
Friday, 5 June 2015

Information security - managing the privileges of users of IT systems



Guidance
10 Steps: Managing User Privileges

From: UK CESG, Department for Business, Innovation & Skills, Cabinet Office and Centre for the Protection of National Infrastructure
First published: 5 September 2012
Last updated: 16 January 2015 


Part of: Cyber security

1. Summary
It is good practice for an organisation to manage the access privileges that users have to its Information and Communications Technologies (ICT) systems, the information they hold and the services they provide. All users of ICT systems should only be provided with the privileges that they need to do their job. This principle is often referred to as ‘Least Privilege’. A failure to manage user privileges appropriately may result in an increase in the number of deliberate and accidental attacks.

2. What is the risk?
Businesses and organisations should understand what access employees need to information, services and resources in order to do their job. Otherwise they will not be able to grant ICT system rights and permissions to individual users or groups of users that are proportionate to their role within the organisation. Failure to effectively manage user privileges could result in the following risks being realised:
Misuse of privileges
Authorised users can misuse the privileges assigned to them to either deliberately or accidentally compromise ICT systems, for example by making unauthorised changes to the configuration of systems, leading to a loss of the confidentiality, integrity or availability of information or ICT systems.
Increased attacker capability
Attackers will use unused or compromised user accounts to carry out their attacks and, if allowed to, they will return and reuse the compromised account on numerous occasions, or sell the access to others. The system privileges provided to the original user of the compromised account will be available to the attacker to use. Ultimately attackers will seek to gain access to root or administrative accounts to allow them full access to all system information, services and resources.
Negating established security controls
Where attackers have privileged access to ICT systems they will attempt to cover their tracks by making changes to security controls or deleting accounting and audit logs so that their activities are not detected.

3. How can the risk be managed?

3.1 Set up a personnel screening process
All users need to undergo some form of pre-employment screening to a level that is commensurate with the sensitivity of the information they will have access to.

3.2 Establish effective account management processes
Corporate processes and procedures should manage and review user accounts from creation and modification through to eventual deletion when a member of staff leaves. Unused or dormant accounts, perhaps provided for temporary staff or for testing purposes, should be removed or suspended in line with corporate policy.

3.3 Establish policy and standards for user identification and access control
The quality of user passwords and their lifecycle should be determined by a corporate policy. Ideally, passwords should be machine-generated and randomised. If this is not possible, password complexity rules should be enforced by the system. For some ICT systems an additional authentication factor (such as a physical token) may be necessary, and this should be identified in the risk assessment. Access controls should be allocated on the basis of business need and ‘Least Privilege’.

3.4 Limit user privileges
Users should only be provided with the rights and permissions to systems, services, information and resources that they need to fulfil their business role.

3.5 Limit the number and use of privileged accounts
Strictly control the number of privileged accounts for roles such as system or database administrators. Ensure that this type of account is not used for high-risk or day-to-day user activities, for example to gain access to external email or browse the Internet. Provide administrators with normal accounts for business use. The requirement to hold a privileged account should be reviewed more frequently than for ‘standard user’ accounts.
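The account-lifecycle points in 3.2 and 3.5 can be turned into a periodic review job. The script below is an added example (not part of the CESG guidance): it runs over a constructed account inventory, flags dormant accounts for suspension or removal, and flags accounts whose need has not been re-confirmed, applying a shorter review interval to privileged accounts. The 90-day and 365-day thresholds are assumed values; corporate policy sets the real ones.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Account:
    name: str
    privileged: bool
    last_login: Optional[date]   # None means the account has never been used
    last_review: date            # when the need for the account was last confirmed
    temporary: bool = False      # provided for temporary staff or for testing

# Assumed policy thresholds; the real values come from corporate policy.
DORMANT_AFTER = timedelta(days=90)
REVIEW_INTERVAL = {True: timedelta(days=90),     # privileged: reviewed more often
                   False: timedelta(days=365)}   # standard user accounts

def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account name, finding) pairs for every account that needs action."""
    findings = []
    for a in accounts:
        # Dormant accounts: temporary ones are removed, others suspended pending review.
        if a.last_login is None or today - a.last_login > DORMANT_AFTER:
            action = "remove" if a.temporary else "suspend"
            findings.append((a.name, f"dormant: {action}"))
        # Privileged accounts must be re-justified on the shorter interval.
        if today - a.last_review > REVIEW_INTERVAL[a.privileged]:
            kind = "privileged" if a.privileged else "standard"
            findings.append((a.name, f"{kind} account overdue for review"))
    return findings

# Constructed sample inventory (hypothetical accounts, not real data).
SAMPLE_ACCOUNTS = [
    Account("alice", False, date(2015, 6, 1), date(2015, 1, 10)),
    Account("bob-admin", True, date(2015, 6, 4), date(2015, 1, 10)),
    Account("temp-contractor", False, date(2015, 1, 15), date(2015, 1, 15), temporary=True),
    Account("test-svc", False, None, date(2014, 3, 1)),
]

def review_sample() -> List[Tuple[str, str]]:
    """Run the review against the constructed inventory as of 5 June 2015."""
    return review_accounts(SAMPLE_ACCOUNTS, date(2015, 6, 5))

if __name__ == "__main__":
    for name, finding in review_sample():
        print(f"{name}: {finding}")
```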

3.6 Monitor all users
Monitor user activity, particularly all access to sensitive information and the use of privileged account actions, such as the creation of new user accounts, changes to user passwords or the deletion of accounts and audit logs.
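The privileged account actions named above (account creation, password changes, account deletion and removal of audit logs) are the kind of events a monitoring rule should raise. The detector below is an added example, not part of the CESG guidance, and runs over constructed syslog-style lines (not real captures); the programs and message formats it matches are the common Linux ones for useradd, passwd, userdel and sudo.

```python
import re
from typing import Dict, List

# Constructed sample log lines in syslog layout (hypothetical host and users).
SAMPLE_LOG = """\
Jun  5 09:12:01 host1 useradd[2201]: new user: name=svc-backup, UID=1007, GID=1007, home=/home/svc-backup, shell=/bin/bash
Jun  5 09:13:44 host1 passwd[2210]: pam_unix(passwd:chauthtok): password changed for alice
Jun  5 09:15:02 host1 sshd[2300]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Jun  5 09:20:17 host1 userdel[2350]: delete user 'temp-contractor'
Jun  5 09:21:05 host1 sudo:   bob : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/rm -rf /var/log/audit/audit.log
"""

# timestamp, host, program (optional pid) and the free-text message
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)

# Privileged account actions called out in the guidance: (category, program,
# pattern). Each pattern captures the subject of the action as "subject".
RULES = [
    ("account created",   "useradd", re.compile(r"new user: name=(?P<subject>[^,]+)")),
    ("password changed",  "passwd",  re.compile(r"password changed for (?P<subject>\S+)")),
    ("account deleted",   "userdel", re.compile(r"delete user '(?P<subject>[^']+)'")),
    ("audit log deleted", "sudo",    re.compile(r"COMMAND=\S*\brm\b.*(?P<subject>/var/log/\S+)")),
]

def detect_privileged_actions(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per log line that matches a privileged-action rule."""
    alerts = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # not a syslog-shaped line; a real pipeline would count these
        for category, prog, pattern in RULES:
            if m["prog"] != prog:
                continue
            hit = pattern.search(m["msg"])
            if hit:
                alerts.append({"time": m["ts"], "host": m["host"],
                               "category": category, "subject": hit["subject"]})
    return alerts

if __name__ == "__main__":
    for a in detect_privileged_actions(SAMPLE_LOG):
        print(f"{a['time']} {a['host']} {a['category']}: {a['subject']}")
```

Routine logins (the sshd line) pass through without an alert; only the four privileged actions are raised.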

3.7 Limit access to the audit system and the system activity logs
Activity logs from network devices should be sent to a dedicated accounting and audit system that is separated from the core network. Access to the audit system and the logs should be strictly controlled to preserve the integrity and availability of the content, and all privileged user access should be recorded.

3.8 Educate users and maintain their awareness
Without exception, all users should be aware of the policy regarding acceptable account usage and their personal responsibility to adhere to corporate security policies and the disciplinary measures that could be applied for failure to do so.

Computer network security - basic steps for implementation



Guidance
10 Steps: Network Security

From: UK CESG, Department for Business, Innovation & Skills, Cabinet Office and Centre for the Protection of National Infrastructure
First published: 5 September 2012
Last updated: 16 January 2015 
Part of: Cyber security


1. Summary
Connecting to untrusted networks (such as the Internet) exposes corporate networks to attacks that seek to compromise the confidentiality, integrity and availability of Information and Communications Technologies (ICT) and the information they store and process. This can be prevented by developing policies and risk management approaches to protect corporate networks by applying security controls that are commensurate with the risks that have been identified and the organisation’s risk appetite.

2. What is the risk?
Corporate networks need to be protected against both internal and external threats. The level to which networks are protected should be considered in the context of the organisation’s risk appetite, risk assessment and corporate security policies.
Businesses that fail to protect their networks appropriately could be subject to a number of risks, including:
Leakage of sensitive corporate information
Poor network design could be exploited by both internal and external attackers to compromise information or conduct unauthorised releases of sensitive information, resulting in compromises of confidentiality, integrity and availability.
Import and export of malware
Failure to put in place appropriate boundary security controls could lead to the import of malware and the compromise of business systems. In addition, users could deliberately or accidentally release malware or other malicious content to business partners or the general public via network connections that are poorly designed and managed.
Denial of service
Networks that are connected to untrusted networks (such as the Internet) are vulnerable to denial of service attacks, where access to services and information is denied to legitimate users, compromising the availability of the system or service.
Exploitation of vulnerable systems
Attackers will exploit poorly protected networks to gain unauthorised access and compromise the confidentiality, integrity and availability of systems, services and information.
Damage or defacement of corporate resources
Attackers that have successfully compromised the network can damage internal and externally facing systems and information (such as defacing corporate websites), harming the organisation’s reputation and customer confidence.

3. How can the risk be managed?
Produce, implement and maintain network security policies that align with the organisation’s broader information risk management policies and objectives. Follow recognised network design principles (i.e. ISO/IEC 27033-1:2009) to help define the necessary security qualities for the perimeter and internal network segments, and ensure that all network devices are configured to the secure baseline build.

3.1 Police the network perimeter
Limit access to network ports, protocols and applications by filtering and inspecting all traffic at the network perimeter to ensure that only traffic which is required to support the business is being exchanged. Control and manage all inbound and outbound network connections and deploy technical controls to scan for malware and other malicious content.
Install firewalls
Firewalls should be deployed to form a buffer zone between the untrusted external network and the internal network used by the business. The firewall rule set should deny traffic by default and a whitelist should be applied that only allows authorised protocols, ports and applications to communicate with authorised networks and network addresses. This will reduce the exposure of ICT systems to network based attacks.
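To make the deny-by-default whitelist concrete, the evaluator below is an added example (not part of the CESG guidance): it models a perimeter rule set as a list of permitted (direction, protocol, port, source network, destination network) entries and returns "deny" for any flow no entry matches, so inbound traffic to internal addresses and outbound browsing that bypasses the proxy are both refused. The address ranges are assumed (documentation and private ranges), and the proxy and DMZ web server are hypothetical hosts.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str                 # "in" (from the untrusted side) or "out"
    proto: str                     # "tcp" or "udp"
    port: int                      # destination port
    src: ipaddress.IPv4Network     # permitted source network
    dst: ipaddress.IPv4Network     # permitted destination network

@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int

# Assumed networks and hosts (documentation ranges; hypothetical layout).
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # corporate network
PROXY = ipaddress.ip_network("10.0.1.5/32")            # the only host allowed to browse out
DMZ_WEB = ipaddress.ip_network("192.0.2.10/32")        # public web server in the buffer zone
RESOLVER = ipaddress.ip_network("192.0.2.53/32")       # upstream DNS resolver

# The whitelist: everything not listed here is denied. Note there is no rule
# with INTERNAL as an inbound destination, so untrusted networks cannot reach it.
WHITELIST = [
    Rule("in",  "tcp", 443, ANY,   DMZ_WEB),   # public HTTPS to the DMZ web server only
    Rule("out", "tcp", 443, PROXY, ANY),       # outbound HTTPS only via the proxy
    Rule("out", "udp", 53,  PROXY, RESOLVER),  # DNS from the proxy to the named resolver
]

def evaluate(flow: Flow, rules=WHITELIST) -> str:
    """Return "allow" if some whitelist rule matches the flow, else "deny" (the default)."""
    src = ipaddress.ip_address(flow.src_ip)
    dst = ipaddress.ip_address(flow.dst_ip)
    for r in rules:
        if (r.direction == flow.direction and r.proto == flow.proto
                and r.port == flow.dst_port and src in r.src and dst in r.dst):
            return "allow"
    return "deny"

if __name__ == "__main__":
    # Constructed sample flows: public visitor, direct-to-internal attempt, proxy bypass.
    for f in [Flow("in", "tcp", "198.51.100.7", "192.0.2.10", 443),
              Flow("in", "tcp", "198.51.100.7", "10.0.0.15", 443),
              Flow("out", "tcp", "10.0.0.15", "203.0.113.9", 443)]:
        print(f, "->", evaluate(f))
```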
Prevent malicious content
Deploy antivirus and malware checking solutions to examine both inbound and outbound data at the perimeter in addition to antivirus and malware protection deployed on internal networks and on host systems. The antivirus and malware solutions used at the perimeter should be different to those used to protect internal networks and systems in order to provide some additional defence in depth.

3.2 Protect the internal network
Ensure that there is no direct network connectivity between internal systems and systems hosted on untrusted networks (such as the Internet), limit the exposure of sensitive information and monitor network traffic to detect and react to attempted and actual network intrusions.
Segregate network assets
Identify, group and isolate critical business information assets and services and apply appropriate network security controls to them.
Secure wireless devices
Wireless devices should only be allowed to connect to trusted wireless networks. All wireless access points should be secured. Security scanning tools should have the ability to detect and locate unauthorised wireless access points.
Protect internal Internet Protocol (IP) addresses
Implement capabilities (such as Network Address Translation) to prevent internal IP addresses from being exposed to external networks and attackers and ensure that it is not possible to route network traffic directly from untrusted networks to internal networks.
Enable secure administration
Administrator access to any network component should only be carried out over dedicated network infrastructure and secure channels using communication protocols that support encryption.
Configure the exception handling processes
Ensure that error messages returned to internal or external systems or users do not include sensitive information that may be useful to attackers.
Monitor the network
Tools such as network intrusion detection and network intrusion prevention should be placed on the network and configured by qualified staff to monitor traffic for unusual or malicious incoming and outgoing activity that could be indicative of an attack or an attempt. Alerts generated by the system should be promptly managed by appropriately trained staff.
Assurance processes
Conduct regular penetration tests of the network infrastructure and undertake simulated cyber attack exercises to ensure that all security controls have been implemented correctly and are providing the necessary levels of security.

Thursday, 4 June 2015

Information security - basic steps for configuration management


Guidance
10 Steps: Secure Configuration

From: UK CESG, Department for Business, Innovation & Skills, Cabinet Office and Centre for the Protection of National Infrastructure
First published: 5 September 2012
Last updated: 16 January 2015 
Part of: Cyber security

1. Summary
By putting in place corporate policies and processes to develop secure baseline builds and manage the configuration and the ongoing functionality of all Information and Communications Technologies (ICT), organisations can greatly improve the security of their ICT systems. Good corporate practice is to develop a strategy to remove or disable unnecessary functionality from ICT systems and keep them patched against known vulnerabilities. Failure to do so is likely to result in increased exposure of the business and its ICT to threats and vulnerabilities and therefore increased risk to the confidentiality, integrity and availability of systems and information.

2. What is the risk?
Establishing and then actively maintaining the secure configuration of ICT systems should be seen as a key security control. ICT systems that are not locked down, hardened or patched will be particularly vulnerable to attacks that may be easily prevented.
Organisations that fail to produce and implement corporate security policies that manage the secure configuration and patching of their ICT systems are subject to the following risks:
Unauthorised changes to systems
An attacker could make unauthorised changes to ICT systems or information, compromising confidentiality, availability and integrity
Exploitation of unpatched vulnerabilities
New patches are released almost daily and the timely application of security patches is critical to preserving the confidentiality, integrity and availability of ICT systems. Attackers will attempt to exploit unpatched systems to provide them with unauthorised access to system resources and information. Many successful attacks are enabled by exploiting a vulnerability for which a patch had been issued prior to the attack taking place
Exploitation of insecure system configurations
An attacker could exploit a system that has not been locked down or hardened by:
Gaining unauthorised access to information assets or importing malware
Exploiting unnecessary functionality that has not been removed or disabled to conduct attacks and gain unauthorised access to systems, services, resources and information
Connecting unauthorised equipment to exfiltrate information or introduce malware
Creating a back door to use in the future for malicious purposes
Increases in the number of security incidents
Without an awareness of vulnerabilities that have been identified and the availability (or not) of patches and fixes, the business will be increasingly disrupted by security incidents

3. How can the risk be managed?
3.1 Develop corporate policies to update and patch systems
Use the latest versions of operating systems, web browsers and applications. Develop and implement corporate policies to ensure that security patches are applied in a timeframe that is commensurate with the organisation’s overall risk management approach. Organisations should use automated patch management and software update tools.
3.2 Create and maintain hardware and software inventories
Create inventories of the authorised hardware and software that constitute ICT systems across the organisation. Ideally, suitably configured automated tools should be used to capture the physical location, the business owner and the purpose of the hardware together with the version and patching status of all software used on the system. The tools should also be used to identify any unauthorised hardware or software, which should be removed.
3.3 Lock down operating systems and software
Consider the balance between system usability and security and then document and implement a secure baseline build for all ICT systems, covering clients, mobile devices, servers, operating systems, applications and network devices such as firewalls and routers. Essentially, any services, functionality or applications that are not required to support the business should be removed or disabled. The secure build profile should be managed by the configuration control and management process and any deviation from the standard build should be documented and formally approved.
3.4 Conduct regular vulnerability scans
Organisations should run automated vulnerability scanning tools against all networked devices regularly and remedy any identified vulnerabilities within an agreed time frame. Organisations should also maintain their situational awareness of the threats and vulnerabilities they face.
3.5 Establish configuration control and management
Produce policies and procedures that define and support the configuration control and change management requirements for all ICT systems, including software.
3.6 Disable unnecessary input/output devices and removable media access
Assess business requirements for user access to input/output devices and removable media (this could include MP3 players and smartphones). Disable ports and system functionality that are not needed by the business (which may include USB ports and CD/DVD/card media drives).
3.7 Implement whitelisting and execution control
Create and maintain a whitelist of authorised applications and software that can be executed on ICT systems. In addition, ICT systems need to be capable of preventing the installation and execution of unauthorised software and applications by employing process execution controls, software application arbiters and only accepting code that is signed by trusted suppliers.
3.8 Limit user ability to change configuration
Provide users with the minimum system rights and permissions that they need to fulfil their business role. Users with ‘normal’ privileges should be prevented from installing or disabling any software or services running on the system.

Managing information security risks - basic steps


Guidance
10 Steps: Information Risk Management Regime

From: UK CESG, Department for Business, Innovation & Skills, Cabinet Office and Centre for the Protection of National Infrastructure
First published: 5 September 2012
Last updated: 16 January 2015 
Part of: Cyber security

1. Summary
It is best practice for an organisation to apply the same degree of rigour to assessing the risks to its information assets as it would to legal, regulatory, financial or operational risk. This can be achieved by embedding an information risk management regime across the organisation, which is actively supported by the Board, senior managers and an empowered Information Assurance (IA) governance structure. Defining and communicating the organisation’s attitude and approach to risk management is crucial. Boards may wish to consider communicating their risk appetite statement and information risk management policy across the organisation to ensure that employees, contractors and suppliers are aware of the organisation’s risk management boundaries.

2. What is the risk?
Risk is an inherent part of doing business. For any organisation to operate successfully it needs to address risk and respond proportionately and appropriately to a level which is consistent with the organisation’s risk appetite. If an organisation does not identify and manage risk it can lead to business failure.
A lack of effective information risk management and governance may lead to the following:

Increased exposure to risk

Information risk must be owned at Board level. Without effective risk governance processes it is impossible for the Board to understand the risk exposure of the organisation. The Board must be confident that information risks are being managed within tolerance throughout the lifecycle of deployed systems or services

Missed business opportunities

Where risk decisions are being taken at junior level without effective governance and ownership back to senior levels, it may promote an overly cautious approach to information risk which may lead to missed business opportunities. Alternatively, an overly open approach may expose the organisation to unacceptable risks

Ineffective policy implementation

An organisation’s Board has overall ownership of the corporate security policy. Without effective risk management and governance processes the Board will not have confidence that its stated policy is being consistently applied across the business as a whole

Poor reuse of security investment

A lack of effective governance means that information risk management activities may be undertaken locally when they could be more effectively deployed at an organisational level

3. How can the risk be managed?

3.1 Establish a governance framework
A governance framework needs to be established that enables and supports a consistent and empowered approach to information risk management across the organisation, with ultimate responsibility for risk ownership residing at Board level.

3.2 Determine the organisation’s risk appetite
Agree the level of information risk the organisation is prepared to tolerate in pursuit of its business objectives and produce a risk appetite statement to help guide information risk management decisions throughout the business.

3.3 Maintain the Board’s engagement with information risk
The risks to the organisation’s information assets from a cyber attack should be a regular agenda item for Board discussion. To ensure senior ownership and oversight, the risk of cyber attack should be documented in the corporate risk register and regularly reviewed. Entering into knowledge-sharing partnerships with other companies and law enforcement can help in understanding new and emerging threats that might be a risk to your own business, and in sharing mitigations that might work.

3.4 Produce supporting policies
An overarching corporate information risk policy needs to be created and owned by the Board to help communicate and support risk management objectives, setting out the information risk management strategy for the organisation as a whole.

3.5 Adopt a lifecycle approach to information risk management
The components of a risk can change over time so a continuous through-life process needs to be adopted to ensure security controls remain appropriate to the risk.

3.6 Apply recognised standards
Consider the application of recognised sources of security management good practice, such as the ISO/IEC 27000 series of standards, and implement physical, personnel, procedural and technical measures.

3.7 Make use of endorsed assurance schemes
Consider adopting the Cyber Essentials Scheme. It provides guidance on the basic controls that should be put in place and offers a certification process that demonstrates your commitment to cyber risk management.

3.8 Educate users and maintain their awareness
All users have a responsibility to manage the risks to the organisation’s Information and Communications Technologies (ICT) and information assets. Provide appropriate training and user education that is relevant to their role and refresh it regularly; encourage staff to participate in knowledge sharing exchanges with peers across business and Government.

3.9 Promote a risk management culture
Risk management needs to be organisation-wide, driven by corporate governance from the top down, with user participation demonstrated at every level of the business.