Critical Control 9: Controlled Access Based on Need to Know

20 Critical Security Controls

How do attackers exploit the lack of this control?

Some organizations do not carefully identify their most sensitive data and separate it from less sensitive or publicly available information on their internal networks. In many environments, internal users can reach all or most of the information on the network. Once attackers have penetrated such a network, they can find and exfiltrate important information with little resistance. In several high-profile breaches over the past two years, attackers reached sensitive data that was stored on the same servers, under the same access controls, as far less important data.

How can this control be implemented, automated, and its effectiveness measured?

  1. QW: Organizations should establish a multi-level data identification/separation scheme (e.g., a three- or four-tier scheme in which data is assigned to a category based on the impact of its exposure).
  2. QW: Organizations should ensure that file shares have defined access controls (such as Windows share access control lists) that grant access at most to "Authenticated Users", never to Everyone, Guests or anonymous logons.
  3. Vis/Attrib: Organizations should enforce detailed audit logging for access to non-public data and require additional authentication for sensitive data.
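The following script is an added example, not part of the SANS page, showing how steps 1 and 2 can be checked together: each share carries a tier from the organization's classification scheme, and its ACL is audited against the floor the page sets (authenticated users only) plus a stricter rule for the top tiers. The input is a constructed CSV in the shape of a Get-SmbShareAccess export with a Tier column added by the data owner; the four-tier scheme, the share names and the group names are assumptions for illustration.

```python
"""Audit SMB share ACLs against a tiered need-to-know scheme.

Added example for this page (not SANS code). The input is a constructed CSV in
the shape of `Get-SmbShareAccess | Export-Csv` with a Tier column added by the
data owner; tier numbers, share names and group names are assumptions.
"""
import csv
import io

# Principals that grant access to anyone, including unauthenticated sessions.
# The page's floor is "only authenticated users", so these are never acceptable.
ANONYMOUS_PRINCIPALS = {"everyone", "anonymous logon", "guests", "guest"}

# Authenticated but far wider than any need-to-know group. Acceptable only for
# the two lowest tiers of the assumed four-tier scheme.
BROAD_AUTHENTICATED = {"authenticated users", "domain users", "users"}

NAMED_GROUPS_REQUIRED_FROM_TIER = 3  # assumption: tiers 3 and 4 are need-to-know only

# Constructed export (not real data). One row per access control entry.
SAMPLE_EXPORT = r"""Name,Path,Tier,AccountName,AccessControlType,AccessRight
PUBLIC$,D:\Shares\Public,1,Everyone,Allow,Read
ENG,D:\Shares\Eng,2,NT AUTHORITY\Authenticated Users,Allow,Change
HR,D:\Shares\HR,3,CORP\Domain Users,Allow,Read
HR,D:\Shares\HR,3,CORP\HR-Staff,Allow,Change
FINANCE,D:\Shares\Finance,4,CORP\Finance-Analysts,Allow,Read
FINANCE,D:\Shares\Finance,4,Everyone,Deny,Full
FINANCE,D:\Shares\Finance,4,CORP\Domain Admins,Allow,Full
"""


def short_principal(account):
    """'CORP\\HR-Staff' -> 'hr-staff'; drops the domain/authority prefix."""
    return account.rsplit("\\", 1)[-1].strip().lower()


def load_shares(text):
    """Group export rows by share: {name: {"tier": int, "aces": [row, ...]}}."""
    shares = {}
    for row in csv.DictReader(io.StringIO(text)):
        entry = shares.setdefault(row["Name"], {"tier": int(row["Tier"]), "aces": []})
        entry["aces"].append(row)
    return shares


def audit_share(name, share):
    """Return a list of findings for one share; an empty list means it passes."""
    findings = []
    tier = share["tier"]
    for ace in share["aces"]:
        if ace["AccessControlType"].lower() != "allow":
            continue  # Deny entries only narrow access; they are not findings
        who = short_principal(ace["AccountName"])
        if who in ANONYMOUS_PRINCIPALS:
            findings.append(
                f"{name} (tier {tier}): '{ace['AccountName']}' has {ace['AccessRight']}; "
                "share must be limited to authenticated users at minimum")
        elif tier >= NAMED_GROUPS_REQUIRED_FROM_TIER and who in BROAD_AUTHENTICATED:
            findings.append(
                f"{name} (tier {tier}): '{ace['AccountName']}' has {ace['AccessRight']}; "
                f"tier {tier} data may only be granted to named need-to-know groups")
    return findings


def audit_export(text):
    """Audit every share in an export; returns {share_name: [findings]} for failing shares only."""
    results = {}
    for name, share in load_shares(text).items():
        findings = audit_share(name, share)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for share_name, share_findings in audit_export(SAMPLE_EXPORT).items():
        for finding in share_findings:
            print("FAIL", finding)
```

Run against the sample, PUBLIC$ fails because Everyone can read it, HR fails because a tier 3 share is readable by all Domain Users, and ENG and FINANCE pass; FINANCE's Deny entry for Everyone is ignored because it restricts rather than grants access.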
Associated NIST SP 800-53 Rev 3 Priority 1 Controls:

AC-1, AC-2 (b, c), AC-3 (4), AC-4, AC-6, MP-3, RA-2 (a)

Procedures and tools for implementing this control:

This control is often implemented using the built-in separation of administrator accounts from non-administrator accounts included in most operating systems. While these features are available in most systems, it is important that organizations diligently implement and follow procedures for when administrator-level accounts should be used versus non-administrator accounts.

Control 9 Metric:

The system must be able to detect all attempts by users to access files on local systems or network-accessible file shares without the appropriate privileges and must generate an alert or e-mail for administrative personnel within 24 hours. While the 24 hour timeframe represents the current metric to help organizations improve their current state of security, in the future, organizations should strive for even more rapid alerting, with notification about unauthorized access attempts being sent within two minutes.

Control 9 Test:

To evaluate the implementation of Control 9 on a periodic basis, the evaluation team must create two test accounts on each of ten representative systems in the enterprise: five server machines and five client systems. On each system under evaluation, one account must have limited privileges, while the other must have the privileges necessary to create files on that system. The evaluation team must then verify that the limited account is unable to access the files created by the other account. The team must also verify that an alert or e-mail is generated for the unsuccessful access attempt within 24 hours. At the completion of the test, these accounts must be removed.
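The following script is an added example, not part of the SANS page, covering the Control 9 metric and the test above: it picks out failed file and share access attempts from security events and checks, for each one, whether an alert went out within the 24-hour metric and within the two-minute target. The events are constructed JSON records using the field names of Windows Security events 5145 (network share object access) and 4656 (local object handle request); a real deployment would read them from the event log or a SIEM, and the share names, paths and account names are assumptions.

```python
"""Detect failed file/share access attempts and check alert latency against
the Control 9 metric (24 hours now, two minutes as the stated target).

Added example for this page (not SANS code). Events are constructed JSON
records shaped like Windows Security events 5145 and 4656 exported as JSON
lines; share names, paths, users and alert times are assumptions.
"""
import json
from datetime import datetime, timedelta

FAILED_ACCESS_EVENT_IDS = {5145, 4656}   # share object check / local handle request
METRIC_DEADLINE = timedelta(hours=24)    # the page's current metric
TARGET_DEADLINE = timedelta(minutes=2)   # the page's stated future target

# Assumed classification: shares and local roots that hold non-public data.
NON_PUBLIC_SHARES = {"HR", "FINANCE"}
NON_PUBLIC_ROOTS = tuple(r.lower() for r in ("D:\\Shares\\HR", "D:\\Shares\\Finance"))

# Constructed records (not real log data), one JSON object per line.
SAMPLE_EVENTS = r"""
{"RecordId": 101, "EventId": 5145, "Keywords": "Audit Failure", "TimeCreated": "2024-03-04T09:00:00+00:00", "SubjectUserName": "jsmith", "ShareName": "\\\\*\\HR", "RelativeTargetName": "salaries.xlsx", "AccessMask": "0x1"}
{"RecordId": 102, "EventId": 5145, "Keywords": "Audit Success", "TimeCreated": "2024-03-04T09:00:05+00:00", "SubjectUserName": "hr-staff01", "ShareName": "\\\\*\\HR", "RelativeTargetName": "salaries.xlsx", "AccessMask": "0x1"}
{"RecordId": 103, "EventId": 4656, "Keywords": "Audit Failure", "TimeCreated": "2024-03-04T09:02:00+00:00", "SubjectUserName": "jsmith", "ObjectName": "D:\\Shares\\Finance\\q1-forecast.xlsx", "AccessMask": "0x1"}
{"RecordId": 104, "EventId": 5145, "Keywords": "Audit Failure", "TimeCreated": "2024-03-04T09:03:00+00:00", "SubjectUserName": "jsmith", "ShareName": "\\\\*\\PUBLIC$", "RelativeTargetName": "newsletter.pdf", "AccessMask": "0x2"}
{"RecordId": 105, "EventId": 4663, "Keywords": "Audit Success", "TimeCreated": "2024-03-04T09:04:00+00:00", "SubjectUserName": "hr-staff01", "ObjectName": "D:\\Shares\\HR\\salaries.xlsx", "AccessMask": "0x1"}
"""

# Constructed alert log: record id -> time the alert/e-mail was sent. 104 never alerted.
SAMPLE_ALERTS = {101: "2024-03-04T09:01:30+00:00", 103: "2024-03-04T12:02:00+00:00"}


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def target_of(event):
    """Return (is_non_public, description) for the object the event touched."""
    if event["EventId"] == 5145:
        share = event["ShareName"].rsplit("\\", 1)[-1]
        return share.upper() in NON_PUBLIC_SHARES, f"{event['ShareName']}\\{event['RelativeTargetName']}"
    path = event["ObjectName"]
    return path.lower().startswith(NON_PUBLIC_ROOTS), path


def detect_unauthorized_attempts(events):
    """Keep only Audit Failure records for file/share access; these are the
    attempts made without the appropriate privileges that the metric counts."""
    attempts = []
    for e in events:
        if e["EventId"] not in FAILED_ACCESS_EVENT_IDS or e["Keywords"] != "Audit Failure":
            continue
        sensitive, target = target_of(e)
        attempts.append({"record": e["RecordId"], "user": e["SubjectUserName"],
                         "target": target, "sensitive": sensitive,
                         "time": datetime.fromisoformat(e["TimeCreated"])})
    return attempts


def check_alert_latency(attempts, alerts):
    """For each attempt, report whether an alert exists and whether its latency
    meets the 24-hour metric and the two-minute target."""
    verdicts = []
    for a in attempts:
        sent = alerts.get(a["record"])
        if sent is None:
            verdicts.append({"record": a["record"], "alerted": False, "latency": None,
                             "meets_metric": False, "meets_target": False})
            continue
        latency = datetime.fromisoformat(sent) - a["time"]
        verdicts.append({"record": a["record"], "alerted": True, "latency": latency,
                         "meets_metric": latency <= METRIC_DEADLINE,
                         "meets_target": latency <= TARGET_DEADLINE})
    return verdicts


if __name__ == "__main__":
    found = detect_unauthorized_attempts(parse_events(SAMPLE_EVENTS))
    for a, v in zip(found, check_alert_latency(found, SAMPLE_ALERTS)):
        print(a["record"], a["user"], a["target"], "non-public" if a["sensitive"] else "public",
              "alerted" if v["alerted"] else "NO ALERT", v["latency"],
              "metric ok" if v["meets_metric"] else "metric MISSED",
              "target ok" if v["meets_target"] else "target missed")
```

On the sample, record 101 (failed read of an HR share) was alerted in 90 seconds and meets both deadlines, record 103 was alerted after three hours and meets the 24-hour metric but not the two-minute target, and record 104 was never alerted and fails the metric outright. Successful accesses (102, 105) are not attempts and are ignored; the public share failure (104) is still counted, since the metric covers every unprivileged attempt, but is tagged as public so an analyst can prioritise the non-public ones.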
