away from that a decade or more ago. I pointed out that if an IT staff member fell for a phishing attack, the attacker would not gain access to just any account; it would be an account with Domain Admin privileges. With that account, an attacker would have full access to their domain to do whatever they chose. IT staff need to use a separate account with minimal access for their day-to-day computing activities. They should only use a privileged account when needed.
Companies generally have good processes in place for revoking access when a person leaves an organization. But it's also very common for processes to break down in this area. They often use single sign-on (SSO) for third-party web applications. SSO is integrated with Active Directory or other Identity Provider service. When IT staff or HR disable the former employee's account, all of their access is removed.
But not all companies have implemented an SSO solution. An average employee may have access to 10 or 20 or more different types of accounts, systems, and web platforms. The people who are notified to create an account for a person are not always notified to disable access when a person is terminated. It's important that all accounts be inventoried so HR and IT staff and others responsible know which accounts to disable when a person separates from a company. HR and IT staff members can use checklists via Helpdesk tickets to track that all accounts are disabled.
As per Control 6, I always recommend organizations require multi-factor authentication (MFA) for privileged account usage. Anytime someone with Domain Admin or other high privileges logs on to a system or attempts to perform administrative functions, the person should be prompted for a second factor of authentication. That way if a privileged account is compromised, the attacker still needs the second factor of authentication to use it. That is a bigger challenge for an attacker. Attackers are much more likely to target organizations where MFA is not in place.
When I reviewed a recent client's VPN setup, AWS, and cloud environments, MFA was not required for regular user or privileged accounts. I asked them to imagine the damage an attacker could do to their company and its reputation if the attacker obtained control of its internal or AWS environment. The attacker could exfiltrate data and worse - make public sensitive customer data or sell it on the dark web. The attacker could delete all of the EC2 instances, resources, and applications in AWS. What damage could attackers do if they phished the CEO's Outlook 365 account? The IT staff began to see the risk to their company.
Related to control 6.8, I always recommend to clients that they perform monthly or quarterly reviews of their accounts and access levels. This is important because no person or process is perfect. Life happens. Sometimes important tasks are missed. Automation fails. A person may leave a company right before a holiday weekend, when some key staff who manage accounts are out of the office, getting an early start on the holiday. Some web platform accounts of a terminated individual may continue to be enabled after the person departs a company. They could freely access those accounts over the internet at any time. Unfortunately, no one discovers this until data is exfiltrated or deleted, by the former employee or by an attacker taking advantage of a dormant account. Perhaps an employee moves from one department to another. Yet the individual still has access to sensitive data and resources in their previous department, for which they no longer have a need. The monthly or quarterly reviews catch these errors.
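The account inventory described above (safeguard 6.6) and the periodic access review just discussed fit together naturally: the review is a reconciliation of the inventory against the HR roster. The following Python script is an added example, not code from the original post or from CIS; the roster, the per-system inventory, the role-to-group mapping and the privileged group names are all constructed for illustration. It flags the exact failure modes the post describes: a departed user whose non-SSO web platform account was never disabled, a transferred employee still holding their old department's group, an account with no HR record, and a privileged account used without MFA.

```python
"""Periodic access review: reconcile an HR roster against account inventories.

Added example, not code from the original post. All input data is constructed
inline; the system names, record fields, role-to-group mapping and privileged
group names are assumptions for illustration.
"""

# Constructed HR roster: employment status and current department per user.
HR_ROSTER = {
    "alice": {"status": "active", "department": "finance"},
    "bob": {"status": "active", "department": "sales"},  # transferred from finance
    "carol": {"status": "terminated", "department": "marketing"},
    "dave": {"status": "active", "department": "it"},
}

# Constructed per-system account inventory, the list safeguard 6.6 asks for.
# "mfa" records whether a second factor is enforced for that account.
ACCOUNT_INVENTORY = [
    {"system": "active_directory", "user": "alice", "enabled": True,
     "groups": ["finance-users"], "mfa": False},
    {"system": "active_directory", "user": "bob", "enabled": True,
     "groups": ["finance-users", "sales-users"], "mfa": False},
    {"system": "active_directory", "user": "carol", "enabled": False,
     "groups": ["marketing-users"], "mfa": False},
    {"system": "active_directory", "user": "dave", "enabled": True,
     "groups": ["it-users", "Domain Admins"], "mfa": False},
    # Non-SSO web platform: nobody told its owner that carol left.
    {"system": "crm_saas", "user": "carol", "enabled": True, "groups": [], "mfa": False},
    {"system": "aws", "user": "dave", "enabled": True,
     "groups": ["Administrators"], "mfa": False},
    # Account with no HR record at all.
    {"system": "expense_tool", "user": "erin", "enabled": True, "groups": [], "mfa": True},
]

# Which department-scoped groups each role is entitled to (assumed mapping).
ROLE_GROUPS = {
    "finance": {"finance-users"},
    "sales": {"sales-users"},
    "marketing": {"marketing-users"},
    "it": {"it-users"},
}
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}


def review_access(roster, inventory, role_groups=ROLE_GROUPS,
                  privileged_groups=PRIVILEGED_GROUPS):
    """Return a list of (system, user, kind, detail) findings.

    kinds: orphan, terminated_enabled, role_drift, privileged_no_mfa
    """
    all_role_groups = set().union(*role_groups.values())
    findings = []
    for acct in inventory:
        system, user = acct["system"], acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append((system, user, "orphan",
                             "no matching HR record; identify owner or disable"))
            continue
        if person["status"] == "terminated":
            if acct["enabled"]:
                findings.append((system, user, "terminated_enabled",
                                 "account still enabled after separation"))
            continue  # nothing else to check on a departed user
        if not acct["enabled"]:
            continue
        expected = role_groups.get(person["department"], set())
        groups = set(acct["groups"])
        # Role drift: a department group that the user's current role does not grant.
        for stale in sorted((groups & all_role_groups) - expected):
            findings.append((system, user, "role_drift",
                             f"member of {stale} but current role is {person['department']}"))
        # Privileged membership without an enforced second factor (safeguard 6.5).
        if groups & privileged_groups and not acct["mfa"]:
            findings.append((system, user, "privileged_no_mfa",
                             f"privileged via {sorted(groups & privileged_groups)} without MFA"))
    return findings


def summarize(findings):
    """Count findings per kind, handy for the review report."""
    counts = {}
    for _, _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ACCOUNT_INVENTORY)
    for system, user, kind, detail in results:
        print(f"[{kind}] {system}/{user}: {detail}")
    print(summarize(results))
```

In practice the roster would be exported from the HR system and the inventory assembled from each platform's user export (Active Directory, the SSO provider, AWS IAM, and each non-SSO web platform on the inventory), so that the same script runs unchanged each month or quarter. Each finding maps onto a Helpdesk ticket: disable the account, remove the stale group, or enroll the privileged account in MFA.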
Next month, I'll discuss Center for Internet Security Control 07 - Continuous Vulnerability Management.