CSBS has created a very important document for the banking association concerning ransomware. The document is called the R-SAT (Ransomware Self-Assessment Tool).
The CSBS R-SAT has become the definitive guide for organizations, not just banks, as a basis to attempt to prevent a ransomware attack.
First – What is the CSBS?
CSBS was organized in 1902 as the National Association of Supervisors of State Banks. In 1971, the name was changed to the Conference of State Bank Supervisors to better reflect the ongoing nature of CSBS activities.
For more than 110 years, CSBS has been uniquely positioned as the only national organization dedicated to protecting and advancing the nation’s dual-banking system.
Why the Need for the R-SAT (Ransomware Self Assessment Tool)?
In 2022, organizations all around the world detected 236.1 million ransomware attacks. And the trend continues growing higher – there were 102 million reports of ransomware in Q3 and 155 million in Q4.
But why don’t we see more in the news?
Nearly half (42%) of IT professionals have been told to hush up data breaches and ransomware attacks, according to a survey by Bitdefender. In addition, 29.9% of respondents admitted to keeping a breach confidential instead of reporting it.
In its “Cost of a Data Breach 2022” report, IBM revealed an average ransom payment of $812,360.
So it’s a real problem.
So what is the R-SAT?
In its own words, the CSBS R-SAT states:
The Bankers Electronic Crimes Taskforce (BECTF), State Bank Regulators, and the United States Secret Service developed (the RSAT). It was developed to help financial institutions assess their efforts to mitigate risks associated with ransomware and identify gaps for increasing security. This document provides executive management and the board of directors with an overview of the institution’s preparedness towards identifying, protecting, detecting, responding, and recovering from a ransomware attack.
In other words, the R-SAT is a baseline of security controls recommended by some pretty reliable sources.
Where to start with the R-SAT?
The best place to start with the R-SAT is where the R-SAT tells you to start – by ensuring your enterprise has its security practices and procedures mapped to a recognized cybersecurity Framework. This is spelled out in the first check box of the R-SAT:
The most commonly known and used of the frameworks is of course the NIST Cybersecurity Framework (800-53 r5). NIST is the U.S. National Institute of Standards and Technology, the agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST created the CSF to give enterprises a comprehensive list of proper cyber practices.
The CSF covers the concept of User Access Reviews extensively, as was spelled out in this YouAttest blog:
The two most specific being:
“Identity and Credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes”
Identity Governance Role: The governance portion of this control explicitly spells out that identities should be reviewed for their roles and privileges.
YouAttest is designed specifically to meet the identity attestation portion of PR.AC-1.
“Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.”
Identity Governance Role: A managed identity is an audited identity – governance must be an active part of enterprise identity management to meet this control.
YouAttest allows enterprises to review their roles and permissions to ensure that privileges are limited to the access required to do the role.
R-SAT and the Principle of Least Privilege
The R-SAT starts laying out specific controls which the enterprise must incorporate to be considered minimally prepared for prevention of a ransomware attack. This list is spelled out on page nine of the document.
The list includes some standard cybersecurity best practices such as:
- RDP disabled
- MFA utilized
- Reduce admin endpoint exposure
But from an identity governance perspective, the most relevant is the requirement that the organization incorporate:
- Principle of Least Privilege for access to folders and “other resources”
Image #3: The R-SAT explicitly calls out the enterprise to enact the principle of least privilege on key resources.
The Principle of Least Privilege (NIST 800-53r5, PR.AC-6) explicitly states that enterprises must REVIEW their access privileges and restrict each user to the least amount of privilege needed to do their work.
But this is EASIER said than done. This requires a review of all of the privileges a user has. And this review SHOULD NOT be done by the IAM manager, but by the business owner and the manager of the user.
In this way, the line manager can best dictate what privileges this user needs to do their job. This is what is called a User Access Review (UAR). It is a specific course of action that involves the proper managers to:
- Review relevant users
- Review their entitlements
- Eliminate ghost accounts
- Eliminate excess privileges
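The review steps listed above can be sketched in a few lines of Python. This is an added example, not YouAttest's code or anything taken from the R-SAT; the account names, entitlement strings and role baseline are constructed sample data, and treating a "ghost account" as an account with no active employee record is an assumption made for the illustration.

```python
from collections import defaultdict

# Constructed sample data (not from any real identity store).
HR_ACTIVE = {"alice": "dana", "bob": "dana", "carol": "erin"}  # employee -> line manager
ROLE_OF = {"alice": "teller", "bob": "teller", "carol": "loan_officer"}
ROLE_BASELINE = {  # entitlements each role needs (assumed agreed with the business owner)
    "teller": {"core-banking:read", "share:branch-docs:read"},
    "loan_officer": {"core-banking:read", "loan-system:write", "share:loans:write"},
}
ACCOUNTS = {  # account -> entitlements exported from the identity store
    "alice": {"core-banking:read", "share:branch-docs:read"},
    "bob": {"core-banking:read", "share:branch-docs:read",
            "share:finance:write", "domain-admin"},
    "carol": {"core-banking:read", "loan-system:write"},
    "svc_old_backup": {"share:finance:write"},
    "frank": {"core-banking:read"},
}

def build_review(accounts, hr_active, role_of, baseline):
    """Return (ghost_accounts, review packets keyed by line manager)."""
    ghosts, packets = {}, defaultdict(list)
    for account, granted in sorted(accounts.items()):
        manager = hr_active.get(account)
        if manager is None:
            # No active employee record, so no manager can attest: flag for removal.
            ghosts[account] = sorted(granted)
            continue
        needed = baseline.get(role_of.get(account), set())
        packets[manager].append({
            "user": account,
            "attest": sorted(granted & needed),  # manager confirms these
            "excess": sorted(granted - needed),  # revoked unless the manager justifies them
        })
    return ghosts, dict(packets)

def apply_decisions(packets, keep=frozenset()):
    """Entitlements left after review; `keep` holds (user, entitlement) pairs a manager justified."""
    result = {}
    for items in packets.values():
        for item in items:
            kept = {e for e in item["excess"] if (item["user"], e) in keep}
            result[item["user"]] = set(item["attest"]) | kept
    return result

if __name__ == "__main__":
    ghosts, packets = build_review(ACCOUNTS, HR_ACTIVE, ROLE_OF, ROLE_BASELINE)
    print("ghost accounts:", ghosts)
    for manager, items in packets.items():
        for item in items:
            print(manager, "reviews", item["user"], "excess:", item["excess"])
```

Routing each packet to the user's line manager rather than to the IAM team is what lets the person who knows the job decide which excess entitlements are justified.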
YouAttest Is the Tool to Enforce the “Principle of Least Privilege” Control
These User Access Reviews are exactly what YouAttest does. The cloud-based YouAttest solution connects to your IAM solutions (or other identity store of record) in minutes.
Once the connection is made, the risk manager is able to:
- Access entitlements on Users, Groups and Applications
- Conduct an access review campaign
- Ask the specific line managers:
  - To attest to all privileges; or
  - To revoke those privileges
YouAttest is the tool needed to enforce the principle of least privilege – the key control in the CSBS Ransomware Self-Assessment Tool. The process is 100% automated and allows the (internal or external) risk manager to conduct these access reviews at a mass scale – up to millions of entitlements can and have been reviewed by the YouAttest solution.
Contact us today to learn more about how YouAttest can help improve your identity audits, via automating user access reviews for compliance and better identity security.