Compliance - NIST 800-171 - Access Control
"Almost all physical and logical entry points to the organization and its information system need some type of access control"
Access Controls specifies following four:
- which users can access a system or facility
- what resources those users can access
- what operations those users can perform
- Enforce accountability for those users' actions
Access control is the process of allowing only authorized users, programs, or other computer systems (i.e. networks) to observe, modify, or otherwise take possession of the resources of a computer system. It is also a mechanism for limiting the use of some resources to authorized users.
In short, access controls are the collection of mechanisms, processes, or techniques that work together to protect the assets of an organization. They help protect against threats and mitigate vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only authorized people, processes, or systems.
Access controls incorporates all operational levels of an organizations:
- Facilities: Protects entry to, and movement around, organization's physical location. This protects personnel, equipment, information and other assets inside that facility.
- Support Systems: Systems like power, heating, ventilation, AC, fire suppression controls must be carefully controlled.
- Information Systems: Multilayer of access controls needs to be applied in information systems and networks. This protect those systems from harm or misuse.
- Personnel: Ensure right people have access right access and they do not interfere with people with whom they do not have any legitimate business.
A guideline from NIST provides following security requirements for access control (including basic and derived requirements) for protecting the confidentiality of CUI (Controlled Unclassified Information) in nonfederal information systems and organizations. The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.
- 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Derived Security Requirements:
- 3.1.3 Control the flow of CUI in accordance with approved authorizations.
- 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
- 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
- 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
- 3.1.8 Limit unsuccessful logon attempts.
- 3.1.9 Provide privacy and security notices consistent with applicable CUI rules.
- 3.1.10 Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity.
- 3.1.11 Terminate (automatically) a user session after a defined condition.
- 3.1.12 Monitor and control remote access sessions.
- 3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
- 3.1.14 Route remote access via managed access control points.
- 3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.
- 3.1.16 Authorize wireless access prior to allowing such connections.
- 3.1.17 Protect wireless access using authentication and encryption.
- 3.1.18 Control connection of mobile devices.
- 3.1.19 Encrypt CUI on mobile devices.
- 3.1.20 Verify and control/limit connections to and use of external information systems.
- 3.1.21 Limit use of organizational portable storage devices on external information systems.
- 3.1.22 Control information posted or processed on publicly accessible information systems.
SIEM and Compliance
Keeping up with compliance and reporting is a daunting tasks. SIEM solutions can help us here by providing holistic visibility into the network and improving detection and response capabilities. However, not everything mentioned by NIST is realizable through SIEM. Here's what you can implement with your SIEM to create a compliance reporting.
Basic Security Requirements:
3.1.1 Limit information system access to authorized users and process.
- Check user authentication and their actions. Source and destination of authentication
3.1.5 Principle of least privilege
- Track activities by privileged accounts
- Privilege authentication by user, source, destination, application etc.
- Check for privilege escalation and associated events
- Account lockout, failed logins, failed privileged logins, 3+ failed login within 1 minute, failed login from multiple location etc.
- Remote login, vpn sessions by users. Summary and Time-trend analysis
- track mobile device usage and users
Log Source Requirements
- Hosts Logs (Windows, Unix etc.)
- Official (ISC)2 Guide to the CISSP CBK - Fourth Edition 2015 by Adam Gordon