


Critical Control 9: Controlled Access Based on Need to Know

20 Critical Security Controls

How do attackers exploit the lack of this control?

Some organizations do not carefully identify and separate their most sensitive data from less sensitive or publicly available information on their internal networks. In many environments, internal users can read all or most of the information on the network. Once attackers have compromised an account or host on such a network, they can find and exfiltrate important information with little resistance. In several high-profile breaches over the past two years, attackers reached sensitive data that was stored on the same servers, and behind the same access controls, as far less important data.

How can this control be implemented, automated, and its effectiveness measured?

  1. QW: Organizations should establish a multi-level data identification/separation scheme (e.g., a three- or four-tiered scheme in which data is separated into categories based on the impact of its exposure).
  2. QW: Organizations should ensure that file shares have defined access controls (such as Windows share access control lists) that specify, at a minimum, that only "authenticated users" can access the share, rather than the Everyone group.
  3. Vis/Attrib: Organizations should enforce detailed audit logging of access to non-public data and require special authentication (such as a second factor) for access to sensitive data.
  4. Config/Hygiene: Periodically, security or audit personnel should create a standard, non-privileged user account on file servers and other application servers in the organization. Then, while logged in with that test account, they should check whether it can access files owned by other users on the system, as well as critical operating system and application software on the machine.
Associated NIST SP 800-53 Rev 3 Priority 1 Controls:

AC-1, AC-2 (b, c), AC-3 (4), AC-4, AC-6, MP-3, RA-2 (a)

Procedures and tools for implementing this control:

This control is often tested using built-in operating system administrative features, with the security team scheduling the test on a regular basis, such as monthly. For the test, the security team creates at least two non-superuser accounts on a sample of server and workstation systems. With the first test account, they create a directory and a file that should be readable only by that account. They then log in to each machine with the second test account and confirm that it is denied access to the files owned by the first account. The second account should hold no privileged group memberships, and the check is worth repeating with it added to the first account's group, since a file readable by a shared group is just as exposed to every member of that group as a world-readable file is to everyone. Test accounts should be disabled or removed once the test is complete. Similar but more complex procedures can be devised to verify that accounts with different levels of access to sensitive data are in fact restricted to data at the proper classification/sensitivity level.
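The test-account check described in item 4 above and in the procedure paragraph can be run without creating real accounts or needing root. The following is an added example, not code from the SANS page: it evaluates POSIX mode bits the way the kernel's discretionary access check does (owner triad if the uid matches, otherwise group triad if the file's gid is among the user's groups, otherwise the "other" triad) for a hypothetical second account, and walks a directory tree reporting every file that account could read but does not own. The sample files, their modes, and the hypothetical test uid are constructed inside the script. ACLs, mandatory access controls, and directory traversal permissions are not modelled; on a real audit the directory walk would point at a file server's shared trees rather than a temporary directory.

```python
"""Audit a directory tree for files a test account could read without owning them.

Added example for the need-to-know test procedure; not part of the SANS page.
It models the POSIX discretionary access check for a hypothetical test user so
it runs without root and without creating real accounts.
"""
import os
import stat
import tempfile


def can_read(mode, owner_uid, owner_gid, test_uid, test_gids):
    """Return True if a user (test_uid, member of test_gids) may read the file.

    Exactly one permission triad applies: owner if the uid matches, otherwise
    group if the file's gid is one of the user's groups, otherwise "other".
    A file with mode 0604 is therefore NOT readable by a group member, even
    though everyone else can read it. uid 0 bypasses the check entirely.
    ACLs and mandatory access controls are not modelled (assumption).
    """
    if test_uid == 0:
        return True
    if test_uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in test_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_tree(root, test_uid, test_gids):
    """Return relative paths under root the test user could read but does not own.

    Traversal rights on parent directories are assumed; only the files are rated.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink is governed by its target; skip it here
            if st.st_uid != test_uid and can_read(
                st.st_mode, st.st_uid, st.st_gid, test_uid, test_gids
            ):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def demo(test_user_in_group):
    """Constructed sample: three files with different modes in a temp directory.

    Returns the paths flagged for a hypothetical second account that owns
    nothing here and either is or is not a member of the files' group.
    """
    sample = {"secret.txt": 0o600, "team.txt": 0o640, "public.txt": 0o644}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in sample.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample data\n")
            os.chmod(path, mode)
        owner = os.stat(os.path.join(root, "team.txt"))
        other_uid = owner.st_uid + 1  # hypothetical uid that is not the owner
        groups = {owner.st_gid} if test_user_in_group else set()
        return audit_tree(root, other_uid, groups)


if __name__ == "__main__":
    print("second account in the owners' group:", demo(True))
    print("second account in a different group:", demo(False))
```

Run against a file server's shared trees with the real test account's uid and group list (for example from `id -u testuser` and `id -G testuser`), the script produces the list of files a standard user could reach, which is the finding the monthly test is meant to surface. On Windows file shares the equivalent check reads the share and NTFS ACLs rather than mode bits, and the same principle applies: evaluate what the test account's group memberships grant, not only what the account itself is named on.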



