This is a continuation of our CIS critical security controls blog series, which provides educational information regarding the control of focus as well as tips and tricks for consideration. See why SANS listed Rapid7 as the top solution provider addressing the CIS top 20 controls.
What is CIS Critical Control 16?
In the world of InfoSec, the sexy stuff gets all the attention. Everybody wants the latest and greatest next-gen product to get rid of the APTs and h4x0r$ hiding within their networks.
But what if I told you…
You don’t need all those bells and whistles to have a great security program? Specifically, by following CIS Critical Control 16: Account Monitoring and Control, which focuses on processes to manage the lifecycle (creation, use, dormancy, and deletion) of system and application accounts, you can do much good by practicing one of the most unsexy parts of InfoSec:
- Controlling what accounts live and die, and when
- Setting simple configuration settings to reduce the risk of an account being compromised, and to enable you to recognize when it is
- Enforcing two-factor authentication
Let’s take a little bit deeper dive on these three practices, shall we?
Account Lifecycle Management
Managing the life cycle of system and application accounts is one of the most effective controls you can have in place to protect your organization. Attackers spend their time poking around, harvesting credentials from successful phishing attacks and compromised websites, and want to use these to gain a foothold into your environment. If you don’t have a sound policy for account management, that guy in DevOps that got fired six months ago for, um, inappropriate web browsing at work? And nobody disabled his accounts? Yeah, there’s a good chance his credentials have been compromised, and once you are identified as a target, they will do everything they can to get in. While this is a fictional example, for many organizations, the example could be contractor accounts that have not been removed or disabled, or orphaned service accounts, that can be leveraged against you to gain access to and move laterally inside your organization.
You don’t know what you don’t know, so an in-depth review is in order to determine what kinds of accounts you have, what accounts are still active, and which ones are no longer valid/not in use. Armed with those results, sit down with your HR team, and ask (politely) that security be a part of onboarding and offboarding all users. If you already do this, great! Skip to the next paragraph. If not, work with HR to develop a communication process so that security is made aware when someone is hired/fired/quits/sabbatical, so you can take the appropriate steps. Ideally, you want to be able to disable all access within minutes of an individual leaving the organization. You’ll also want to have a policy around how long to keep dormant accounts, before they are deleted as well.
There are a lot of different settings you can set, buttons you can push, and configurations you can “configurate,” that can have a very positive impact on your security posture, without making life difficult for end users. CIS Critical Control 16 actually spells out some discrete settings, such as
- Automatically log user off after a set period of inactivity
- Set lock screens on devices
- Monitor for stale accounts that may have fallen through the cracks
- Use account lockouts
- Setting accounts to expire at regular intervals, based on business need and risk appetite
- Centralize authentication from a single source, such as LDAP
The first four listed above can be set via Group Policy. Voila!
Two-factor authentication (2FA) is one of the most effective controls you can implement to protect your organization, but it has to be done with reasonableness and executive support. It would not be wise to place 2FA on every account in the environment, but it certainly makes sense to use it for administrator accounts, dedicated accounts that access sensitive information, and for remote/VPN access. If you don’t use it for anything else, use it to protect VPN access. While not technically impossible, it would be extraordinarily difficult for someone to gain full access using compromised credentials via remote access vectors, if they do not have the required second factor for validation. One of the underlying principles here is to make success so expensive, either in time, resources, or dollars, to make attackers move on to other targets. 2FA for remote access is one of the best bang-for-your-buck controls you can put in place. The catch: If you utilize hardware certificates for 2FA on laptops, it’s effectively rendered useless if you don’t utilize whole disk encryption. If an attacker has credentials, and access to a corporate laptop, it’s game over at that point. And it’s a lot easier to steal a laptop (with requisite certificate, not protected by encryption than it is to steal an iPhone, and crack the PIN.
So there you have it. We’ve covered the high points of CIS Critical Security Control (CSC) 16: Account Monitoring and Control. If you need help developing or implementing your security strategy—or if you don’t have one—Rapid7 has tons of resources that can help. From our virtual CISO service, to maturity assessments of your security program, to penetration testing to validate your controls, to taking over some of the day-to-day operations of your security team—we’ve got you covered. Let us know how we can help you be successful!