20. Regulatory Compliance – Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations

© Morey J. Haber 2020
M. J. Haber, Privileged Attack Vectors, https://doi.org/10.1007/978-1-4842-5914-6_20

20. Regulatory Compliance

Morey J. Haber, Heathrow, FL, USA
 
A threat actor does not care about the law, compliance, regulations, or security best practices. In fact, they are hoping that your organization is lax on many of these specifications and frameworks so that they can leverage the gaps for malicious intent. While regulatory compliance is designed to provide legally binding guidelines for industries and governments, it does not provide the necessary means to stay secure. Compliance does not equal security. Regulatory compliance measures are enforced guidance toward good cybersecurity hygiene, but implementing them without good processes, people, training, and diligence will leave you susceptible to a breach. Therefore, when reviewing leading regulatory compliance initiatives, consider the following:
  • How they apply to your organization based on laws, sensitive information, contracts, industry, and geography.

  • What overlaps exist between them and what processes can satisfy multiple requirements?

  • Be sure to adopt the strictest guidance for your initiatives. The strictest and most comprehensive requirement should always win since it will exceed any looser requirements.

  • Scoping is critical. Just applying the rules to sensitive systems is often not enough to provide good security. Consider the effort and cost of increasing the scope to mitigate risks through any connected system that could affect the legislatively required scope.

Keep in mind that any regulatory compliance requirements are the absolute minimum your organization should be doing. If you are not meeting the minimums, or have lapses in the requirements, you are the low-hanging fruit a threat actor is seeking, and the slowest individual being pursued by the bear.

Payment Card Industry (PCI)

Initially developed in 2004 and currently on version 3.2 (PCI DSS-4.0, at the time of writing this book, is in draft form and in review with QSAs), the Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for every organization that accepts credit cards such as Visa, MasterCard, American Express, and others. The PCI standard:
  • Was created to increase controls around cardholder data to reduce credit card fraud

  • Has become a de facto standard for protecting access to personally identifiable information (PII), especially in the retail industry

  • Is mandated by the card issuers

  • Is administered by the Payment Card Industry Security Standards Council (PCI SSC)

Organizations face several challenges when working to prove their compliance with PCI DSS. The largest organizations are challenged with assessments that are conducted annually by a Qualified Security Assessor (QSA) who creates a Report on Compliance (ROC). And although compliance with PCI DSS is not required by federal law in the United States, the laws of some states either refer to PCI DSS directly or make equivalent provisions. If an organization has been breached and was not in compliance with PCI, the card issuers can impose significant financial penalties on the merchant. Since it is the responsibility of the merchant to achieve, demonstrate, and maintain their compliance at all times during the annual assessment, best practice for PCI DSS compliance is to continually improve processes to ensure ongoing compliance, rather than treating compliance as a point-in-time project. Naturally, this can create a tremendous resource drain on technology- and security-oriented teams.

As a part of this process, the primary mission is to protect cardholder data and the security of the transactions involved with this information. Privileged access management can assist with many of the requirements for PCI DSS compliance in various forms, from restricting access, to command-line filtering. Figure 20-1 provides a high-level diagram of PCI DSS requirements. Based on the requirements, it is easy to see how PAM can impact privileges everywhere.
Figure 20-1. PCI DSS Requirements, High-Level Overview

HIPAA

Enacted by the US Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) provides provisions to protect health insurance coverage for workers and their families when they change or lose their jobs. HIPAA requires the establishment of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers. HIPAA has become a de facto standard for protecting the privacy and security of personally identifiable information (PII) in the healthcare industry.

The Security Rule within HIPAA deals specifically with electronic protected health information (EPHI). It lays out three types of security safeguards required for compliance:
  • Administrative Safeguards: Policies and procedures designed to clearly show how the entity will comply with the act

  • Physical Safeguards: Controlling physical access to protect against inappropriate access to protected data

  • Technical Safeguards: Controlling access to computer systems and enabling covered entities to protect communications containing PHI (protected health information) transmitted electronically over open networks from being intercepted by anyone other than the intended recipient

Based on these three safeguards, it is apparent that patient health information requires protection from a potential threat actor. While a single healthcare record is a viable target, especially when it's a record for someone famous or of importance, bulk data is much more valuable on the dark web and for malicious data correlation. Accessing large quantities of data requires privileged access. A single doctor or healthcare provider should not have that level of privileges. Therefore, HIPAA requires privileged access management. Table 20-1 shows the sections in HIPAA solved by PAM (password management (PM), endpoint privilege management (EPM), and secure remote access (SRA)).
Table 20-1. HIPAA Requirements That Can Be Addressed with PAM

