Control 16 Mapping to the NIST Cybersecurity Framework
9 hours 54 minutes
Hey, everyone, welcome back to the core. So in the last video, we took a brief overview of CIA's control 16 which is account monitoring and control. And in this video, we're going to take a look at how that maps up to the NIST CSF.
So some control. 16.1. We need to maintain an inventory of our authentication systems, so that matches up to P. R. A. C. Dash one, which we seem to four in previous modules.
Sub control. 16 2 We need to have that centralized point of authentication. So we talked earlier about having that centralized point for our anti malware solution. Similar thought process here, right when we need one centralized point that we can then authenticate everyone and remove authentication if needed. That makes it so much easier. When people change job roles, they change departments
or they leave our company
and you'll see here there's not a direct 1 to 1 match in the NIST CSF.
Next up we have some control 16.3, which when we're just requiring that multi factor authentication you've heard it drilled down many times throughout this course so far. Multi factor multi factor multi factor authentication, and so again, you want to put that in place if you don't already have it. So make sure that
the users devices etcetera are all using multi factor authentication,
some control. 16 encryption or hashing authentication credentials, preferably encrypting it
and just making sure that you're protecting that information.
Self control. 16 5 Encrypting the transmission of your use name or other authentication information, right? So an example. I can't just use a tool like wire shark or snort and sniff that traffic and then get your log in information, so just make sure you're encrypting that data
some control. 16 6 Meeting an inventory of all of the user accounts so again that goes back to the centralized management. Right. Centralized authentication management. So when a user is terminated in the system, or when they're transferring departments etcetera, we can maintain their account properly and give them the only the access they need. Tohave,
some control. 16 Sevens where we established the process for revoking access, right, so somebody changes departments. If they quit their job, we fire them. Or if we just have to revoke some of their access because of their user activity, they're doing, then we need to be able to have a process in place. Just tell us, how do we actually do that?
Some control? 16 8 So any unassociated account? So any old accounts in there that aren't associated with the active user? Make sure you disabled those because those could always be used by a nefarious actor to get into your systems
some control. 16 9 Disabling any dormant accounts as well. So going back to the previous one just if it's not an account that's actively and use, just go ahead and disable those and revoke all permissions,
some control. 16. 10 Ensuring all the accounts have an expiration date.
So again, just going back to the same process of if the accounts not active, we need to make sure we expire it. One issue I ran into in the health care industry is I would create users that would come on board, and then before they actually finished orientation, they would quit. Right?
And the problem was, no one would tell me eso so I wouldn't know that this wasn't an active user, right? So I figured what I did is I would put a put on alert That said, if they haven't loved in within a week,
send me an email because with the particular system we were using for the EMR,
if they didn't walk in within a week, I would have to reset their passwords anyways, Right? So I would just have an alert sent to me, and then I would follow up with HR and say Hey, and they're like, Oh, yeah, they never finished orientation. So just make sure you got things in place to ensure that number one all the accounts have some kind of expiration if they're not so basically, if they haven't logged in at a certain point, it terminates the account.
And number two, make sure you have a process in place with, like, HR. So you know
when people are actually leaving the company
some control 16 11. Always make sure the lot toe lock the workstations. I can't tell you how many times that I've just in, You know, I'm one of good people, right? Because I've seen so many times in the health care industry working for these different organizations that people do not lock their computers, they walk away from it and they don't lock it. And I'm just like, man like your
you're the VP of finance writer, accounting or whatever.
I could cause so much chaos right now for the company. I could send myself a bunch of money. I could do all these things because you didn't lock your computer. So users just understand user behavior. They're not usually going to lock their own computer. Most people aren't. So you need to put something in place that after a certain period of an activity at times, um, out and locks your computer.
Yes, they'll complain, but it's for their overall benefit.
Some control 16 12. So monitor any attempts to access the activity counts. And once you terminate those accounts,
let's say that Joey and Accounting was fired and you terminate that account. Is Joey trying to log into that account from from an external source? Right. So monitor that stuff and alert to it. And if there's something the you delve criminal in nature where they need to be reported, definitely take the appropriate steps for your organization.
Some control. 16 13. So alert on any count, log and behavior,
that's a deviation, right? So what does that I normally log in from 9 to 5, and it's the only time you ever see me log in.
But now all of a sudden I'm logging in a 2 a.m. on a Saturday night, right? That doesn't make any sense for me, right? So that's usually an indication that it's something nefarious going on some nefarious actor now. It could just mean that I had an extra assignment that week. I had to get done right, So I'm I'm logging in late to work on that. But
you want to alert on that. So then you could follow up and make sure it's it's either legit or not legit.
So in this video, we just took a look at control number 16 again around account monitoring and control. And a lot of that is just best practices, right? You make sure you have multi factor authentication, disabling accounts that shouldn't be active anymore and then monitoring when people try to access those accounts
in the next module, we're gonna take a look at CS Control 17 where we talk about implementing a security awareness and training programs. What's gonna notice and the next few controls that we do? Is there is not going to be a significant amount of mapping, usually to the new cybersecurity framework. But we're gonna talk about just some of the things with these various controls,
and if they do a map to the noose CSF in some capacity, we'll talk about that as well.