adammontville / cis-controls-71-measures


Subcontrol 4.7 #69

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.

Measures

None provided

Metrics

boolean value = blocked or not blocked
apiperCIS commented 5 years ago

UNCC proposal for this is to analyze PowerShell log data/use of PowerShell. They indicated that this would be harder for other tools like Python. They said maybe they could monitor certain extensions like .py. We suggested one approach along those lines would be to look for use of the interpreter executable (python.exe for example).
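As an added example (not code from the cis-controls-71-measures project or from UNCC), the interpreter-executable approach described above, applied to process-creation events: each event is checked for a known interpreter binary, with a fallback on .py/.ps1 arguments for the extension-monitoring idea, and any launch by an account outside the approved admin/dev list is reported. The interpreter names, the approved-account list and the log records are all constructed here; the records use Windows 4688-style field names but are not captured events.

```python
"""Flag scripting-interpreter use by accounts outside the approved list.

Added example, not project code. Interpreter names, approved accounts and
the log lines are constructed; the records use 4688-style field names
(SubjectUserName, NewProcessName, CommandLine) but are not real events.
"""
from __future__ import annotations

import json
import ntpath
from typing import Iterable

# Assumed: executables the organisation treats as scripting tools.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "pythonw.exe"}
# Assumed: script extensions, to catch interpreters launched under another name.
SCRIPT_EXTENSIONS = (".ps1", ".py")
# Assumed: the approved administrator/developer account list.
APPROVED_ACCOUNTS = {"alice.adm", "bob.dev"}

# Constructed sample log: one JSON object per line.
SAMPLE_LOG = r"""
{"EventID": 4688, "SubjectUserName": "alice.adm", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\ops\\rotate.ps1"}
{"EventID": 4688, "SubjectUserName": "carol", "NewProcessName": "C:\\Python311\\python.exe", "CommandLine": "python.exe -c \"import os\""}
{"EventID": 4688, "SubjectUserName": "bob.dev", "NewProcessName": "C:\\Python311\\python.exe", "CommandLine": "python.exe build.py"}
{"EventID": 4688, "SubjectUserName": "dave", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"}
{"EventID": 4688, "SubjectUserName": "erin", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File backup.ps1"}
{"EventID": 4688, "SubjectUserName": "carol", "NewProcessName": "C:\\Windows\\py.exe", "CommandLine": "py.exe report.py"}
{"EventID": 4624, "SubjectUserName": "carol"}
""".strip().splitlines()


def is_scripting_tool_use(event: dict) -> bool:
    """True if the event is an interpreter launch or a script file being run."""
    exe = ntpath.basename(event.get("NewProcessName", "")).lower()
    if exe in INTERPRETERS:
        return True
    # Fallback for the extension idea: a .py/.ps1 argument on the command line
    # (catches launchers such as py.exe that are not in INTERPRETERS).
    for token in event.get("CommandLine", "").lower().split():
        if token.strip('"').endswith(SCRIPT_EXTENSIONS):
            return True
    return False


def find_unapproved_use(lines: Iterable[str], approved: set[str]) -> list[tuple[str, str, str]]:
    """Return (account, executable, command line) for every scripting-tool
    launch by an account not in `approved`. Non-4688 events are ignored."""
    approved_lc = {a.lower() for a in approved}
    hits: list[tuple[str, str, str]] = []
    for line in lines:
        event = json.loads(line)
        if event.get("EventID") != 4688 or not is_scripting_tool_use(event):
            continue
        user = event.get("SubjectUserName", "")
        if user.lower() not in approved_lc:
            hits.append((user, ntpath.basename(event["NewProcessName"]), event.get("CommandLine", "")))
    return hits


def tool_blocked_for_unapproved(hits: list[tuple[str, str, str]], tool: str) -> bool:
    """The boolean metric from the issue, per executable: True when the log
    window shows no use of `tool` by an unapproved account."""
    return not any(exe.lower() == tool.lower() for _, exe, _ in hits)


if __name__ == "__main__":
    for user, exe, cmd in find_unapproved_use(SAMPLE_LOG, APPROVED_ACCOUNTS):
        print(f"unapproved scripting tool use: {user} ran {exe}: {cmd}")
```

On the constructed log this reports carol (python.exe and py.exe) and erin (powershell.exe); alice.adm and bob.dev are approved and dave only ran cmd.exe. The extension fallback is what catches the py.exe launch, which the executable list alone would miss.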

apiperCIS commented 5 years ago

For Controls Team: UNCC was not sure that Python belonged here

apiperCIS commented 5 years ago

Inputs
1) List of scripting tools allowed in organization (subset of the Authorized Software List)
2) Approved configuration(s) to restrict these tools to approved administrator and developer accounts

Operations
1) For each authorized scripting tool in Input 1, check the appropriate configuration(s) from Input 2 to see if access to the scripting tool has been properly restricted to only allow access from approved accounts. Create a list of scripting tools that meet the approved configuration (M1) and a list of scripting tools that do not meet the approved configuration (M2), noting each deviation from the approved configuration(s).

Measures
M1: List of scripting tools that meet the approved configuration (compliant list)
M2: List of scripting tools that do not meet the approved configuration (non-compliant list)
M3: Count of scripting tools that meet the approved configuration (count of M1)
M4: Count of scripting tools that do not meet the approved configuration (count of M2)
M5: Total count of approved scripting tools (count of Input 1)

Metrics
Ratio of scripting tools restricted to the proper accounts: M3 / M5

adammontville commented 5 years ago

Consider adding input: approved admin/dev account list.

apiperCIS commented 5 years ago

Inputs
1) List of scripting tools allowed in organization (subset of the Authorized Software List)
2) Approved configuration(s) to restrict these tools to approved administrator and developer accounts
3) List of approved administrator and developer accounts

Operations
1) For each authorized scripting tool in Input 1, check the appropriate configuration(s) from Input 2 to see if access to the scripting tool has been properly restricted to only allow access from approved accounts provided in Input 3. Create a list of scripting tools that meet the approved configuration (M1) and a list of scripting tools that do not meet the approved configuration (M2), noting each deviation from the approved configuration(s).

Measures
M1: List of scripting tools that meet the approved configuration (compliant list)
M2: List of scripting tools that do not meet the approved configuration (non-compliant list)
M3: Count of scripting tools that meet the approved configuration (count of M1)
M4: Count of scripting tools that do not meet the approved configuration (count of M2)
M5: Total count of approved scripting tools (count of Input 1)

Metrics
Ratio of scripting tools restricted to the proper accounts: M3 / M5

wmunyan commented 5 years ago

Revisit based on Ehab's notes.

apiperCIS commented 5 years ago

Internal note (not for spec): below proposal reworked to be more account-based, rather than tool-based

Sub-Control Dependencies
16.6 Inventory of Accounts
Optional: 2.1 Authorized Software List

Inputs
1) Inventory of Accounts including how/where access to scripting tools is restricted
2) List of accounts (administrative or developer accounts) with the need to access scripting tools, including which scripting tools are required for each account
3) Approved configuration(s) to restrict scripting tool access to only approved accounts
4) List of scripting tools to be checked
5) Optional: List of scripting tools allowed in organization (subset of the Authorized Software List)

Operations
1) For each account in Input 1, determine if the account has access to any of the scripting tools provided in Input 4 by comparing the appropriate approved configuration(s) from Input 3 to the configuration location(s) specified for that account in Input 1. Create a list of accounts that conform to the appropriate configuration(s) and policy for scripting tool access (M1) noting which configuration(s) they were checked against, and a list of accounts that do not conform to the appropriate configuration(s) and policy for scripting tool access (M2) noting the configuration(s) they were checked against and the deviations from those configurations. For each account on both lists, note which, if any, scripting tools that account has access to.
2) Optional: Compare the scripting tools authorized for particular accounts identified in Input 2 to the authorized scripting tools provided in Input 5. Create a list of scripting tools that are authorized for particular accounts but are not authorized for use in the organization (M5).
3) Optional: For each account authorized to access scripting tools in M2, verify that the account is an administrative or developer account. Create a list of accounts that are authorized for scripting tools but that are not administrative or developer accounts (M6).

Measures
M1: List of accounts that conform to the appropriate configuration(s) and policy for scripting tool access (compliant list)
M2: List of accounts that do not conform to the appropriate configuration(s) and policy for scripting tool access (non-compliant list)
M3: Count of accounts that are compliant with the scripting tool access policy (count of M1)
M4: Total count of accounts (count of Input 1)
Optional M5: List of scripting tools authorized for particular accounts but not authorized for use in the organization
Optional M6: List of accounts that are authorized for scripting tools but that are not administrative or developer accounts

Metrics
Ratio of accounts that comply with the scripting tool access policy: M3 / M4
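As an added example (not code from the cis-controls-71-measures project), the account-based proposal above carried through in code, producing M1 to M6 and the M3 / M4 metric from constructed inputs. It also covers the earlier tool-based proposal, since the per-account deviations are recorded per tool. Assumptions: Input 1 is exported as Account records whose observed_access field holds the effective allow/deny per tool as read from the account's configuration location; Input 3 is modelled as the single rule "a tool is allowed for an account only if Input 2 lists that account as needing it"; optional operation 3 is read here as checking the accounts in Input 2; the account kinds, the "AppLocker:ScriptRules" location label and all sample data are constructed.

```python
"""Account-based measure for CIS sub-control 4.7 (scripting tool access).

Added example, not project code. Input layouts, the approved-configuration
rule and all sample data are assumptions made for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Account:
    name: str
    kind: str                          # "admin", "dev" or "user" (assumed inventory attribute)
    config_location: str               # where the restriction is applied (assumed label)
    observed_access: dict[str, bool]   # tool -> effective allow (True) / deny (False)


@dataclass
class Result:
    m1: list[str]                      # compliant accounts
    m2: dict[str, list[str]]           # non-compliant account -> deviations found
    m3: int                            # count of M1
    m4: int                            # total accounts (count of Input 1)
    m5: list[str]                      # tools needed by accounts but not allowed org-wide
    m6: list[str]                      # accounts authorized for tools that are not admin/dev
    tools_by_account: dict[str, list[str]]  # tools each account can actually run

    @property
    def metric(self) -> float:
        return self.m3 / self.m4 if self.m4 else 0.0


def expected_access(account: str, tool: str, needs: dict[str, set[str]]) -> bool:
    """Input 3 as a rule (assumed): allow only when Input 2 lists the tool for the account."""
    return tool in needs.get(account, set())


def evaluate(inventory: list[Account], needs: dict[str, set[str]],
             tools_to_check: list[str], allowed_tools: set[str] | None = None) -> Result:
    m1: list[str] = []
    m2: dict[str, list[str]] = {}
    tools_by_account: dict[str, list[str]] = {}

    # Operation 1: compare the observed configuration with the approved rule, per tool.
    for acct in inventory:
        deviations, granted = [], []
        for tool in tools_to_check:
            observed = acct.observed_access.get(tool, False)
            expected = expected_access(acct.name, tool, needs)
            if observed:
                granted.append(tool)
            if observed != expected:
                deviations.append(
                    f"{tool}: {acct.config_location} grants "
                    f"{'allow' if observed else 'deny'}, approved configuration expects "
                    f"{'allow' if expected else 'deny'}")
        tools_by_account[acct.name] = granted
        if deviations:
            m2[acct.name] = deviations
        else:
            m1.append(acct.name)

    # Optional operation 2: tools needed by accounts (Input 2) but not allowed org-wide (Input 5).
    m5: list[str] = []
    if allowed_tools is not None:
        needed = {t for tools in needs.values() for t in tools}
        m5 = sorted(needed - allowed_tools)

    # Optional operation 3: accounts in Input 2 that are not administrative or developer accounts.
    kinds = {a.name: a.kind for a in inventory}
    m6 = sorted(a for a in needs if kinds.get(a) not in ("admin", "dev"))

    return Result(m1, m2, len(m1), len(inventory), m5, m6, tools_by_account)


# Constructed sample inputs.
INVENTORY = [  # Input 1
    Account("alice.adm", "admin", "AppLocker:ScriptRules", {"PowerShell": True, "Python": True}),
    Account("bob.dev", "dev", "AppLocker:ScriptRules", {"PowerShell": False, "Python": True}),
    Account("carol", "user", "AppLocker:ScriptRules", {"PowerShell": True, "Python": False}),
    Account("dave.svc", "user", "AppLocker:ScriptRules", {"PowerShell": False, "Python": False}),
    Account("erin", "user", "AppLocker:ScriptRules", {"PowerShell": False, "Python": False}),
]
NEEDS = {  # Input 2
    "alice.adm": {"PowerShell", "Python"},
    "bob.dev": {"Python"},
    "erin": {"Perl"},
}
TOOLS_TO_CHECK = ["PowerShell", "Python"]    # Input 4
ALLOWED_TOOLS = {"PowerShell", "Python"}     # Input 5 (optional)

if __name__ == "__main__":
    r = evaluate(INVENTORY, NEEDS, TOOLS_TO_CHECK, ALLOWED_TOOLS)
    print(f"M3/M4 = {r.m3}/{r.m4} = {r.metric:.2f}")
    for acct, devs in r.m2.items():
        print(f"non-compliant {acct}: " + "; ".join(devs))
    print("M5:", r.m5, "M6:", r.m6)
```

With these inputs carol is the only non-compliant account (PowerShell is allowed for an account with no recorded need), so the metric is 4/5; M5 picks up Perl, which erin is listed as needing but which is not on the organisation's allowed list, and M6 picks up erin herself, because her account is not an administrative or developer account.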