Breaking Down The Critical Security Controls: CSC 16 – Account Monitoring
As we near the end of this series of posts, the next control is, I feel, the most important. Although it is number 16 in the list, that doesn't mean it can be ignored. Account monitoring, or the lack of it, has been the cause of several major breaches; Anthem and Target are the two that come to mind. Those two breaches were not executed by breaking through the barriers but by using legitimate accounts. In the forensic investigations after the fact, those companies' security systems did in fact record the activity. The problem was that the logs and alerts were ignored or not acted on.
Cybercriminals are businessmen now. Much like your company, there is a time-and-effort versus cost analysis behind their actions. It's easier and far more effective to go after legitimate accounts than to hunt for vulnerabilities or break through perimeter barriers forcibly. Yes, there are attacks that do that, but on a grand scale, sending out a million phishing emails to capture login information is more effective.
Here’s what the control says –
Actively manage the lifecycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
Account monitoring and control is the day-to-day activity of your security team. Watch what the accounts are doing. This is the glue that ties CSC 5 and CSC 14 together. You can have all the account controls, provisioning and segregation throughout your environment, but unless you are monitoring their use it's useless. Only through a comprehensive program of policies, procedures, governance and action can you limit the damage when an account is used outside its intended purpose.
Solution Approach
- Have a SIEM in place and review daily login activity. Build a profile of normal use to easily identify deltas in behavior.
- Prioritize reporting on all account lockouts. See where the lockouts are coming from, focus on repeat offenders. Lockouts could be a sign of outside attempts.
- Alert on all account creations, disables and deletes.
- Assign all accounts to an owner. Assign all service accounts to an owner and department.
- Do not let accounts remain idle/unused for a long period of time. For most clients I recommend daily scripts to disable accounts that have not logged in for more than 60 days. It is harder to use an account that is disabled.
- Implement multi-factor authentication where possible.
- Strengthen your password policies; however, this does not stop people who fall for a phishing email, so…
- Educate employees on phishing techniques, run sample campaigns, train regularly.
- Read your logs, review them, analyze them. If you rely on alerts to do your job, you will get owned at some point.
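The daily checks above (lockout reporting, alerting on every creation/disable/delete, a normal-use profile to spot deltas, and the 60-day idle disable) can all be driven from the same login log. The script below is an added example, not code from the original post: it runs those four checks over a constructed sample log. The log format, the account baseline and the use of Windows Security event IDs (4624 logon, 4740 lockout, 4720 created, 4725 disabled, 4726 deleted) are assumptions for the example; in practice the events would come from your SIEM.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample security log (not from the post), one event per line:
# <timestamp> <event_id> <account> <source_host>
# Event IDs follow the Windows Security log convention:
# 4624 successful logon, 4740 lockout, 4720 created, 4725 disabled, 4726 deleted.
SAMPLE_LOG = """\
2024-03-01T08:02:11 4624 alice WS-ALICE
2024-03-01T08:15:40 4624 bob WS-BOB
2024-03-01T09:01:00 4740 carol WS-KIOSK
2024-03-01T09:01:30 4740 carol WS-KIOSK
2024-03-01T09:02:00 4740 carol WS-KIOSK
2024-03-01T09:10:00 4740 dave WS-DAVE
2024-03-01T10:00:00 4720 svc_backup2 DC01
2024-03-01T10:05:00 4726 olduser DC01
2024-03-01T23:47:03 4624 alice WS-UNKNOWN
"""

# Constructed "normal use" profile per account: hosts seen before and the
# hour window (start inclusive, end exclusive) in which logons are usual.
BASELINE = {
    "alice": {"hosts": {"WS-ALICE"}, "hours": (7, 19)},
    "bob": {"hosts": {"WS-BOB"}, "hours": (7, 19)},
}

# Constructed last-logon table, as a directory export would provide it.
REPORT_DATE = datetime(2024, 3, 1)
LAST_LOGON = {
    "alice": datetime(2024, 3, 1),
    "carol": datetime(2024, 1, 1),        # exactly 60 days: not yet over the limit
    "svc_legacy": datetime(2023, 12, 31),  # 61 days idle
    "olduser": datetime(2023, 12, 1),      # 91 days idle
}

LIFECYCLE_EVENTS = {4720: "created", 4725: "disabled", 4726: "deleted"}


def parse_events(text):
    """Parse the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, host = line.split()
        events.append({"time": datetime.fromisoformat(ts), "id": int(event_id),
                       "account": account, "host": host})
    return events


def repeat_lockouts(events, threshold=3):
    """Accounts locked out at least `threshold` times, with the hosts the lockouts came from."""
    lockouts = [e for e in events if e["id"] == 4740]
    counts = Counter(e["account"] for e in lockouts)
    return {acct: {"count": n,
                   "hosts": sorted({e["host"] for e in lockouts if e["account"] == acct})}
            for acct, n in counts.items() if n >= threshold}


def lifecycle_alerts(events):
    """Every creation, disable and delete is an alert; there is no threshold."""
    return [f"{e['time'].isoformat()} account {e['account']} "
            f"{LIFECYCLE_EVENTS[e['id']]} on {e['host']}"
            for e in events if e["id"] in LIFECYCLE_EVENTS]


def baseline_deltas(events, baseline):
    """Successful logons from a host not in the profile or outside the usual hours."""
    deltas = []
    for e in events:
        if e["id"] != 4624 or e["account"] not in baseline:
            continue
        profile = baseline[e["account"]]
        start, end = profile["hours"]
        if e["host"] not in profile["hosts"]:
            deltas.append((e["account"], f"new host {e['host']}"))
        if not start <= e["time"].hour < end:
            deltas.append((e["account"],
                           f"logon at {e['time'].hour:02d}:00 outside {start:02d}-{end:02d}"))
    return deltas


def idle_accounts(last_logon, today, max_idle_days=60):
    """Accounts idle for more than max_idle_days: the candidates for the daily disable script."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(acct for acct, when in last_logon.items() if when < cutoff)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("repeat lockouts:", repeat_lockouts(events))
    print("lifecycle alerts:", *lifecycle_alerts(events), sep="\n  ")
    print("baseline deltas:", baseline_deltas(events, BASELINE))
    print("idle accounts to disable:", idle_accounts(LAST_LOGON, REPORT_DATE))
```

Run it daily as the review pass the post describes: the lockout report surfaces carol's three lockouts from one kiosk, the lifecycle list shows a new service account and a deletion that each need an owner to confirm them, the baseline check flags alice's late-night logon from a host she has never used, and the idle check lists the two accounts past the 60-day limit while leaving the one at exactly 60 days alone.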
How It Could Be Exploited
All you need to do is read between the lines of the next breach report and see this is exploited all the time. Currently the average breach is detected approximately 200 days after the criminal first enters the environment. 200 days. Why so long? Because companies are terrible at building operational security programs that focus on monitoring. They assume and trust the layers they have are working for them and their alerts are sufficient. All that means nothing when legitimate accounts, ones that you assume and trust, are used by unauthorized people.
Logs are meant to be read and alerts are meant to be acted on. If you have both and do neither, good luck to you.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.
contactme@binaryblogger.com