When educating people on a complex, multi-dimensional topic, the best place to start is with its key, foundational information. That’s exactly what Celerium’s Certified CMMC Professional Course (CCP) does – it conveys the fundamental knowledge needed to train professionals supporting the implementation of CMMC.
Access Control (AC)
Audit & Accountability (AU)
Awareness & Training (AT)
Configuration Management (CM)
Identification & Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Risk Assessment (RA)
Security Assessment (CA)
Systems & Communications Protection (SC)
System & Information Integrity (SI)
Sponsored by Celerium
These online-only courses provide CMMC training to companies looking to comply with CMMC. The courses are created by an experienced team of cybersecurity implementers with years of experience on NIST standards.
Implementing CMMC will be different for every company. And with the U.S. government doubling down on cybersecurity, it's important to get it right. So where is the best place to start?
Our CMMC Insights courses were created to help companies looking to comply with CMMC understand how to implement the practices. Our team has years of experience implementing NIST 800-53.
One-year access to the learning portal is provided, and we will provide updates on changes to CMMC as clarity is provided on items such as reciprocity. Don't wait -- get started on your CMMC assessment preparation now.
DOMAIN: Access Control
Practice: AC.L1-3.1.1
CAPABILITY: C001 Establish system access requirements
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Threat Actors:
Can impersonate or pose as:
i) Current/previous employees
ii) Consultants/vendors
iii) Friends/acquaintances
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· The list of active accounts along with the names of the individuals associated with each account.
· The list of permissions and rights associated with a group account or role.
· Documentation of individuals terminated, transferred within the organization, or assigned a new role in the organization.
The above information may be compared with system and application accounts to verify the actual accounts and associated permissions were implemented as described in the company's documented procedure.
Practice: AC.L1-3.1.2
CAPABILITY: C002 Control internal system access
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Threat Actors:
An employee may hold elevated access or permissions that are not aligned to their current role, and the system itself may not allow access control rights to be separated and enforced. A threat actor who compromises such a user account inherits its pre-existing transaction and function authority and can use that access to move laterally through the system.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Access control lists that limit access to systems (network and servers).
· Access control lists for applications and data based on role and/or identity.
· Access control lists that show the type of access permitted, for example, administrator rights vs. user rights to view, edit, update, or delete records.
· Provisioning processes and associated examples of approval by an identified individual with the authority to approve access with evidence such as an email or signature on a form.
Practice: AC.L1-3.1.20
CAPABILITY: C004 Limit data access to authorized users and processes
Verify and control/limit connections to and use of external information systems.
Threat Actors:
i) May compromise your external suppliers, including cloud vendors and software updaters
ii) May compromise the inbound/outbound network traffic between you and a third party
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Documentation, such as a network diagram or system security plan, to verify that the organization has identified a system boundary and that connections to external systems have been identified.
· Account management processes and connection agreements, to determine whether use of external systems is restricted to authorized individuals and authorized system interconnections.
· Policy and procedures on personally owned systems and the security standards the organization sets for them, to determine whether controls exist to restrict unauthorized connections to identified system access points.
Practice: AC.L1-3.1.22
CAPABILITY: C004 Limit data access to authorized users and processes
Control information posted or processed on publicly accessible information systems.
Threat Actors:
Threat actors seek:
i) DoD Controlled Unclassified Information (CUI)
ii) DoD Federal Contract Information (FCI)
They will try to locate CUI and FCI by scouring publicly available defense-related websites.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· List of users authorized to post or process information on public facing systems
· Training records to demonstrate employees receive training that non-public information such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) must not be posted on public facing systems.
· Evidence that content on a public facing system is reviewed and approved prior to posting, for example, a change record or audit log.
· Evidence that public facing systems are periodically reviewed for authorized content, for example, a review log.
Practice: AC.L2-3.1.10
CAPABILITY: C002 Control internal system access
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Demonstration of system pattern-hiding display images which can include static or dynamic images, such as patterns used with screen savers, photographic or clock images.
· Evidence that pattern-hiding displays are used when sessions are locked, and that the session is locked after a defined period of inactivity.
Practice: AC.L2-3.1.11
CAPABILITY: C002 Control internal system access
Terminate (automatically) user sessions after a defined condition.
Threat Actors:
Session hijacking is a type of web attack that takes advantage of active sessions and can be attempted if the attacker has your session ID. There are two primary session hijack methods:
i) Active: The attacker takes over the client's position in the communication exchange between the workstation and the server and acts as one of the participants.
ii) Passive: The attacker monitors traffic between the workstation and the server looking for valuable data to intercept or steal.
An attacker could steal your session ID by doing the following:
i) Cross-site scripting can gather a session ID by running malicious code/script on the client side.
ii) An attacker could use a packet sniffer to obtain the session ID.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Lists of organizationally defined conditions or trigger events that require an automatic session termination, and inspect system configuration settings accordingly.
Practice: AC.L2-3.1.12
CAPABILITY: C003 Control remote system access
Monitor and control remote access sessions.
Threat Actors:
i) may use remote access software to target systems within networks.
ii) may use remote access protocols such as Remote Desktop Protocol (RDP), which listens on port 3389, to establish a remote desktop session.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Policy and procedures to determine how the organization approves, manages, and monitors all user remote access.
· What protections are in place to limit remote access to only authorized users.
· Whether remote access sessions are logged.
· Whether remote access sessions are encrypted.
· How access rights and restrictions are applied to remote user connections.
Remote access is defined as "user" access to an organization's system from an external network such as the internet.
Practice: AC.L2-3.1.13
CAPABILITY: C003 Control remote system access
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Threat Actors:
Threat actors can compromise unsecured remote access sessions and infiltrate your network. Ransomware specifically designed to be deployed via Remote Desktop Protocol includes strains such as CryptON, LockCrypt, Scarabey, Horsuke, SynAck, Bit Paymer, RSAUtil, Xpan, Crysis, Samas (SamSam), LowLevel, DMA Locker, Apocalypse, Smrss32, Bucbi, Aura/BandarChor, ACCDFISA, and Globe.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· An inventory of applications providing remote access.
· List of encryption methods used for protecting confidentiality and the integrity of remote sessions.
· Procedures addressing remote access
Practice: AC.L2-3.1.14
CAPABILITY: C003 Control remote system access
Route remote access via managed access control points.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Policy and procedures addressing remote access to the system.
· List of all managed network access points
· External scans to identify any unauthorized access into the system.
There is also an expectation that management and configuration of these access points are under one department's control and responsibility.
Practice: AC.L2-3.1.15
CAPABILITY: C003 Control remote system access
Authorize remote execution of privileged commands and remote access to security-relevant information.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Organization policy, procedures for remote access system configurations and audit records of authorized remote access.
· Access control policy and system security settings where remote access is restricted.
Practice: AC.L2-3.1.16
CAPABILITY: C002 Control internal system access
Authorize wireless access prior to allowing such connections.
Threat Actors:
i) may attempt a wardriving tactic where the hacker drives around looking for weak Wi-Fi networks. They typically map the locations and record the networks' names (SSIDs) and encryption settings.
ii) may attempt network sniffing where attackers monitor ("sniff") Wi-Fi network traffic in search of user names, passwords, and other personally identifiable information (PII).
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Policy or procedure established for access to and management of wireless access devices.
· System Security Plan to examine who approves the use of wireless technologies, what technologies are used, and how wireless access devices are monitored and controlled.
· Wireless access capabilities, such as the secure methods used for authentication and encryption.
Practice: AC.L2-3.1.17
CAPABILITY: C002 Control internal system access
Protect wireless access using authentication and encryption.
Threat Actors:
i) may attempt a wardriving tactic where the hacker drives around looking for weak Wi-Fi networks. They typically map the locations and record the networks' names (SSIDs) and encryption settings.
ii) may attempt network sniffing where attackers monitor ("sniff") Wi-Fi network traffic in search of user names, passwords, and other personally identifiable information (PII).
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Lists of authorized users compared with system accounts for verification. The authorization list should be dated and signed by a designated individual who has been granted the role and responsibility for authorizing access to wireless communications.
Practice: AC.L2-3.1.18
CAPABILITY: C002 Control internal system access
Control connection of mobile devices.
Threat Actors:
Threat actors/attackers can take advantage of several mobile threats, such as:
i) Malware/ransomware delivered via email or SMS
ii) Cryptocurrency mining
iii) Exploiting Android vulnerabilities
Corporate devices should never be connected to publicly available/unsecured Wi-Fi access points such as coffee shops or airports where network spoofing is prevalent.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· System Security Plans or other policy for controlling mobile device connectivity.
· Mobile device authorizations and approvals for connection to organizational systems and networks.
· System configurations and settings for managing mobile device connectivity and audit records of mobile device connectivity to company systems and networks
Practice: AC.L2-3.1.19
CAPABILITY: C004 Limit data access to authorized users and processes
Encrypt CUI on mobile devices and mobile computing platforms.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Mobile devices such as smartphones and tablets, for configuration settings that enable full disk encryption (FDE).
· Vendor documentation and verification of encryption modules against the NIST Cryptographic Module Validation Program (CMVP).
Practice: AC.L2-3.1.21
CAPABILITY: C001 Establish system access requirements
Limit use of portable storage devices on external systems.
Threat Actors:
i) may use flash/thumb drives to install malicious software/malware
ii) may use external hard drives to install malicious software/malware
iii) may use a nefarious third party actor or conspirator to connect a malicious USB device to a computer so that malware can be installed
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Company documentation (such as policies and procedures) on the use of portable storage devices such as thumb drives or external hard disks.
· Documents or records evidencing how devices are controlled, i.e., who approves them, who assigns them, and what restrictions apply to how they may be used.
Practice: AC.L2-3.1.3
CAPABILITY: C004 Limit data access to authorized users and processes
Control the flow of CUI in accordance with approved authorizations.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Policy and procedures on methods used to control the flow of information within the organization.
· Additional information, such as design documents, to demonstrate the mechanisms enforced by network-layer and application-layer device configurations.
Flow control includes the use of network devices (such as routers and switches), firewalls, or other devices that regulate where information can travel within an information system or the organization.
Practice: AC.L2-3.1.4
CAPABILITY: C002 Control internal system access
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Administrator accounts and system user accounts to ensure that separate accounts are implemented.
· Roles and responsibilities for those with security and privileged access rights.
· Organizational policy and procedures for the use of accounts with privileged access rights.
Practice: AC.L2-3.1.5
CAPABILITY: C002 Control internal system access
Employ the principle of least privilege, including for specific security functions and privileged accounts.
Threat Actors:
i) may compromise a privileged user and use their account to gain further access within a network
ii) may take advantage of a company that does not practice the principle of least privilege by hacking into lower echelon users who are more susceptible to compromise via phishing
iii) may employ a privilege escalation tactic and elevate themselves through the system to gain access to sensitive/protected resources
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Selected user accounts and privileges
· Evidence that the organization restricts access to privileged functions and security information to authorized individuals.
The principle of "least privilege" requires that users, programs, or processes can only have access to information and resources that are needed and only those privileges that are essential for the intended function or purpose.
Practice: AC.L2-3.1.6
CAPABILITY: C002 Control internal system access
Use non-privileged accounts or roles when accessing non-security functions.
Threat Actors:
i) may take advantage of the misuse of privileged/non-privileged accounts and access system resources that may otherwise be restricted to users with specific account permissions
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· System configuration and account settings
· System audit records or related documentation
· List of system-generated security functions assigned to system accounts or roles
· List of administrative accounts or other users with privileged and non-privileged accounts and determine their intended use via demonstration or explanation.
It is good security practice that privileged accounts are not used for non-privileged functions.
Practice: AC.L2-3.1.7
CAPABILITY: C002 Control internal system access
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
Threat Actors:
Threat actors can take advantage of both privileged and non-privileged accounts.
A successful attacker could:
i) compromise a privileged user and use their account to gain further access within a network
ii) take advantage of a company that does not practice the principle of least privilege by hacking into lower echelon users who are more susceptible to compromise via phishing
iii) employ a privilege escalation tactic and elevate themselves through the system to gain access to sensitive/protected resources
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Policy and procedures that address access to auditing of privileged functions.
· System user accounts and associated privileges to ensure that access to audit functions is limited to authorized security personnel.
Practice: AC.L2-3.1.8
CAPABILITY: C002 Control internal system access
Limit unsuccessful logon attempts.
Threat Actors:
i) may perform a brute force logon tactic that could otherwise go unnoticed if the limiting of unsuccessful logon attempts is not practiced.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· The system limits the number of invalid logon attempts
· The system is configured to lock users after a predetermined number of invalid attempts
· The system enforces a limit on the number of consecutive invalid access attempts by a user during a specific time period
Multiple unsuccessful logon attempts may indicate malicious attacks on the system.
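As an added example (not part of the Celerium course material), the lockout rule this practice describes, run over constructed logon records: a user is locked after a threshold of consecutive failures inside a time period, a successful logon resets the streak, and failures spread wider than the window never reach the threshold. The log format, the threshold and the window are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Assumed policy values (constructed for this example, not taken from the CMMC text).
MAX_FAILURES = 5                 # consecutive failures before the account locks
WINDOW = timedelta(minutes=15)   # time period within which failures are counted

# Constructed logon records, assumed format "<ISO timestamp> <user> <SUCCESS|FAILURE>":
# alice fails twice then succeeds (streak resets); bob fails six times in ten seconds
# (brute-force pattern); carol fails every 20 minutes (never five within 15 minutes).
SAMPLE_LOG = """\
2022-03-01T09:00:00 alice FAILURE
2022-03-01T09:00:05 alice FAILURE
2022-03-01T09:00:09 alice SUCCESS
2022-03-01T09:01:00 bob FAILURE
2022-03-01T09:01:02 bob FAILURE
2022-03-01T09:01:04 bob FAILURE
2022-03-01T09:01:06 bob FAILURE
2022-03-01T09:01:08 bob FAILURE
2022-03-01T09:01:10 bob FAILURE
2022-03-01T10:00:00 carol FAILURE
2022-03-01T10:20:00 carol FAILURE
2022-03-01T10:40:00 carol FAILURE
2022-03-01T11:00:00 carol FAILURE
2022-03-01T11:20:00 carol FAILURE
"""


def parse_log(log):
    """Yield (timestamp, user, result) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result


def evaluate(log, max_failures=MAX_FAILURES, window=WINDOW):
    """Apply the lockout rule. Returns (locked, open_streaks): locked maps each user
    who hit the threshold to the failure that triggered the lock; open_streaks maps
    each user to the number of consecutive failures still inside the window."""
    streaks = defaultdict(deque)   # user -> timestamps of consecutive failures
    locked = {}
    for ts, user, result in parse_log(log):
        if user in locked:
            continue               # already locked; later attempts are not counted
        failures = streaks[user]
        if result == "SUCCESS":
            failures.clear()       # a successful logon ends the consecutive streak
            continue
        failures.append(ts)
        while ts - failures[0] > window:
            failures.popleft()     # failures older than the window no longer count
        if len(failures) >= max_failures:
            locked[user] = ts
    return locked, {user: len(q) for user, q in streaks.items()}

if __name__ == "__main__":
    locked, streaks = evaluate(SAMPLE_LOG)
    for user, when in locked.items():
        print(f"{user}: locked at {when.isoformat()} ({MAX_FAILURES} failures within {WINDOW})")
    print("consecutive failures still within the window:", streaks)
```

Running it with the sample records locks only bob (at the fifth failure); carol's slow, spaced-out failures stay below the threshold, which is exactly the gap a time-bounded rule leaves and why the assessment also asks whether such attempts are reviewed.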
Practice: AC.L2-3.1.9
CAPABILITY: C001 Establish system access requirements
Provide privacy and security notices consistent with applicable CUI rules.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following
· Logon screen display notices that users see upon initial logon, or when accessing a system
· The system use information displayed before granting access
· Records of user acknowledgements for system use notifications
· Policy or procedures to determine how often users are required to acknowledge system use notifications
Copyright © 2022 Celerium. All Rights Reserved.