*This post originally appeared on the AppSense blog prior to the rebrand in January 2017, when AppSense, LANDESK, Shavlik, Wavelink, and HEAT Software merged under the new name Ivanti.
By John Pescatore, Director of Emerging Technologies, SANS
In the Version 6.0 update of the CIS Critical Security Controls, two control areas were elevated in priority because they provide a high level of risk mitigation against real-world attacks:
Control 5: Controlled Use of Administrative Privileges
“The processes and tools used to track/control/prevent/correct the use, assignment and configuration of administrative privileges on computers, networks and applications.”
Control 14: Controlled Access Based on the Need to Know
“The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers and applications have a need and right to access these critical assets based on an approved classification.”
Both of those areas focus on preventing attackers from using administrative privileges or user access rights, raising the bar against both installing/executing software and reading/modifying sensitive data.
Overprivileged accounts or widespread granting of administrative privileges are commonly exploited by attackers to cause severe business damage. Similar to application control, privilege management done badly often causes unacceptable levels of business disruption.
“Need to share” often violates simple “need to know” policies or group access controls. When restrictions are too static or complex, IT will need high levels of staffing to respond to requests for access or administrative privilege in a reasonable amount of time. Mechanisms are needed to allow limited exceptions to be granted during verification and to support user self-service approaches in low-risk cases.
A common response to the Critical Controls and other efforts to define controls is to say that the controls are all well-understood security practices—nothing new. And that is true—but survey after survey, penetration test after penetration test and breach report after breach report show these basic controls were either not implemented or not maintained.
Conversely, enterprises and government agencies that avoid breaches or minimize the damage of advanced targeted attacks almost invariably have implemented controls such as “Application Control” and “Privilege Management” and have mature processes that both respond to changes in threat and meet business needs for flexibility and adaptability.
Practices that such organizations tend to follow include these:
1. Get management and peer support before starting.
Change is difficult for all organizations, and increasing security does require change. Getting buy-in from both upper-level management and key peer organizations (such as IT, legal and business) is key to driving change. Proven ways to obtain buy-in and support for security change include the following three, in order of effectiveness:
- Post-audit/breach report. Unfortunately, change is always easier after a disaster. The best case is that another company in your industry suffers a breach, providing you with information about the root cause that helps you get approval for closing your gaps. The worst case (an after-action report from an external party investigating a breach at your company or agency) is an even more powerful catalyst, as is a negative audit report.
- Major business or IT transition. Mergers and acquisitions often result in change to both business and IT operations as consolidation occurs. Major IT transitions (such as moving to Windows 10 or SaaS) also drive change. “Application Control” and “Privilege Management” can often be worked into these transition plans as part of process improvement.
- Compliance- or competition-driven. Federal Information Security Management Act (FISMA), HIPAA, the North American Electric Reliability Corp. (NERC), PCI and every other compliance regime have requirements for “Application Control” and “Privilege Management.” Case studies such as SANS What Works are documenting companies that are showing real business benefit from improvement in security in these areas.
2. Start smart.
Both “Application Control” and “Privilege Management” can be disruptive to business if implemented abruptly. Prior to any deployment of these controls, inventories of business-critical applications and access needs should be documented and understood. The first phase of deployment should be “monitor only”: allow all operations to proceed without enforcement for at least a week, while potential enforcement actions are analyzed for potential disruption. The next step should be a small-scale prototype test with enforcement enabled, using only security and IT personnel and any motivated external volunteers.
Once any process issues are shaken out, some problem users such as developers, managers and super-admins should be added to the trial.