Knowing who holds credentials, how that access is granted, and how it is used is the foundation of any secure environment. It starts with user accounts and the credentials they use. Maintaining a complete inventory of all accounts, including service accounts, and verifying that every change to those accounts is authorized and intentional rather than accidental is paramount in establishing a secure environment.
Establishing and maintaining visibility across all accounts protects assets in several ways. If an adversary gets in through a vector we have no visibility into, such as a new zero-day vulnerability or a successful phishing attack, their first step is usually to establish persistence, and one of the most common ways to do that is by adding or modifying an account. If we manage accounts well, we may detect the attack before persistence is established, even when the initial vector was not the account itself (for example, a brute-force attack).
Account management also includes password requirements, lockouts after failed login attempts, logging out after a period of inactivity, and never using default passwords or shared accounts. Privileged accounts should only be used for tasks that require them.
Key takeaways for Control 5
- Policy. Have a policy in place that specifies all the settings for creating an account, including password strength, etc.
- Have an inventory and track changes. Establish an inventory and use Active Directory or other technologies and tools to centralize account management. Track all changes to accounts.
Safeguards for control 5
5.1) Establish and maintain an inventory of accounts
The description: Establish and maintain an inventory of all accounts managed in the business. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, user name, start / end dates, and department. Validate that all active accounts are authorized on a recurring schedule at least quarterly or more frequently.
Remarks: All accounts must be valid accounts. New accounts and changes to existing accounts should be tracked and verified as legitimate additions. Service accounts should also be checked to ensure that they are only used as intended. The unauthorized creation or modification of an account is often the first task an adversary performs to maintain persistence.
5.2) Use unique passwords
The description: Use unique passwords for all company assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts that do not use MFA.
Remarks: This is not just for the business. If you reuse passwords and one site suffers a data breach, attackers can try that password against your other accounts. Always choose unique passwords and always change default passwords.
5.3) Deactivate dormant accounts
The description: Remove or deactivate all dormant accounts after 45 days of inactivity, if supported.
Remarks: A future data breach could cause real problems if old accounts are not disabled. Deactivation of accounts can also be automatic by creating expiration dates for the account if the system supports it.
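As an added example for Safeguards 5.1 and 5.3 (not code from the article or from CIS), the script below reconciles a directory export against the authorized inventory and flags the three things those safeguards ask you to catch: accounts nobody authorized, privilege granted outside the inventory, and accounts idle for more than 45 days. The inventory, directory records and dates are constructed; the field names are assumptions.

```python
# Added example (not from the article or CIS): reconcile a directory export
# against an authorized account inventory. All data below is constructed.
from datetime import datetime, timedelta

DORMANT_DAYS = 45  # threshold named in Safeguard 5.3

# Constructed: the authorized inventory (5.1 minimum fields plus a privilege flag).
INVENTORY = {
    "jdoe":    {"name": "Jane Doe",   "dept": "Finance", "admin": False},
    "adm-ops": {"name": "Ops Admin",  "dept": "IT",      "admin": True},
    "svc-bkp": {"name": "Backup svc", "dept": "IT",      "admin": False},
}

# Constructed: what the directory actually contains right now.
DIRECTORY = [
    {"user": "jdoe",     "admin": False, "last_logon": "2024-05-01"},
    {"user": "adm-ops",  "admin": True,  "last_logon": "2024-05-02"},
    {"user": "svc-bkp",  "admin": True,  "last_logon": "2024-01-10"},  # escalated and dormant
    {"user": "support2", "admin": True,  "last_logon": "2024-05-02"},  # never authorized
]

def reconcile(inventory, directory, today):
    """Return a list of (username, finding) tuples for the quarterly review."""
    findings = []
    seen = set()
    for acct in directory:
        user = acct["user"]
        seen.add(user)
        expected = inventory.get(user)
        if expected is None:
            # An account nobody authorized is the classic persistence foothold.
            findings.append((user, "not in authorized inventory"))
        elif acct["admin"] and not expected["admin"]:
            findings.append((user, "privilege granted outside inventory"))
        idle = today - datetime.strptime(acct["last_logon"], "%Y-%m-%d")
        if idle > timedelta(days=DORMANT_DAYS):
            findings.append((user, f"dormant for {idle.days} days"))
    for user in inventory:
        if user not in seen:
            findings.append((user, "in inventory but missing from directory"))
    return findings

def run_example():
    # Review date is constructed so the dormant calculation is deterministic.
    return reconcile(INVENTORY, DIRECTORY, datetime(2024, 5, 3))

if __name__ == "__main__":
    for user, finding in run_example():
        print(f"{user:10} {finding}")
```

In a real environment the DIRECTORY list would come from an export of the directory service (for example the last-logon attribute in Active Directory), and anything the script flags goes to the account owner for confirmation before it is disabled.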
5.4) Restrict administrator privileges to dedicated administrator accounts
The description: Restrict administrator privileges to dedicated administrator accounts on company assets. Perform general computer activities, such as browsing the Internet, e-mailing, and using the productivity suite, from the user’s primary, non-privileged account.
Remarks: Administrator and root accounts should only be used for tasks that require them. Using email, a web browser, etc. should always be done with non-privileged accounts.
5.5) Establish and maintain an inventory of service accounts
The description: Establish and maintain an inventory of service accounts. The inventory, at a minimum, should contain the department owner, the review date, and the purpose. Perform reviews of service accounts to validate that all active accounts are authorized on a recurring schedule at least quarterly or more frequently.
Remarks: Tracking what happens with accounts includes service accounts, not just user accounts.
5.6) Centralize account management
The description: Centralize account management via a directory or identity service.
Remarks: This means using Active Directory and domains, or some other centralized directory or identity service, for account management.
Find out how simple and effective security controls can create a framework that helps you protect your organization and your data against known cyber attack vectors by downloading this guide here.
Learn more about the 18 CIS controls here:
CIS Control 1: Inventory and control of company assets
CIS Control 2: Inventory and control of software assets
CIS Control 3: Data protection
CIS Control 4: Secure configuration of company assets and software
CIS Control 5: Account management
CIS Control 6: Access control management