HIPAA STANDARD | REF | PM | EPM | SRA
Security Management Process | 164.308(a)(1)
Assigned Security Responsibility | 164.308(a)(2)
Workforce Security | 164.308(a)(3)
Information Access Management | 164.308(a)(4)
Security Incident Procedures | 164.308(a)(6)
Contingency Plans | 164.308(a)(7)
Business Associate Contracts and Other Arrangements | 164.308(b)(1)
Facility Access Controls | 164.310(a)(1)
Workstation Use | 164.310(b)
Workstation Security | 164.310(c)
Device and Media Controls | 164.310(d)(1)
Access Control | 164.312(a)(1)
Audit Controls | 164.312(b)
Integrity | 164.312(c)(1)
Person or Entity Authentication | 164.312(d)
Transmission Security | 164.312(e)(1)
Business Associate Contracts or Other Arrangements | 164.314(a)(1)

SOX

In July 2002, the US Congress passed the Sarbanes-Oxley Act (“SOX”), which was primarily designed to restore investor confidence following well-publicized bankruptcies that brought chief executives, audit committees, and independent auditors under heavy scrutiny. The act applies to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission (SEC). Financial data and documentation are at the heart of the compliance issue, and within the legislation, SOX Section 404: Assessment of Internal Controls defines vulnerability and privileged access management as a business requirement. This helps a business understand the flow of transactions, including IT aspects, to identify points at which a misstatement could arise, and evaluate controls designed to prevent or detect fraud. The latter places privileges as an attack vector and session monitoring clearly in focus for fraud detection and prevention.

GLBA

The Gramm-Leach-Bliley Act (GLBA) was enacted to ensure protection over customers’ records and information. To satisfy the rules and provisions of GLBA, financial institutions are required to perform security risk assessments; develop and implement security solutions that effectively detect, prevent, and allow timely incident response; and perform auditing and monitoring of their security environment. Similar to SOX, a complete section covers risk management. The primary portions of Section 508 relevant to privileges as an attack vector include these:
  • Subtitle A: Disclosure of Nonpublic Personal Information—Constructing a thorough [risk management] on each department handling the nonpublic information

  • Subtitle B: Fraudulent Access to Financial Information—Social engineering occurs when someone tries to gain access to personal nonpublic information without proper authority

NIST

NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, was developed by a joint task force composed of representatives from NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems. This interagency partnership formed in 2009.

This guide delivers a holistic approach to information security and risk management by providing organizations with a comprehensive set of security controls essential to fundamentally strengthen their information systems, as well as the environments in which they operate. The resulting systems are more resilient in the face of threats and cyberattacks. NIST SP 800-53 outlines a “Build It Right” strategy combined with various security controls for continuous monitoring and strives to provide the senior leaders of organizations information in near real-time to support making risk-based decisions related to their critical missions.

Controlling and monitoring privileged access is extremely important for mitigating the risks posed by insider threats, preventing data breaches, and meeting compliance requirements. With that being said, security and IT leaders should walk a fine line between protecting the organization’s critical data to ensure business continuity and enabling users and administrators to be productive.

The NIST publication recognizes this dilemma and formalizes separation of duties, change control, and privileged session auditing. This clearly defines how an organization should manage access and when. Unfortunately, the size and scope of actual PAM mappings to NIST 800-53 is enormous. If your organization has NIST requirements, please consider external consultants (or in-house expertise if you have the resources) to map your business requirements to contracts and actual deliverables. The scope may even include your supply chain and be completely outside of your control, except for contractually-based audits.

ISO

The International Organization for Standardization (ISO) has established guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined in ISO 27002:2013(E) provide general guidance on the commonly accepted goals of information security management.

The control objectives and controls in ISO 27002 are intended to be implemented to meet the requirements identified by a risk assessment. ISO 27002 can serve as a practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in interorganizational activities.

