Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Verizon 2016 DBIR – Account Weakness

by Megan Daudelin
May 18, 2016

The Verizon Data Breach Investigation Report (DBIR), first published in 2008, is an annual publication that analyzes information security incidents from public and private organizations, with a focus on data breaches. Data breaches continue to have a major financial impact on organizations, as well as an impact on their reputations. Tenable Network Security offers dashboards and Assurance Report Cards (ARCs) that organizations can use to check themselves against the common threats described in the Verizon DBIR. As in previous years, the 2016 DBIR notes that a vast majority of all attacks fall into a few basic patterns. Throughout this and past years’ reports, best practices are noted for each pattern that can assist in thwarting the attacks. Some of the best practices can assist in thwarting multiple attack patterns. The Point-of-Sale Intrusions, Web App Attacks, and Insider Misuse patterns all mention aspects of the general best practice of eliminating account weaknesses and vulnerabilities.

Developing and enforcing user management and access control policies is a key factor in ensuring network security. Access controls are security features that aim to regulate which users can access specific data or resources. Having effective password, account transition, and least privilege policies can help reduce the vulnerability exposure for an organization. Organizations that do not maintain strict access controls could be leaving their network vulnerable to attack, intrusion, or infection.

Based on the best practices described in the Verizon DBIR, the Account Weakness and Compliance ARC assists organizations in improving their access control measures. Systems and vulnerabilities are identified using a combination of active scans by Nessus and passive monitoring by the Passive Vulnerability Scanner (PVS). PVS can detect hosts that may be missed by active scans, such as hosts that are only connected to the network intermittently. Policy statements are included that report on systems that have unchanged passwords, systems that are using administrative accounts over the network, and systems with unused or disabled accounts. Additional policy statements report on various compliance checks related to user accounts, access controls, and least privilege policies. Noncompliant, misused, or misconfigured accounts can leave a network exposed to malicious activity. Ensuring that systems are reporting user statistics is key to monitoring and addressing systems within a network that have vulnerable accounts. 

The information provided in this ARC provides a baseline to measure the effectiveness of an organization's access control efforts and identifies whether the policies that are currently being enforced are effective. Policy statements can be customized as needed to meet organizational requirements.

This ARC is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Security Industry Trends. 

The dashboard requirements are:

  • SecurityCenter 5.3.1
  • Nessus 6.5.4
  • LCE 4.6.0
  • PVS 4.4.1 

SecurityCenter Continuous View (CV) provides continuous network monitoring, vulnerability identification, risk reduction, and compliance monitoring. SecurityCenter is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. The Passive Vulnerability Scanner (PVS) performs deep packet inspection to enable discovery and assessment of operating systems, network devices, hypervisors, databases, tablets, phones, web servers, cloud applications, and critical infrastructure. The Log Correlation Engine (LCE) performs deep log analysis and correlation to continuously discover and track systems, applications, cloud infrastructure, trust relationships, and vulnerabilities. By integrating with Nessus, PVS, and LCE, SecurityCenter CV’s continuous network monitoring is able to detect events and vulnerabilities across the enterprise.

The following policy statements are included in this ARC:

No Windows systems have user account passwords that never expire: This policy statement displays the ratio of Windows systems with user account passwords that never expire to the total number of Windows systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. User accounts with passwords that never expire should be disabled or reconfigured to require periodic password changes. This policy statement helps to identify Windows systems and accounts that may be misconfigured. Systems with user account passwords that never expire should be investigated and reconfigured as necessary.

Less than 5% of Windows systems have user account passwords that have never been changed: This policy statement displays the ratio of Windows systems with user account passwords that have never been changed to the total number of Windows systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. User accounts with passwords that have never been changed should be reconfigured to require periodic password changes. This policy statement helps to identify Windows systems and accounts that may be misconfigured. Systems with user account passwords that have never been changed should be investigated and reconfigured as necessary.

More than 95% of Windows systems have user accounts that can change their password: This policy statement displays the ratio of Windows systems with changeable user account passwords to the total number of Windows systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. User accounts with passwords that cannot be changed should be reconfigured to allow and require periodic password changes. This policy statement helps to identify Windows systems and accounts that may be misconfigured. Systems with user account passwords that cannot be changed should be investigated and reconfigured as necessary.

All Windows systems have administrator accounts with non-blank passwords: This policy statement displays the ratio of Windows systems with non-blank administrator account passwords to the total number of Windows systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Administrator accounts with blank passwords should be disabled or reconfigured to require non-blank passwords. This policy statement helps to identify Windows systems and accounts that may be misconfigured. Systems with blank administrator account passwords should be investigated and reconfigured as necessary.

All Windows guest accounts are disabled: This policy statement displays the ratio of Windows systems with disabled guest user accounts to the total number of Windows systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Guest user accounts should be disabled in order to improve security and reduce the risk of compromise. This policy statement helps to identify Windows systems and accounts that may be misconfigured. Systems with enabled guest user accounts should be investigated and reconfigured as necessary.

Less than 10% of systems are detected using administrative accounts over the network: This policy statement displays the ratio of systems using administrative accounts over the network to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. The use of administrator accounts over the network should be limited to specific tasks, users, and systems. This policy statement monitors systems for the use of administrative accounts over the network. Any unexpected systems using administrative accounts over the network should be considered suspicious.

Less than 5% of account lockout compliance checks failed: This policy statement displays the ratio of failed to total password compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Password settings may include password length, complexity, and age requirements, among other things.

Less than 5% of password compliance checks failed: This policy statement displays the ratio of failed to total account lockout compliance checks. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Account lockout settings may include failed logon counts and lockout duration requirements, among other things.