
CIS CSC: Account Monitoring and Control (CSC 5,16) ARC

by David Schwalenberg
June 20, 2016

User account management, access control, and enforcement of least privilege are critical to effective network security. Without proper user account management, an organization may not know who has access to its network, whether the old accounts of former employees are still active, or whether user passwords meet policy requirements. Without proper access control and enforcement of least privilege, users on the organization's network may access information they should not access, change files they should not change, or install malware on the network. This increases the risk of network intrusion and compromise, insider activity, and data loss. The Account Monitoring and Control Assurance Report Card (ARC) provides insight into an organization's user access monitoring and control, and can help to identify appropriate actions that can further protect the organization.

As defined by the Center for Internet Security (CIS), the Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. Developed based on specific knowledge of the threat environment and currently available technologies, the Controls are informed by actual attacks and effective defenses and reflect the combined knowledge of many experts. This ARC aligns with CIS Critical Security Controls 5, Controlled Use of Administrative Privileges, and 16, Account Monitoring and Control, which address user access and least privilege.

More details on each of the policy statements included in the ARC are given below. Clicking on a policy statement will bring up the analysis screen to display more details related to that policy statement. The ARC policy statement parameters are guides that can be customized as necessary to meet organizational requirements.

This ARC is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the SecurityCenter Feed under the category Executive. The ARC requirements are:

  • SecurityCenter 5.3.1
  • Nessus 6.5.4
  • PVS 5.0.0
  • LCE 4.8.0
  • Compliance data

Tenable SecurityCenter Continuous View (CV) is the market-defining continuous network monitoring solution. SecurityCenter CV includes active vulnerability detection with Tenable Nessus and passive vulnerability detection with the Tenable Passive Vulnerability Scanner (PVS), as well as log correlation with the Tenable Log Correlation Engine (LCE). Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of its network.

ARC Policy Statements:

At least 95% of systems report active user statistics: This policy statement displays the percentage of total systems that report user statistics. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. LCE can gather user statistics from systems on a network. All systems should be reporting user statistics to LCE to ensure that access controls can be effectively implemented and monitored.

Less than 10% of systems using administrative accounts over the network: This policy statement displays the percentage of total systems using administrative accounts over the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy monitors systems for the use of administrative accounts over the network, which should be limited to a defined list of systems. Any unexpected systems using administrative accounts over the network should be considered suspicious.

Systems reporting successful admin login events in last 72 hours: This policy statement displays the ratio of systems that have had successful administrative user login events in the last 72 hours to all systems from which LCE collected logs. Clicking on the policy statement to bring up the analysis screen and setting the tool to User Summary will display the user accounts that logged in administratively. Any unexpected users in this list should be further investigated to determine why and how they are executing administrative actions.

Systems reporting privilege gain events in last 72 hours: This policy statement displays the ratio of systems that have had privilege gain events in the last 72 hours to all systems from which LCE collected logs. These privilege gain events may indicate an attack or intrusion. Systems on which privilege gains are occurring should be further investigated to ensure that they are not compromised.

Systems reporting group membership change events in last 72 hours: This policy statement displays the ratio of systems that have had group membership change events in the last 72 hours to all systems from which LCE collected logs. These group membership change events should be investigated to verify that no users, by being added to groups, are gaining privileges that they should not have.

Less than 5% of user access and least privilege compliance checks failed: This policy statement displays the percentage of user access and least privilege compliance checks that failed. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Least privilege settings may include requirements to disable certain rights and privileges for specific users, among other things. Compliance is measured against those policy checks that reference standards such as the Cybersecurity Framework, NIST 800-53, and the CIS Critical Security Controls.

Less than 5% of default account/password compliance checks failed: This policy statement displays the percentage of default account and password compliance checks that failed. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Default account and password settings may include requirements to disable default accounts and limit use of blank passwords, among other things. To protect systems against unauthorized use, default accounts and passwords should be changed.

Less than 5% of systems have account and credentials vulnerabilities: This policy statement displays the percentage of total systems that have account and credentials vulnerabilities. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Account and credentials vulnerabilities may include default or blank password detections and weak authentication, among other things. Account and credentials vulnerabilities should be remediated in order to protect systems and prevent valuable data from being stolen.

Less than 5% of systems report suspicious login failures in last 72 hours: This policy statement displays the percentage of systems from which LCE collected logs that have had suspicious login failure events in the last 72 hours. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Suspicious failed logins may include attempts to log in with default or invalid user accounts and repeated login failures, among other things. These suspicious events should be investigated to determine if any malicious behavior is occurring.

Less than 5% of systems report account lockouts in last 72 hours: This policy statement displays the percentage of systems from which LCE collected logs that have had account lockout events in the last 72 hours. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. An account lockout occurs when a user fails too many times to log in to an account. These lockout events should be investigated to determine if any malicious behavior is occurring.

Less than 5% of Windows systems have unused or disabled accounts: This policy statement displays the percentage of Windows systems that have unused or disabled accounts. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Unused or disabled accounts are vulnerable to exploitation and should be deleted in order to ensure that they are not used for malicious purposes.
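The policy statements above differ in two details that are easy to get wrong when reproducing the ARC's arithmetic elsewhere: the denominator (all known systems for the user-statistics check, only systems from which LCE collected logs for the event-based checks) and the comparison (some statements are ratios with no threshold, the percentage ones are strict "less than"). The following example, added here and not part of Tenable's SecurityCenter or LCE code, evaluates the event-based statements over a constructed set of normalized events and a 72-hour window; the host names, event kinds and timestamps are all made up.

```python
from datetime import datetime, timedelta

# Constructed "now" and constructed normalized events (host, kind, timestamp),
# standing in for what LCE would have collected; none of this is real telemetry.
NOW = datetime(2016, 6, 20, 12, 0)

def hours_ago(hours):
    return NOW - timedelta(hours=hours)

EVENTS = [
    ("host01", "admin_login", hours_ago(2)),
    ("host02", "admin_login", hours_ago(50)),
    ("host03", "privilege_gain", hours_ago(1)),
    ("host04", "privilege_gain", hours_ago(80)),   # older than 72 h: must not count
    ("host05", "group_change", hours_ago(5)),
    ("host06", "lockout", hours_ago(10)),
    ("host06", "lockout", hours_ago(9)),           # same host twice: counts once
]
LOGGING_HOSTS = {f"host{i:02d}" for i in range(1, 21)}   # 20 hosts send logs to LCE
ALL_SYSTEMS = LOGGING_HOSTS | {"host21"}                   # one system sends nothing

def systems_with_event(events, kind, now=NOW, window_hours=72):
    """Distinct hosts with at least one event of `kind` inside the window."""
    cutoff = now - timedelta(hours=window_hours)
    return {host for host, k, ts in events if k == kind and ts >= cutoff}

def pct(numer, denom):
    return 100.0 * numer / denom if denom else 0.0

def evaluate_arc(events, all_systems, logging_hosts, now=NOW):
    """Return {policy: (value, passed)}; passed is None for ratio-only statements."""
    results = {}
    # Denominator is every known system: hosts that send nothing to LCE count against it.
    reporting = pct(len(logging_hosts), len(all_systems))
    results["report_user_stats"] = (round(reporting, 2), reporting >= 95.0)
    # Ratio-only statements: numerator over hosts from which LCE collected logs.
    for kind in ("admin_login", "privilege_gain", "group_change"):
        n = len(systems_with_event(events, kind, now))
        results[kind] = (f"{n}/{len(logging_hosts)}", None)
    # Percentage statements with a strict "less than 5%" threshold; exactly 5% is red.
    for kind in ("suspicious_login_failure", "lockout"):
        p = pct(len(systems_with_event(events, kind, now)), len(logging_hosts))
        results[kind] = (round(p, 2), p < 5.0)
    return results

if __name__ == "__main__":
    for policy, (value, passed) in evaluate_arc(EVENTS, ALL_SYSTEMS, LOGGING_HOSTS).items():
        status = "n/a" if passed is None else ("green" if passed else "red")
        print(f"{policy:26} {value!s:>8}  {status}")
```

With the constructed data, one locked-out host out of twenty is exactly 5%, which the strict threshold reports as red, and the privilege-gain event older than 72 hours is dropped from the ratio.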