For organizations that have adopted ISO 27002, it is important that all existing and new security solutions map into this framework. The standard contains 14 security control clauses, collectively containing a total of 35 main security categories and 114 controls. Whether an organization’s objective is to achieve legislative compliance or to adopt security best practices, these controls apply to most organizations and in most environments. These clauses directly translate to privileged access management and privileged session monitoring. Table 20-2 shows the categories and controls influenced by ISO 27002 and PAM (password management (PM), endpoint privilege management (EPM), and secure remote access (SRA)).
Table 20-2. PAM Mappings for ISO 27002:2013(E)

6 ORGANIZATION OF INFORMATION SECURITY | PM | EPM | SRA
  6.1 INTERNAL ORGANIZATION
    6.1.1 Information security roles and responsibilities
    6.1.2 Segregation of duties
    6.1.5 Information security in project management
  6.2 MOBILE DEVICES AND TELEWORKING
    6.2.2 Teleworking
8 ASSET MANAGEMENT
  8.1 RESPONSIBILITY FOR ASSETS
    8.1.3 Acceptable use of assets
  8.2 INFORMATION CLASSIFICATION
    8.2.3 Handling of assets
9 ACCESS CONTROL
  9.1 BUSINESS REQUIREMENT OF ACCESS CONTROL
    9.1.1 Access control policy
    9.1.2 Access to networks and network services
  9.2 USER ACCESS MANAGEMENT
    9.2.1 User registration and deregistration
    9.2.2 User access provisioning
    9.2.3 Management of privilege access rights
    9.2.4 Management of secret authentication information of users
    9.2.5 Review of user access rights
  9.3 USER RESPONSIBILITIES
    9.3.1 Use of secret authentication information
  9.4 SYSTEM AND APPLICATION ACCESS CONTROL
    9.4.1 Information access restriction
    9.4.2 Secure logon procedures
    9.4.3 Password management system
    9.4.4 Use of privileged utility programs
    9.4.5 Access control program source code
10 CRYPTOGRAPHY
  10.1 CRYPTOGRAPHIC CONTROLS
    10.1.2 Key management
12 OPERATIONS SECURITY
  12.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES
    12.1.2 Change management
  12.4 LOGGING AND MONITORING
    12.4.1 Event logging
    12.4.2 Protection of log information
    12.4.3 Administrator and operator logs
  12.5 CONTROL OF OPERATIONAL SOFTWARE
    12.5.1 Installation of software on operational systems
  12.7 INFORMATION SYSTEMS AUDIT CONSIDERATIONS
    12.7.1 Information systems audit controls
13 COMMUNICATIONS SECURITY
  13.1 NETWORK SECURITY MANAGEMENT
    13.1.1 Network controls
    13.1.2 Security of network services
    13.1.3 Segregation in networks
14 SYSTEM ACQUISITION, DEVELOPMENT, AND MAINTENANCE
  14.2 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
    14.2.1 Secure development policy
    14.2.6 Secure development environment
  14.3 TEST DATA
    14.3.1 Protection of test data
16 INFORMATION SECURITY INCIDENT MANAGEMENT
  16.1 MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS
    16.1.2 Reporting information security events
    16.1.3 Reporting information security weaknesses
    16.1.7 Collection of evidence
17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
  17.1 INFORMATION SECURITY CONTINUITY
    17.1.2 Implementing information security continuity
    17.1.3 Verify, review, and evaluate information security continuity
18 COMPLIANCE
  18.1 COMPLIANCE WITH LEGAL AND CONTRACTUAL REQUIREMENTS
    18.1.2 Intellectual property rights
    18.1.3 Protection of records
  18.2 INFORMATION SECURITY REVIEWS
    18.2.1 Independent review of information security
    18.2.2 Compliance with security policies and standards
    18.2.3 Technical compliance review

Security best practices have been adopted in almost every regulation and framework. ISO 27002 is no different: monitoring and managing privileges and sessions form a fundamental part of managing the privileged attack vector and thwarting threat actors. Mapping these controls to your privileged access management deployment will help close off many of the attack vectors that we have discussed.

GDPR

The General Data Protection Regulation (GDPR) is one of the most important movements in the area of data protection in recent years. It was passed into European Union (EU) law on April 28, 2016, and became enforceable on May 25, 2018. Over several hundred million dollars in fines have already been levied for GDPR violations since the law went into effect.

In summary, the GDPR defines controls around how organizations store and process the personal data of EU citizens, irrespective of where the organization is based, owned, or operating. Anyone storing or processing the personal data of an EU citizen must comply with the GDPR or face significant fines in the event of a failed audit or data breach. Those fines can be up to 4% of the organization’s global turnover, or €10m, whichever is greater. With this level of impact, it is vital that all organizations understand their obligations under the GDPR and take appropriate measures to ensure they are compliant by demonstrating that the proper controls are in place to protect information.

