
CSF PROTECT.Access Control (PR.AC)

by Megan Daudelin
February 26, 2016

Access control is a critical part of every network security plan. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of objectives that allow an organization to build a comprehensive security plan to protect against security threats. This Assurance Report Card (ARC) addresses the user access and least privilege aspects of the NIST Cybersecurity Framework category PROTECT.Access Control (PR.AC), which provides accurate information on the access control measures in use and identifies potentially vulnerable areas that may need to be addressed.

No matter the size of an organization, user management and access control can be a daunting task. Access controls are security features that aim to regulate which users can access specific data or resources. Having effective password, account transition, and least privilege policies can help reduce the vulnerabilities an organization is exposed to. Organizations that do not maintain strict access controls could be leaving their network vulnerable to attack, intrusion, or infection.

This ARC assists organizations in improving their access control measures. Systems and vulnerabilities are identified using a combination of active scans by Nessus and passive scans by the Passive Vulnerability Scanner (PVS). PVS can detect hosts that active scans may miss, such as hosts that are only connected to the network intermittently. Policy statements are included that report on systems that are successfully reporting user statistics, systems that are using administrative accounts over the network, and systems with unused or disabled accounts. Additional policy statements report on compliance checks related to user accounts, access controls, and least privilege policies. Noncompliant, misused, or misconfigured accounts can leave a network exposed to malicious activity. Ensuring that systems are reporting user statistics is key to monitoring and addressing systems within a network that have vulnerable accounts.

This ARC provides a baseline for measuring the effectiveness of an organization's access control efforts and identifies whether the policies currently being enforced are effective. Policy statements can be customized as needed to meet organizational requirements.

This ARC is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:

  • SecurityCenter 5.2.0
  • Nessus 6.5.4
  • LCE 4.6.1
  • PVS 4.4.0

Tenable's SecurityCenter Continuous View (SecurityCenter CV) is the market-defining continuous network monitoring platform. SecurityCenter CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Passive Vulnerability Scanner (PVS), as well as log correlation with Tenable's Log Correlation Engine (LCE). Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of its network assets, connections, and services.

ARC Policy Statements:

At least 95% of systems report active user statistics: This policy statement displays the ratio of systems that report user statistics to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. LCE can gather user statistics from systems on a network. All systems should be reporting user statistics to LCE to ensure that access controls can be effectively implemented and monitored.

Less than 10% of systems using administrative accounts over the network: This policy statement displays the ratio of systems using administrative accounts over the network to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy monitors systems for the use of administrative accounts over the network, which should be limited to a defined list of systems. Any unexpected system using administrative accounts over the network should be considered suspicious.

Less than 5% of password compliance checks failed: This policy statement displays the ratio of failed to total password compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Password settings may include password length, complexity, and age requirements, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:

  • NIST 800-53 control IA-5 (AUTHENTICATOR MANAGEMENT)
  • DoD Instruction 8500.2 control IAIA (Individual Identification and Authentication)
  • PCI DSS requirement 8.2 (Ensure proper user-authentication management)

Less than 5% of account lockout compliance checks failed: This policy statement displays the ratio of failed to total account lockout compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Account lockout settings may include failed logon counts and lockout duration requirements, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:

  • NIST 800-53 control AC-7 (UNSUCCESSFUL LOGON ATTEMPTS)
  • SANS/Council on CyberSecurity Critical Security Control 16-9 (Account Monitoring and Control: Lockouts)
  • DoD Instruction 8500.2 control ECLO (Logon)
  • PCI DSS requirement 8.1.6 (Limit repeated access attempts by locking out the user)
  • PCI DSS requirement 8.1.7 (Set the lockout duration)

Less than 5% of session lock/termination compliance checks failed: This policy statement displays the ratio of failed to total session lock and termination compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Session lock and termination settings may include screen lock and idle time requirements, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:

  • NIST 800-53 control AC-11 (SESSION LOCK)
  • NIST 800-53 control AC-12 (SESSION TERMINATION)
  • SANS/Council on CyberSecurity Critical Security Control 16-5 (Account Monitoring and Control: Auto logout)
  • DoD Instruction 8500.2 control PESL-1 (Screen Lock)
  • PCI DSS requirement 8.1.8 (Idle session requires re-authentication)

Less than 5% of least privilege compliance checks failed: This policy statement displays the ratio of failed to total least privilege compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Least privilege settings may include requirements to disable certain rights and privileges for specific users, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:

  • Cybersecurity Framework PR.AC-4 (Access permissions are managed, incorporating the principles of least privilege and separation of duties)
  • NIST 800-53 control AC-6 (LEAST PRIVILEGE)
  • SANS/Council on CyberSecurity Critical Security Control 12 (Controlled Use of Administrative Privileges)
  • DoD Instruction 8500.2 control ECLP (Least Privilege)

Less than 5% of Windows systems have unused or disabled accounts: This policy statement displays the ratio of Windows systems that have unused or disabled accounts to total Windows systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Unused or disabled accounts are vulnerable to exploitation and should be deleted to ensure that they are not used for malicious purposes.
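The policy statements above all reduce to a ratio compared against a threshold, with the compliance-based ones selecting checks by the standards they cross-reference. The following is an added example, not Tenable's or the ARC's own code, that evaluates those statements over constructed compliance-check results; the "STANDARD|CONTROL" reference spelling, the "no data" result for an empty denominator, and the sample data are assumptions of this example.

```python
from collections import defaultdict

# Cross-references that place a compliance check in each compliance-based policy
# statement, taken from the lists above. The "STANDARD|CONTROL" spelling is an
# assumption of this example, not a quotation of any audit file.
STATEMENT_REFS = {
    "password": {"800-53|IA-5", "8500.2|IAIA", "PCI-DSS|8.2"},
    "account_lockout": {"800-53|AC-7", "CSC|16-9", "8500.2|ECLO",
                        "PCI-DSS|8.1.6", "PCI-DSS|8.1.7"},
    "session_lock": {"800-53|AC-11", "800-53|AC-12", "CSC|16-5",
                     "8500.2|PESL-1", "PCI-DSS|8.1.8"},
    "least_privilege": {"CSF|PR.AC-4", "800-53|AC-6", "CSC|12", "8500.2|ECLP"},
}

def colour(numerator, denominator, at_least=None, less_than=None):
    """Green or red for a ratio-based policy statement.

    "At least 95% of systems report..." uses at_least=0.95; the "less than 5%
    failed" statements use less_than=0.05. The less_than comparison is strict,
    so exactly 5% failed is still red.
    """
    if denominator == 0:
        return "no data"  # this example's choice for an empty scope
    ratio = numerator / denominator
    if at_least is not None:
        return "green" if ratio >= at_least else "red"
    return "green" if ratio < less_than else "red"

def evaluate_compliance(checks, max_failed=0.05):
    """Return {statement: (failed, total, colour)} from compliance-check results.

    Each check is {"refs": [...], "result": "PASSED" | "FAILED"}. A check whose
    references span two statements is counted toward both of them.
    """
    tallies = defaultdict(lambda: [0, 0])  # statement -> [failed, total]
    for check in checks:
        refs = set(check["refs"])
        for name, selectors in STATEMENT_REFS.items():
            if refs & selectors:
                tallies[name][1] += 1
                tallies[name][0] += int(check["result"] == "FAILED")
    return {name: (tallies[name][0], tallies[name][1],
                   colour(tallies[name][0], tallies[name][1], less_than=max_failed))
            for name in STATEMENT_REFS}

# Constructed sample: 1 of 20 password checks failed (exactly 5%, so red), all
# 10 lockout checks passed, no session checks, 1 of 31 least-privilege checks failed.
SAMPLE_CHECKS = (
    [{"refs": ["800-53|IA-5", "PCI-DSS|8.2"], "result": "PASSED"}] * 19
    + [{"refs": ["800-53|IA-5"], "result": "FAILED"}]
    + [{"refs": ["800-53|AC-7", "PCI-DSS|8.1.6"], "result": "PASSED"}] * 10
    + [{"refs": ["800-53|AC-6", "CSF|PR.AC-4"], "result": "FAILED"}]
    + [{"refs": ["800-53|AC-6"], "result": "PASSED"}] * 30
)

if __name__ == "__main__":
    for name, (failed, total, status) in evaluate_compliance(SAMPLE_CHECKS).items():
        print(f"{name:16} {failed}/{total} failed -> {status}")
```

Running the sample shows why the threshold direction matters: the password statement turns red at exactly 5% failed even though only one check failed, while the system-based statements use the "at least" form of the same comparison.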