CIS v8, Control 5: CIS Control 5 · voice-validated
AL, Founder at SQUR · last verified 2026-06-20
Regulation text
Use processes and tools to assign and manage authorisation to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1078 | Control 5 directly manages valid accounts and their authorization, preventing unauthorized use for initial access. | 100% |
| T1133 | Control 5 ensures authorization for external remote services is properly managed, preventing unauthorized access. | 90% |
| T1136 | Control 5 defines processes for account creation and management, preventing unauthorized or rogue account creation. | 90% |
| T1098 | Control 5 ensures authorization processes prevent unauthorized modification of existing accounts, including privileges. | 90% |
| T1003 | Proper authorization limits access to systems and processes where credentials can be dumped, reducing the attack surface. | 80% |
| T1110 | Strong authorization policies, such as account lockout and multi-factor authentication, make brute force attacks less effective. | 80% |
| T1087 | Authorization management restricts the visibility of accounts and their associated privileges to only those necessary, hindering discovery. | 80% |
| T1046 | Authorization controls limit what network services an account can discover, reducing an attacker's ability to map the environment. | 70% |
| T1021 | Control 5 ensures authorization controls access to remote services, preventing lateral movement using compromised credentials. | 90% |
| T1005 | Authorization limits the data a compromised account can access and collect from local systems. | 80% |
| T1041 | Strong authorization limits data access, thereby reducing the scope and success of exfiltration attempts via C2 channels. | 70% |
| T1486 | Unauthorized administrative access, often gained through weak authorization, can lead to impact actions like data encryption. | 70% |
| T1053 | Control 5 manages authorization for accounts, preventing attackers from using compromised credentials to create or modify scheduled tasks for privilege escalation or persistence. | 80% |
| T1078 | Using valid, but compromised, accounts helps attackers evade detection. Strong authorization reduces the likelihood of account compromise. | 90% |
| T1071.001 | If an attacker uses compromised credentials to establish C2 over web protocols, authorization management limits the scope of actions they can perform. | 70% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1017 | Control 5 directly mandates processes and tools for managing user accounts and their authorization. | 100% |
| M1026 | Control 5 explicitly includes administrator and service accounts, which are privileged. | 100% |
| M1030 | Implementing MFA strengthens credentials and authorization, as part of managing access. | 90% |
| M1027 | Control 5's focus on managing credentials implies strong password policies for user and service accounts. | 90% |
| M1035 | This mitigation directly implements authorization controls for enterprise assets and software. | 90% |
| M1042 | Part of managing authorization is ensuring only necessary accounts and services exist and are authorized. | 80% |
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-284 | Control 5 directly addresses assigning and managing authorization, which is access control. | 100% |
| CWE-269 | Control 5 focuses on managing authorization for various account types, directly impacting privilege management. | 100% |
| CWE-287 | While Control 5 is more about authorization, proper authentication is a prerequisite for effective authorization. | 90% |
| CWE-306 | A lack of authorization for critical functions is a direct violation of Control 5's intent. | 90% |
| CWE-798 | Control 5's emphasis on managing credentials aims to prevent insecure practices like hard-coding. | 80% |
| CWE-259 | This is a specific instance of hard-coded credentials, directly addressed by credential management. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0163 compute · voice-rubric self-validated