FRAMEWORKS AND STANDARDS
Control 05: Account Management
Published Date: October 9, 2024
Product Line: CIS Controls
Audience: Executives, Security Administrators
Get your copy of the CIS Controls V8.1 here.
Overview
Account management focuses on monitoring, careful storage, and tracking of credentials, specifically those which provide access to critical assets and information. The main goal of account management is to secure organizations’ assets from unauthorized access through a wide variety of techniques, procedures, tools, and policies later outlined in this summary.
Why is this control critical?
Without accurate implementation of account management, attackers can obtain credentials to gain unauthorized access to organizations assets and information, leaving the organization completely vulnerable to data breaches, modification of sensitive information, and much more.
Described below are three main areas of vulnerability that remain exploitable without this control.
- Passwords: Without implementation of proper password security controls, access to systems can be quite simple. When an employee is not careful about securing, creating, and using passwords across accounts, attackers are given a head start in their exploitation. An example of improper password use includes password reuse in which a user utilizes the same password for multiple different accounts/platforms. This then allows an attacker to gain access to all of these accounts/platforms with just one password. An example of improper password creation involves weak passwords which allow attacks like brute force, in which all username/password combinations are input rapidly, to become quick and easy to execute. Noting this, password policies are a significant aspect of securing an organization’s accounts and preventing attackers from gaining access to systems.
- Dormant Accounts: Unused or inactive accounts that remain in an organization’s domain pose a security threat to the organization in which they reside. These accounts can be vulnerable and outdated, with inaccurate permissions and expired passwords that allow attackers to gain access to the account. Moreover, access to these accounts may not be noticed until it is too late. Ensuring proper tracking/monitoring of all accounts is vital in protecting an organization.
- Other: Techniques like social engineering, installation of malware, and other exploits can be used to harvest credentials which are then used to gain access to a system. Ultimately, protecting and tracking credentials will immensely aid in securing an organization’s assets from unauthorized individuals.
Common Targets
Common targets in regard to control 5 include accounts/credentials that are at high risk of exploitation. These accounts have high-level or root privileges that can give attackers further access into systems. Three of the accounts to carefully monitor are:
- Administrator Accounts
- Service Accounts (those which are shared among multiple users)
- Accounts of employees in specified departments, such as IT or finance, which give attackers direct access to sensitive information
Mitigation Techniques, Tools, Procedures
- Track accounts and credentials as if they were any other asset/inventory item
- This can include utilizing password manager applications to store employee credentials via hashing or encrypting the sensitive information. Through these methods, credentials are no longer human readable to unauthorized individuals. To learn more about encryption/decryption in password managers, google “how does password manager encryption work”. Always do the research to make sure your password manager is trusted and reliable!
- This can include utilizing password manager applications to store employee credentials via hashing or encrypting the sensitive information. Through these methods, credentials are no longer human readable to unauthorized individuals. To learn more about encryption/decryption in password managers, google “how does password manager encryption work”. Always do the research to make sure your password manager is trusted and reliable!
- Create password policies
- Password policies ensure all employees are utilizing passwords that make it difficult for an unauthorized individual to figure out. An example of this is using Active Directory Group Policy to set password requirements for all users within a domain. Attributes like password expiration date, length, complexity, and more can be set, requiring all users to comply with each attribute to ensure strong password creation.
- Password policies ensure all employees are utilizing passwords that make it difficult for an unauthorized individual to figure out. An example of this is using Active Directory Group Policy to set password requirements for all users within a domain. Attributes like password expiration date, length, complexity, and more can be set, requiring all users to comply with each attribute to ensure strong password creation.
- Create separate dedicated admin accounts for tasks that require high privileges
- For administrator employees, separate accounts should be created for executing high-level tasks. This allows only certain accounts to have high-level privileges restricted to a specific user. All other accounts used for day-to-day use have no root privileges and no high-level actions can be taken on these accounts.
- For administrator employees, separate accounts should be created for executing high-level tasks. This allows only certain accounts to have high-level privileges restricted to a specific user. All other accounts used for day-to-day use have no root privileges and no high-level actions can be taken on these accounts.
- Auditing: Disable and remove all dormant accounts
- IT Admin should be vigilant about deleting accounts of employees who no longer work at an organization. This can involve going onto an Active Directory server and removing the user account completely. Moreover, any inactive accounts should also be removed as every account needs to have a valid and active user attached to it.
- IT Admin should be vigilant about deleting accounts of employees who no longer work at an organization. This can involve going onto an Active Directory server and removing the user account completely. Moreover, any inactive accounts should also be removed as every account needs to have a valid and active user attached to it.
- Auditing: Check for service accounts
- Monitor account types and determine which accounts are used by an individual or multiple employees. If used by multiple employees, this is a shared account which needs to be monitored carefully to ensure correct permissions are granted to each user.
- Monitor account types and determine which accounts are used by an individual or multiple employees. If used by multiple employees, this is a shared account which needs to be monitored carefully to ensure correct permissions are granted to each user.
- Centralized account management through a directory/identity service
- Utilizing a centralization service like Active Directory can help protect an organization’s internal assets. Through Active Directory, the ability to create/remove users, assign users permissions, assign users to groups, and more all work to prevent employees from accessing information they are not authorized to see. For more information, google “Microsoft Active Directory”.
- Utilizing a centralization service like Active Directory can help protect an organization’s internal assets. Through Active Directory, the ability to create/remove users, assign users permissions, assign users to groups, and more all work to prevent employees from accessing information they are not authorized to see. For more information, google “Microsoft Active Directory”.
- Extra Tips
- Use multifactor authentication, especially for remote access to systems
- Use single-sign-on for enterprises with a multitude of applications
- Automatically log out and lock device screens after a specified period of inactivity