20 Critical Security Controls: Control 4 – Controlled Use of Administrative Privileges

Today, I will be going over Control 4 from version 7 of the CIS top 20 Critical Security Controls – Controlled Use of Administrative Privileges. I will go through the nine requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 4

• Get this control right. Attackers would love to get their hands on your admin credentials. Control 4 is in the top five for that very reason. Administrative credentials are as valuable than the data you are trying to protect. Provide the level of care with those as you would with your organization’s most sensitive data.
• Follow best practices. Every compliance framework and hardening benchmark has guidance on handling credentials, not just those of administrators. Look to those for inspiration on what to do in your own environment.
• Think seriously about two-factor authentication: There is guidance on enabling MFA for administrative users, but why not all users? Not just when accessing the VPN but all the time. There is going to be a cost/resource issue, but we’re well overdue for making this a requirement.

Requirement Listing for Control 4

1. Maintain Inventory of Administrative Accounts

Description: Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

Notes: Attackers are going to go after administrative accounts. With admin access, there’s no need to burn costly zero-days and create a bunch of noise in the environment. Know what the attackers are after so you can create appropriate controls and implement detection mechanisms.

2. Change Default Passwords

Description: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

Notes: Note the fact that all default passwords should be changed with administrative-level password recommendations. Granted, most (Read more...)