Twenty Most Important Controls and Metrics for - page 30 / 48

QW: Very sensitive data, such as passwords and router, switch, and firewall configurations and rulesets, should be encrypted or stored offline.

Vis/Attrib: Enforce detailed audit logging for access to non-public data and special authentication for sensitive data to frustrate attackers who have penetrated important sites.

Config/Hygiene: Periodically, create a standard user account on file servers and other application servers in the organization. Then, while logged into that test account, have authorized personnel determine whether they can access files owned by other users on the system, as well as critical operating system and application software on the machine.

Procedures and tools for implementing this control:

This control is often tested using built-in operating system administrative features, with security personnel scheduling a periodic test on a regular basis, such as monthly. For the test, the security team creates at least two non-superuser accounts on a sample of server and workstation systems. With the first test account, the security personnel create a directory and a file that should be viewable only by that account. They then log in to each machine using the second test account to see whether they are denied access to the files owned by the first account. Similar but more complex test procedures could be devised to verify that accounts with different levels of access to sensitive data are in fact restricted to accessing only the data at the proper classification/sensitivity level.
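The manual two-account test above can be complemented by an offline audit that answers the same question for a whole file tree: which files not owned by the test account could that account read, judging by the POSIX owner/group/other mode bits? The script below is an added example and is not part of the controls document. It assumes classic mode bits only (POSIX ACLs, capabilities, SELinux labels and root's override are out of scope), and the uid/gid 60001 used for the simulated second test account, as well as the sample directory tree it builds, are constructed for illustration. It also handles the edge case the manual procedure can miss: a world-readable file is not reachable if a parent directory denies the search (execute) bit, so such subtrees are pruned rather than reported.

```python
#!/usr/bin/env python3
"""Offline need-to-know check based on POSIX mode bits.

Added example (not from the controls document). Assumptions: owner/group/other
bits only; ACLs, capabilities, SELinux and root's override are ignored.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List

R, W, X = 4, 2, 1  # read / write / search(execute) bits of one permission class


@dataclass(frozen=True)
class Account:
    uid: int
    gids: frozenset  # primary plus supplementary group ids


def mode_allows(st: os.stat_result, acct: Account, want: int) -> bool:
    """POSIX rule: exactly one class is consulted. Owner bits if the uid
    matches, else group bits if any of the account's gids matches, else
    'other' bits. An owner of a 0o007 file is therefore still denied."""
    if acct.uid == st.st_uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in acct.gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return (bits & want) == want


def fake_stat(mode: int, uid: int, gid: int) -> os.stat_result:
    """Synthetic stat result for exercising mode_allows without a real file."""
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


def find_exposed(root: str, acct: Account) -> List[str]:
    """Regular files under root, not owned by acct, that acct could read.
    Directories acct cannot search (no X bit for its class) are pruned:
    nothing beneath them is reachable by path, even with a known filename."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not mode_allows(os.lstat(dirpath), acct, X):
            dirnames[:] = []  # do not descend; contents are unreachable
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):  # judge targets, not symlinks
                continue
            if st.st_uid != acct.uid and mode_allows(st, acct, R):
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


def build_fixture() -> str:
    """Constructed sample tree standing in for a file-server share."""
    root = tempfile.mkdtemp(prefix="ntk_")
    os.chmod(root, 0o755)

    def put(rel: str, mode: int) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)

    put("finance/budget.xlsx", 0o600)  # private to its owner: must stay hidden
    put("finance/README", 0o644)       # world-readable: should be reported
    os.chmod(os.path.join(root, "finance"), 0o755)
    put("hr/salaries.csv", 0o644)      # readable file, but...
    os.chmod(os.path.join(root, "hr"), 0o700)  # ...its directory blocks search
    return root


def run_check(root: str) -> List[str]:
    """Simulate the 'second test account': an id that owns nothing under root."""
    tester = Account(uid=60001, gids=frozenset({60001}))  # constructed ids
    return find_exposed(root, tester)


if __name__ == "__main__":
    share = build_fixture()
    print("Readable by the test account:", run_check(share))
```

Run it against a real share by replacing `build_fixture()` with the mount point and `Account(...)` with the test account's actual uid and group ids (for example from `id -u` and `id -G`). Because mode bits are the only input, any deny-by-ACL or allow-by-ACL entries will not be reflected; on systems that use ACLs, pair this with the manual log-in test the procedure describes.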

Critical Control 10: Continuous Vulnerability Testing and Remediation

How do attackers exploit the lack of this control?

Soon after new vulnerabilities are discovered and reported by security researchers or vendors, attackers engineer exploit code and then launch that code against targets of interest. Any significant delay in finding or fixing software with critical vulnerabilities provides ample opportunity for persistent attackers to break through, gaining control over the vulnerable machines and getting access to the sensitive data they contain.
