Knowing who has credentials, how those credentials are granted, and how they are being used is the foundation of any secure environment. It begins with user accounts and the credentials they use. Maintaining a thorough inventory of all accounts, including service accounts, and verifying that any change to those accounts is authorized and intentional rather than unintended is paramount to establishing a secure environment.

Establishing and maintaining visibility on all accounts can protect assets in multiple ways. If an adversary attacks through a vector we have no visibility into, such as a new zero-day vulnerability or a successful phishing attack, the adversary will often first attempt to establish persistence, and one of the most common ways to maintain that persistence is by adding or modifying an account. With good account management in place, we may be able to detect the attack before persistence is established, even when the initial vector of the attack was not the account itself (such as a brute-force attack).

Account Management also includes password requirements, lockouts after failed login attempts, logging out after a period of inactivity, and never using default passwords or sharing accounts. Privileged accounts should only be used for tasks that require them.

Key Takeaways for Control 5

  • Policy. Have a policy in place that specifies all the parameters of creating an account including password strength, etc.
  • Have an inventory and track changes. Establish an inventory and use Active Directory or other technologies and tools to centralize management of accounts. Track any changes to the accounts.
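To show the "track any changes" takeaway as detection logic rather than policy, here is an added example (not part of the CIS Controls text) that reconciles a few constructed Windows Security account-change events against an approved-account inventory and flags the additions and modifications the inventory does not explain. The inventory, the set of accounts approved to make changes, and the sample events are all assumptions constructed for this illustration; the event IDs are the standard Windows ones.

```python
from dataclasses import dataclass

# Windows Security log event IDs that record account additions/modifications.
EVENT_NAMES = {4720: "account created", 4722: "account enabled",
               4728: "added to global group", 4732: "added to local group"}
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}

@dataclass(frozen=True)
class AccountEvent:
    event_id: int
    target: str    # account created/enabled, or the member added to a group
    subject: str   # account that performed the change
    group: str = ""  # group name for 4728/4732, empty otherwise

def reconcile(events, inventory, change_admins):
    """inventory: account -> set of groups it is approved to hold.
    change_admins: accounts approved to create or modify accounts.
    Returns a list of (reason, event) for every unexplained change."""
    findings = []
    for ev in events:
        name = EVENT_NAMES.get(ev.event_id)
        if name is None:
            continue  # not an account-change event (e.g. a logon)
        if ev.subject not in change_admins:
            findings.append((f"{name}: {ev.target} by unapproved subject {ev.subject}", ev))
            continue
        if ev.target not in inventory:
            findings.append((f"{name}: {ev.target} is not in the account inventory", ev))
        elif ev.group in PRIVILEGED_GROUPS and ev.group not in inventory[ev.target]:
            findings.append((f"{name}: {ev.target} is not approved for {ev.group}", ev))
    return findings

# Constructed sample inventory and events (hypothetical names, not real data).
INVENTORY = {"jdoe": set(), "svc-backup": {"Backup Operators"}, "admin-alice": {"Domain Admins"}}
CHANGE_ADMINS = {"admin-alice"}
SAMPLE_EVENTS = [
    AccountEvent(4720, "jdoe", "admin-alice"),                        # expected, in inventory
    AccountEvent(4720, "svc-updat3r", "admin-alice"),                 # unknown account: possible persistence
    AccountEvent(4728, "svc-backup", "admin-alice", "Domain Admins"),  # privilege the inventory never approved
    AccountEvent(4722, "jdoe", "jdoe"),                               # change by an unapproved subject
    AccountEvent(4624, "jdoe", "jdoe"),                               # logon event, ignored
]

def sample_findings():
    return reconcile(SAMPLE_EVENTS, INVENTORY, CHANGE_ADMINS)

if __name__ == "__main__":
    for reason, ev in sample_findings():
        print(f"[{ev.event_id}] {reason}")
```

Against real logs the inventory would come from the directory itself and each finding would be checked against a change ticket; any finding without one is a candidate for the persistence described above.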

Safeguards for Control 5

5.1) Establish and Maintain an Inventory of Accounts

Description: Establish and maintain an inventory of all accounts managed in the enterprise. The inventory