
CSF PROTECT.Access Control (PR.AC)

by Sharon Everson
February 26, 2016

CSF PROTECT.Access Control (PR.AC) Screenshot

Access control is a critical part of every network security plan. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of objectives that allow an organization to build a comprehensive security plan to protect against security threats. This Assurance Report Card (ARC) addresses the user access and least privilege aspects of the NIST Cybersecurity Framework category PROTECT.Access Control (PR.AC), which provides accurate information on the access control measures in use and identifies potentially vulnerable areas that may need to be addressed.

No matter the size of an organization, user management and access control can be a daunting task. Access controls are security features that aim to regulate which users can access specific data or resources. Having effective password, account transition, and least privilege policies can help reduce the vulnerabilities an organization is exposed to. Organizations that do not maintain strict access controls could be leaving their network vulnerable to attack, intrusion, or infection.

This ARC assists organizations in improving their access control measures. Systems and vulnerabilities are identified using a combination of active scans by Nessus and passive scans by the Nessus Network Monitor (NNM, formerly the Passive Vulnerability Scanner). NNM can detect hosts that may be missed by active scans, such as hosts that are only connected to the network intermittently. Policy statements are included that report on systems that are successfully reporting user statistics, systems that are using administrative accounts over the network, and systems with unused or disabled accounts. Additional policy statements report on various compliance checks related to user accounts, access controls, and least privilege policies. Noncompliant, misused, or misconfigured accounts can leave a network exposed to malicious activity. Ensuring that systems are reporting user statistics is key to monitoring and addressing systems within a network that have vulnerable accounts.

The information provided in this ARC provides a baseline to measure the effectiveness of an organization's access control efforts and identifies whether the policies that are currently being enforced are effective. Policy statements can be customized as needed to meet organizational requirements.

This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:

  • Tenable.sc 5.2.0
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.0

Tenable's Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Nessus Network Monitor (NNM), as well as log correlation with Tenable's Log Correlation Engine (LCE). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network assets, connections, and services.

ARC Policy Statements:

At least 95% of systems report active user statistics: This policy statement compares the number of systems that report user statistics to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. LCE can gather user statistics from systems on a network. All systems should be reporting user statistics to LCE to ensure that access controls can be effectively implemented and monitored.

Less than 10% of systems using administrative accounts over the network: This policy statement compares the number of systems using administrative accounts over the network to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy monitors systems for the use of administrative accounts over the network, which should be limited to a defined list of systems. Any unexpected systems using administrative accounts over the network should be considered suspicious.

Less than 5% of password compliance checks failed: This policy statement compares the number of failed password compliance checks to the total number of password compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Password settings may include password length, complexity, and age requirements, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:

  • NIST 800-53 control IA-5 (AUTHENTICATOR MANAGEMENT)
  • DoD Instruction 8500.2 control IAIA (Individual Identification and Authentication)
  • PCI DSS requirement 8.2 (Ensure proper user-authentication management)

Less than 5% of account lockout compliance checks failed: This policy statement compares the number of failed account lockout compliance checks to the total number of account lockout compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Account lockout settings may include failed logon counts and lockout duration requirements, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:

  • NIST 800-53 control AC-7 (UNSUCCESSFUL LOGON ATTEMPTS)
  • SANS/Council on CyberSecurity Critical Security Control 16-9 (Account Monitoring and Control: Lockouts)
  • DoD Instruction 8500.2 control ECLO (Logon)
  • PCI DSS requirement 8.1.6 (Limit repeated access attempts by locking out the user)
  • PCI DSS requirement 8.1.7 (Set the lockout duration)

Less than 5% of session lock/termination compliance checks failed: This policy statement compares the number of failed session lock and termination compliance checks to the total number of session lock and termination compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Session lock and termination settings may include screen lock and idle time requirements, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:

  • NIST 800-53 control AC-11 (SESSION LOCK)
  • NIST 800-53 control AC-12 (SESSION TERMINATION)
  • SANS/Council on CyberSecurity Critical Security Control 16-5 (Account Monitoring and Control: Auto logout)
  • DoD Instruction 8500.2 control PESL-1 (Screen Lock)
  • PCI DSS requirement 8.1.8 (Idle session requires re-authentication)

Less than 5% of least privilege compliance checks failed: This policy statement compares the number of failed least privilege compliance checks to the total number of least privilege compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Least privilege settings may include requirements to disable certain rights and privileges for specific users, among other things. Compliance is measured against those policy checks that reference one or more of the following standards:

  • Cybersecurity Framework PR.AC-4 (Access permissions are managed, incorporating the principles of least privilege and separation of duties)
  • NIST 800-53 control AC-6 (LEAST PRIVILEGE)
  • SANS/Council on CyberSecurity Critical Security Control 12 (Controlled Use of Administrative Privileges)
  • DoD Instruction 8500.2 control ECLP (Least Privilege)

Less than 5% of Windows systems have unused or disabled accounts: This policy statement compares the number of Windows systems that have unused or disabled accounts to total Windows systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Unused or disabled accounts are vulnerable to exploitation and should be deleted in order to ensure that they are not used for malicious purposes.
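To make the policy statement logic concrete, the following is an added example (not Tenable's code and not how Tenable.sc implements ARCs) that evaluates statements of both shapes used above, the "less than N% failed" compliance ratios and the "at least 95% reporting" ratio, over constructed check results. The `refs` tags, host names and the treatment of WARNING results and of empty scopes are assumptions made for the example.

```python
# Added example, not Tenable's code: ARC-style policy statement evaluation
# over constructed compliance-check results (reference tags are constructed).
PASSWORD_REFS = {"800-53|IA-5", "8500.2|IAIA", "PCI-DSS|8.2"}
LOCKOUT_REFS = {"800-53|AC-7", "CSC|16-9", "8500.2|ECLO",
                "PCI-DSS|8.1.6", "PCI-DSS|8.1.7"}
LEAST_PRIV_REFS = {"CSF|PR.AC-4", "800-53|AC-6", "CSC|12", "8500.2|ECLP"}

# Constructed sample results; "refs" mimics the cross-references a compliance
# check carries, which the ARC uses to decide which statement a check counts in.
CHECKS = [
    {"host": "h1", "result": "PASSED",  "refs": ["800-53|IA-5"]},
    {"host": "h1", "result": "FAILED",  "refs": ["800-53|IA-5", "PCI-DSS|8.2"]},
    {"host": "h2", "result": "PASSED",  "refs": ["800-53|AC-7", "PCI-DSS|8.1.6"]},
    {"host": "h2", "result": "PASSED",  "refs": ["800-53|AC-11"]},
    {"host": "h3", "result": "FAILED",  "refs": ["800-53|AC-6", "CSF|PR.AC-4"]},
    {"host": "h3", "result": "WARNING", "refs": ["800-53|IA-5"]},
]

def evaluate(numerator, denominator, threshold_pct, at_least=False):
    """Return (colour, percentage); colour is None when nothing is in scope.

    A statement with zero checks in scope has no ratio, so it is reported as
    unmeasured rather than silently green (assumed handling, not the ARC's).
    """
    if denominator == 0:
        return None, None
    pct = 100.0 * numerator / denominator
    ok = pct >= threshold_pct if at_least else pct < threshold_pct
    return ("green" if ok else "red"), pct

def compliance_statement(checks, refs, threshold_pct=5.0):
    """'Less than N% of <category> compliance checks failed'.

    A check is in scope if it references any standard in refs; WARNING results
    count toward the total but not as failures (assumption).
    """
    scope = [c for c in checks if refs & set(c["refs"])]
    failed = sum(1 for c in scope if c["result"] == "FAILED")
    return evaluate(failed, len(scope), threshold_pct)

def reporting_statement(reporting_hosts, all_hosts, threshold_pct=95.0):
    """'At least 95% of systems report active user statistics' (an at-least rule)."""
    return evaluate(len(reporting_hosts & all_hosts), len(all_hosts),
                    threshold_pct, at_least=True)

if __name__ == "__main__":
    print("password", compliance_statement(CHECKS, PASSWORD_REFS))
    print("reporting", reporting_statement({"h1", "h2"}, {"h1", "h2", "h3"}))
```

A statement whose scope is empty (for example, no checks referencing AC-12 were ever run) is the case worth watching when customizing statements: it means nothing was measured, not that everything passed.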