GDPR was designed to simplify requirements and not introduce a massive new burden on organizations. In fact, GDPR consolidates the 28 distinct implementations of the previous Data Protection Directive (95/46/EC) into one regulation for consistency, standardized version control, and reporting. To that end, the GDPR provides guidance relating to the protection of natural persons with regard to the processing of personal data and requirements relating to the free movement of personal data, including PII. It protects fundamental rights and freedoms of natural persons (human identity in GDPR terminology) and, in particular, their right to the protection of personal information. It also allows for unrestricted movement of personal data within the EU and requires that collected data be deleted or removed upon request of the user, protecting their digital identity. The regulation defines scope in two ways:
  • Material Scope: How data is processed

  • Territorial Scope: Where data is processed

In material terms, GDPR applies to the processing of personal data wholly or partly by automated (electronic) means and to processing other than by automated means, that is, as part of a paper or manual filing system. Processing related to the prevention, investigation, detection, or prosecution of criminal offenses, execution of penalties, and safeguarding public security is excluded from the GDPR. This is an important differentiation since law enforcement and their investigations are not participatory entities and may have exclusions when collecting personal data from organizations normally governed by GDPR.

In territorial terms, GDPR applies to the processing of personal data for data subjects who are in the European Union (EU)—in particular, when related to the offering of goods and services (irrespective of whether payment is required) and monitoring of their personal behavior. The regulation also applies to the processing of data by a controller wherever Member State law applies, through public international law.

Therefore, the million-dollar question is surprisingly simple—when is your organization required to comply with GDPR? There are several key areas to consider:
  • Consent of the Data Subject: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Beyond the pure collection and processing of personal data, the GDPR also lays out specific requirements around the consent of the data subject for both the collection and processing of their data. This consent requires affirmation by the data subject to show consent to each form of processing the collected data will undergo; consent can no longer be given in a blanket manner, that is, covering multiple processes. Consent can also be withdrawn at any time by the data subject. For more detailed information, see Article 7 of the GDPR.

  • Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The regulation provides a much stronger response to personal data breaches than previous directives and regional legislations. It requires that the controller notify the supervisory authority of any personal data breach no later than 72 hours after having become aware of the breach. If the notification cannot be given within 72 hours, the controller will be required to provide the reasons for the delay. If the controller can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of the natural persons whose data has been breached, the need for notification within the timeframe is removed, but notification must still be made.

  • Accountability: The GDPR also defines clear accountability for the controller over the management of personal data. The controller must ensure that data is processed lawfully, fairly, and transparently; that data is only collected for specified, explicit, and legitimate purposes and is adequate, relevant, and limited to only what’s necessary for the consented processing. The controller is also responsible for ensuring the personal data is accurate and, where necessary, kept up-to-date. The data should also be kept for no longer than is necessary for the purposes for which the personal data is processed. Also, the data must be processed in a manner that ensures appropriate security of the personal data, for example, not allowing it to be subject to a personal data breach. As a controller, you have responsibility for, and must be able to demonstrate, compliance with the defined regulation. As is clear from this, you must have control over who has access to personal data, when they accessed the data, and what was done with the data. As far as possible, it is also vital to ensure that there are no opportunities for unauthorized access to the personal data. This is where privileged access management becomes a critical component of your GDPR strategy.

As a discipline, privileged access management (PAM) offers a number of solutions that can help organizations achieve GDPR compliance:
  • A privileged password management solution can help control who has access to operating systems, applications, databases, infrastructure, and cloud resources and provide attestation reporting on complete session activity to avoid inappropriate activity and access at a controller.

  • Server least privilege management solutions can manage privileged access to commands and applications, eliminating the need for root access and sudo.

  • Endpoint least privilege management solutions can anonymize data collected around user and administrative activity, ensuring data cannot be linked to individuals within a single data store.

  • Remote access solutions can regulate and authorize access at a controller to sensitive data stores to prevent unauthorized access that might lead to a breach.

CCPA

The California Consumer Privacy Act (CCPA) has been quoted as the beginning of America’s GDPR-type data privacy laws. Similar to the GDPR, the CCPA requires organizations to focus first on consumer data in 2020 and then personal data shared between businesses in 2021. It requires organizations to provide transparency in how they are collecting, sharing, and using personal information based on an individual’s request. And remember, a privileged account typically can access this data en masse, making it relevant, from an incident or breach perspective, to secure.

