CAF Outcome B3.c: Stored Data

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You have protected stored data important to the operation of the essential function.

NCSC CAF Mapped to NIST CSF

B3.c: Stored Data to CSF mappings, generated from the UK Cabinet Office mapping table.

Control ID | Description
PR.PT-2 | Removable media is protected and its use restricted according to policy
PR.AC-2 | Physical access to assets is managed and protected
PR.IP-5 | Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-4 | Backups of information are conducted, maintained, and tested
PR.PT-5 | Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
PR.DS-5 | Protections against data leaks are implemented
PR.DS-1 | Data-at-rest is protected
PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Public key infrastructure (PKI) certificates (SR 1.8)
    ISA/IEC 62443-3-3:2013
  • Control system backup (SR 7.3)
    ISA/IEC 62443-3-3:2013
  • Authenticator management (SR 1.5)
    ISA/IEC 62443-3-3:2013
  • Use of cryptography (SR 4.3)
    ISA/IEC 62443-3-3:2013
  • Software and information integrity (SR 3.4)
    ISA/IEC 62443-3-3:2013
  • Information confidentiality (SR 4.1)
    ISA/IEC 62443-3-3:2013
  • Strength of public key authentication (SR 1.9)
    ISA/IEC 62443-3-3:2013
  • Protect assets against environmental damage (4.3.3.3.4)
    ISA/IEC 62443-2-1:2009
  • Provide entry controls (4.3.3.3.3)
    ISA/IEC 62443-2-1:2009
  • Establish physical security perimeters (4.3.3.3.2)
    ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Access control to program source code (9.4.5)
    ISO 27001:2013
  • Information backup (12.3.1)
    ISO 27001:2013
  • System acceptance testing (14.2.9)
    ISO 27001:2013
  • Physical security perimeter (11.1.1)
    ISO 27001:2013
  • Protection of records (18.1.3)
    ISO 27001:2013
  • Privacy and protection of personally identifiable information (18.1.4)
    ISO 27001:2013

Related SP800-53 Controls

Generated from NIST's SP800-53/CSF Crosswalk mappings.

MP-5: Media Transport
MP-4: Media Storage
MP-3: Media Marking
MP-8: Media Downgrading
MP-2: Media Access
MP-7: Media Use
PE-8: Visitor Access Records
PE-5: Access Control for Output Devices
PE-3: Physical Access Control
PE-6: Monitoring Physical Access
PE-4: Access Control for Transmission
PE-2: Physical Access Authorizations
PE-13: Fire Protection
PE-14: Environmental Controls
PE-15: Water Damage Protection
PE-10: Emergency Shutoff
PE-18: Location of System Components
PE-12: Emergency Lighting
CP-4: Contingency Plan Testing
CP-6: Alternate Storage Site
CP-9: System Backup
SC-6: Resource Availability
CP-8: Telecommunications Services
CP-11: Alternate Communications Protocols
CP-13: Alternative Security Mechanisms
PL-8: Security and Privacy Architectures
SA-14: Criticality Analysis
CP-7: Alternate Processing Site
PE-19: Information Leakage
SC-31: Covert Channel Analysis
AC-5: Separation of Duties
AC-6: Least Privilege
AC-4: Information Flow Enforcement
SI-4: System Monitoring
SC-7: Boundary Protection
PS-6: Access Agreements
SC-13: Cryptographic Protection
SC-8: Transmission Confidentiality and Integrity
PS-3: Personnel Screening
SC-12: Cryptographic Key Establishment and Management
SC-28: Protection of Information at Rest
IA-4: Identifier Management
IA-1: Policy and Procedures
AC-14: Permitted Actions Without Identification or Authentication
AC-9: Previous Logon Notification
IA-10: Adaptive Authentication
AC-12: Session Termination
IA-3: Device Identification and Authentication
IA-5: Authenticator Management
AC-8: System Use Notification
IA-9: Service Identification and Authentication
IA-11: Re-authentication
AC-7: Unsuccessful Logon Attempts
IA-2: Identification and Authentication (organizational Users)
AC-11: Device Lock
IA-8: Identification and Authentication (non-organizational Users)

