Today, I will be going over Control 16 from version 7 of the CIS top 20 Critical Security Controls – Account Monitoring and Control. I will go through the thirteen requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 16

  • Don’t forget the logs. Enabling a lot of the later sections of this control will require gathering logging data from endpoints into a centralized location such as a SIEM. The security intelligence of the organization will be in your logs, so collect as much as you can without overburdening the tool and/or necessitating that analysts review the logs.
  • Missing password requirements. The guidance on passwords has been removed from control 16. This is probably a good thing since it has been mostly duplicated by Control 4. If you’re looking for guidance on password requirements, look at any major hardening guide or security framework.
  • Block common attacks. Many common attacks that have been made public hit on a lot of the requirements in control 16. While a zero-day attack gets all of the press at security conferences, attackers are after valid credentials to make their attacks stealthier. Controlling authentication mechanisms and valid accounts is a cornerstone of building a proper security architecture.

Requirement Listing for Control 16

1. Maintain an Inventory of Authentication Systems

Description: Maintain an inventory of each of the organization’s authentication systems, including those located onsite or at a remote service provider.

Notes: Relating back to the first two controls, you cannot protect that which you are unaware of. Authentication systems are the crown jewels of an attacker going after valid credentials, so be aware of where these systems live in your environment.

2. Configure Centralized Point of Authentication

Description: Configure access for all accounts through as few centralized points of (Read more...)