Categories Topics
Description
Access Control

Overview
Access to systems and applications should be controlled to ensure access is commensurate with job and security requirements. Access should be consistent with a user's role in the organization and should define specific access rights authorized on systems, networks and applications. Access controls should also include periodic review of role membership, segregation of duties, monitoring of access and formal access authorization process.

Guidelines
As part of an Identity Management program, organizations should first focus on establishing roles and access privileges commensurate with business requirements and "least privilege" (i.e. the minimum amount of privileges required for the role and nothing more).  Each role should also have a role owner who is accountable for approving new users/members to the role.

Privilege Access to the most sensitive systems and data should be authorized with the least privilege required to minimize the potential risks of errors or misuse of privileges. Management should review role membership periodically (quarterly for privilege access) and ensure members are removed if access is no longer required.

New user access approvals:  Once roles are established, new user requests should be approved by the role owner prior to authorizing (or "provisioning") user access to sensitive systems or data.  Organizations may use groups (e.g. Active Directory group) to define members or user ID's that are authorized to perform certain activities defined by the role.  Groups are often easier to provision or assign access to system or application resources.

Word of warning: Often times, authorization procedures are weak in that users can request "access like" another user (in lieu of a defined role). This often times contributes to role propagation where users can accumulate privileges over time that are not commensurate with a user's role.  This practice should be strongly discouraged.

Segregation of Duties (or SOD) is also a strong control to ensure no single person has full control to introduce fraudulent or malicious code or remove data without detection. Some examples of roles that should be separated include, but not limited to: separate roles for authorization from roles implementing changes and separate developer roles from production support roles.

Termination of Access Rights: Access for users who leave the company should immediately be revoked upon termination. Close arrangement should be made between Human Resources and security access control to ensure HR or management can notify security immediately upon termination to ensure access is removed. Passwords to privileged IDs should also be changed if they were known by former employee.  

Logging: Audit logging should be enabled on systems (and devices) to log user and security activity at the application or transaction level. Audit logs are critical to assist in incident response, future investigations, audit trail and troubleshooting to name a few. See topic "Logging" for more information and guidance if needed.

