NGTEdu

A PRODUCT OF NGTECH.CO.IN

NGTEdu Logo

NGTEdu

  • Home
  • Cyber Attacks
  • Malware
  • Vulnerabilities
  • Data Breach
  • Home
  • Cyber Attacks
  • CIS Control 6: Access Control Management
  • Critical Vulnerability
  • Cyber Attacks
  • Data Breach

CIS Control 6: Access Control Management

4 years ago David Lu

CIS Control 6 merges parts of two controls from version 7 of the CIS Controls, Control 4 (Controlled Use of Administrative Privileges) and Control 14 (Controlled Access Based on the Need to Know), into a single access control management group. Access control management is a critical component of information and system security: it restricts access to assets based on role and need. Access must be granted, refused, and removed in a standardized, timely, and repeatable way across the entire organization. Privileged accounts, such as administrator accounts, should be protected with multi-factor authentication (MFA). Automated tools make enforcing and maintaining access control policies significantly less painful. Just as data assets are protected, user and service accounts are assets that need protection in their own right.

Many of the Safeguards in Control 6 are foundational, and even the smallest organizations should implement them. Organizations with more resources, with assets subject to regulatory and compliance oversight, or that may face sophisticated adversaries should also implement centralized, role-based access control.

CIS Benchmarks, which are available for many product families, are best-practice security configuration guides that are mapped to the controls and walk you through configuration remediation step-by-step.

Key Takeaways for Control 6

An access control management plan should at least implement processes to:

  1. Ensure that access is granted and revoked in a systematic and preferably automated way.
  2. Enable multi-factor authentication for all users with privileged or remote access as well as externally-exposed or third-party applications.

A more comprehensive plan should incorporate centralization, automation, a maintained inventory, and role-based access.

Safeguards for Control 6

6.1) Establish an Access Granting Process

Description: Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.

Notes: This Implementation Group 1 (IG1) Safeguard intends to protect enterprise assets, ensuring that users are provisioned appropriate access in a regulated manner. Every organization should implement this Safeguard.

6.2) Establish an Access-Revoking Process

Description: Establish and follow a process, preferably automated, for revoking access to enterprise assets through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts instead of deleting accounts may be necessary to preserve audit trails.

Notes: This IG1 Safeguard also intends to protect enterprise assets by ensuring that user access is deprovisioned in a regulated manner. Every organization should implement this Safeguard.
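The following is an added example of the automated joiner/mover/leaver process that Safeguards 6.1 and 6.2 describe; it is not code from the original article or from CIS. It assumes an HR feed is the authoritative source of who is employed and in which role, and models the directory (Active Directory, LDAP, or an IdP) as an in-memory object with an audit log. Terminated users are disabled, never deleted, so the audit trail survives; accounts with no HR record are treated as orphans, except for service accounts, which are only reported. The sample records are constructed for illustration.

```python
"""Joiner / mover / leaver reconciliation between an HR feed and a directory (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class HRRecord:
    user_id: str
    role: str
    status: str                 # "active" or "terminated"
    status_changed: datetime    # when HR recorded the hire, termination or role change


@dataclass
class Account:
    user_id: str
    role: str
    kind: str = "user"          # "user" or "service"
    enabled: bool = True
    disabled_at: Optional[datetime] = None


class Directory:
    """In-memory stand-in for AD/LDAP/IdP; every change is appended to an audit log."""

    def __init__(self, accounts):
        self.accounts = {a.user_id: a for a in accounts}
        self.audit = []         # (timestamp, action, user_id, detail)

    def create(self, user_id, role, now):
        self.accounts[user_id] = Account(user_id, role)
        self.audit.append((now, "create", user_id, role))

    def disable(self, user_id, now):
        acct = self.accounts[user_id]       # disable only: the object and its history are kept
        acct.enabled = False
        acct.disabled_at = now
        self.audit.append((now, "disable", user_id, acct.role))

    def change_role(self, user_id, new_role, now):
        acct = self.accounts[user_id]
        self.audit.append((now, "role_change", user_id, f"{acct.role}->{new_role}"))
        acct.role = new_role


def reconcile(hr_feed, directory, now):
    """Apply joiner/mover/leaver changes; return the list of actions taken."""
    actions = []
    seen = set()
    for rec in hr_feed:
        seen.add(rec.user_id)
        acct = directory.accounts.get(rec.user_id)
        if rec.status == "terminated":                      # leaver
            if acct is not None and acct.enabled:
                directory.disable(rec.user_id, now)
                actions.append(("disable", rec.user_id))
        elif acct is None:                                   # joiner
            directory.create(rec.user_id, rec.role, now)
            actions.append(("create", rec.user_id))
        elif not acct.enabled:                               # rehire: needs a human decision
            actions.append(("review_rehire", rec.user_id))
        elif acct.role != rec.role:                          # mover
            directory.change_role(rec.user_id, rec.role, now)
            actions.append(("role_change", rec.user_id))
    # Enabled accounts with no HR record are orphans. Human accounts are disabled;
    # service accounts are only reported, because disabling them can break production.
    for uid, acct in directory.accounts.items():
        if uid in seen or not acct.enabled:
            continue
        if acct.kind == "service":
            actions.append(("review_orphan_service", uid))
        else:
            directory.disable(uid, now)
            actions.append(("disable_orphan", uid))
    return actions


def late_revocations(hr_feed, directory, max_lag=timedelta(hours=1)):
    """Terminations whose disable landed more than max_lag after HR recorded them."""
    late = []
    for rec in hr_feed:
        if rec.status != "terminated":
            continue
        acct = directory.accounts.get(rec.user_id)
        if acct and acct.disabled_at and acct.disabled_at - rec.status_changed > max_lag:
            late.append((rec.user_id, acct.disabled_at - rec.status_changed))
    return late


def demo():
    """Constructed sample data; names and roles are illustrative only."""
    now = datetime(2021, 9, 30, 9, 0, tzinfo=timezone.utc)
    hr = [
        HRRecord("alice", "finance-analyst", "active", now - timedelta(days=400)),
        HRRecord("bob", "sre", "active", now - timedelta(hours=2)),              # moved from helpdesk
        HRRecord("carol", "developer", "active", now - timedelta(minutes=10)),   # new hire
        HRRecord("dave", "developer", "terminated", now - timedelta(days=3)),    # left three days ago
    ]
    directory = Directory([
        Account("alice", "finance-analyst"),
        Account("bob", "helpdesk"),
        Account("dave", "developer"),
        Account("erin", "contractor"),                      # no longer in the HR feed
        Account("svc-backup", "backup", kind="service"),    # never in the HR feed by design
    ])
    actions = reconcile(hr, directory, now)
    return actions, directory, late_revocations(hr, directory)


if __name__ == "__main__":
    actions, d, late = demo()
    for a in actions:
        print(a)
    print("late revocations:", late)
```

The `late_revocations` check is the part worth keeping an eye on in practice: if the feed is only consumed nightly, a leaver's account stays enabled for hours after termination, which is what "immediately" in 6.2 is meant to rule out.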

6.3) Require MFA for Externally-Exposed Accounts

Description: Require all externally exposed or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.

Notes: This IG1 Safeguard intends to protect accounts by requiring at least a second authentication factor in addition to the password. Every organization should implement this Safeguard.

6.4) Require MFA for Remote Network Access

Description: Require MFA for remote network access.

Notes: This IG1 Safeguard intends to protect enterprise assets by requiring users accessing the network remotely to use multi-factor authentication. Every organization should implement this Safeguard.

6.5) Require MFA for Administrative Access

Description: Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.

Notes: This IG1 Safeguard intends to protect enterprise assets by requiring privileged users, such as administrator accounts, to use multi-factor authentication. Every organization should implement this Safeguard.

6.6) Establish and Maintain an Inventory of Authentication and Authorization Systems

Description: Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory at minimum annually or more frequently.

Notes: This Implementation Group 2 (IG2) Safeguard intends to supplement the protection of other control Safeguards within organizations that have increased operational complexity. In larger or more complex organizations, authentication and authorization systems should be maintained and inventoried on a systematic and regular basis. Organizations that have regulatory compliance burdens or store and process sensitive client data should implement this Safeguard.

6.7) Centralize Access Control

Description: Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.

Notes: This IG2 Safeguard intends to protect enterprise assets by ensuring that access controls are centralized, making them easier to automate and maintain. Organizations that have increased operational complexity, have regulatory compliance burdens, or store and process sensitive client data should implement this Safeguard.

6.8) Define and Maintain Role-Based Access Control

Description: Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized on a recurring schedule at a minimum annually, or more frequently.

Notes: This Implementation Group 3 (IG3) Safeguard intends to protect enterprise assets by ensuring access rights are role-based and maintained in a standardized and reliable manner. Organizations with assets that are subject to regulatory and compliance oversight as well as those targeted by sophisticated adversaries such as APTs should implement this Safeguard.
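As an added example for Safeguard 6.8 (and the MFA requirement of 6.5), not code from the original article or from CIS, the block below defines roles as sets of entitlements, derives what each user is authorized to hold from their assigned roles, and runs an access review against the entitlements the accounts actually hold (for instance an export of group memberships). It flags privileges no role authorizes, privileges a role grants that are missing, privileged accounts without MFA, and accounts that hold entitlements without any role assigned. Time-boxed, approved exceptions suppress a finding only until they expire. The role catalogue, the `PRIVILEGED` classification and the sample accounts are all constructed for illustration.

```python
"""Role-based access control definitions and a recurring access review (added example)."""
from datetime import date

# Role catalogue: each role lists the entitlements it needs to carry out its duties.
ROLES = {
    "developer":       {"git:push", "ci:run"},
    "sre":             {"git:push", "ci:run", "prod:ssh", "prod:deploy"},
    "finance-analyst": {"erp:read", "erp:report"},
    "helpdesk":        {"ad:reset-password"},
}
# Entitlements whose holders count as privileged and therefore must have MFA (assumed classification).
PRIVILEGED = {"prod:ssh", "prod:deploy", "ad:reset-password"}


def authorized_entitlements(roles):
    """Union of the entitlements granted by the given roles; an undefined role is a gap in the model."""
    ents = set()
    for role in roles:
        if role not in ROLES:
            raise ValueError(f"undefined role: {role}")
        ents |= ROLES[role]
    return ents


def review(users, held, mfa_enrolled, exceptions, today):
    """Compare held entitlements with what roles authorize.

    users:        {user_id: [role, ...]}
    held:         {user_id: {entitlement, ...}} as exported from the target system
    mfa_enrolled: set of user_ids with MFA enforced
    exceptions:   {(user_id, entitlement): expiry_date} approved out-of-role grants
    Returns a list of (user_id, finding, detail) tuples.
    """
    findings = []
    for uid, roles in users.items():
        want = authorized_entitlements(roles)
        have = held.get(uid, set())
        for ent in sorted(have - want):
            expiry = exceptions.get((uid, ent))
            if expiry is not None and expiry >= today:
                continue                     # approved and still within its window
            findings.append((uid, "unauthorized", ent))
        for ent in sorted(want - have):
            findings.append((uid, "missing", ent))
        privileged_held = have & PRIVILEGED
        if privileged_held and uid not in mfa_enrolled:
            findings.append((uid, "privileged_without_mfa", ",".join(sorted(privileged_held))))
    # Anything holding entitlements without a role is outside the RBAC model entirely.
    for uid in held:
        if uid not in users:
            findings.append((uid, "no_role_assigned", ",".join(sorted(held[uid]))))
    return findings


def demo():
    """Constructed sample data; names, roles and dates are illustrative only."""
    today = date(2021, 9, 30)
    users = {"alice": ["finance-analyst"], "bob": ["sre"], "carol": ["developer"]}
    held = {
        "alice": {"erp:read", "erp:report", "erp:admin"},             # erp:admin via approved exception
        "bob": {"git:push", "ci:run", "prod:ssh", "prod:deploy", "ad:reset-password"},  # stale helpdesk right
        "carol": {"git:push", "ci:admin"},                             # ci:run missing, ci:admin expired
        "svc-backup": {"prod:ssh"},                                    # no role defined for it
    }
    mfa_enrolled = {"alice", "carol"}
    exceptions = {
        ("alice", "erp:admin"): date(2021, 12, 31),
        ("carol", "ci:admin"): date(2021, 6, 30),
    }
    return review(users, held, mfa_enrolled, exceptions, today)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the review on a schedule (at least annually per 6.8, more often for privileged roles) and feeding its "unauthorized" findings back into the revocation process of 6.2 is what turns the role definitions from documentation into an enforced control.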

See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber-attack vectors by downloading the CIS Controls guide.

Read more about the 18 CIS Controls:

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

CIS Control 5: Account Management

CIS Control 6: Access Control Management

The post "CIS Control 6: Access Control Management" appeared first on Tripwire.

Source:TripWire – David Lu

Tags: Critical Severity, TripWire
