
CNBV – User and Access Management

by Cesar Navas
July 14, 2020


The National Banking and Securities Commission (CNBV) Annex 72 is a collection of Key Risk Indicators (KRIs) that establish compliance standards for financial institutions operating in Mexico. Financial institutions in Mexico should be prepared to divulge cyber risk KRIs to CNBV when requested. This dashboard relates to KRI0005 and builds on it to assist security operations teams in monitoring user privilege, access, and user-related compliance checks.

Financial institutions are naturally at a higher risk of being targeted and attacked. To minimize organizational risk, tracking assets (including vulnerabilities, misconfigurations, and other security health indicators) is vital to a successful risk management program. KRI0005 concerns knowing the number of users and their assigned roles and permissions. Tenable.sc provides many mechanisms for understanding credential hygiene. The Local Check plugins provide group membership, local user access, and user account information, including inactivity and password change status. Local checks can also identify inactive and duplicate accounts on Linux and UNIX systems. Tenable.sc uses audit files to determine the state of logging on hosts and the associated risks. Separation of duties can be inferred from group memberships and other checks.

Administrative privileges should be controlled and limited specifically to those with a need, to limit the risk from account compromise. Each user of a system should have a unique account assigned to them. Sharing of user accounts limits accountability for actions. Administrator credentials should only be used to log on to workstations specifically designated for administrative work and all actions by the administrator should be logged. This limits the risk of account compromise via non-hardened workstations and ensures an appropriate audit trail exists in case of credential use by a bad actor. Following the principle of least privilege, users should only have the access specifically needed and no more. Similarly, user privileges should be separated by functional groups preventing fraud by ensuring that no individual has unnecessary authority to perform critical functions.

This Dashboard is available in the Tenable.sc feed, which is a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The Dashboard can be easily located in the Tenable.sc feed under the Executive category. The dashboard requirements are as follows:

  • Tenable.sc 5.14.1
  • Nessus 8.10.1
  • Compliance Data

This dashboard provides the organization with a clear and simplified method to identify and establish compliance with Annex 72 from CNBV. The data can be analyzed to provide more detail in non-compliant areas, which facilitates the Fix and Measure steps of the Cyber Exposure Lifecycle. Tenable.sc is the on-premises solution for understanding the picture of the network while keeping the data under the organization’s control. Built on leading Nessus technology, Tenable.sc discovers unknown assets and vulnerabilities, and monitors unexpected network changes before they turn into breaches.

Components

CIS Linux and UNIX - Audit Warnings: The Audit Warnings indicators trigger if one or more vulnerabilities are found to exist. Common checks included are: Duplicate UID/GID, Inactive User Account, and Unsupported OS. Indicators can be customized to highlight specific CIS Linux and UNIX vulnerabilities as the organization sees fit.

CSF - Account and Group Information: This table displays detections of account and group information, such as accounts that have never been logged into, disabled accounts, and group user lists. This information is obtained through Nessus credentialed scans. Most of these detections will contain lists of accounts in their output. The Obtains the Password Policy detection will contain the retrieved password policy in its output. Clicking on the Browse Component Data icon on the component will bring up the vulnerability analysis screen to display the detections and allow further investigation. In the analysis screen, setting the tool to Vulnerability Detail List will display the full details for each detection, including its description and output.

Authentication and Access Control - Top Subnets with Vulnerabilities: This component displays the top Class C subnets with actively and passively detected vulnerabilities related to authentication and access control. These vulnerabilities may include password vulnerabilities, default account and credential vulnerabilities, and other authentication-related vulnerabilities. Presenting these interactions by subnet allows easy understanding of which areas of the network are more vulnerable. Clicking on the Browse Component Data icon will bring up the vulnerability analysis screen to allow further investigation. If desired, the analysis tool can be changed to present the authentication and access control vulnerabilities by vulnerability, IP address, or asset list.

Logging Issues by Network: Logging Issues by Network shows a breakdown of logging issues by CIDR range. The Class C tool is used to group audit checks related to logging.

Authentication and Access Control - Compliance Checks: This component displays compliance information in the areas of user access, least privilege, password and authentication requirements, and administrative/root account control. The displayed compliance information is either based on keywords, or is related to relevant areas in security standards such as NIST SP 800-53, the CIS Critical Security Controls, the Cybersecurity Framework, and ISO/IEC 27001. For each row, the columns provide the number of hosts audited, whether an audit scan was run in the last seven days, the ratios of passed audit checks (in green), checks that require manual verification (in orange), and failed audit checks (in red), and the count of hosts with failed checks. Clicking on a highlighted indicator in the Hosts with Fails column will bring up the vulnerability analysis screen to display the systems with failed audit checks and allow further investigation. Note that in order for data to appear in this component, appropriate audit/compliance scans must first be run on the network.

Account Weakness - Authentication Vulnerabilities (Active Detection): This matrix shows active detections of authentication vulnerabilities. Each indicator highlights those vulnerabilities with the given keyword(s) in their name.

Account Weakness - Authentication Vulnerabilities (Passive Detection): This matrix shows passive detections of authentication vulnerabilities. Each indicator highlights those vulnerabilities with the given keyword(s) in their name.

CSF - User Access and Least Privilege Compliance Checks: This component displays user access and least privilege compliance information in areas such as password requirements, lockout policy after failed logins, and controlled use of administrative privileges. The first rows display compliance information by keyword. The last rows display user access and least privilege compliance information related to several standards: NIST 800-53 (IA family and selected AC controls), CIS Critical Security Controls (v6.0, CSC 5 and 16), and the Cybersecurity Framework (PR.AC-1 and PR.AC-4). For each row, the columns provide the number of hosts audited, whether an audit scan was run in the last seven days, the ratios of passed audit checks (in green), checks that require manual verification (in orange), and failed audit checks (in red), and the count of hosts with failed checks. Clicking on a highlighted indicator in the Hosts with Fails column will bring up the vulnerability analysis screen to display the systems with failed audit checks and allow further investigation. Note that in order for data to appear in this component, appropriate audit/compliance scans must first be run on the network.

Account Status Indicators - Users and SID Information: This component provides easy access to several plugins used to collect information about user accounts and security identifiers (SIDs). Listed below are the details for plugins identified in this matrix:

Account Status Indicators - Group Memberships: There are several default groups such as the administrators, server operators, account operators, backup operators, print operators, and replicator; this matrix provides an easy method to monitor these memberships.
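The checks these components surface (Duplicate UID/GID, Inactive User Account, disabled accounts, and membership of privileged groups) can be reproduced locally to see what a failing host looks like. The following is an added example, not Tenable or Nessus plugin code. It parses constructed /etc/passwd, /etc/shadow and /etc/group text embedded in the script; it assumes password-change age from /etc/shadow as the inactivity signal (a fixed `today_days` is used so the result is repeatable) and a hypothetical `PRIVILEGED_GROUPS` set standing in for the default privileged groups the matrix monitors.

```python
"""Local user-hygiene checks, as an added illustration of the dashboard's checks.

Not Tenable/Nessus plugin code. Flags duplicate UIDs/GIDs, locked and
inactive accounts, and members of privileged groups from constructed
passwd/shadow/group data.
"""
from collections import defaultdict

# Constructed sample data; not taken from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc_backup:x:1001:1002:Backup service:/var/backups:/bin/sh
carol:x:1002:1000:Carol:/home/carol:/bin/bash
toor:x:0:0:alt root:/root:/bin/bash
"""

# Field 2 is the hash ('!' or '*' prefix means locked); field 3 is the
# day number (days since 1970-01-01) of the last password change.
SHADOW = """\
root:$6$abc:18400:0:99999:7:::
daemon:*:18400:0:99999:7:::
alice:$6$def:18420:0:99999:7:::
bob:!$6$ghi:17900:0:99999:7:::
svc_backup:$6$jkl:17800:0:99999:7:::
carol:$6$mno:18380:0:99999:7:::
toor:$6$pqr:18400:0:99999:7:::
"""

GROUP = """\
root:x:0:
sudo:x:27:alice,svc_backup
wheel:x:10:carol
staff:x:10:
users:x:1000:
"""

# Hypothetical set of groups treated as privileged for this example.
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "adm"}


def parse_passwd(text):
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        rows.append({"name": f[0], "uid": int(f[2]), "gid": int(f[3]), "shell": f[6]})
    return rows


def parse_shadow(text):
    rows = {}
    for line in text.splitlines():
        if not line:
            continue
        f = line.split(":")
        rows[f[0]] = {"hash": f[1], "lastchg": int(f[2]) if f[2] else None}
    return rows


def parse_group(text):
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        f = line.split(":")
        rows.append({"name": f[0], "gid": int(f[2]),
                     "members": [m for m in f[3].split(",") if m]})
    return rows


def find_duplicate_ids(rows, key):
    """Return {id: [names]} for every uid/gid shared by more than one entry."""
    seen = defaultdict(list)
    for r in rows:
        seen[r[key]].append(r["name"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def account_status(passwd_rows, shadow, today_days, max_age_days=90):
    """Split non-system accounts into locked and inactive (password older than max_age_days)."""
    locked, inactive = [], []
    for r in passwd_rows:
        if 0 < r["uid"] < 1000:  # skip daemon/system accounts
            continue
        s = shadow.get(r["name"])
        if s is None:
            continue
        if s["hash"].startswith(("!", "*")):
            locked.append(r["name"])
        elif s["lastchg"] is not None and today_days - s["lastchg"] > max_age_days:
            inactive.append(r["name"])
    return sorted(locked), sorted(inactive)


def privileged_members(passwd_rows, group_rows, privileged=PRIVILEGED_GROUPS):
    """Members of privileged groups: explicit members plus accounts whose primary GID matches."""
    result = {}
    for g in group_rows:
        if g["name"] not in privileged:
            continue
        members = set(g["members"])
        members.update(r["name"] for r in passwd_rows if r["gid"] == g["gid"])
        result[g["name"]] = sorted(members)
    return result


def run_checks(passwd_text=PASSWD, shadow_text=SHADOW, group_text=GROUP, today_days=18450):
    passwd = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    groups = parse_group(group_text)
    locked, inactive = account_status(passwd, shadow, today_days)
    return {
        "duplicate_uid": find_duplicate_ids(passwd, "uid"),
        "duplicate_gid": find_duplicate_ids(groups, "gid"),
        "locked": locked,
        "inactive": inactive,
        "privileged": privileged_members(passwd, groups),
    }


if __name__ == "__main__":
    for check, finding in run_checks().items():
        print(f"{check}: {finding}")
```

On the sample data the script reports two shared UIDs (a second UID 0 account and a service account reusing a user's UID), one shared GID in /etc/group, one locked and one inactive account, and the effective membership of each privileged group, which is the same information the Audit Warnings and Group Memberships components summarize across scanned hosts.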

CNBV - Top 10 Failed User Audit Checks: This component shows the top 10 logging issues. Audit checks are filtered to those related to logging issues and displayed.
