|Description||Compensating Control for Weak Authentication Methods: For Network Operator and Service Provider legacy systems without adequate access control capabilities, access control lists (ACLs) should be used to restrict which machines can access the device and/or application. To provide granular authentication, a bastion host that logs user activities should be used to centralize access to such devices and applications, where feasible.|
|Network Type(s)||Cable; Internet/Data; Satellite; Wireless; Wireline|
|Industry Role(s)||Service Provider; Network Operator|
|Keyword(s)||Cyber Security; Intrusion Detection|
|Reference/Comments||In the long term, the vendor should be engaged to correct the issue, either by allowing the built-in authentication method to be changed periodically, or by allowing the user to add complementary authentication means that they control, thereby creating two-factor authentication.
Where authentication methods must be shared, create an enforceable authentication method policy that addresses the periodic changing of the characteristics of the authentication method, and the dissemination of the method based on the principle of least privilege. If the authentication methods are shared, a policy implementing least privilege access and periodic change of the authentication characteristics should be developed and implemented. Consider replacement of the device at end of life, especially if the device is protecting key equipment. Implement a periodic audit program to verify policy compliance.
Garfinkel, Simson, and Gene Spafford. Users and Passwords. Practical Unix & Internet Security, 2nd ed. Sebastopol, CA: O'Reilly and Associates, Inc. 1996. 49-69.
King, Christopher M., Curtis E. Dalton, and T. Ertem Osmanoglu. Applying Policies to Derive the Requirements. Security Architecture, Design, Deployment & Operations. Berkeley, CA: The McGraw-Hill Companies. 2001. 66-110.
National Institute of Standards and Technology. User Account Management. Generally Accepted Principles and Practices for Securing Information Technology Systems. September 1996.
Dependency on NRIC BP 8007.|
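The following is an added illustration, not part of the NRIC best practice record, of the two controls the Description and the Reference/Comments rows describe: an ACL that restricts which source machines may reach a legacy device, a bastion-style gate that writes an attributable audit record for every access attempt (allowed or denied, fail-closed on malformed input), and a check that flags a shared authentication method whose last change is older than the policy allows, which is the kind of test a periodic audit program would run. All names, the ACL text and the device identifiers are constructed for the example.

```python
"""Added example (not NRIC's own code): ACL gate, bastion audit log and
credential-rotation audit for a legacy device with weak authentication."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

# Constructed sample ACL: only the bastion host and a small management
# subnet (RFC 5737 documentation range) may reach the legacy device.
ACL_TEXT = """
# source networks allowed to reach legacy-switch-01 (constructed sample)
10.0.0.5/32        # bastion host
192.0.2.0/28       # NOC management subnet
"""


@dataclass
class AccessControlList:
    """Allow-list of source networks; anything not listed is denied."""
    allowed: list[ipaddress.IPv4Network | ipaddress.IPv6Network]

    def permits(self, source: str) -> bool:
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            return False  # fail closed on a malformed source address
        return any(addr in net for net in self.allowed)


def parse_acl(lines) -> AccessControlList:
    """Parse one network per line; '#' starts a comment, blank lines ignored."""
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return AccessControlList(nets)


@dataclass
class Bastion:
    """Centralized access point that enforces the ACL and logs who did what."""
    acl: AccessControlList
    audit_log: list[str] = field(default_factory=list)

    def request_access(self, user: str, source: str, device: str,
                       command: str, timestamp: str | None = None) -> bool:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        decision = "ALLOW" if self.acl.permits(source) else "DENY"
        # Every attempt is recorded with the individual user, so the shared
        # device credential is still attributable to a person.
        self.audit_log.append(
            f"{ts} user={user} src={source} device={device} "
            f"decision={decision} cmd={command!r}"
        )
        return decision == "ALLOW"


def rotation_overdue(last_changed_iso: str, today_iso: str, max_age_days: int) -> bool:
    """True if the shared authentication method has not been changed within policy."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    gate = Bastion(parse_acl(ACL_TEXT.splitlines()))
    gate.request_access("alice", "10.0.0.5", "legacy-switch-01", "show running-config")
    gate.request_access("mallory", "203.0.113.9", "legacy-switch-01", "enable")
    print("\n".join(gate.audit_log))
    print("rotation overdue:", rotation_overdue("2024-01-01", "2024-04-15", 90))
```

The ACL is evaluated on the bastion rather than on the legacy device, which is the point of the compensating control: the device itself cannot enforce per-user policy, so the host in front of it does, and its log is what the periodic audit reviews.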