by Stephanie Dunn
January 24, 2017
One of the primary reasons why organizations are breached is due to the lack of proper access controls in place. As organizations continue to grow, many will see continuous changes such as employee turnover, temporary access changes, and internal job changes that can be easily overlooked by system administrators. Failure to monitor these changes can result in a large number of accounts with excessive privileges that can provide both attackers or malicious insiders access to critical systems and data. This dashboard aligns with the NIST 800-53 controls that support enforcing access controls, managing user and group changes, and ensuring least privileges.
The National Institute of Standards and Technology (NIST) developed the NIST Special Publication (SP) 800-53 revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations” to provide federal information systems and organizations with security controls and processes to protect against a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors. By integrating these controls, organizations will be able to achieve a more consistent level of security and flexibility that can be customized for use with specific industries, standards, and business requirements, and complement other established information security standards. Data presented within this dashboard aligns with NIST 800-53 controls that will help organizations better understand the effectiveness of existing authentication and access controls in use. This dashboard aligns with the following controls:
- Access Enforcement (AC-3)
- Account Management (AC-2)
- Identification And Authentication (IA-Family)
- Least Privilege (AC-6)
- Separation Of Duties (AC-5)
- Session Lock (AC-11)
- Session Termination (AC-12)
- System Use Notification (AC-8)
- Unsuccessful Logon Attempts (AC-7)
Monitoring authentication and access control changes within a network can be difficult and overwhelming for any analyst to sort through. Using active scanning, passive listening, and event monitoring, analysts will obtain an accurate picture of user and group changes, and can highlight unauthorized changes that could affect critical systems or data. Data will provide analysts with additional insight and awareness of changes from local and domain groups, new users, and administrative events.
Analysts will be able to quickly detect when a user has logged into a system for the first time, when a user has been added to a group, or when an account has expired. While many of these scenarios should be results from authorized and coordinated change control boards, analysts can use this data to identify unauthorized changes. Audit checks will provide information on potentially weak or misconfigured access controls on systems that should be investigated by the analyst. Information presented within this dashboard will assist analysts in monitoring user changes, and prevent malicious activity.
This dashboard is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The dashboard requirements are:
- Tenable.sc 5.4.2
- Nessus 8.4.0
- LCE 6.0.0
- NNM 5.9.0
Tenable's Tenable.sc Continuous View (CV) is the market-defining continuous network monitoring solution, and assists in securing an organization’s internal network. Tenable.sc CV is continuously updated with information about advanced threats, zero-day vulnerabilities, and new regulatory compliance data. Active scanning periodically examines systems to determine vulnerabilities and compliance concerns. Agent scanning enables scanning and detection of vulnerabilities on transient and isolated devices. Passive listening provides real-time discovery of vulnerabilities on operating systems, protocols, network services, wireless devices, web applications, and critical infrastructure. Host data and data from other security products is analyzed to monitor the network for malware, intrusions, and other forms of malicious activity. Tenable.sc CV provides an organization with the most comprehensive view of the network and the intelligence needed to protect authentication and access control methods within the network.
The following components are included within this dashboard:
- Daily Host Alerts by User (Last 5 Days): Most users in an organization have a typical pattern of when they use an organization’s resources. This component shows when users generate alerts with hosts in the organization. Using this component, analysts can quickly determine user activity outside of expected work hours.
- CSF - New Users and User Changes: This component presents data on new and existing user events on the network over the past 72 hours. The LCE normalized events of ‘User_Added’, ‘User_Change’, ‘User_Removed’ and ‘New_Login’ are included within this table. These detected event changes will display information on new user accounts, user account password changes, rights access, and new user logins seen for the first time. The data within this component will be highly valuable to any analyst in determining the presence of unauthorized accounts on the network.
- CSF - Account and Group Information: This table displays detections of account and group information, such as accounts that have never been logged into, disabled accounts, and group user lists. This information is obtained through Nessus credentialed scans. Most of these detections will contain lists of accounts in their output. The Obtains the Password Policy detection will contain the retrieved password policy in its output. Clicking on the Browse Component Data icon on the component will bring up the vulnerability analysis screen to display the detections and allow further investigation. In the analysis screen, setting the tool to Vulnerability Detail List will display the full details for each detection, including its description and output.
- CSC - Users with Admin Events (Last 72 Hours): This table presents those users associated with events that indicate performed or attempted administrative actions. The table is sorted so that the users with the most detected events are at the top. The user associated with an event cannot always be determined, so there will likely be a large number of events for the "(unknown)" user. Any unexpected users in this list should be further investigated to determine why and how they are executing administrative actions.
- Authentication and Access Control - Top Subnets with Vulnerabilities: This component displays the top Class C subnets with actively and passively detected vulnerabilities related to authentication and access control. These vulnerabilities may include password vulnerabilities, default account and credential vulnerabilities, and other authentication-related vulnerabilities. Presenting these interactions by subnet allows easy understanding of which areas of the network are more vulnerable. Clicking on the Browse Component Data icon will bring up the vulnerability analysis screen to allow further investigation. If desired, the analysis tool can be changed to present the authentication and access control vulnerabilities by vulnerability, IP address, or asset list.
- Authentication and Access Control - Compliance Checks: This component displays compliance information in the areas of user access, least privilege, password and authentication requirements, and administrative/root account control. The displayed compliance information is either based on keywords, or is related to relevant areas in security standards such as NIST SP 800-53, the CIS Critical Security Controls, the Cybersecurity Framework, and ISO/IEC 27001. For each row, the columns provide the number of hosts audited, whether an audit scan was run in the last seven days, the ratios of passed audit checks (in green), checks that require manual verification (in orange), and failed audit checks (in red), and the count of hosts with failed checks. Clicking on a highlighted indicator in the Hosts with Fails column will bring up the vulnerability analysis screen to display the systems with failed audit checks and allow further investigation. Note that in order for data to appear in this component, appropriate audit/compliance scans must first be run on the network.
- CSF - Access Information and Changes (Last 72 Hours): This matrix component can help an analyst quickly pull up information on systems where certain user access-related events and changes have occurred. This includes such information as the first time users logged into a system, and systems on which passwords expired, accounts were disabled, and privileges or group memberships were changed. If an event occurred in the last 72 hours, the indicator will be highlighted purple; an analyst can use this to determine whether an expected behavior such as workstations locking or accounts expiring is happening at all. Also, LCE keeps track of all users that logged into each host and all systems that logged into other systems using administrative accounts; this information is available by clicking on the Users per IP and Admin Systems indicators, respectively.