
CIS Critical Security Control #16: Account Monitoring and Control

by Perry Lynch | Aug 24, 2019 | Blog, CIS Critical Security Controls | 0 comments

Account hijacking lets criminals impersonate employees and contractors. They can trick others into handing over information and gain access to systems. It’s especially dangerous when they get control of inactive accounts, since they might escape detection for a long time. CIS Control #16 presents ways of preventing account theft and of detecting it if it does happen.

How to gain control of accounts

Phishing, brute-force password guessing, and gaining physical access to unattended workstations are some of the ways a would-be invader can steal user credentials. Some users make it easy for the attackers by using common passwords or writing them down where visitors can see them. If a user has a mobile device that logs in automatically, someone who steals it can get into the accounts without further effort.

If the attacker can successfully impersonate the victim by sending and receiving emails from a spoofed account, they may be able to gain access to other accounts by requesting password-reset links for those accounts. This is most effective when no one else is currently using the account. Otherwise the account owner may notice the emailed link and suspect something is wrong.

A successful impersonator can email other users and convince them to send confidential information or arrange wire transfers. It could be a while before anyone recognizes the impersonation.

Managing account lifecycles

Deactivating stale accounts reduces the opportunities for impersonation. It also protects against actions taken by disgruntled ex-employees or contractors who might take illegal advantage of their continuing access. A process should be implemented to disable accounts when employees are terminated or contractors complete their current tasks.

Activity monitoring can catch any accounts that have slipped through the cracks and gone dormant without being closed. A well-structured monitoring system can also detect spurious logins at times when the user wouldn’t normally be working, as well as attempts to log into deactivated accounts.

Preventing account theft

Every hijacking method warrants its own type of defense. Password theft can be thwarted with a requirement for strong passwords (CIS recommends 14 characters or more). Two-factor authentication will make it harder to use stolen passwords. All authentication should, of course, use encrypted protocols.

Although CIS no longer recommends frequent password changes as a method of protection, it’s still a good idea to change them on a regular basis. Consider that the most effective way to meet a password length requirement is to exceed it: use passphrases, complete with punctuation. These are easy to remember, which reduces the odds that users will write them down or that attackers will guess them.

Password files need to be encrypted or hashed and be accessible only to administrators. Although current operating systems use password hashing and protected databases, there are other avenues: Many departments keep a file of account credentials in a shared folder or network drive. These should be migrated to trusted credential management platforms, using current encryption and authentication methods to ensure that only authorized users can access them.

Having accounts automatically log out after a period of inactivity reduces the chance for anyone to walk up to an unattended computer and use it. Alternatively, the system can require re-entry of the password after a short time and then let the user continue the same session.

Detecting hijacked accounts

Detection requires logging account activity and analyzing the logs. Inspecting the log for an unusual number of failed logins, or for off-hours activity, is an option available to all system managers.
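The checks described in the two monitoring passages above (dormant accounts that were never disabled, logins to deactivated accounts, off-hours activity, and bursts of failed logins) can be scripted over an authentication log. The following is an added example, not code from the original post; the log format, the account directory and the thresholds are all assumptions, and the sample data is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the post): "<ISO timestamp> <user> <result>"
SAMPLE_LOG = """\
2019-08-20T09:02:11 alice success
2019-08-20T23:41:02 carol success
2019-08-21T02:13:05 mallory failure
2019-08-21T02:13:09 mallory failure
2019-08-21T02:13:14 mallory failure
2019-08-21T02:13:20 mallory failure
2019-08-21T02:13:26 mallory failure
2019-08-21T10:00:00 dave failure
"""

# Constructed account directory: user -> (enabled, last interactive login)
ACCOUNTS = {
    "alice": (True, datetime(2019, 8, 20)),
    "carol": (True, datetime(2019, 8, 20)),
    "mallory": (True, datetime(2019, 8, 1)),
    "dave": (False, datetime(2019, 3, 1)),   # contractor, disabled at project end
    "erin": (True, datetime(2019, 2, 1)),    # still enabled but unused for months
}
REPORT_DATE = datetime(2019, 8, 24)          # fixed "today" so the run is reproducible

def parse_log(log):  # -> [(timestamp, user, result), ...]
    return [(datetime.fromisoformat(t), u, r)
            for t, u, r in (line.split() for line in log.splitlines())]

def find_alerts(log, accounts, now, work_hours=(8, 18), fail_threshold=5, dormant_days=90):
    alerts = set()           # (alert_type, user); a set de-duplicates repeated hits
    failures = Counter()     # failed logins per account over the whole log
    for ts, user, result in parse_log(log):
        enabled = accounts.get(user, (False, None))[0]
        if not enabled:      # unknown or deactivated account still being used
            alerts.add(("disabled_account_login_attempt", user))
        if result == "failure":
            failures[user] += 1
        elif not work_hours[0] <= ts.hour < work_hours[1]:
            alerts.add(("off_hours_login", user))
    for user, n in failures.items():
        if n >= fail_threshold:
            alerts.add(("failed_login_burst", user))
    for user, (enabled, last_login) in accounts.items():
        if enabled and now - last_login > timedelta(days=dormant_days):
            alerts.add(("dormant_enabled_account", user))
    return sorted(alerts)

def review():
    return find_alerts(SAMPLE_LOG, ACCOUNTS, REPORT_DATE)
```

Each finding maps to one action from the text: disable the dormant account, investigate the off-hours login, and treat repeated failures or activity on a disabled account as a possible hijacking attempt.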

Staying on top of all the accounts that an organization issues keeps opportunists from taking control of them. Tools for centralized account management help in implementing this. Keeping the list of active accounts winnowed down to the ones that are currently in use means fewer accounts to attack and fewer that can be taken over without being noticed. With ongoing monitoring of account usage, would-be intruders will find far fewer opportunities to exploit.