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

ATT&CK ID | Title | Associated Tactics
T1119 | Automated Collection | Collection
T1070.003 | Clear Command History | Defense Evasion
T1072 | Software Deployment Tools | Execution, Lateral Movement
T1565 | Data Manipulation | Impact
T1565.001 | Stored Data Manipulation | Impact
T1070 | Indicator Removal | Defense Evasion
T1070.002 | Clear Linux or Mac System Logs | Defense Evasion
T1070.009 | Clear Persistence | Defense Evasion
T1070.007 | Clear Network Connection History and Configurations | Defense Evasion
T1070.001 | Clear Windows Event Logs | Defense Evasion
T1070.008 | Clear Mailbox Data | Defense Evasion
T1114.002 | Remote Email Collection | Collection
T1557.002 | ARP Cache Poisoning | Collection, Credential Access
T1003 | OS Credential Dumping | Credential Access
T1550.001 | Application Access Token | Defense Evasion, Lateral Movement
T1020.001 | Traffic Duplication | Exfiltration
T1558 | Steal or Forge Kerberos Tickets | Credential Access
T1602.002 | Network Device Configuration Dump | Collection
T1565.002 | Transmitted Data Manipulation | Impact
T1557 | Adversary-in-the-Middle | Collection, Credential Access
T1558.004 | AS-REP Roasting | Credential Access
T1659 | Content Injection | Command and Control, Initial Access
T1114 | Email Collection | Collection
T1602.001 | SNMP (MIB Dump) | Collection
T1040 | Network Sniffing | Credential Access, Discovery
T1552 | Unsecured Credentials | Credential Access
T1602 | Data from Configuration Repository | Collection
T1558.002 | Silver Ticket | Credential Access
T1114.001 | Local Email Collection | Collection
T1114.003 | Email Forwarding Rule | Collection
T1003.003 | NTDS | Credential Access
T1552.004 | Private Keys | Credential Access
T1649 | Steal or Forge Authentication Certificates | Credential Access
T1530 | Data from Cloud Storage | Collection
T1558.003 | Kerberoasting | Credential Access
T1036.005 | Match Legitimate Name or Location | Defense Evasion
T1037.005 | Startup Items | Persistence, Privilege Escalation
T1562.002 | Disable Windows Event Logging | Defense Evasion
T1546.013 | PowerShell Profile | Persistence, Privilege Escalation
T1563.001 | SSH Hijacking | Lateral Movement
T1552.001 | Credentials In Files | Credential Access
T1036 | Masquerading | Defense Evasion
T1569 | System Services | Execution
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion
T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation
T1489 | Service Stop | Impact
T1562.004 | Disable or Modify System Firewall | Defense Evasion
T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation
T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation
T1037.004 | RC Scripts | Persistence, Privilege Escalation
T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation
T1546.004 | Unix Shell Configuration Modification | Persistence, Privilege Escalation
T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation
T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation
T1562 | Impair Defenses | Defense Evasion
T1569.002 | Service Execution | Execution
T1037.003 | Network Logon Script | Persistence, Privilege Escalation
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation
T1218.002 | Control Panel | Defense Evasion
T1543 | Create or Modify System Process | Persistence, Privilege Escalation
T1562.006 | Indicator Blocking | Defense Evasion
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation
T1048 | Exfiltration Over Alternative Protocol | Exfiltration
T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation
T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation
T1565.003 | Runtime Data Manipulation | Impact
T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion
T1037.002 | Login Hook | Persistence, Privilege Escalation
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence
T1547.003 | Time Providers | Persistence, Privilege Escalation
T1564.004 | NTFS File Attributes | Defense Evasion
T1222 | File and Directory Permissions Modification | Defense Evasion
T1543.002 | Systemd Service | Persistence, Privilege Escalation
T1553.003 | SIP and Trust Provider Hijacking | Defense Evasion
T1036.003 | Rename System Utilities | Defense Evasion
T1543.001 | Launch Agent | Persistence, Privilege Escalation
T1562.001 | Disable or Modify Tools | Defense Evasion
T1053.006 | Systemd Timers | Execution, Persistence, Privilege Escalation
T1080 | Taint Shared Content | Lateral Movement
T1490 | Inhibit System Recovery | Impact
T1485 | Data Destruction | Impact
T1561.002 | Disk Structure Wipe | Impact
T1491.002 | External Defacement | Impact
T1561.001 | Disk Content Wipe | Impact
T1486 | Data Encrypted for Impact | Impact
T1491.001 | Internal Defacement | Impact
T1561 | Disk Wipe | Impact
T1491 | Defacement | Impact