Critical Control 16: Account Monitoring and Control

How do attackers exploit the absence of this control?

Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network watchers. Accounts of contractors and employees who have been terminated have often been misused in this way. Additionally, some malicious insiders or former employees have accessed accounts left behind in a system long after contract expiration, maintaining their access to an organization's computing system and sensitive data for unauthorized and sometimes malicious purposes.

How to Implement, Automate, and Measure the Effectiveness of this Control

  1. Quick wins: Review all system accounts and disable any account that cannot be associated with a business process and owner.
  2. Quick wins: Systems should automatically create a report on a daily basis that includes a list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire. This list should be sent to the associated system administrator in a secure fashion.
  3. Quick wins: Organizations should establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor.
  4. Quick wins: Organizations should regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.
  5. Quick wins: Organizations should monitor account usage to determine dormant accounts that have not been used for a given period, such as 30 days, notifying the user or user's manager of the dormancy. After a longer period, such as 60 days, the account should be disabled.
  6. Quick wins: When a dormant account is disabled, any files associated with that account should be encrypted and moved to a secure file server for analysis by security or management personnel.
  7. Quick wins: All nonadministrator accounts should be required to have a minimum length of 12 characters, contain letters, numbers, and special characters, be changed at least every 90 days, have a minimum age of one day, and not be allowed to reuse any of the previous 15 passwords.
  8. Quick wins: After eight failed log-on attempts within a 45-minute period, the account should be locked for 120 minutes.
  9. Visibility/Attribution: On a periodic basis, such as quarterly or at least annually, organizations should require that managers match active employees and contractors with each account belonging to their managed staff. Security or system administrators should then disable accounts that are not assigned to active employees or contractors.
  10. Visibility/Attribution: Organizations should monitor attempts to access deactivated accounts through audit logging.
  11. Configuration/Hygiene: Organizations should profile each user's typical account usage by determining normal time-of-day access and access duration for each user. Daily reports should be generated that indicate users who have logged in during unusual hours or have exceeded their normal log-in duration by 150 percent. This includes flagging the use of a user's credentials from a computer other than the computers usually used by that user.

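The daily account report of quick wins 2 and 5, combined with the owner check of quick wins 1 and 9, as an added example in Python; it is not code from the original control text. The account inventory, its field names, the HR roster and the dates are all constructed here and stand in for whatever a directory export and the HR system actually provide:

```python
"""Daily account-status report: quick wins 2 and 5, plus the owner check of quick wins 1 and 9.

Added example, not part of the original control text. It runs over a
constructed, inline account inventory (field names are assumptions
modelled on a directory export) and a constructed HR roster of active
staff, and classifies every account the way the daily report requires.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_PASSWORD_AGE_DAYS = 90   # quick win 7: passwords changed at least every 90 days
DORMANT_NOTIFY_DAYS = 30     # quick win 5: notify the user or manager
DORMANT_DISABLE_DAYS = 60    # quick win 5: disable the account


@dataclass(frozen=True)
class Account:
    name: str
    owner: Optional[str]            # HR identifier of the business owner; None if unknown
    enabled: bool
    locked: bool
    last_logon: Optional[datetime]  # None if the account has never logged on
    pwd_last_set: Optional[datetime]
    pwd_never_expires: bool


AS_OF = datetime(2024, 3, 1, 6, 0)          # report time, fixed so the sample is reproducible
ACTIVE_STAFF = {"e1001", "e1002", "e1003"}   # constructed HR roster of active employees/contractors


def days_ago(n: int) -> datetime:
    return AS_OF - timedelta(days=n)


# Constructed inventory covering each report category.
SAMPLE_ACCOUNTS = [
    Account("alice",   "e1001", True,  False, days_ago(1),   days_ago(10),  False),  # healthy
    Account("bob",     "e1002", True,  True,  days_ago(2),   days_ago(95),  False),  # locked, password 95 days old
    Account("svc-bak", "e1003", True,  False, days_ago(0),   days_ago(400), True),   # password never expires
    Account("carol",   "e1004", True,  False, days_ago(45),  days_ago(30),  False),  # owner not on roster, 45 days idle
    Account("dave",    None,    True,  False, days_ago(75),  days_ago(20),  False),  # no owner, 75 days idle
    Account("erin",    "e1001", False, False, days_ago(200), days_ago(200), False),  # already disabled
]


def account_status_report(accounts, as_of=AS_OF, staff=ACTIVE_STAFF) -> dict[str, list[str]]:
    """Return the daily report as {category: [account names]}."""
    report: dict[str, list[str]] = {
        "locked_out": [], "disabled": [],
        "password_age_exceeded": [], "password_never_expires": [],
        "dormant_notify": [], "dormant_disable": [], "no_valid_owner": [],
    }
    for a in accounts:
        if a.locked:
            report["locked_out"].append(a.name)
        if not a.enabled:
            report["disabled"].append(a.name)
            continue                      # the remaining checks apply to enabled accounts only
        if a.pwd_never_expires:
            report["password_never_expires"].append(a.name)
        elif a.pwd_last_set is None or (as_of - a.pwd_last_set).days > MAX_PASSWORD_AGE_DAYS:
            report["password_age_exceeded"].append(a.name)
        idle_days = (as_of - a.last_logon).days if a.last_logon else DORMANT_DISABLE_DAYS
        if idle_days >= DORMANT_DISABLE_DAYS:
            report["dormant_disable"].append(a.name)
        elif idle_days >= DORMANT_NOTIFY_DAYS:
            report["dormant_notify"].append(a.name)
        if a.owner not in staff:          # quick wins 1 and 9: no owner, or owner no longer active
            report["no_valid_owner"].append(a.name)
    return report


def accounts_to_disable(report: dict[str, list[str]]) -> set[str]:
    """Accounts the quick wins say to disable now: dormant past 60 days or without a valid owner."""
    return set(report["dormant_disable"]) | set(report["no_valid_owner"])


if __name__ == "__main__":
    r = account_status_report(SAMPLE_ACCOUNTS)
    for category, names in r.items():
        print(f"{category:24s} {', '.join(names) or '-'}")
    print("disable now:", sorted(accounts_to_disable(r)))
```

Run daily, the report is what quick win 2 says should go to the system administrator; `accounts_to_disable` is the action list for quick wins 1, 5 and 9. An account that has never logged on is treated as dormant past the disable threshold, which is the conservative reading of quick win 5.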
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls

AC-2 (e, f, g, h, j, 2, 3, 4, 5), AC-3

Associated NSA Manageable Network Plan Milestones and Network Security Tasks

Milestone 5: User Access

Procedures and Tools to Implement and Automate this Control

Although most operating systems include capabilities for logging information about account usage, these features are sometimes disabled by default. Even when such features are present and active, they often do not provide fine-grained detail about access to the system by default. Security personnel can configure systems to record more detailed information about account access, and use home-grown scripts or third-party log analysis tools to analyze this information and profile user access of various systems.
Accounts must also be tracked very closely. Any account that is dormant must be disabled and eventually removed from the system. All active accounts must be traced back to authorized users of the system and it must be ensured that their passwords are robust and changed on a regular basis. Users must also be logged out of the system after a period of no activity to minimize the possibility of an attacker using their system to extract information from the organization.
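One shape such a home-grown profiling script can take, covering quick win 11 (unusual hours, session length beyond 150 percent of normal, and an unfamiliar computer), as an added example in Python that is not code from the original control text. The session records are constructed inline; the (user, host, start, end) shape is an assumption, and a real script would build it from the operating system's logon and logoff audit events:

```python
"""Profile each user's normal logon hours, hosts and session length, then flag deviations.

Added example for quick win 11; not code from the original control text.
Sessions are constructed inline in a minimal (user, host, start, end)
shape; a real run would build them from logon/logoff audit events.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

DURATION_FACTOR = 1.5   # flag sessions longer than 150 percent of the user's normal length


@dataclass(frozen=True)
class Session:
    user: str
    host: str
    start: datetime
    end: datetime

    @property
    def hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600

    def clock_hours(self) -> set[int]:
        """Hours of the day (0-23) during which the session was active."""
        t = self.start.replace(minute=0, second=0, microsecond=0)
        seen = set()
        while t < self.end:
            seen.add(t.hour)
            t += timedelta(hours=1)
        return seen


def session_at(user: str, host: str, day: int, start_hour: int, length_hours: float) -> Session:
    start = datetime(2024, 2, day, start_hour)
    return Session(user, host, start, start + timedelta(hours=length_hours))


# Constructed four-week history: alice 08:00-17:00 on WS-ALICE, bob 13:00-21:00 on WS-BOB.
HISTORY = ([session_at("alice", "WS-ALICE", d, 8, 9) for d in range(1, 29)]
           + [session_at("bob", "WS-BOB", d, 13, 8) for d in range(1, 29)])

# Constructed sessions for the day under review.
TODAY = [
    session_at("alice", "WS-ALICE",   29, 8, 9),    # normal
    session_at("alice", "WS-ALICE",   29, 23, 2),   # 23:00-01:00, outside her hours
    session_at("bob",   "WS-BOB",     29, 13, 13),  # 13 h, more than 1.5 x his usual 8 h
    session_at("bob",   "SRV-FILE01", 29, 14, 1),   # a host he has never used
]


def build_profiles(history):
    """Per user: clock hours normally active, hosts normally used, mean session length."""
    hours, hosts, lengths = defaultdict(set), defaultdict(set), defaultdict(list)
    for s in history:
        hours[s.user] |= s.clock_hours()
        hosts[s.user].add(s.host)
        lengths[s.user].append(s.hours)
    return {u: {"hours": hours[u], "hosts": hosts[u], "mean_hours": mean(lengths[u])}
            for u in hours}


def flag_anomalies(sessions, profiles):
    """Return [(user, reason)] for every deviation from the user's profile."""
    findings = []
    for s in sessions:
        p = profiles.get(s.user)
        if p is None:
            findings.append((s.user, "no profile: user not seen in history"))
            continue
        if not s.clock_hours() <= p["hours"]:
            findings.append((s.user, f"outside normal hours: {s.start:%H:%M}-{s.end:%H:%M}"))
        if s.hours > DURATION_FACTOR * p["mean_hours"]:
            findings.append((s.user, f"long session: {s.hours:.1f} h vs normal {p['mean_hours']:.1f} h"))
        if s.host not in p["hosts"]:
            findings.append((s.user, f"unusual host: {s.host}"))
    return findings


if __name__ == "__main__":
    for user, reason in flag_anomalies(TODAY, build_profiles(HISTORY)):
        print(f"{user:8s} {reason}")
```

The baseline here is deliberately simple (the union of hours ever seen, the set of hosts ever used, and a mean duration); a session that runs past midnight is judged on the clock hours it actually covers, so a long session is reported both as long and as outside normal hours, which is what an analyst wants to see.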

Control 16 Metric:

The system must be capable of identifying unauthorized user accounts when they exist on the system. An automated list of user accounts on the system must be created every 24 hours and an alert or e-mail must be sent to administrative personnel within one hour of completion of a list being created. While the one-hour timeframe represents the current metric to help organizations improve their state of security, in the future organizations should strive for even more rapid alerting, with notification regarding the creation of the list of user accounts sent within two minutes.

Control 16 Test:

To evaluate the implementation of Control 16 on a periodic basis, the evaluation team must verify that the list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire has been produced every day for the previous 30 days, by reviewing archived alerts and reports. In addition, the baseline of allowed accounts must be compared to the accounts that are active on all systems, and a report of all differences must be created from this comparison.

Control 16 Sensors, Measurement, and Scoring

Sensor: Account management software
Measurement: Using management tools like Microsoft System Center, Trusted Computer Solutions Security Blanket, Intellitactics Security Manager, Qwest Enterprise Security Reporter, and MaxPowerSoft AD Reports, determine the number of current accounts on the system. Validate that all active accounts are valid and baseline the list. Create a process so that whenever a new account is authorized and added or removed, the system baseline list is also updated. Once a week, compare the list of current accounts to the baseline list and flag any anomalies that exist.
Score: 100 percent if there are no unauthorized accounts created for a six-month period. Minus 1 percent for each unauthorized account that exists.
Sensor: Account management software
Measurement: Using management tools like Microsoft System Center, Trusted Computer Solutions Security Blanket, Intellitactics Security Manager, Qwest Enterprise Security Reporter, and MaxPowerSoft AD Reports, scan all active accounts and flag any accounts that have a default password or have not been logged into for 60 days and are still active.
Score: 100 percent if there are no active accounts that should be disabled. Minus 1 percent for each active account that should be disabled.
Sensor: Account management software
Measurement: Using management tools like Microsoft System Center, Trusted Computer Solutions Security Blanket, Intellitactics Security Manager, Qwest Enterprise Security Reporter, and MaxPowerSoft AD Reports, determine the number of failed log-on attempts.
Score: 100 percent if there are no failed log-on attempts. Minus 1 percent for each failed log-on attempt.
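The lockout rule of quick win 8 and the failed-logon count behind this last sensor, as an added example in Python; it is not code from the original control text. The authentication events are constructed inline as (time, user, success) tuples standing in for parsed audit-log entries, and the choice to reset a user's failure counter on a successful logon is an assumption the control does not specify:

```python
"""Failed-logon counting and the lockout rule of quick win 8 (eight failures in
45 minutes lock the account for 120 minutes), plus the failed-logon score above.

Added example, not code from the original control text. The authentication
events are constructed inline as (time, user, success) tuples; a real run
would parse them from the operating system's audit log. A successful logon
resetting the failure counter is an assumption, not something the control
specifies.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 8
FAILURE_WINDOW = timedelta(minutes=45)
LOCKOUT_DURATION = timedelta(minutes=120)

START = datetime(2024, 3, 1, 9, 0)   # base time for the constructed events


def at_minute(minute: int) -> datetime:
    return START + timedelta(minutes=minute)


# Constructed events. bob is being guessed at every five minutes; carol mistypes once.
EVENTS = (
    [(at_minute(0), "alice", True)]
    + [(at_minute(m), "bob", False) for m in range(0, 40, 5)]   # 8 failures 09:00-09:35 -> lock until 11:35
    + [(at_minute(41), "bob", True)]                            # right password, but the account is locked
    + [(at_minute(50), "carol", False), (at_minute(52), "carol", True)]
    + [(at_minute(170), "bob", True)]                           # 11:50, lock has expired
)


def evaluate(events):
    """Replay events in time order.

    Returns (failed_logons_per_user, lockouts, denied_while_locked), where
    lockouts is [(user, locked_at, unlocks_at)] and denied_while_locked is
    [(user, time)] for attempts rejected because the account was locked.
    """
    recent = defaultdict(deque)   # per user: failure times still inside the window
    locked_until = {}
    failures = defaultdict(int)
    lockouts, denied = [], []
    for ts, user, ok in sorted(events, key=lambda e: e[0]):
        if user in locked_until and ts < locked_until[user]:
            denied.append((user, ts))
            continue
        if ok:
            recent[user].clear()      # assumption: a successful logon resets the counter
            continue
        failures[user] += 1
        window = recent[user]
        window.append(ts)
        while ts - window[0] > FAILURE_WINDOW:   # drop failures older than 45 minutes
            window.popleft()
        if len(window) >= FAILURE_THRESHOLD:
            locked_until[user] = ts + LOCKOUT_DURATION
            lockouts.append((user, ts, ts + LOCKOUT_DURATION))
            window.clear()
    return dict(failures), lockouts, denied


def sensor_score(failures_per_user) -> int:
    """The last sensor's score: 100 percent, minus 1 per failed log-on attempt, floored at 0."""
    return max(0, 100 - sum(failures_per_user.values()))


if __name__ == "__main__":
    failures, lockouts, denied = evaluate(EVENTS)
    print("failed log-ons:", failures)
    for user, locked_at, unlocks_at in lockouts:
        print(f"{user} locked at {locked_at:%H:%M}, unlocks at {unlocks_at:%H:%M}")
    print("denied while locked:", [(u, f"{t:%H:%M}") for u, t in denied])
    print("score:", sensor_score(failures))
```

Note that an attempt rejected because the account is already locked is recorded separately rather than as another failure; if it were counted, a single sustained guessing run would extend the lock indefinitely, which is how attackers turn a lockout policy into a denial of service against the legitimate user.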