Notes from the Field: CIS Control 6 – Access Control Management
Greg Halpin continues the Center for Internet Security (CIS) Controls series by discussing the sixth CIS control. To refresh your memory, the CIS Controls are 18 critical information security controls that all organizations and information security professionals should understand and implement to protect their networks, systems, and data from attackers.
The CIS overview for Access Control Management is: "Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software."
Control 6 includes 8 sub-controls, or safeguards as the CIS document refers to them. The 8 sub-controls are:
6.1 Establish an Access Granting Process
6.2 Establish an Access Revoking Process
6.3 Require MFA for Externally-Exposed Applications
6.4 Require MFA for Remote Network Access
6.5 Require MFA for Administrative Access
6.6 Establish and Maintain Inventory of Authentication and Authorization Systems
6.7 Centralize Access Control
6.8 Define and Maintain Role-Based Access Control
Why is this a critical control?
Granting higher levels of access than necessary to individuals and systems puts the organization at greater risk of a compromise and data breach. Organizations should have standardized and centralized processes for granting, managing, and revoking access based on role. It’s also critical that companies operate on the principle of least privilege when granting access to data and resources. This means individual accounts, service accounts, processes, systems, etc. are only granted access to resources they need to perform their job responsibilities or functions, no more and no less. Companies I work with are generally pretty good in this area.
What I often see companies do is grant new hires a default set of applications during the onboarding process. They also grant read access to a shared folder where company policies are located. For example, a person in the finance department would be granted access to different sets of applications and data than a person in the marketing or sales departments. This would be done via access control groups in Active Directory or another Identity Access Management tool. This process would be driven by helpdesk tickets submitted by the human resources team or the hiring manager. IT staff grant access based on the request.
I recently completed a gap assessment with a company that is just getting started with their information security program. They thought they were running a pretty tight ship. We discovered otherwise shortly into the engagement. During a review of their Active Directory accounts and security groups, I saw that the IT staff used accounts with Domain Admin privileges as their day-to-day accounts for logging on to their own computers to perform common tasks such as email and browsing the web. I had not seen something like that in a long time, as most companies moved away from this practice a decade or more ago. I pointed out that if an IT staff member fell for a phishing attack, the attacker would not have access to just any account; they would have access to an account with Domain Admin privileges. With this type of account, an attacker would have full access to the domain to do whatever they chose. IT staff need to use a separate account with minimal access for their day-to-day computing activities, and they should only use a privileged account when needed.
The Importance of SSO Solutions, MFA, and Regular Reviews
Companies generally have good processes in place for revoking access when a person leaves an organization. But it’s also very common for processes to break down in this area. Organizations often use single sign-on (SSO) for third-party web applications. SSO is integrated with Active Directory or other Identity Provider services. When IT staff or HR disable the former employee’s account, all of their access is removed.
But not all companies have implemented an SSO solution. An average employee may have access to 10, 20, or more different types of accounts, systems, and web platforms. The people who are notified to create an account for a person are not always notified to disable access when a person is terminated. It’s important that all accounts be inventoried so HR, IT staff, and others responsible know which accounts to disable when a person separates from a company. HR and IT staff members can use checklists via helpdesk tickets to track that all accounts are disabled.
In addition to implementing an SSO solution, I always recommend organizations require multi-factor authentication (MFA) for privileged account usage as per control 6. Anytime someone with Domain Admin or other high privileges logs on to a system or attempts to perform administrative functions, the person should be prompted for a second factor of authentication. That way, if a privileged account is compromised, the attacker still needs the second factor of authentication to use it, presenting a bigger challenge for an attacker. Attackers are much more likely to target organizations where MFA is not in place.
When I reviewed a recent client’s VPN setup, AWS, and cloud environments, MFA was not required for regular user or privileged accounts. I asked them to imagine the damage an attacker could do to their company and its reputation if the attacker obtained control of its internal or AWS environment. The attacker could exfiltrate data and, worse, make sensitive customer data public or sell it on the dark web. The attacker could delete all of the EC2 instances, resources, and applications in AWS. What damage could attackers do if they phished the CEO’s Outlook 365 account? The IT staff began to see the risk to their company.
Related to control 6.8, I always recommend that clients perform monthly or quarterly reviews of their accounts and access levels. This is important because no person or process is perfect. Life happens. Sometimes important tasks are missed. Automation fails. A person may leave a company right before a holiday weekend when the key staff member who manages accounts is out of the office, getting an early start on the holiday. Some web platform accounts of a terminated individual may remain enabled after the person departs from a company, and they could freely access those accounts over the internet at any time. What if no one discovers this and data is exfiltrated or deleted by the former employee, or by an attacker taking advantage of a dormant account? Perhaps an employee moves from one department to another, yet the individual still has access to sensitive data and resources in their previous department for which they no longer have a need. The monthly or quarterly reviews catch these errors.
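One way to run the periodic review described here, and to catch the Domain Admin day-to-day pattern from the gap assessment above, as an added Python example that is not from the post: it reconciles a constructed directory export against a constructed HR roster and a department-to-group role model, flagging enabled accounts of terminated staff, dormant accounts, admins with no separate standard account, groups left over from a previous department, and accounts nobody owns. The group names, employee ids and the 90-day dormancy threshold are assumptions.

```python
from dataclasses import dataclass

PRIVILEGED = {"Domain Admins"}          # accounts here must never be day-to-day accounts
COMMON = {"Policies-RO"}                # read-only policy share every employee receives
ROLE_GROUPS = {"Finance": {"FIN-ERP", "FIN-Share"}, "Marketing": {"MKT-CRM"}, "IT": {"IT-Helpdesk"}}

@dataclass
class Account:
    sam: str
    owner: str                          # HR employee id, "" if nobody is recorded as owner
    enabled: bool
    last_logon_days: int
    groups: set

def review(accounts, roster, terminated, dormant_days=90):
    """Reconcile a directory export against HR data; return sorted (finding, sam) pairs."""
    by_owner = {}
    for a in accounts:
        by_owner.setdefault(a.owner, []).append(a)
    findings = []
    for a in accounts:
        if a.owner not in roster:                    # 6.6: not in the account inventory
            findings.append(("ORPHANED", a.sam))
            continue
        if a.enabled and a.owner in terminated:      # 6.2: revocation step was missed
            findings.append(("TERMINATED_ENABLED", a.sam))
        if a.enabled and a.last_logon_days > dormant_days:
            findings.append(("DORMANT", a.sam))
        if a.groups & PRIVILEGED and not any(        # 6.5: admin has no separate standard
            b.enabled and not (b.groups & PRIVILEGED) for b in by_owner[a.owner]):
            findings.append(("PRIVILEGED_DAILY", a.sam))   # account, so this one is used daily
        allowed = ROLE_GROUPS.get(roster[a.owner], set()) | COMMON | PRIVILEGED
        if a.groups - allowed:                       # 6.8: groups outside the current role
            findings.append(("STALE_ROLE_ACCESS", a.sam))
    return sorted(findings)

# Constructed HR data: employee id -> current department; e2 moved Finance -> Marketing.
ROSTER = {"e2": "Marketing", "e3": "Finance", "e4": "IT", "e5": "IT"}
TERMINATED = {"e3"}
ACCOUNTS = [  # constructed directory export: sam, owner, enabled, days since last logon, groups
    Account("mkt.bob", "e2", True, 1, {"MKT-CRM", "FIN-Share", "Policies-RO"}),
    Account("fin.carol", "e3", True, 120, {"FIN-ERP", "Policies-RO"}),
    Account("dan", "e4", True, 0, {"Domain Admins", "Policies-RO"}),
    Account("erin", "e5", True, 0, {"IT-Helpdesk", "Policies-RO"}),
    Account("erin-adm", "e5", True, 2, {"Domain Admins"}),
    Account("svc-backup", "", True, 400, {"Policies-RO"}),
]

if __name__ == "__main__":
    print(*review(ACCOUNTS, ROSTER, TERMINATED), sep="\n")
```

Against a real directory, the same checks run over an export of users, group memberships and last-logon timestamps joined to the HR system's roster; erin's paired standard and admin accounts show what the clean state looks like.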
Work with KirkpatrickPrice to make sure you’re managing your access controls correctly.
Still not sure if you’re doing everything right when it comes to access management within your organization? We get it, the different aspects of access management can feel overwhelming. Connect with a KirkpatrickPrice expert today to set your organization up for success.