
CIS CSC: Account Monitoring and Control (CSC 5,16) ARC

by David Schwalenberg
June 20, 2016

User account management, access control, and enforcement of least privilege are critical to effective network security. Without proper user account management, an organization may not know who has access to its network, whether the old accounts of former employees are still active, or whether user passwords meet policy requirements. Without proper access control and enforcement of least privilege, users on the organization's network may inadvertently access information they should not access, change files, or install malware on the network. This increases the risk of network intrusion and compromise, insider activity, and data loss. The Account Monitoring and Control Assurance Report Card (ARC) provides insight into an organization's user access monitoring and control, and can help to identify appropriate actions that can further protect the organization.

As defined by the Center for Internet Security (CIS), the Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. Developed based on specific knowledge of the threat environment and currently available technologies, the Controls are informed by actual attacks and effective defenses and reflect the combined knowledge of many experts. This ARC aligns with CIS Critical Security Controls 5, Controlled Use of Administrative Privileges, and 16, Account Monitoring and Control, which address user access and least privilege.

More details on each of the policy statements included in the ARC are given below. Clicking on a policy statement will bring up the analysis screen to display more details related to that policy statement. The ARC policy statement parameters are guides that can be customized as necessary to meet organizational requirements.

This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Tenable.sc Feed under the category Executive. The ARC requirements are:

  • Tenable.sc 5.3.1
  • Nessus 8.5.1
  • NNM 5.9.1
  • LCE 6.0.0
  • Compliance data

Tenable.sc Continuous View (CV) is the market-defining continuous network monitoring solution. Tenable.sc CV includes active vulnerability detection with Tenable Nessus and passive vulnerability detection with the Tenable Nessus Network Monitor (NNM), as well as log correlation with the Tenable Log Correlation Engine (LCE). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network.

ARC Policy Statements:

At least 95% of systems report active user statistics: This policy statement displays the percentage of total systems that report user statistics. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. LCE can gather user statistics from systems on a network. All systems should be reporting user statistics to LCE to ensure that access controls can be effectively implemented and monitored.

Less than 10% of systems using administrative accounts over the network: This policy statement displays the percentage of total systems using administrative accounts over the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy monitors systems for the use of administrative accounts over the network, which should be limited to a defined list of systems. Any unexpected systems using administrative accounts over the network should be considered suspicious.

Systems reporting successful admin login events in last 72 hours: This policy statement displays the ratio of systems that have had successful administrative user login events in the last 72 hours to all systems from which LCE collected logs. Clicking on the policy statement brings up the analysis screen; setting the tool there to User Summary displays the user accounts that logged in administratively. Any unexpected users in this list should be further investigated to determine why and how they are executing administrative actions.

Systems reporting privilege gain events in last 72 hours: This policy statement displays the ratio of systems that have had privilege gain events in the last 72 hours to all systems from which LCE collected logs. These privilege gain events may indicate an attack or intrusion. Systems on which privilege gains are occurring should be further investigated to ensure that they are not compromised.

Systems reporting group membership change events in last 72 hours: This policy statement displays the ratio of systems that have had group membership change events in the last 72 hours to all systems from which LCE collected logs. These group membership change events should be investigated to verify that no users, by being added to groups, are gaining privileges that they should not have.

Less than 5% of user access and least privilege compliance checks failed: This policy statement displays the percentage of user access and least privilege compliance checks that failed. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Least privilege settings may include requirements to disable certain rights and privileges for specific users, among other things. Compliance is measured against those policy checks that reference standards such as the Cybersecurity Framework, NIST 800-53, and the CIS Critical Security Controls.

Less than 5% of default account/password compliance checks failed: This policy statement displays the percentage of default account and password compliance checks that failed. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Default account and password settings may include requirements to disable default accounts and limit use of blank passwords, among other things. To protect systems against unauthorized use, default accounts and passwords should be changed.

Less than 5% of systems have account and credentials vulnerabilities: This policy statement displays the percentage of total systems that have account and credentials vulnerabilities. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Account and credentials vulnerabilities may include default or blank password detections and weak authentication, among other things. Account and credentials vulnerabilities should be remediated in order to protect systems and prevent valuable data from being stolen.

Less than 5% of systems report suspicious login failures in last 72 hours: This policy statement displays the percentage of systems from which LCE collected logs that have had suspicious login failure events in the last 72 hours. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Suspicious failed logins may include attempts to log in with default or invalid user accounts and repeated login failures, among other things. These suspicious events should be investigated to determine if any malicious behavior is occurring.

Less than 5% of systems report account lockouts in last 72 hours: This policy statement displays the percentage of systems from which LCE collected logs that have had account lockout events in the last 72 hours. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. An account lockout occurs when a user fails too many times to log in to an account. These lockout events should be investigated to determine if any malicious behavior is occurring.

Less than 5% of Windows systems have unused or disabled accounts: This policy statement displays the percentage of Windows systems that have unused or disabled accounts. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Unused or disabled accounts are vulnerable to exploitation and should be deleted in order to ensure that they are not used for malicious purposes.
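The policy statements above share one evaluation pattern: count the systems (or checks) that match a condition, divide by the right denominator (all systems, systems from which LCE collected logs, all checks, or Windows systems), apply a 72-hour lookback where the statement names one, and colour the result green or red against an "at least" or "less than" threshold, or leave it as an informational ratio where the statement has no threshold. The following script is an added example, not Tenable's own code or the ARC's internal logic: the host inventory, the LCE-style event records, the compliance-check totals and the "current time" are all constructed, and the event kind names (user_stats, admin_network_login, and so on) are hypothetical labels rather than real LCE event types. It shows the boundary behaviour a practitioner should expect: 95% meets "at least 95%", while exactly 10% does not meet "less than 10%", and an event 80 hours old falls outside the 72-hour window.

```python
"""Evaluate the ARC policy statements described above against constructed sample data.

Added example, not Tenable's own code: the inventory, events and compliance-check
counts are hypothetical. Thresholds, the 72-hour window and the denominators follow
the policy statement descriptions in the post.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2016, 6, 20, 12, 0, tzinfo=timezone.utc)   # constructed "current time"
WINDOW = timedelta(hours=72)

# Hypothetical inventory: 20 systems known to Tenable.sc, 10 of them Windows.
ALL_SYSTEMS = {f"10.0.0.{n}" for n in range(1, 21)}
WINDOWS_SYSTEMS = {f"10.0.0.{n}" for n in range(11, 21)}


def ev(host_n: int, kind: str, hours_ago: float):
    """Constructed LCE-style event record: (host, event kind, timestamp)."""
    return (f"10.0.0.{host_n}", kind, NOW - timedelta(hours=hours_ago))


# Constructed event stream (hypothetical labels, not real LCE event types).
EVENTS = (
    [ev(n, "user_stats", 1) for n in range(1, 20)]            # 19 of 20 systems report user statistics
    + [ev(1, "admin_network_login", 5), ev(2, "admin_network_login", 6)]
    + [ev(1, "admin_login", 10), ev(3, "admin_login", 80)]    # the 80-hour-old login is outside the window
    + [ev(4, "privilege_gain", 2)]
    + [ev(5, "group_change", 30), ev(6, "group_change", 71)]  # 71 hours is still inside the window
    + [ev(7, "suspicious_login_failure", 4), ev(8, "suspicious_login_failure", 4)]
)


def hosts_with(events, kind: str, now=NOW, window=WINDOW) -> set:
    """Hosts that reported `kind` inside the lookback window ending at `now`."""
    return {h for h, k, ts in events if k == kind and now - window <= ts <= now}


@dataclass
class PolicyStatement:
    name: str
    matched: int
    total: int
    threshold: Optional[float] = None   # percent; None means the statement is informational
    at_least: bool = False              # True: "at least X%", False: "less than X%"

    def percent(self) -> float:
        return 0.0 if self.total == 0 else 100.0 * self.matched / self.total

    def result(self) -> str:
        """'green'/'red' as the ARC colours them; 'info' for ratio-only statements."""
        if self.threshold is None:
            return "info"
        p = self.percent()
        ok = p >= self.threshold if self.at_least else p < self.threshold
        return "green" if ok else "red"


def build_report(events=EVENTS, now=NOW) -> list:
    """Build the eleven policy statements of the ARC from the sample data."""
    # "Systems from which LCE collected logs": any host with an event inside the window.
    log_sources = {h for h, _, ts in events if now - WINDOW <= ts <= now}
    n_all, n_logs = len(ALL_SYSTEMS), len(log_sources)

    def count(kind: str) -> int:
        return len(hosts_with(events, kind, now))

    return [
        PolicyStatement("systems reporting user statistics", count("user_stats"), n_all, 95, at_least=True),
        PolicyStatement("systems using admin accounts over the network", count("admin_network_login"), n_all, 10),
        PolicyStatement("successful admin logins (72 h)", count("admin_login"), n_logs),
        PolicyStatement("privilege gain events (72 h)", count("privilege_gain"), n_logs),
        PolicyStatement("group membership changes (72 h)", count("group_change"), n_logs),
        # Compliance-check statements count checks, not systems (hypothetical totals).
        PolicyStatement("least privilege compliance checks failed", 3, 100, 5),
        PolicyStatement("default account/password compliance checks failed", 6, 100, 5),
        PolicyStatement("systems with account/credential vulnerabilities", 0, n_all, 5),
        PolicyStatement("suspicious login failures (72 h)", count("suspicious_login_failure"), n_logs, 5),
        PolicyStatement("account lockouts (72 h)", count("account_lockout"), n_logs, 5),
        PolicyStatement("Windows systems with unused/disabled accounts", 1, len(WINDOWS_SYSTEMS), 5),
    ]


if __name__ == "__main__":
    for ps in build_report():
        print(f"{ps.result():5s} {ps.percent():6.1f}%  {ps.matched:>3}/{ps.total:<3}  {ps.name}")
```

Run it as a script to print one line per policy statement. The denominator choice matters in practice: the informational and "in last 72 hours" statements are measured against systems that actually sent logs to LCE, so a host that sends no logs at all silently drops out of those ratios rather than showing up as a failure, which is exactly why the first statement (coverage of user statistics reporting) is the one to satisfy before trusting the others.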
