May 29, 2024

Binary Blogger

Are you a 1 or a 0? News, Thoughts and Reviews

Breaking Down The Critical Security Controls: CSC 16 – Account Monitoring

3 min read

As we near the end of this series of posts the next one, I feel, is the most important. Although it is number 16 in the list doesn’t mean it can be ignored. Account monitoring, or lack thereof, has been the cause of several major breaches. Anthem and Target and the two that come to mind. Those two breaches were not executed by breaking through the barriers but from using legitimate accounts. In the forensic investigations after the fact, those company’s security systems did in fact record the activity. The problem was the logs and alerts were not acted on or ignored.

Cybercriminals are businessmen now. Much like your company there is a time and effort versus cost analysis done on their actions. It’s easier and far more effective to go after legitimate accounts than try to find vulnerabilities or break through perimeter barriers forcibly. Yes, there are attacks that do that, but on a grand scale sending out a million phishing emails to try and capture login information is more effective.

Here’s what the control says –

Actively manage the lifecycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.

Account monitoring and control is the day to day activities of your security team. Watch what the accounts are doing. This the glue that ties CSC 5 and CSC 14 together. You can have all the account controls, provisioning, segregation throughout your environment but unless you are monitoring their use it’s useless. Only through a comprehensive program consisting of policies, procedures, governance and actions can you limit the damage of an account being used outside of the intended purpose.

Solution Approach

  • Have a SIEM in place and review daily login activity. Build a profile of normal use to easily identify deltas in behavior.
  • Prioritize reporting on all account lockouts. See where the lockouts are coming from, focus on repeat offenders. Lockouts could be a sign of outside attempts.
  • Alert on all account creations, disables and deletes.
  • Assign all accounts to an owner. Assign all service accounts to an owner and department.
  • Do not let accounts remain idle/unused for a long period of time. In most clients I recommend daily scripts to disable accounts that have not logged in for more than 60 days. Harder to use an account that is disabled.
  • Implement multi-factor authentication where possible.
  • Strengthen your password policies, however this does not stop people that fall for a phishing email, so…
  • Educate employees on phishing techniques, run sample campaigns, train regularly.
  • Read your logs, review them analyze them. If you rely on alerts to do your job, you will get owned at some point.

How It Could Be Exploited

All you need to do is read between the lines of the next breach report and see this is exploited all the time. Currently the average breach is detected approximately 200 days after the criminal first enters the environment. 200 days. Why so long? Because companies are terrible at building operational security programs that focus on monitoring. They assume and trust the layers they have are working for them and their alerts are sufficient. All that means nothing when legitimate accounts, ones that you assume and trust, are used by unauthorized people.

Logs are meant to be read and alerts are meant to be acted on. If you have both and do neither, good luck to you.

End of line.


Please follow and like us:
Pin Share
Copyright © All rights reserved. | Newsphere by AF themes.

Enjoy this blog? Please spread the word :)

  • RSS
  • Follow by Email
  • Twitter
    Visit Us
    Follow Me
Follow by Email
Visit Us
Follow Me