Topic Category
Access Control
 
News Articles
For some cloud services more than 75% of accounts are utilized by hackers10/4/2018
Clarksons says single user account to blame for data breachwww.zdnet.com7/31/2018
Facebook now supports 2FA via authenticator appswww.helpnetsecurity.com5/29/2018
Researchers develop algorithm to detect fake users on social networkswww.helpnetsecurity.com4/17/2018
Hackers reveal leading enterprise security blind spotswww.zdnet.com9/19/2017
Blame shoddy security for UK parliament hack, says reportwww.zdnet.com7/6/2017
Researchers develop algorithm to detect fake users on social networkswww.helpnetsecurity.com4/17/2017
Google’s CAPTCHA Service Now Goes Invisible for Human Userswww.tripwire.com3/9/2017
Researchers spot uptick in apparel and food delivery online fraudwww.scmagazine.com3/3/2017
Paper factory fired its sysadmin. He returned via VPN and caused $1m in damage. Now jailedwww.theregister.co.uk2/18/2017
YubiKey for Windows Hello brings hardware-based 2FA to Windows 10www.zdnet.com12/23/2016
Sage suffers data breach from insiderwww.scmagazine.com8/15/2016
Android users to be warned of suspect Google account activity in real-timewww.helpnetsecurity.com8/2/2016
BlackEnergy drains files from Ukraine media, energy organisationswww.theregister.co.uk1/4/2016
Apple's "two-step" security now protects iMessage and FaceTime, toonakedsecurity.sophos.com2/13/2015
Chipotle Website & Twitter Account Hackedwww.tripwire.com2/7/2015
Daily Report: Simple Flaw Allowed JPMorgan Computer Breachbits.blogs.nytimes.com12/23/2014
SpoofedMe Social Login Attack Discovered by IBM X-Force Researcherssecurityintelligence.com12/4/2014
Strengthening 2-Step Verification with Security Keygoogleonlinesecurity.blogspot.com10/21/2014
Giving fraud the finger: Barclays banks on biometrics for business customerswww.zdnet.com9/5/2014
JLaw, Kate Upton exposed in celeb nude pics hackwww.theregister.co.uk8/31/2014
Who needs hackers? 'Password1' opens a third of all biz doorswww.theregister.co.uk8/15/2014
Hackers Find Way to Outwit Tough Security at Banking Sitesbits.blogs.nytimes.com7/22/2014
Ad network compromise leads to rogue page redirects on Reuters sitewww.computerworld.com6/23/2014
Verizon launches credential cloud servicewww.zdnet.com6/23/2014
Heartbleed-based BYOD hack pwns insurance giant Aviva's iPhoneswww.theregister.co.uk6/23/2014
Tumblr beefs up security with two-factor authenticationnakedsecurity.sophos.com3/26/2014
Yahoo Mail accounts breached with stolen passwordsnews.yahoo.com1/30/2014
Target traces security breach to stolen vendor credentialswww.zdnet.com1/30/2014
Report: Target Hackers Used Default Vendor Credentials; Justice Dept. Investigatingthreatpost.com1/30/2014
Syrian Electronic Army Hacks CNN Social Media, Microsoft Transparency Datathreatpost.com1/27/2014
Salesforce launches identity service, eyes Oktawww.zdnet.com10/15/2013
Contractor Accesses 2 Million Vodafone Germany Customer Recordsthreatpost.com9/12/2013
Internet Census 2012 Data: Millions of Devices Vulnerable by Defaultthreatpost.com9/11/2013
Google security exec: 'Passwords are dead'news.cnet.com9/10/2013
Inside the Response to the New York Times Attackthreatpost.com8/29/2013
New York Times, Twitter domain hijackers 'came in through front door'www.theregister.co.uk8/27/2013
Syrian Electronic Army Cracks ShareThis.com GoDaddy Accountblogs.cisco.com8/22/2013
Bradley Manning sentenced to 35 years in prisonwww.theregister.co.uk8/21/2013
20 Critical Security Controls: Control 16 – Account Monitoringwww.tripwire.com7/24/2013
Hollywood hospital fires six for snooping into patient recordsnakedsecurity.sophos.com7/16/2013
Brute-Force Attack Leaks Data on 35,000 Konami Gamersthreatpost.com7/13/2013
WellPoint takes $1.7 million hit over HIPAA slipwww.zdnet.com7/11/2013
NC Fuel Distributor Hit by $800,000 Cyberheistkrebsonsecurity.com5/23/2013
Syrian hacktivists hijack Telegraph's Facebook, Twitter accountswww.theregister.co.uk5/21/2013
Report: Twitter warns news outlets to be on guard against account takeover attemptswww.scmagazine.com4/30/2013
Hackers send bogus tweets from '60 Minutes' accountnews.cnet.com4/20/2013
