096 – Set user's required privileges

Summary

The privileges required by the users who will access the system must be defined.

Description

Systems should have a set of roles with different levels of privileges to access resources. The privileges of each role must be clearly defined and the role of each user should also be clearly stated.

Supported In

Essential: True

Advanced: True

References

CAPEC-1. Accessing functionality not properly constrained by ACLs
CAPEC-122. Privilege abuse
CAPEC-690. Metadata Spoofing
CIS-3_3. Configure data access control lists
CWE-250. Execution with unnecessary privileges
CWE-276. Incorrect default permissions
HIPAA-164_312_a_1. Standard: access control
HIPAA-164_312_d. Standard: person or entity authentication
NERCCIP-005-5_R1_3. Electronic security perimeter
NIST80053-AC-2_6. Dynamic privilege management
NIST80053-AC-2_7a. Establish and administer privileged user accounts
NIST80053-AC-2_7b. Monitor privileged role or attribute assignments
NIST80053-AC-2_7c. Monitor changes to roles or attributes
OWASP10-A1. Broken access control
OWASP10-A7. Identification and authentication failures
BIZEC-APP-04. Improper authorization (missing, broken, proprietary, generic)
CERTC-FIO32-C. Do not perform operations on devices that are only appropriate for files
MITRE-M1018. User account management
MITRE-M1024. Restrict registry permissions
MITRE-M1026. Privileged account management
MITRE-M1052. User account control
PADSS-5_2_8. Improper access controls
PDPO-S1_4. Security of personal data
CMMC-AC_L1-3_1_1. Authorized access control
CMMC-AC_L2-3_1_4. Separation of duties
CMMC-AC_L2-3_1_6. Non-privileged account use
CMMC-AC_L2-3_1_15. Privileged remote access
CMMC-SC_L2-3_13_3. Role separation
CMMC-SC_L2-3_13_4. Shared resource control
HITRUST-01_c. Privilege management
HITRUST-01_q. User identification and authentication
HITRUST-07_b. Ownership of assets
HITRUST-09_c. Segregation of duties
HITRUST-09_r. Security of system documentation
HITRUST-10_j. Access control to program source code
FEDRAMP-AC-2_7. Account management - Role-based schemes
FEDRAMP-AC-6_1. Least privilege - Authorize access to security functions
FEDRAMP-AC-6_2. Least privilege - Non-privileged access for nonsecurity functions
FEDRAMP-CM-5_5. Access restrictions for change - Limit production, operational privileges
FEDRAMP-PS-3_3. Personnel screening - Information with special protection measures
ISO27002-5_16. Identity management
ISO27002-7_2. Physical entry controls
ISO27002-8_2. Privileged access rights
ISO27002-8_3. Information access restriction
LGPD-46. Security and Secrecy of Data
IEC62443-UC-2_1. Authorization enforcement
WASSEC-6_2_1_2. Authentication - Insufficient authentication
OSSTMM3-9_15_2. Wireless security (privileges audit) - Authorization
WASC-A_12. Content spoofing
WASC-W_17. Improper filesystem permissions
WASC-W_02. Insufficient authorization
ISSAF-P_6_15. Host security - Linux security (local attacks)
ISSAF-Q_16_20. Host security - Windows security (local attacks)
ISSAF-S_5_1. Web server security - Countermeasures (secure administrative access)
ISSAF-U_11. Web application SQL injections - Get control on host
ISSAF-U_15. Web application SQL injections – Countermeasures
MVSP-4_2. Operational controls - Logical access
OWASPSCP-5. Access control
BSAFSS-IA_2-2. Policies to control access to data and processes
NIST800171-1_1. Limit system access to authorized users, processes acting on behalf of authorized users and devices
NIST800171-1_7. Prevent non-privileged users from executing privileged functions
NIST800171-3_9. Limit management of audit logging functionality to a subset of privileged users
NIST800171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
CWE25-269. Improper Privilege Management
CWE25-862. Missing authorization
CWE25-863. Incorrect Authorization
SWIFTCSC-5_1. Logical access control
ASVS-1_2_1. Authentication architecture
C2M2-4_1_g. Establish identities and manage authentication
C2M2-8_3_c. Assign cybersecurity responsibilities
PCI-1_4_3. Implement anti-spoofing measures
PCI-1_4_4. Network connections between trusted and untrusted networks are controlled
PCI-7_2_2. Access to system components and data is appropriately defined and assigned
PCI-7_3_2. Access to system components and data is managed via an access control system
SIGLITE-SL_33. Are staff able to access client Scoped Data in an unencrypted state?
SIG-D_4_4_1. Asset and information management
ASVS-4_1_1. General access control design
ASVS-4_1_2. General access control design
OWASPAPI-API5. Broken Function Level Authorization
ISO27001-5_16. Identity management
ISO27001-7_2. Physical entry controls
ISO27001-8_2. Privileged access rights
ISO27001-8_3. Information access restriction
CASA-4_1_1. General Access Control Design
CASA-4_1_2. General Access Control Design
FISMA-AC-2_6. Dynamic privilege management
FISMA-AC-2_7a. Establish and administer privileged user accounts
FISMA-AC-2_7b. Monitor privileged role or attribute assignments
FISMA-AC-2_7c. Monitor changes to roles or attributes
SANS25-11. Missing authorization
SANS25-22. Improper Privilege Management
SANS25-24. Incorrect Authorization
NIST-PR_AA-04. Identity assertions are protected, conveyed, and verified

Weaknesses

159 – Excessive privileges
160 – Excessive privileges - Temporary Files
201 – Unauthorized access to files
202 – Unauthorized access to files - Debug APK
203 – Unauthorized access to files - Cloud Storage Services
204 – Insufficient data authenticity validation
266 – Excessive Privileges - Docker
267 – Excessive Privileges - Kubernetes
325 – Excessive privileges - Wildcards
346 – Excessive privileges - Mobile App
430 – Serverless - one dedicated IAM role per function
031 – Excessive privileges - AWS
032 – Spoofing
039 – Improper authorization control for web services
073 – Improper authorization control for web services - RDS
075 – Unauthorized access to files - APK Content Provider

Last updated

2024/03/05