Based on the GDPR requirements covered earlier, it should not be a difficult extension for an organization to cover CCPA unless their business has no overseas activity in Europe. Then the ramifications can be costly to implement. Therefore, to assist global organizations, a comparison between GDPR and CCPA has been created in Table 20-3. It is important to note that internal policies, processes, and systems will still need to be updated to address differences between the two laws.
Table 20-3. A Comparison of GDPR to CCPA

Governance | GDPR | CCPA
Scope | All personal data collected for European Union citizens | All California residents whose personal data is collected after January 2020 and for business-to-business data, starting January 2021
Right to Access | An individual has the right to review all European Union personal data processed for an individual | An individual has the right to access personal data in scope collected for the last 12 months with restrictions imposed on whether the data was stored, sold, or transferred between organizations
Right to Portability | Data must be able to import and export in a user-friendly format. This is similar to US HIPAA regulations | All individual access requests must be exportable in a user-friendly format, but there is no requirement for importing data
Right to Remediate | An individual reserves the right to correct and verify any personal European Union data that has been collected | CCPA lacks a corrective actions provision for personal data
Right to Halt Processing | An individual has the right to withdraw consent or stop processing, within an entity, of personally collected data | An individual has the right to “opt-out” of selling personal data and businesses must provide an opt-out link or procedure on their website or through a similar data collection vehicle
Right to Stop Automation | An individual has the right to enforce a human decision in an automated process that may have a legal effect for the inquiring party | CCPA has no provisions to stop automated decision-making
Right to Stop Information Sharing | An individual has the right to request the halting of third-party data transfers based on a specific category of data | An individual has the right to “opt-out” of selling their personal information to third parties
Right to Information Erasure | A European Union citizen can request the right to erase personal data if specific conditions are met | An individual has the right to erase personally collected data only under specific conditions
Individual Damages | No limits to pursue damages based on actions | Each consumer breach is limited to a minimum of $100 and a maximum of $750 per data breach event
Enforcement Penalties | Global annual revenue is capped at 4% | Regulator penalties are limited to $2500 for unintentional violations and $7500 for intentional violations

ASD

The Australian Signals Directorate (ASD) has developed a list of strategies to mitigate targeted cyber intrusions. The recommended mitigation strategies were developed in 2014 through ASD’s extensive experience in operational cybersecurity, including responding to serious cyber intrusions and performing vulnerability assessments and penetration testing for Australian Government Agencies.

In 2017, the ASD expanded the Top 4 recommendations to contain the Essential Eight. The dynamic nature of cybersecurity required a course correction to address the latest threats, like ransomware. Businesses and governments are accustomed to broad stroke changes occurring every few years, but rarely are recommendations made that are very precise to manage specific threats. The Essential Eight are the following:

Australian Signals Directorate Top 4 (Original from 2014)
  1. Application whitelisting of permitted/trusted programs, to prevent the execution of malicious or unapproved programs, including executables, scripts, and installers.

  2. Patch applications—for example, Java, PDF viewer, Flash, web browsers, and Microsoft Office. Patch/mitigate systems with “extreme risk” vulnerabilities within 2 days. Use the latest version of applications.

  3. Patch operating system vulnerabilities. Patch/mitigate systems with “extreme risk” vulnerabilities within 2 days. Use the latest suitable operating system version. Avoid Microsoft Windows XP.

  4. Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing.

Essential Eight (Amended in 2017)
  5. Disable untrusted Microsoft Office Macros, so malware cannot run unauthorized routines.

  6. Block web browser access to Adobe Flash, web advertisements, and untrusted Java code on the Internet. If possible, uninstall all browser plug-ins that are not required.

  7. Apply multi-factor authentication for all systems when possible to make it harder for an adversary to access a system and information.

  8. Perform daily backup of important data securely and offline to ensure even if data is compromised, protected versions are available for recovery.

Based on a threat actor’s methods to gain privileges, these recommendations are completely in line with the threats solved by privileged access management. The privileged attack vector mitigation is included in the Top 4 and Essential Eight (5–7) and represents a refined strategy to stop threats worldwide. Number eight is a backup discipline and is not a privileged attack vector. It can, however, be used for remediation for attacks like ransomware.

MAS

The Monetary Authority of Singapore (MAS) was founded in 1971 to oversee various monetary functions associated with financial and banking institutions. Throughout the years, their guidelines have been revised to manage emerging technologies and the evolving threat landscape. In June 2013, the MAS created a new set of guidelines for Internet Banking and Technology Risk Management (IBTRM). This addendum mandated certain requirements for Technology Risk Management (TRM) and contained a set of guidelines as well (TRM Guidelines), along with errata notices (TRM Notices).

