by Josef Weiss
September 17, 2025

The Cyber Essentials is a UK government-backed framework designed to help organisations protect themselves against common threats. It provides a basic cyber security foundation that can serve as a stepping stone to a more comprehensive zero-trust approach. The Cyber Essentials is built on five key components that, when implemented correctly, can reduce cyber risk. The five key components are:
- Firewalls and Boundary Devices
- Secure Configurations
- Access Control
- Malware Protection
- Patch Management
Tenable has released a series of dashboards that focus on each of the five basic technical controls, which organisations can use to help strengthen their defences against the most common cyber threats.
The focus of this dashboard is Section 3 - Access Control. This key requirement supports the goal of reducing an organisation’s risk from the most common cyber threats. The Cyber Essentials focuses on preventing high-impact attacks, such as phishing, malware infection, and unauthorized access. Strong access control can limit the number of accounts that attackers can compromise and ensures that individuals have only the access required to perform their job functions.
This key component applies to all of the following in-scope devices: Boundary Firewalls, Desktop Computers, Laptops, Routers, Servers, IaaS, PaaS, and SaaS devices. Some items to focus on within this key component are:
- Administrative privileges are tightly controlled and monitored
- No shared accounts; every user must have their own unique account for auditing
- Access is granted on the principle of least privilege
- Users should have the minimum level of privileges to carry out their duties
- Strong passwords must be enforced
- Stale accounts are removed
- User accounts should be reviewed regularly
- Use multi-factor authentication (MFA)
Components
Authentication and Access Control - Compliance Checks - This component displays compliance information in the areas of user access, least privilege, password and authentication requirements, and administrative/root account control.
Default Credentials Summary - Default Credentials - The Default Credentials table presents hosts with default account names, default passwords, or default credentials in use.
InfoSec Team - Insecure items, Weaknesses and Default Credentials - The matrix displays host counts based on the type of scan results collected for common security misconfigurations, including: security weakness, insecurity, cleartext disclosure, and password concerns.
Account Weakness - Top 50 Account Compliance Issues - This table displays the top 50 compliance issues with 'account' in their name. Note that in order for data to appear in this table, appropriate audit/compliance scans must first be run on the network.