
CIS Controls – PAM x 20 Controls Focused on PAM

Sep 26, 2019 | BLOG

The Michaelis Dictionary defines risk as the likelihood of damage to a given project or thing due to an uncertain event. This definition applies to anything that may expose people and organizations to harm, including Information Security. In this specific context, cyber-security risk is the likelihood of such damage occurring as a result of the use of interconnected systems. With this in mind, those responsible for Information Security can be clear about the actions needed to mitigate these risks, that is, to prevent organizations from suffering such damage.

To assist in defining strategies for protection against cyberattacks, industry organizations have created sets of policies and procedures, documented both as a body of knowledge and as practical implementation procedures. Some of these frameworks are designed for a specific industry, and all aim to reduce unknown vulnerabilities and configuration errors in the organizational environment. In short, these standards give organizations a model for understanding their security posture and knowing how to improve it. And because they have been tested across different situations and industries, their reliability and effectiveness can be vouched for.

The industry’s leading cyber-security risk management frameworks, regulations, and standards are the ISO 27000 standards, the NIST’s Cyber-Security Framework, the PCI DSS standard, and the Center for Internet Security’s (CIS) Critical Security Controls.

CIS is a nonprofit organization that aims to leverage the power of a global IT community to secure public and private organizations against cyber threats. To that end, CIS has defined a set of critical security controls, based on the industry’s best practices, that organizations should implement in their environment to ensure an effective cyber-security strategy. These critical controls are divided into three distinct sets: basic, foundational, and organizational, totaling 20 controls that together address essentially every aspect of cyber-security. These are:

Although the CIS controls address numerous aspects of Information Security, some of them are directly related to Privileged Access Management (PAM). Of the 20 controls proposed by CIS, one specifically addresses PAM, while the other 19 are either influenced by or effectively require PAM-related concepts.

Privileged Access Management refers to a set of technologies and practices that monitor and manage privileged access (also called administrative access) to critical systems. With a privileged credential, a user can, for example, modify system settings and user accounts, and access critical data.

Thus, given their level of access to and control over the systems that manage information or processes, privileged users expose the organization to potential business risks. Whether through an attack, privilege abuse, or human error, a privileged user can be the attack vector for a security incident.

Control number 4 (Controlled Use of Administrative Privileges) directly addresses PAM. To understand how a PAM solution can fully address this control, let’s look at the CIS-provided sub-controls associated with controlled use of administrative privileges. These are:

  • 4.1. Maintain Inventory of Administrative Accounts.
  • 4.2. Change Default Passwords.
  • 4.3. Ensure the Use of Dedicated Administrative Accounts.
  • 4.4. Use Unique Passwords.
  • 4.5. Use Multi-Factor Authentication for All Administrative Access.
  • 4.6. Use Dedicated Workstations for All Administrative Tasks.
  • 4.7. Limit Access to Scripting Tools.
  • 4.8. Log and Alert on Changes to Administrative Group Membership.
  • 4.9. Log and Alert on Unsuccessful Administrative Account Login.

Thus, a PAM solution is essential to implementing this control and all of its sub-controls, enabling the Information Security team to grant and revoke privileged access across a range of systems and devices. A PAM solution also allows these accesses to be monitored, and alerts system administrators to any non-compliance in remote sessions, for example a user attempting access at an unauthorized time, or accessing the admin interface of a device that is not within their purview.
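Sub-controls 4.8 and 4.9 are the two that turn PAM into a detection problem: every change to an administrative group must raise an alert, and failed logins against administrative accounts must be logged and alerted on. The following is an added example, not senhasegura code and not from the CIS documents, showing both rules run over a constructed stream of Windows Security events. The event IDs used are the real ones (4728, 4732 and 4756 for a member added to a security-enabled global, local or universal group; 4625 for a failed logon), but the account names, group set, source addresses and timestamps are constructed, and the failure threshold and sliding window are design choices of this example rather than anything CIS prescribes.

```python
"""Log-and-alert rules for CIS sub-controls 4.8 and 4.9 (added illustration).

4.8: alert on every addition to an administrative group (events 4728/4732/4756).
4.9: alert when an administrative account accumulates failed logons (event 4625)
     inside a sliding window. FAIL_THRESHOLD = 1 alerts on every single failure.
"""
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Assumed sets for a hypothetical domain; a real deployment feeds these from its
# privileged-account inventory rather than hard-coding them.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
ADMIN_ACCOUNTS = {"adm-alice", "adm-bob", "Administrator"}
GROUP_CHANGE_EVENTS = {4728, 4732, 4756}
FAILED_LOGON = 4625
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)

# Constructed sample events in arrival order, reduced to the fields the rules use.
EVENTS = [
    {"time": "2019-09-26T08:00:00", "id": 4625, "target": "adm-alice", "src": "10.0.0.5"},
    {"time": "2019-09-26T08:00:40", "id": 4625, "target": "adm-alice", "src": "10.0.0.5"},
    {"time": "2019-09-26T08:01:10", "id": 4625, "target": "adm-alice", "src": "10.0.0.5"},
    {"time": "2019-09-26T08:02:00", "id": 4625, "target": "jdoe", "src": "10.0.0.9"},
    {"time": "2019-09-26T08:30:00", "id": 4732, "subject": "adm-bob", "member": "jdoe",
     "group": "Administrators"},
    {"time": "2019-09-26T08:31:00", "id": 4732, "subject": "adm-bob", "member": "jdoe",
     "group": "Remote Desktop Users"},
    {"time": "2019-09-26T09:00:00", "id": 4625, "target": "adm-bob", "src": "10.0.0.7"},
    {"time": "2019-09-26T09:20:00", "id": 4625, "target": "adm-bob", "src": "10.0.0.7"},
    {"time": "2019-09-26T09:21:00", "id": 4625, "target": "adm-bob", "src": "10.0.0.7"},
]


def evaluate(events: List[dict]) -> List[str]:
    """Run both rules over the stream and return the alert lines they produce."""
    alerts: List[str] = []
    failures: Dict[str, Deque[datetime]] = {}  # per-account timestamps of 4625s
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        eid = ev["id"]
        if eid in GROUP_CHANGE_EVENTS and ev.get("group") in ADMIN_GROUPS:
            # 4.8: any addition to an admin group is alert-worthy on its own.
            alerts.append(
                f"{ev['time']} ADMIN-GROUP-CHANGE: {ev['subject']} added "
                f"{ev['member']} to {ev['group']} (event {eid})"
            )
        elif eid == FAILED_LOGON and ev.get("target") in ADMIN_ACCOUNTS:
            # 4.9: keep only failures inside the window, then compare to threshold.
            q = failures.setdefault(ev["target"], deque())
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(
                    f"{ev['time']} ADMIN-LOGON-FAILURES: {len(q)} failed logons for "
                    f"{ev['target']} within {FAIL_WINDOW} (last source {ev['src']})"
                )
                q.clear()  # one burst yields one alert, not one per extra failure
    return alerts


if __name__ == "__main__":
    for line in evaluate(EVENTS):
        print(line)
```

With the constructed stream, the three failures against adm-alice inside 70 seconds raise one alert, the three against adm-bob do not because two of them fall outside the five-minute window, the failure against jdoe is ignored as a non-administrative account, and only the addition to Administrators (not to Remote Desktop Users) triggers the group-membership rule.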

Sub-control 4.1 – Maintain Inventory of Administrative Accounts, for example, requires the organization to have full visibility over all administrative credentials and their privileges, using automated tools to inventory every privileged credential. senhasegura, as a PAM solution, offers the Scan and Discovery resource, which scans for and discovers privileged credentials (such as domain and local privileged accounts) across a range of assets, such as network devices, systems, and applications, including DevOps environments.
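To make sub-control 4.1 concrete, here is an added example (not senhasegura's Scan and Discovery code, and not part of the original post) of what an automated inventory of administrative accounts has to look at on a single Linux host: uid 0 entries and primary group membership in /etc/passwd, supplementary membership of administrative groups in /etc/group, and user and %group specifications in sudoers. All three inputs are constructed sample text for a hypothetical host, and the set of administrative group names is an assumption that varies by distribution.

```python
"""Inventory of administrative accounts on a Linux host (CIS 4.1, added example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample data for a hypothetical host, not taken from any real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-backup:x:0:1002:Backup service:/var/backup:/bin/sh
carol:x:1003:1003:Carol:/home/carol:/bin/bash
dave:x:1004:10:Dave:/home/dave:/bin/bash
"""
GROUP = """\
root:x:0:
wheel:x:10:bob,alice
sudo:x:27:alice
users:x:100:carol
"""
SUDOERS = """\
# constructed sudoers fragment
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
carol   ALL=(root) NOPASSWD: /usr/bin/systemctl
"""
# Assumed set of group names that confer administrative privilege.
ADMIN_GROUPS = {"root", "sudo", "wheel", "admin"}


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {username: (uid, primary_gid)}."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            users[f[0]] = (int(f[2]), int(f[3]))
    return users


def parse_group(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Return {groupname: (gid, supplementary members)}."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_sudoers(text: str) -> Dict[str, str]:
    """Return {principal: rule} for plain 'who host=(runas) cmd' specs.

    Comments, blank lines and Defaults are skipped; @include files and aliases
    are not handled here, which a real inventory tool must also cover.
    """
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = re.match(r"^(\S+)\s+(.+)$", line)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules


def inventory_admin_accounts(passwd: str, group: str, sudoers: str) -> Dict[str, List[str]]:
    """Map each privileged account to the reasons it counts as privileged."""
    users, groups, rules = parse_passwd(passwd), parse_group(group), parse_sudoers(sudoers)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    reasons: Dict[str, List[str]] = {}

    def add(user: str, why: str) -> None:
        reasons.setdefault(user, []).append(why)

    for user, (uid, gid) in users.items():
        if uid == 0:
            add(user, "uid 0")
        if gid_to_name.get(gid) in ADMIN_GROUPS:  # primary group lives in passwd
            add(user, f"primary group {gid_to_name[gid]}")
    for gname, (_, members) in groups.items():
        if gname in ADMIN_GROUPS:
            for member in members:
                add(member, f"member of {gname}")
    for principal, rule in rules.items():
        if principal.startswith("%"):
            for member in groups.get(principal[1:], (None, set()))[1]:
                add(member, f"sudoers via {principal}: {rule}")
        else:
            add(principal, f"sudoers rule: {rule}")
    return reasons


def unexpected_root_equivalents(inventory: Dict[str, List[str]]) -> List[str]:
    """Accounts other than root that carry uid 0, a classic finding of an inventory."""
    return sorted(u for u, why in inventory.items() if u != "root" and "uid 0" in why)


if __name__ == "__main__":
    inv = inventory_admin_accounts(PASSWD, GROUP, SUDOERS)
    for user in sorted(inv):
        print(f"{user:12s} {'; '.join(inv[user])}")
    print("uid-0 accounts besides root:", unexpected_root_equivalents(inv))
```

The point of recording a reason per account, rather than a flat list, is that each reason maps to a different remediation: a second uid 0 account (svc-backup here) is an anomaly to remove, a NOPASSWD sudoers rule is scoped privilege to review, and membership acquired only through a primary group (dave) is the kind of entry that tools checking /etc/group alone would miss.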

Another sub-control that senhasegura helps implement is 4.2 – Change Default Passwords. CIS recommends that, before deploying any new asset in the environment, all of its default passwords be changed to values consistent with administrative-level accounts. senhasegura allows automatic rotation of all device passwords and restricts access through quickly and easily configurable, multilevel approval workflows.

Of course, the features of a PAM solution are not restricted to these two sub-controls; such a solution can also meet recommendations present in other controls and their sub-controls. senhasegura offers a PAM solution that enables the implementation of numerous controls from the CIS Critical Security Controls. In addition to enabling the full implementation of the privileged access management control, senhasegura also addresses aspects linked to system inventory, configuration, monitoring, incident response, and su/sudo injection. Implementing senhasegura mitigates potential attacks against systems through privileged credentials and helps ensure the trust of employees, partners, and customers, as well as business continuity.
