QW: Very sensitive data, such as passwords and router, switch, and firewall configurations and rulesets, should be encrypted or stored offline.
Vis/Attrib: Enforce detailed audit logging for every access to non-public data, and require additional authentication (for example, a second factor) for access to sensitive data, so that attackers who have already penetrated important systems are slowed down and leave a trail.
Config/Hygiene: Periodically create a standard, non-privileged user account on file servers and other application servers in the organization. Then, while logged in as that test account, have authorized personnel determine whether they can access files owned by other users on the system, as well as critical operating system and application software on the machine.
Procedures and tools for implementing this control:
This control is often tested using built-in operating system administrative features, with security personnel scheduling the test on a regular basis, such as monthly. For the test, the security team creates at least two non-superuser accounts on a sample of server and workstation systems. Using the first test account, the security personnel create a directory and a file that should be viewable only by that account. They then log in to each machine using the second test account to see whether they are denied access to the files owned by the first account. Similar but more complex test procedures can be devised to verify that accounts with different levels of access to sensitive data (for example, membership in different groups) are in fact restricted to the data at the proper classification/sensitivity level. The test accounts and test files should be removed once the check is complete so that they do not become a foothold themselves.
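The login test above proves what one account can see on one machine; a monthly sweep wants the same question answered for every file on a server. The script below is an added example, not code from the Critical Controls document or from any vendor tool. It evaluates the classic POSIX owner/group/other mode bits and directory traversal the way the kernel would for a hypothetical second test account (uid and group list supplied by hand, as `id` would report them), and lists every regular file under a tree that account could read. The sample tree it builds is constructed for the demonstration; two reader profiles, a stranger with no shared group and a colleague in the file owner's group, mirror the "different levels of access" case in the procedure.

```python
"""Static sweep of what a second (non-superuser) test account could read.

Added example; not part of the Critical Controls document. It models POSIX
mode-bit evaluation (owner -> group -> other) plus directory search (x) bits
so a scheduled job can list what the reader account could open under a
tree without logging in as that account.
"""
import json
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The reader account under test: uid and the set of gids from `id -G`."""
    uid: int
    gids: frozenset


def _permits(st, who, want):
    """Classic POSIX check of `want` ("r", "w" or "x") for `who` on stat `st`.

    uid 0 is deliberately not special-cased: the procedure tests only
    non-superuser accounts, and root would trivially read everything.
    """
    shift = {"r": 2, "w": 1, "x": 0}[want]
    if st.st_uid == who.uid:
        cls = 6          # owner bits live at 0o700
    elif st.st_gid in who.gids:
        cls = 3          # group bits at 0o070
    else:
        cls = 0          # other bits at 0o007
    return bool(st.st_mode & (1 << (cls + shift)))


def readable_by(root, who):
    """Sorted list of regular files under `root` that `who` could read.

    A directory the reader cannot search (no x bit) is pruned, so a 0644 file
    inside a 0700 home directory is correctly reported as unreachable.
    Symlinks are skipped so the sweep stays inside `root`.
    """
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not _permits(os.lstat(dirpath), who, "x"):
            dirnames[:] = []       # reader cannot enter: do not descend
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and _permits(st, who, "r"):
                exposed.append(path)
    return sorted(exposed)


def build_sample_tree(base):
    """Constructed sample layout (not real server data): dir mode, then files."""
    layout = {
        "alice": (0o700, {"private.txt": 0o600, "notes.txt": 0o644}),
        "shared": (0o755, {"report.txt": 0o644, "secret.txt": 0o600}),
        "ops": (0o750, {"router-config.txt": 0o640}),
    }
    for d, (dmode, files) in layout.items():
        dpath = os.path.join(base, d)
        os.mkdir(dpath)
        for f, fmode in files.items():
            fpath = os.path.join(dpath, f)
            with open(fpath, "w") as fh:
                fh.write("sample\n")
            os.chmod(fpath, fmode)
        os.chmod(dpath, dmode)
    os.chmod(base, 0o755)          # the mount point itself is reachable
    return base


def run_sweep(base):
    """Run the sweep for two hypothetical reader accounts and return paths
    relative to `base`. Both readers have a uid different from the owner;
    only the 'colleague' shares the owner's primary group."""
    owner = os.lstat(os.path.join(base, "shared", "report.txt"))
    stranger = Principal(uid=owner.st_uid + 1, gids=frozenset({owner.st_gid + 1}))
    colleague = Principal(uid=owner.st_uid + 1, gids=frozenset({owner.st_gid}))

    def rel(paths):
        return [os.path.relpath(p, base) for p in paths]

    return {"stranger": rel(readable_by(base, stranger)),
            "colleague": rel(readable_by(base, colleague))}


def sweep_constructed_sample():
    """Build the sample tree in a temp dir, sweep it, clean up, return results."""
    base = tempfile.mkdtemp(prefix="acl-sweep-")
    try:
        build_sample_tree(base)
        return run_sweep(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(json.dumps(sweep_constructed_sample(), indent=2))
```

The expected finding is that the stranger reaches only shared/report.txt, while the colleague additionally reaches ops/router-config.txt through the group bits; alice/notes.txt stays hidden for both despite its 0644 mode because the enclosing directory is 0700. This static model does not see POSIX ACLs, mandatory access controls such as SELinux, or network-filesystem identity mapping, which is exactly why the manual login as the second account in the procedure above still matters: run the sweep to find candidates at scale, then confirm a sample of them by actually opening the files as the test account.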
Critical Control 10: Continuous Vulnerability Testing and Remediation
How do attackers exploit the lack of this control?
Soon after new vulnerabilities are discovered and reported by security researchers or vendors, attackers engineer exploit code and launch it against targets of interest. Any significant delay in finding or fixing software with critical vulnerabilities gives persistent attackers ample opportunity to break through, gain control over the vulnerable machines, and reach the sensitive data they contain.