NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Acknowledge
More Menu Less Menu
Schedule a Demo
Security Team Intelligence

SANS Critical Control 16: Account Monitoring and Control

Have you ever considered what is the venue most attackers use to infiltrate target systems? In terms of percentage, certainly default privileged accounts with default or easily guessable passwords get the lion’s share.

Protecting privileged user and administrative accounts is very important to prevent widespread intrusions. Domain admin accounts, default administrative accounts, guest accounts, contractors’ accounts needs to be protected with appropriate passwords, password expirations and monitored for appropriate use. Dormant accounts needs to be disabled after a reasonable amount of time and default administrative account (such as “administrator”) needs to be renamed.

SANS Critical Control 16 deals with privileged user account monitoring and control and with the domain group policies to appropriately protect and monitor such accounts.

Unified VRM internal and configuration modules can help in several ways accomplishing this control:

The internal assessment module, with its authenticated scan capabilities, helps determine the target host group policies in terms of default account enablement, no or easily guessable password on default account, password expiration, account lockout policy, policy on password renewal, activity logging and auditing. This can be accomplish with both the standard network scanner as well as with the OVAL scanning capabilities.
The configuration review module (with authenticated standard scan and XCCDF capabilities) enable the administrator to review target host configurations against best practices standards, such as XCCDF, NIST, compliance standards, and more.
Unified VRM can also help auditing password strength against various dictionary sizes, especially for the administrative privilege accounts which might allow an attacker to mount a widespread attack over the entire internal network.
Moreover, even local administrative accounts are important and worth to be protected. If a local administrative gets compromised and a domain administrative accounts ever logged into the same host, password hashes can be downloaded and passed without the need to be decrypted to allow login to the Domain Controller for example, in an attack called “Pass the Hash”.

So no account is non-important in the eyes of a motivated attacker.

Categories
Category
Tags
Verizon 2020 DBIR Report, Vulnerability management
Read Next

Schedule a Product Demo Today!

See how NopSec's security insights and cyber threat exposure management platform can organize your security chaos.