whether any browsers or e-mail readers are running with high privileges. Such information gathering is often scripted, with short shell scripts running the ps command on Linux or the tasklist command on Windows, and analyzing its output for a dozen or more different browsers, e-mail readers, and document editing programs. Some legitimate system administration activity may require the execution of such programs over the short term, but long-term or frequent use of such programs with administrative privileges could indicate that an administrator is not adhering to this control.
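The following script is an added example of the kind of check described above; it is not part of the original document. It parses the output format of `ps -eo user,pid,comm` and flags browsers, e-mail readers, and document editors running under an administrative account. The process listing and the watched-program list are constructed sample data (an assumption, to be replaced with the software actually deployed).

```shell
#!/bin/sh
# Added example, not from the original document: flag browsers and e-mail
# readers running under the root account, in the style of the short scripts
# described above. Input is the output format of `ps -eo user,pid,comm`; the
# process list below is constructed sample data.

SAMPLE_PS='USER       PID COMMAND
root         1 systemd
alice     2310 firefox
root      2412 thunderbird
bob       2550 bash
root      2601 chromium
alice     2777 evolution'

# Program names (as shown in the COMMAND column) that should not run with
# administrative privileges. Assumption: an illustrative list; extend it to
# match the software actually in use.
WATCHED='firefox chromium chrome thunderbird evolution mutt libreoffice soffice.bin'

# privileged_apps PS_OUTPUT [USER]
# Prints "user pid program" for every watched program running as USER (default: root).
privileged_apps() {
    who=${2:-root}
    printf '%s\n' "$1" | awk -v who="$who" -v list="$WATCHED" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) watched[a[i]] = 1 }
        NR > 1 && $1 == who && ($3 in watched) { print $1, $2, $3 }'
}

# privileged_app_count PS_OUTPUT [USER] -> number of flagged processes
privileged_app_count() {
    privileged_apps "$1" "${2:-root}" | wc -l | tr -d ' '
}

# Stand-alone run: "--live" inspects the local host, otherwise the sample data is used.
if [ "${1:-}" = "--live" ]; then
    privileged_apps "$(ps -eo user,pid,comm)"
else
    privileged_apps "$SAMPLE_PS"
fi
```

Run from cron or a monitoring agent, a non-empty result is the signal to record; a single hit during a maintenance window is usually noise, while the same browser process appearing as root day after day is the pattern the control is meant to catch. On Windows the same matching can be applied to the "User Name" column of `tasklist /v`.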
To enforce the minimum password length requirement (12 characters), the built-in minimum password length settings of Windows and Linux can be configured so that users cannot choose shorter passwords. To enforce password complexity (requiring passwords to be a string of pseudo-random characters), built-in Windows Group Policy settings and Linux Pluggable Authentication Modules (PAM) can be employed.
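As an added example (not from the original document), the script below audits the Linux side of this requirement. It assumes the host enforces password quality with pam_pwquality, configured through /etc/security/pwquality.conf, and that the policy wants at least 12 characters drawn from at least 3 character classes; the weak and hardened configuration files are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original document: check whether a Linux host's
# pam_pwquality settings enforce the password length and complexity described
# above. Assumptions: the host uses pam_pwquality, configured through
# /etc/security/pwquality.conf (keys such as minlen and minclass), and the
# policy calls for at least 12 characters from at least 3 character classes.

REQUIRED_MINLEN=12
REQUIRED_MINCLASS=3

# Constructed sample: a weak configuration.
WEAK_CONF='# /etc/security/pwquality.conf
minlen = 8
minclass = 1'

# Constructed sample: the corrected configuration.
HARDENED_CONF='# /etc/security/pwquality.conf
minlen = 12
minclass = 3
maxrepeat = 3'

# conf_value CONF KEY -> prints the last uncommented value of KEY ("" if absent)
conf_value() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        { k = $1; v = $2; gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v) }
        k == key { val = v }
        END { print val }'
}

# policy_ok CONF -> exit status 0 if CONF meets the length and class requirements.
# Keys missing from the file fall back to pam_pwquality's defaults (minlen 8, minclass 0).
policy_ok() {
    minlen=$(conf_value "$1" minlen)
    minclass=$(conf_value "$1" minclass)
    [ "${minlen:-8}" -ge "$REQUIRED_MINLEN" ] && [ "${minclass:-0}" -ge "$REQUIRED_MINCLASS" ]
}

# Stand-alone run: report on both samples. On a real host pass
# "$(cat /etc/security/pwquality.conf)" instead.
if policy_ok "$WEAK_CONF"; then echo "weak sample: compliant"; else echo "weak sample: NOT compliant"; fi
if policy_ok "$HARDENED_CONF"; then echo "hardened sample: compliant"; else echo "hardened sample: NOT compliant"; fi
```

Two caveats apply when using this on a real host. The settings only take effect if pam_pwquality is actually listed in the password stack (for example /etc/pam.d/common-password on Debian-derived systems or /etc/pam.d/system-auth on Red Hat-derived ones), so an audit should confirm that line as well; and root-initiated password changes bypass the quality checks unless enforce_for_root is set. The Windows equivalents are the "Minimum password length" and "Password must meet complexity requirements" settings under Account Policies in Group Policy.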
Log analysis tools are used to look for log entries indicating changes to system configuration that cannot be reconciled with records in the change management system; changes with no corresponding approved change are candidates for alterations made by an intruder.
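The reconciliation just described, as an added example that is not part of the original document. It assumes configuration-change events have already been normalized (from file integrity monitoring or audit logs) to one line per event in the form "TIMESTAMP HOST USER PATH", and that the change management system exports approved windows as "TICKET HOST PATH START END"; both inputs below are constructed samples, and the timestamps are UTC in ISO 8601 form so they compare correctly as plain strings.

```shell
#!/bin/sh
# Added example, not from the original document: reconcile logged configuration
# changes against approved change records and print the changes no record
# explains. Assumptions: events are normalized to "TIMESTAMP HOST USER PATH",
# approved windows are exported as "TICKET HOST PATH START END", and timestamps
# are UTC ISO 8601 strings (fixed width, so string comparison orders them).

# Constructed sample: configuration-change events seen in the logs.
CHANGE_EVENTS='2024-03-05T02:14:07Z web1 svc-deploy /etc/ssh/sshd_config
2024-03-05T02:20:31Z web1 svc-deploy /etc/nginx/nginx.conf
2024-03-06T23:41:58Z web1 root /etc/sudoers
2024-03-07T10:05:12Z db1 alice /etc/postgresql/postgresql.conf'

# Constructed sample: approved change windows exported from change management.
APPROVED_CHANGES='CHG-1041 web1 /etc/ssh/sshd_config 2024-03-05T02:00:00Z 2024-03-05T03:00:00Z
CHG-1041 web1 /etc/nginx/nginx.conf 2024-03-05T02:00:00Z 2024-03-05T03:00:00Z
CHG-1077 db1 /etc/postgresql/postgresql.conf 2024-03-07T09:00:00Z 2024-03-07T12:00:00Z'

# unreconciled EVENTS APPROVED
# Prints each event for which no approved window matches the host and path and
# contains the event's timestamp.
unreconciled() {
    ev=$(mktemp) || return 1
    ap=$(mktemp) || { rm -f "$ev"; return 1; }
    printf '%s\n' "$1" > "$ev"
    printf '%s\n' "$2" > "$ap"
    awk -v ap="$ap" '
        # Approved windows are read first and kept in parallel arrays.
        FILENAME == ap { n++; host[n] = $2; path[n] = $3; wstart[n] = $4; wend[n] = $5; next }
        # Then the events: print one only if no window covers it.
        {
            covered = 0
            for (i = 1; i <= n; i++)
                if ($2 == host[i] && $4 == path[i] && $1 >= wstart[i] && $1 <= wend[i]) {
                    covered = 1; break
                }
            if (!covered) print
        }' "$ap" "$ev"
    rm -f "$ev" "$ap"
}

# unreconciled_count EVENTS APPROVED -> number of unexplained events
unreconciled_count() {
    unreconciled "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run on the samples: the /etc/sudoers edit has no ticket and is printed.
unreconciled "$CHANGE_EVENTS" "$APPROVED_CHANGES"
```

Matching on host, path, and time window (rather than only on path) is deliberate: a ticket for one host should not excuse the same file changing on another, and a change one second outside its window is still unexplained. In practice the user field is worth checking too, since a change inside an approved window but made by an account other than the deployment account deserves a look.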
Critical Control 9: Controlled Access Based On Need to Know
How do attackers exploit the lack of this control?
Once an attacker has penetrated a sensitive network, if users have access to all or most of the information on it, the attacker’s job of finding and exfiltrating important information is greatly facilitated: compromising any single account is enough to reach the data, with no further privilege escalation required.
How can this control be implemented, automated, and its effectiveness measured?
QW: Establish a multi-level data identification/separation scheme (such as a three-level system with data separated into categories such as public, all authorized employees, and only a small subset of employees).