Part Three: In-Depth Look at PAM Controls for DFARS Requirements

By Eric Noonan • October 12, 2016

CyberSheath’s security consultants and implementation engineers have previously written about utilizing privileged account management solutions to meet DFARS requirements, and this week we continue to explore DFARS control requirements in detail.

In this latest post in the “In-Depth Look at PAM Controls for DFARS Requirements” series, CyberSheath reviews a third NIST 800-171 control that a PAM solution like CyberArk can implement very effectively. The NIST 800-171 controls covered in this series are:

  1. NIST 800-171 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. NIST 800-171 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
  4. NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  5. NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  6. NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
  7. NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  8. NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

The third control, 3.1.7, is to “prevent non-privileged users from executing privileged functions and audit the execution of such functions”. In layman’s terms: do not give users who do not need privileged access the ability to execute privileged tasks, and audit the privileged tasks that are executed.

In CyberSheath’s previous posts, we have discussed the concept of least privilege and using tools like CyberArk’s On-Demand Privileges Manager (OPM) and Viewfinity to technically enforce least privilege while allowing elevated privileges when necessary. As a refresher, a “least privilege” access model means that end users are given the bare minimum access required to do their everyday job functions. When users need to execute privileged tasks, they can either check out an account from the Password Vault, use the OPM, or use Viewfinity on their workstation.

The CyberArk Privileged Account Management suite includes the Privileged Session Manager (PSM), a component used primarily as a jumpbox to transparently connect to target machines using secured privileged accounts. Since all of the traffic is redirected through the PSM jumpbox, it is also possible to record the sessions and monitor them live. Auditors and investigators can search for users that retrieved a password (whether the action was to view or copy the password, or to connect to a system using the target account). The audit capabilities can be further bolstered by requiring users to provide a reason for needing access to the privileged account, and even requiring correlation to a Service Desk ticket number. Recordings of the sessions can be searched for the titles of specific applications that may have been launched (such as gpedit or regedit) in Windows-type recordings, or for any text in UNIX-type recordings.
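As an added example (not CyberSheath’s or CyberArk’s code), the following script runs the 3.1.7-style audit checks described above over a constructed, simplified event log. The record layout, the approved-user list, the INC- ticket format and the set of privileged application titles are assumptions made for illustration, not CyberArk’s actual log schema.

```python
import re

# Constructed sample events (not real CyberArk output). Each record is one
# password retrieval or PSM connection, with the reason and ticket the user
# supplied and the window titles (Windows) or typed text (UNIX) found in the
# session recording.
SAMPLE_EVENTS = [
    {"user": "alice", "account": "DOMAIN\\svc-admin", "action": "connect",
     "reason": "Patch DC01", "ticket": "INC-1001",
     "recording": ["Local Group Policy Editor (gpedit)"]},
    {"user": "bob", "account": "DOMAIN\\svc-admin", "action": "view",
     "reason": "", "ticket": None, "recording": []},
    {"user": "carol", "account": "root@db01", "action": "connect",
     "reason": "Rotate logs", "ticket": "INC-1002",
     "recording": ["sudo systemctl restart postgresql"]},
    {"user": "dave", "account": "DOMAIN\\svc-admin", "action": "copy",
     "reason": "Testing", "ticket": "none",
     "recording": ["Registry Editor (regedit)"]},
]

# Assumptions for the example: who is approved for privileged functions,
# which application titles count as privileged, and the ticket format.
PRIVILEGED_USERS = {"alice", "carol"}
PRIVILEGED_APPS = re.compile(r"\b(gpedit|regedit)\b", re.IGNORECASE)
TICKET_FORMAT = re.compile(r"^INC-\d+$")


def audit_events(events, privileged_users=PRIVILEGED_USERS):
    """Map each audited user to the list of policy findings raised by their events."""
    findings = {}
    for ev in events:
        user = ev["user"]
        notes = findings.setdefault(user, [])
        # Audit-trail completeness: every retrieval needs a reason and a ticket.
        if not ev["reason"].strip():
            notes.append("missing reason")
        if not (ev["ticket"] and TICKET_FORMAT.match(ev["ticket"])):
            notes.append("missing or invalid ticket")
        # 3.1.7: users outside the approved set must not use privileged accounts.
        if user not in privileged_users:
            notes.append(f"non-privileged user used privileged account "
                         f"{ev['account']} ({ev['action']})")
        # Recording search: a privileged application launched in the session.
        for line in ev["recording"]:
            m = PRIVILEGED_APPS.search(line)
            if m and user not in privileged_users:
                notes.append(f"non-privileged user launched {m.group(1).lower()}")
    return findings
```

Users with an empty finding list passed every check; the same structure extends to other privileged application titles or ticket formats by changing the two patterns.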


CyberSheath’s implementation engineers and security consultants are well versed in the practical application of NIST 800-171 controls, DFARS, and privileged account management. Download our security assessment datasheet to learn more about how CyberSheath can help improve your organization’s security posture and implement effective security controls. Subscribe to our email updates to stay up to date with our DFARS series and other security posts.
