
The below will appear on the Refined page at https://iasme.atlassian.net/wiki/spaces/CEKH/pages/2576646422/User+Access+Control+FAQ#

QUESTION

ANSWER

Why is user access control important?

Every person with an account in your organisation has some level of access to your data and services. By controlling how much access they have, you can reduce the risk of data being stolen or damaged.

What is meant by a ‘user account’?

A user account is a standard account with a low level of privilege. This means that it cannot, for example, install software, change system settings, or create new accounts. Such privileges are reserved for admin accounts and

What is meant by an ‘admin account’?

An admin or administrator account is an account with a high level of control over a system. This means that the potential for damage is higher if such an account is compromised. Therefore you should treat this type of account with care and use it only when an administrative task requires it.

Why should I not use my admin account for day-to-day work or accessing the internet?

A common cyber attack involves trying to install malicious software (malware) onto a device. This can be done by tricking the user into opening an email attachment or visiting a website. However, only admin accounts are allowed to install software, so if this is attempted from a user account the attack is unlikely to succeed. This is why you should not use your admin account to access email or websites - if you make a mistake and accidentally click on something malicious, the risk of compromise is far higher.

What is application allow listing?

What is application signing?

Is brute force device locking now mandatory? What are the requirements if so?

You'll need to use either throttling or account locking after 10 failed attempts to protect against brute force attacks.
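The two options named above can be shown side by side in code. The following is an added example written for this FAQ, not scheme guidance or IASME tooling: a small login guard that either locks an account after 10 consecutive failures or imposes a growing delay between attempts. The threshold of 10 comes from the requirement; the lockout length, the throttle cap, the account names and the manual clock are constructed for the demonstration.

```python
import time
from dataclasses import dataclass

# Cyber Essentials requires throttling or account locking after 10 failed
# attempts. The threshold is the requirement; the other two values are
# constructed defaults for this example.
MAX_FAILED_ATTEMPTS = 10
LOCKOUT_SECONDS = 15 * 60        # how long a locked account refuses logins
THROTTLE_CAP_SECONDS = 5 * 60    # upper bound on the growing wait between tries


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # lockout mode: logins refused until this time
    next_allowed: float = 0.0  # throttle mode: earliest time the next try is accepted


class ManualClock:
    """A clock advanced by hand so the behaviour can be shown without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class LoginGuard:
    """Tracks failed logins per account and enforces lockout or throttling.

    mode="lockout":  refuse every attempt for LOCKOUT_SECONDS once
                     MAX_FAILED_ATTEMPTS consecutive failures are reached.
    mode="throttle": double the mandatory wait after each failure
                     (1s, 2s, 4s, ... capped), so 10 guesses cannot be made quickly.
    """

    def __init__(self, mode="lockout", clock=time.monotonic):
        if mode not in ("lockout", "throttle"):
            raise ValueError("mode must be 'lockout' or 'throttle'")
        self.mode = mode
        self.clock = clock
        self.accounts = {}

    def _state(self, username):
        return self.accounts.setdefault(username, AccountState())

    def attempt(self, username, password_ok):
        """Record one login attempt; returns 'ok', 'failed', 'locked' or 'throttled'.

        `password_ok` is the result of the caller's real credential check; the
        guard only decides whether the attempt is admitted and counts failures.
        """
        now = self.clock()
        state = self._state(username)

        if self.mode == "lockout":
            if now < state.locked_until:
                return "locked"      # refused regardless of the password supplied
            if state.locked_until:
                # the lockout has expired: start counting afresh
                state.failures, state.locked_until = 0, 0.0
        elif now < state.next_allowed:
            return "throttled"       # too soon; retrying does not shorten the wait

        if password_ok:
            self.accounts.pop(username, None)   # success clears the failure history
            return "ok"

        state.failures += 1
        if self.mode == "lockout":
            if state.failures >= MAX_FAILED_ATTEMPTS:
                state.locked_until = now + LOCKOUT_SECONDS
                return "locked"
        else:
            delay = min(2 ** (state.failures - 1), THROTTLE_CAP_SECONDS)
            state.next_allowed = now + delay
        return "failed"

    def seconds_until_allowed(self, username):
        """How long the named account must still wait before a login is admitted."""
        state = self._state(username)
        deadline = state.locked_until if self.mode == "lockout" else state.next_allowed
        return max(0.0, deadline - self.clock())


if __name__ == "__main__":
    clock = ManualClock()
    guard = LoginGuard("lockout", clock)
    for _ in range(MAX_FAILED_ATTEMPTS):
        result = guard.attempt("alice", password_ok=False)   # constructed account name
    print(result, guard.seconds_until_allowed("alice"))
```

Lockout stops an attacker outright but can be used to deny service to a legitimate user; throttling keeps the account usable while making guessing impractically slow. Either satisfies the requirement, and whichever is chosen should apply to admin accounts as well as user accounts.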

Are shared accounts permissible under certain circumstances, such as a shared third-party web application account? Or are they not allowed at all?

Shared accounts are not compliant with the Cyber Essentials scheme. Unique accounts are required for all users and administrators. As stated in the Cyber Essentials Requirements, you need to ensure that user accounts are assigned to authorised individuals only and provide access to only those applications, computers and networks required for the user to perform their role.

When using third-party cloud services (such as MS365) is it acceptable to use one centralised mobile device owned by one user to retrieve the authentication code, even if there are various users using the system?

It's acceptable but perhaps not advisable. For example - what happens if you lose the phone? You would need to consider various scenarios and what might happen if problems occurred.

Why the need for controls on personally-owned devices accessing virtual desktops as clients?

Client access software needs to run on a supported operating system, and that client access software must be kept up to date with all the latest security updates. There are known commodity attacks against devices trying to access those sessions and screen recording those sessions, so they must remain in scope.

Why is it important to have separate user and admin accounts?

Because admin accounts provide far greater control over the device, any attack which compromises an admin account can have more serious effects. Consider the scenario where a user is logged in to a user account and clicks on a malicious link. The link may attempt to install malicious software such as ransomware or spyware onto the device. However, because a user account does not have sufficient privileges to install software, the attempt would fail. But if the logged-in account was an admin account, the software installation could succeed and the attacker could then take control of the machine and carry out any number of damaging activities. That is why day-to-day activities should be done using a user account, and admin accounts must not access the internet or emails.

If an organisation has a policy that we do not allow personally-owned devices, is a technical control needed to stop unauthorised devices from connecting?

A common solution is to monitor your cloud services and not allow devices to connect unless they are authorised devices supplied by the organisation. Asset management can play a role here, as you would need to understand how and which devices are connecting to your cloud services.

Why the need for controls on personally-owned devices accessing virtual desktops as clients?

There are known commodity attacks against such devices which try to access or screen record sessions, so they must remain in scope. Client access software must be running on a supported operating system and the software must be kept up to date with the latest security updates.

While admin accounts shouldn't be used on a day-to-day basis, what about when admin privileges are temporarily needed to install software or run scripts? 

All admin accounts need to be approved by a person of authority.
The requirement is that every administrator has both a user account and an admin account, and the admin account is only used to perform administrative tasks and must not access email or websites.
This can be achieved by policy, education and technical controls. If using technical controls these must be compliant with Cyber Essentials.

Some developers need local admin access to compile, debug and check-in source code changes using their standard account. Would this fail the Cyber Essentials assessment and if so, how do organisations manage their local admin privilege needs for development team members?

It would not automatically fail a Cyber Essentials assessment, but would be an issue if certifying for Cyber Essentials Plus. Account separation is a core control and if this can't be achieved, we would suggest de-scoping the developer network by creating a subset using a firewall or VLAN.

If we have a generic account used by a few people, which is managed using an auto-lock and a fingerprint reader, would this be compliant with Cyber Essentials?

Shared accounts are not compliant with the Cyber Essentials scheme. Unique accounts are required for all users and administrators - you need to ensure that user accounts are assigned to authorised individuals only and provide access to only those applications, devices and networks required for them to perform their role.

Does a 'break glass' account need to have MFA applied or would it be out of scope?

Break glass accounts should still have a form of MFA applied, but should use an alternative method of MFA to other users. An example of MFA for a break glass account could be logging into it from a trusted managed device.
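The account rules stated across several answers above (no shared accounts, every administrator holding a separate user account, admin accounts that cannot reach email or websites, and a break glass account with its own MFA method) can be checked mechanically against an account inventory. The following is an added example for this FAQ, not IASME or scheme tooling: it audits a constructed inventory and reports each departure from those rules. The account names, the field layout and the MFA method names are assumptions made for the demonstration; a real inventory would be exported from the organisation's directory or cloud tenant.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    owners: tuple        # named individuals authorised to use the account
    is_admin: bool       # admin/administrator account (high level of control)
    has_mailbox: bool    # the account can receive email
    web_browsing: bool   # the account is permitted to browse websites
    mfa: str             # "none" or the name of the MFA method in use
    break_glass: bool = False


def audit(accounts):
    """Return one finding per rule broken by an account in the inventory."""
    findings = []
    # individuals who hold at least one standard (non-admin) account
    standard_owners = {o for a in accounts if not a.is_admin for o in a.owners}
    # the MFA method "other users" rely on: the most common one outside break glass accounts
    usual_mfa = Counter(a.mfa for a in accounts if not a.break_glass and a.mfa != "none")
    common_mfa = usual_mfa.most_common(1)[0][0] if usual_mfa else None

    for a in accounts:
        # unique accounts assigned to authorised individuals only
        if len(a.owners) == 0:
            findings.append(f"{a.name}: not assigned to an authorised individual")
        elif len(a.owners) > 1:
            findings.append(f"{a.name}: shared by {len(a.owners)} people; unique accounts are required")

        if a.is_admin:
            # admin accounts must not access email or websites
            if a.has_mailbox or a.web_browsing:
                findings.append(f"{a.name}: admin account can access email or websites")
            # every administrator has both a user account and an admin account
            for owner in a.owners:
                if owner not in standard_owners:
                    findings.append(
                        f"{a.name}: administrator '{owner}' has no separate standard user account"
                    )

        if a.break_glass:
            # break glass accounts keep MFA, but via a method other users do not rely on
            if a.mfa == "none":
                findings.append(f"{a.name}: break glass account has no MFA")
            elif a.mfa == common_mfa:
                findings.append(
                    f"{a.name}: break glass account uses the same MFA method as other users ({a.mfa})"
                )
    return findings


# Constructed inventory for the demonstration; not real accounts.
SAMPLE_INVENTORY = (
    Account("alice", ("alice",), False, True, True, "authenticator-app"),
    Account("alice-admin", ("alice",), True, False, False, "authenticator-app"),
    Account("bob-admin", ("bob",), True, True, False, "authenticator-app"),
    Account("reception", ("carol", "dave"), False, True, True, "authenticator-app"),
    Account("svc-backup", (), False, False, False, "none"),
    Account("breakglass", ("alice",), True, False, False, "authenticator-app", break_glass=True),
)


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

Only alice's pair of accounts passes: the admin account has neither a mailbox nor web access, and the same individual holds a standard account for day-to-day work. Running the same checks on a real export before an assessment surfaces the shared and unassigned accounts that most commonly cause a failure.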