The TRM Guidelines are statements of industry best practices to which financial institutions are expected to adhere. The guidance is not legally binding, but is used by MAS in risk assessment audits of financial institutions.

Privilege as an attack vector considers four of these MAS TRM sections relevant when protecting privileges from a threat actor:
  • Section 4: Technology Risk Framework

  • Section 6: Acquisition and Development of Information Systems

  • Section 9: Operational Infrastructure Security Management

  • Section 11: Access Control

SWIFT

The Society for Worldwide Interbank Financial Telecommunications (SWIFT) Customer Security Controls Framework 1.0, published on March 31, 2017, describes a set of mandatory and advisory security controls for participating SWIFT financial organizations. The framework is divided into three objectives:
  • Secure Your Environment
    • Restrict Internet Access

    • Protect Critical Systems from General IT Environment (Lateral Movement)

    • Reduce Attack Surface and Vulnerabilities

    • Physically Secure the Environment

  • Know and Limit Access
    • Prevent Compromise of Credentials

    • Manage Identities and Segregate Privileges (PAM)

  • Detect and Respond
    • Detect Anomalous Activity to Systems or Transaction Records

    • Plan for Incident Response and Information Sharing

SWIFT requires that users self-attest compliance against the mandatory security controls (it is optional for the advisory controls). PAM provides coverage for the following mandatory controls:
  • 1.1 Operating System Privileged Account Control

  • 2.1 Internal Data Flow Security

  • 2.2 Security Updates

  • 2.3 System Hardening

  • 2.6 Operator Session Confidentiality and Integrity

  • 2.8 Critical Activity Outsourcing

  • 4.1 Password Policy

  • 4.2 Multi-Factor Authentication

  • 5.1 Logical Access Control

  • 5.4 Physical and Logical Password Storage

  • 6.2 Software Integrity

  • 6.4 Logging and Monitoring

Organizations can address their compliance and security requirements as defined in the SWIFT Customer Security Controls Framework by implementing PAM solutions. Please note, if your organization currently adheres to the NIST Cybersecurity Framework, ISO 27002, or PCI DSS, SWIFT provides mappings to other frameworks to expedite compliance verification and to help avoid duplication of efforts in attestation reporting.

MITRE ATT&CK

While technically not a regulatory compliance framework, the MITRE ATT&CK¹ knowledge base is designed to help third parties discover, prioritize, categorize, and recommend strategies for threat remediation. It is a practical structure based on real-world attacks that are categorized by operating system, privileges, method, and technical details for classes of attack vectors. Not surprisingly, the vast majority of attacks can be mitigated by privileged access management solutions, especially when password management, endpoint least privilege management, and remote access capabilities are used in concert. Organizations are using the knowledge base as a guide to prove their risk mitigation strategies actually meet compliance objectives for risk reduction.

Based on MITRE’s Enterprise Tactics,² privileged access management solutions can detect, prevent, or respond to the following attack vectors:
  • Initial Access (TA0001): Represents the vectors adversaries use to gain an initial foothold within a network.

  • Execution (TA0002): Represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with initial access as the means of executing code once access is obtained, and lateral movement to expand access to remote systems on a network.

  • Persistence (TA0003): Any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or an alternate backdoor for them to regain access.

  • Privilege Escalation (TA0004): The result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. Adversaries can enter a system with unprivileged access and must take advantage of a system weakness to obtain local administrator or SYSTEM/root-level privileges. A user account with administrator-like access can also be used. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.

  • Defense Evasion (TA0005): Consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. Defense evasion may be considered a set of attributes the adversary applies to all other phases of the operation.

  • Credential Access (TA0006): Represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. This allows the adversary to assume the identity of the account, with all of that account’s permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.

  • Discovery (TA0007): Consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.

  • Lateral Movement (TA0008): Consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.

  • Collection (TA0009): Consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

  • Exfiltration (TA0010): Refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

  • Command and Control (TA0011): Represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication.

  • Impact (TA0040): The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

While each Enterprise Tactic comprises multiple Technique IDs,³ the detection, privileges, and mitigation detail provide a blueprint for using a tool, solution, policy, or configuration change to thwart each item as an attack vector. This alone is why many organizations embrace the MITRE ATT&CK framework: it provides real-world guidance vs. the theoretical aspirations of many legally binding regulatory compliance frameworks. And, if you manage to implement privilege security controls based on these real-world threats, it demonstrates compliance for many other regulatory initiatives.