CIS Critical Security Control #16: Account Monitoring and Control

by Perry Lynch | Aug 24, 2019 | Blog, CIS Critical Security Controls | 0 comments

Account hijacking lets criminals impersonate employees and contractors. They can trick others into handing over information and gain access to systems. It’s especially dangerous when they get control of inactive accounts, since they might escape detection for a long time. CIS Control #16 presents ways of preventing account theft and detecting it if it does happen.

How to gain control of accounts

Phishing, brute-force password guessing, and gaining physical access to unattended workstations are some of the ways a would-be invader can steal user credentials. Some users make it easy for the attackers by using common passwords or writing them down where visitors can see them. If a user has a mobile device that logs in automatically, someone who steals it can get into the accounts without further effort.

If the attacker can successfully impersonate the victim by sending and receiving emails from a spoofed account, they may be able to gain access to other accounts by requesting a link to reset their passwords. This is most effective when no one else is currently using the account. Otherwise the account owner may notice the emailed link and suspect something is wrong.

A successful impersonator can email other users and convince them to send confidential information or arrange wire transfers. It could be a while before anyone recognizes the impersonation.

Managing account lifecycles

Deactivating stale accounts reduces the opportunities for impersonation. It also protects against actions taken by disgruntled ex-employees or contractors who might take illegal advantage of their continuing access. A process should be implemented to disable accounts when employees are terminated or contractors complete their current tasks.

Activity monitoring can catch any accounts that have slipped through the cracks and gone dormant without being closed. A well-structured monitoring system can also detect spurious logins at times when the user wouldn’t normally be working, as well as attempts to log into deactivated accounts.

Preventing account theft

Every hijacking method warrants its own type of defense. Password theft can be thwarted with a requirement for strong passwords (CIS recommends 14 characters or more). Two-factor authentication will make it harder to use stolen passwords. All authentication should, of course, use encrypted protocols.

Although CIS no longer recommends frequent password changes as a method of protection, it’s still a good idea to change them on a regular basis. Consider that the most effective way to meet a password length requirement is to exceed it: Use passphrases that are complete with punctuation. These can be easily remembered, which reduces the odds that users will write them down or that attackers will decipher them.

Password files need to be encrypted or hashed and be accessible only to administrators. Although current operating systems use password hashing and protected databases, there are other avenues: Many departments keep a file of account credentials in a shared folder or network drive. These should be migrated to trusted credential management platforms, using current encryption and authentication methods to ensure that only authorized users can access them.

Having accounts automatically log out after a period of inactivity reduces the chance for anyone to walk up to an unattended computer and use it. Alternatively, the system can require re-entry of the password after a short time and then let the user continue the same session.

Detecting hijacked accounts

Detection requires logging account activity and analyzing it. Inspecting the log for an unusual number of failed logins, or off-hours activity, is an option available to all system managers.

Staying on top of all the accounts that an organization issues keeps opportunists from taking control of them. Tools for centralized account management help in implementing this. Keeping the list of active accounts winnowed down to the ones that are currently in use means fewer accounts to attack and fewer that can be taken over without being noticed. With ongoing monitoring of account usage, would-be intruders won’t find as many opportunities to pillage.
