Summary

The privileges required by the users who will access the system must be defined.

Description

Systems should have a set of roles with different levels of privileges to access resources. The privileges of each role must be clearly defined and the role of each user should also be clearly stated.

References

• CAPEC-1. Accessing functionality not properly constrained by ACLs
• CAPEC-122. Privilege abuse
• CAPEC-690. Metadata Spoofing
• CIS-3_3. Configure data access control lists
• CWE-250. Execution with unnecessary privileges
• CWE-276. Incorrect default permissions
• HIPAA-164_312_a_1. Standard: access control
• HIPAA-164_312_d. Standard: person or entity authentication
• NERCCIP-005-5_R1_3. Electronic security perimeter
• NIST80053-AC-2_6. Dynamic privilege management
• NIST80053-AC-2_7a. Establish and administer privileged user accounts
• NIST80053-AC-2_7b. Monitor privileged role or attribute assignments
• NIST80053-AC-2_7c. Monitor changes to roles or attributes
• OWASP10-A1. Broken access control
• OWASP10-A7. Identification and authentication failures
• BIZEC-APP-04. Improper authorization (missing, broken, proprietary, generic)
• CERTC-FIO32-C. Do not perform operations on devices that are only appropriate for files
• MITRE-M1018. User account management
• MITRE-M1024. Restrict registry permissions
• MITRE-M1026. Privileged account management
• MITRE-M1052. User account control
• PADSS-5_2_8. Improper access controls
• PDPO-S1_4. Security of personal data
• CMMC-AC_L1-3_1_1. Authorized access control
• CMMC-AC_L2-3_1_4. Separation of duties
• CMMC-AC_L2-3_1_6. Non-privileged account use
• CMMC-AC_L2-3_1_15. Privileged remote access
• CMMC-SC_L2-3_13_3. Role separation
• CMMC-SC_L2-3_13_4. Shared resource control
• HITRUST-01_c. Privilege management
• HITRUST-01_q. User identification and authentication
• HITRUST-07_b. Ownership of assets
• HITRUST-09_c. Segregation of duties
• HITRUST-09_r. Security of system documentation
• HITRUST-10_j. Access control to program source code
• FEDRAMP-AC-2_7. Account management - Role-based schemes
• FEDRAMP-AC-6_1. Least privilege - Authorize access to security functions
• FEDRAMP-AC-6_2. Least privilege - Non-privileged access for nonsecurity functions
• FEDRAMP-CM-5_5. Access restrictions for change - Limit production, operational privileges
• FEDRAMP-PS-3_3. Personnel screening - Information with special protection measures
• ISO27002-5_16. Identity management
• ISO27002-7_2. Physical entry controls
• ISO27002-8_2. Privileged access rights
• ISO27002-8_3. Information access restriction
• LGPD-46. Security and Secrecy of Data
• IEC62443-UC-2_1. Authorization enforcement
• WASSEC-6_2_1_2. Authentication - Insufficient authentication
• OSSTMM3-9_15_2. Wireless security (privileges audit) - Authorization
• WASC-A_12. Content spoofing
• WASC-W_17. Improper filesystem permissions
• WASC-W_02. Insufficient authorization
• ISSAF-P_6_15. Host security - Linux security (local attacks)
• ISSAF-Q_16_20. Host security - Windows security (local attacks)
• ISSAF-S_5_1. Web server security - Countermeasures (secure administrative access)
• ISSAF-U_11. Web application SQL injections - Get control on host
• ISSAF-U_15. Web application SQL injections – Countermeasures
• MVSP-4_2. Operational controls - Logical access
• OWASPSCP-5. Access control
• BSAFSS-IA_2-2. Policies to control access to data and processes
• NIST800171-1_1. Limit system access to authorized users, processes acting on behalf of authorized users and devices
• NIST800171-1_7. Prevent non-privileged users from executing privileged functions
• NIST800171-3_9. Limit management of audit logging functionality to a subset of privileged users
• NIST800171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
• CWE25-269. Improper Privilege Management
• CWE25-862. Missing authorization
• CWE25-863. Incorrect Authorization
• SWIFTCSC-5_1. Logical access control
• ASVS-1_2_1. Authentication architecture
• C2M2-4_1_g. Establish identities and manage authentication
• C2M2-8_3_c. Assign cybersecurity responsibilities
• PCI-1_4_3. Implement anti-spoofing measures
• PCI-1_4_4. Network connections between trusted and untrusted networks are controlled
• PCI-7_2_2. Access to system components and data is appropriately defined and assigned
• PCI-7_3_2. Access to system components and data is managed via an access control system
• SIGLITE-SL_33. Are staff able to access client Scoped Data in an unencrypted state?
• SIG-D_4_4_1. Asset and information management
• ASVS-4_1_1. General access control design
• ASVS-4_1_2. General access control design
• OWASPAPI-API5. Broken Function Level Authorization
• ISO27001-5_16. Identity management
• ISO27001-7_2. Physical entry controls
• ISO27001-8_2. Privileged access rights
• ISO27001-8_3. Information access restriction
• CASA-4_1_1. General Access Control Design
• CASA-4_1_2. General Access Control Design
• FISMA-AC-2_6. Dynamic privilege management
• FISMA-AC-2_7a. Establish and administer privileged user accounts
• FISMA-AC-2_7b. Monitor privileged role or attribute assignments
• FISMA-AC-2_7c. Monitor changes to roles or attributes
• SANS25-11. Missing authorization
• SANS25-22. Improper Privilege Management
• SANS25-24. Incorrect Authorization
• NIST-PR_AA-04. Identity assertions are protected, conveyed, and verified

Weaknesses

• 031. Excessive privileges - AWS
• 032. Spoofing
• 039. Improper authorization control for web services
• 073. Improper authorization control for web services - RDS
• 075. Unauthorized access to files - APK Content Provider
• 159. Excessive privileges
• 160. Excessive privileges - Temporary Files
• 201. Unauthorized access to files
• 202. Unauthorized access to files - Debug APK
• 203. Unauthorized access to files - Cloud Storage Services
• 204. Insufficient data authenticity validation
• 266. Excessive Privileges - Docker
• 267. Excessive Privileges - Kubernetes
• 325. Excessive privileges - Wildcards
• 346. Excessive privileges - Mobile App
• 430. Serverless - one dedicated IAM role per function