Bank Sues Cyberheist Victim to Recover Fundskrebsonsecurity.com4/19/2013
Syrian hacktivists hijack BBC Weather feedwww.theregister.co.uk3/21/2013
Need to lend your key? E-mail it, Fraunhofer saysnews.cnet.com3/4/2013
Burger King Twitter account hacked, defacednews.cnet.com2/18/2013
Former Employee Charged With Accessing Thousands of Driver's Licensesthreatpost.com2/7/2013
Barracuda moves to shutter backdoor access to its network gearwww.computerworld.com2/6/2013
Twitter flaw gave private message access to third-party apps, researcher sayswww.computerworld.com1/22/2013
Google sees one password ring to rule them allwww.computerworld.com1/18/2013
Army Looking for Ways to Infiltrate Air-Gapped Systemsthreatpost.com1/17/2013
Passwords hanging around like an ugly old dorm couchwww.zdnet.com1/10/2013
Adobe warns of critical ColdFusion hole being exploited in the wildwww.zdnet.com1/8/2013
Facebook Patches Password Reset Vulnerabilitythreatpost.com1/8/2013
WA Police seeks new two-factor authentication providerwww.zdnet.com12/18/2012
FBI Memo Shows Hackers Accessed Commercial HVAC Systemsthreatpost.com12/13/2012
Twitter SMS-Spoofing Bug Allows Attackers to Send Tweets From Users' Accounts, Edit Profilesthreatpost.com12/4/2012
Twitter Resolves SMS Bug (For Some Users)threatpost.com12/4/2012
Companies House website security 'a bit of a mess'www.theregister.co.uk11/28/2012
Hardcoded Password Enables Remote Attacks on Samsung Printersthreatpost.com11/28/2012
FreeBSD shuts down servers after breachwww.infosecurity-magazine.com11/19/2012
Nintendo Wii U network 'hacked' hours after launch?www.zdnet.com11/19/2012
Regaining Control Of Data In The Cloudwww.darkreading.com11/12/2012
Blizzard Sued Over Data Breach, Authenticator Salesthreatpost.com11/12/2012
Toyota sues programmer for 'sabotaging' computer networkwww.zdnet.com8/30/2012
Dropbox Now Offers Two-Step Authenticationkrebsonsecurity.com8/27/2012
Reuters' Twitter account hackedwww.zdnet.com8/5/2012
Gizmodo's Twitter account hackedwww.zdnet.com8/4/2012
Agencies to dole out new hardware keys for secret networkswww.nextgov.com7/20/2012
Homeland Security warns of hackers targeting popular Niagara softwarewww.washingtonpost.com7/13/2012
Federal appeals court raps bank over shoddy online securitywww.computerworld.com7/5/2012
Man arrested for hacking into billing providerwww.h-online.com5/31/2012
DHS To Critical Infrastructure Owners: Hold On To Data After Cyber Attackthreatpost.com5/29/2012
Report: Hackers Seized Control of Computers in NASA’s Jet Propulsion Labwww.wired.com3/1/2012
Man charged with stealing NY Fed Reserve Bank source codenews.cnet.com1/18/2012
Patient Data Theft Sends IT Specialist To Jailwww.informationweek.com1/17/2012
NYC authorities charge 55 in cyber fraud, ID theft ringwww.scmagazine.com12/19/2011
How To Spot Malicious Insiders Before Data Theftwww.informationweek.com12/8/2011
Anonymous Hacks Back at Cybercrime Investigatorswww.wired.com11/19/2011
Title Firm Sues Bank Over $207k Cyberheistkrebsonsecurity.com11/14/2011
RSA Blames Breach on Two Hacker Clans Working for Unnamed Governmentwww.wired.com10/11/2011
Who Else Was Hit by the RSA Attackers?krebsonsecurity.com10/1/2011
Countrywide insider gets eight months in prison for theftwww.scmagazine.com9/28/2011
Sony yet to fully secure its networks: expertwww.reuters.com5/13/2011
FBI Arrests Four For Insider Tradingwww.informationweek.com12/17/2010
White Papers
DISA Access Control STIGiase.disa.mil10/29/2010
DISA Biometric Security Checklist for the Access Control STIGiase.disa.mil10/17/2007
Policies
Access Control Policy
Authentication Management Policy
Network Access Control Policy
Secure Log-on Procedure and Message Policy
Separation of Non-Production and Production Environment Policy
Session Management Policy
System ID Management Policy
User ID Management Policy
User System Session Policy
Standards
NIST SP 800-76-2 Biometric Data Specification for Personal Identity VerificationNIST7/12/2013
NIST Guide to Computer Security Log ManagementNIST9/1/2006
NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) CredentialsNIST12/19/2014
NIST SP 800-162 Guide to Attribute Based Access Control (ABAC) Definition and ConsiderationsNIST1/21/2014