Test the system for broken access controls.


CONTROL ID
01319
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Perform penetration tests, as necessary. (CC ID: 00655)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Robust System Security Testing, in respect of critical e-banking systems, needs to incorporate, inter-alia, specifications relating to information leakage, business logic, authentication, authorization, input data validation, exception/error handling, session management, cryptography and detailed lo… (Critical components of information security 11) c.32., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur. (Control: ISM-1610; Revision: 0, Australian Government Information Security Manual, June 2023)
  • A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur. (Control: ISM-1610; Revision: 0, Australian Government Information Security Manual, September 2023)
  • The procedures for testing access controls should be included in the Standard Operating Procedures for the information technology security officer. (Control: 0790 Table Row "System integrity audit", Australian Government Information Security Manual: Controls)
  • Central management and monitoring is performed by means of MDM solutions, including a possibility for remote deletion. A site plausibility check of the access is carried out. An inventory list of mobile terminal devices with access to the cloud service (among other things, with information of the op… (Section 5.17 MDM-01 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Interview responsible personnel and examine the software development policies and procedures to verify improper access control is addressed by coding techniques, such as sanitizing input, properly authenticating users, not exposing users to internal object references, and not permitting user interfa… (Testing Procedures § 6.5.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the system configuration setting and/or the physical controls to verify controls have been implemented to ensure only authorized individuals can use an authentication mechanism to gain access. (Testing Procedures § 8.6.c, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the database access control settings, the database application configuration settings, and the related application identifications to verify application identifications are only used by the application and not by individuals or other processes. (Testing Procedures § 8.7.d, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The software development process must address common coding vulnerabilities, to include improper access control. (PCI DSS Requirements § 6.5.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Web browsers should not automatically accept authorization credentials and tokens. (§ 5.2.5, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Do coding techniques address improper access control, such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions? (PCI DSS Question 6.5.8, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Do coding techniques address improper access control, such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions? (PCI DSS Question 6.5.8, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do coding techniques address improper access control, such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions? (PCI DSS Question 6.5.8, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The use of access control mechanisms should be based on resistance to attack (e.g., brute force, social engineering, malware, and theft of authentication equipment). (CF.06.03.03b, The Standard of Good Practice for Information Security)
  • Prior to providing customers with access to business applications (e.g., for a goods ordering, travel booking, or online banking system), testing of connections should be performed. (CF.05.01.03d, The Standard of Good Practice for Information Security)
  • The use of access control mechanisms should be based on resistance to attack (e.g., brute force, social engineering, malware, and theft of authentication equipment). (CF.06.03.03b, The Standard of Good Practice for Information Security, 2013)
  • Prior to providing customers with access to business applications (e.g., for a goods ordering, travel booking, or online banking system), testing of connections should be performed. (CF.05.01.03d, The Standard of Good Practice for Information Security, 2013)
  • Test each in-place and planned security access control. (§ 4.4.4 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Administer test bed(s), and test and evaluate applications, hardware infrastructure, rules/signatures, access controls, and configurations of platforms managed by service provider(s). (T0420, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Administer test bed(s), and test and evaluate applications, hardware infrastructure, rules/signatures, access controls, and configurations of platforms managed by service provider(s). (T0420, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
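The authority documents above name the access-control weaknesses a test has to cover (PCI DSS 6.5.8: insecure direct object references, failure to restrict URL access, directory traversal, failure to restrict user access to functions) but do not show what such a test looks like. The following is an added example, written for this page and not taken from any of the cited documents or from any real product. It defines a constructed in-memory application (ToyApp, with routes get_invoice, admin_export and get_file, and the users alice, bob and root, all hypothetical) that can be run either with or without its authorization checks, and a harness (run_matrix) that exercises every principal against every probe and reports each case where the policy says "deny" but the application returned 200. The same harness is what you would point at a real application: replace the lambdas with HTTP calls made under each principal's session and keep the expected-outcome matrix.

```python
"""Authorization-matrix test harness run against a constructed toy application.

Added example for the control "Test the system for broken access controls".
ToyApp, its routes, users and roles are constructed for illustration only.
"""
import posixpath
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # constructed roles: "anon", "user" or "admin"


class ToyApp:
    """Constructed in-memory application.

    With enforce=False the three routes carry the weaknesses listed in
    PCI DSS 6.5.8: an insecure direct object reference, an unrestricted
    admin-only function and a directory traversal in the file route.
    With enforce=True the same routes apply the missing checks.
    Each route returns an HTTP-style status code instead of a body.
    """

    def __init__(self, enforce: bool) -> None:
        self.enforce = enforce
        self.invoices: Dict[int, str] = {101: "alice", 102: "bob"}  # id -> owner
        self.files: Dict[str, str] = {"public/readme.txt": "hi", "etc/secret": "TOP"}

    def get_invoice(self, who: Principal, invoice_id: int) -> int:
        owner = self.invoices.get(invoice_id)
        if owner is None:
            return 404
        if who.role == "anon":
            return 401
        # Hardened form: object-level ownership check (horizontal access control).
        if self.enforce and who.role != "admin" and owner != who.name:
            return 403
        return 200

    def admin_export(self, who: Principal) -> int:
        if who.role == "anon":
            return 401
        # Hardened form: function-level role check (vertical access control).
        if self.enforce and who.role != "admin":
            return 403
        return 200

    def get_file(self, who: Principal, path: str) -> int:
        if who.role == "anon":
            return 401
        # Naive join; "../etc/secret" normalises to "etc/secret" and escapes public/.
        resolved = posixpath.normpath(posixpath.join("public", path))
        # Hardened form: the resolved path must stay under the public prefix.
        if self.enforce and not resolved.startswith("public/"):
            return 403
        return 200 if resolved in self.files else 404


@dataclass(frozen=True)
class Probe:
    name: str
    weakness: str  # "idor", "function-level" or "traversal"
    call: Callable[[ToyApp, Principal], int]
    allowed: Callable[[Principal], bool]  # the policy: who should get 200


PRINCIPALS = [
    Principal("anon", "anon"),
    Principal("alice", "user"),
    Principal("bob", "user"),
    Principal("root", "admin"),
]

PROBES = [
    Probe("read invoice 101 (owned by alice)", "idor",
          lambda app, p: app.get_invoice(p, 101),
          lambda p: p.role == "admin" or p.name == "alice"),
    Probe("admin export", "function-level",
          lambda app, p: app.admin_export(p),
          lambda p: p.role == "admin"),
    Probe("file ../etc/secret", "traversal",
          lambda app, p: app.get_file(p, "../etc/secret"),
          lambda p: False),  # nobody may leave public/
    Probe("file readme.txt", "traversal",
          lambda app, p: app.get_file(p, "readme.txt"),
          lambda p: p.role != "anon"),  # control case: legitimate access must keep working
]

Finding = Tuple[str, str, str, int]  # (weakness, probe, principal, status)


def run_matrix(app: ToyApp, principals=PRINCIPALS, probes=PROBES) -> Tuple[List[Finding], List[Finding]]:
    """Exercise every (principal, probe) pair.

    Returns (findings, errors): findings are escalations (policy says deny,
    application returned 200); errors are over-restriction (policy says allow,
    application did not return 200), which would hide a broken matrix.
    """
    findings: List[Finding] = []
    errors: List[Finding] = []
    for probe in probes:
        for p in principals:
            status = probe.call(app, p)
            should_allow = probe.allowed(p)
            if status == 200 and not should_allow:
                findings.append((probe.weakness, probe.name, p.name, status))
            elif status != 200 and should_allow:
                errors.append((probe.weakness, probe.name, p.name, status))
    return findings, errors


if __name__ == "__main__":
    for enforce in (False, True):
        findings, errors = run_matrix(ToyApp(enforce=enforce))
        print(f"enforce={enforce}: {len(findings)} escalation(s), {len(errors)} over-restriction(s)")
        for f in findings:
            print("  FAIL", f)
```

Against the unenforced application the harness reports six escalations: bob reading alice's invoice (IDOR), alice and bob reaching the admin export (function-level), and all three authenticated users retrieving ../etc/secret (traversal); the enforced application yields no findings and no over-restriction errors. Keeping the "errors" list is deliberate: a matrix that only checks for unexpected 200s cannot distinguish a correctly denied request from a route that is simply broken, so it would pass against an application that returns 500 for everything.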