Critical Security Control: 16

Critical Security Control: 16

Account Monitoring and Control

Actively manage the life-cycle of system and application accounts - their creation, use, dormancy, deletion - in order to minimize opportunities for attackers to leverage them.

Why Is This Control Critical?

Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network watchers. Accounts of contractors and employees who have been terminated and accounts formerly set up for Red Team testing (but not deleted afterwards) have often been misused in this way. Additionally, some malicious insiders or former employees have accessed accounts left behind in a system long after contract expiration, maintaining their access to an organization's computing system and sensitive data for unauthorized and sometimes malicious purposes.

How to Implement This Control

ID # Description Category
CSC 16-1 Review all system accounts and disable any account that cannot be associated with a business process and owner. Quick win
CSC 16-2 Ensure that all accounts have an expiration date associated with the account. Quick win
CSC 16-3 Ensure that systems automatically create a report that includes a list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire. This list should be sent to the associated system administrator in a secure fashion. Quick win
CSC 16-4 Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor. Disabling instead of deleting accounts allows preservation of audit trails. Quick win
CSC 16-5 Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity. Quick win
CSC 16-6 (NEW) Configure screen locks on systems to limit access to unattended workstations. Quick win
CSC 16-7 Monitor account usage to determine dormant accounts, notifying the user or user's manager. Disable such accounts if not needed, or document and monitor exceptions (e.g., vendor maintenance accounts needed for system recovery or continuity operations). Quick win
CSC 16-8 Require that all non-administrator accounts have strong passwords that contain letters, numbers, and special characters, be changed at least every 90 days, have a minimal age of one day, and not be allowed to use the previous 15 passwords as a new password. These values can be adjusted based on the specific business needs of the organization. Quick win
CSC 16-9 Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time. Quick win
CSC 16-10 Require that managers match active employees and contractors with each account belonging to their managed staff. Security or system administrators should then disable accounts that are not assigned to active employees or contractors. Visibility/Attribution
CSC 16-11 Monitor attempts to access deactivated accounts through audit logging. Visibility/Attribution
CSC 16-12 (NEW) Configure access for all accounts through a centralized point of authentication, for example Active Directory or LDAP. Configure network and security devices for centralized authentication as well. Configuration/ Hygiene
CSC 16-13 Profile each user's typical account usage by determining normal time-of-day access and access duration. Reports should be generated that indicate users who have logged in during unusual hours or have exceeded their normal login duration. This includes flagging the use of the user's credentials from a computer other than computers on which the user generally works. Configuration/Hygiene
CSC 16-14 (NEW) Require multi-factor authentication for accounts that have access to sensitive data or systems. Multi-factor authentication can be achieved using Smart cards with certificates, One Time Password (OTP) tokens, or biometrics. Advanced
CSC 16-15 (NEW) For authenticated access to web services within an enterprise, ensure that account usernames and passwords are passed over an encrypted channel and associated password hash files are stored securely if a centralized service is not employed. Advanced
CSC 16-16 (NEW) Configure all systems to use encrypted channels for the transmission of passwords over a network. Advanced
CSC 16-17 (NEW) Verify that all password files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system. Advanced

CSC 16 Procedures and Tools

Although most operating systems include capabilities for logging information about account usage, these features are sometimes disabled by default. Even when such features are present and active, they often do not provide fine-grained detail about access to the system by default. Security personnel can configure systems to record more detailed information about account access, and use home-grown scripts or third-party log analysis tools to analyze this information and profile user access of various systems.

Accounts must also be tracked very closely. Any account that is dormant must be disabled and eventually removed from the system. All active accounts must be traced back to authorized users of the system, and it must be ensured that their passwords are robust and changed on a regular basis. Users must also be logged out of the system after a period of no activity to minimize the possibility of an attacker using their system to extract information from the organization.

CSC 16 Effectiveness Metrics

In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:

1. Does the system audit and report on valid and invalid log-ins to user accounts?

2. Does the system audit and report on valid and invalid log-ins to network and security device user accounts?

3. Does the system lock users out after five (5) invalid attempts?

4. Do user account passwords expire at least every 90 days?

5. Does the system report on dormant accounts that have not been used for a configurable period of time?

6. How long does it take to send an alert or e-mail to administrative personnel that the comparison report has been created (time in minutes)?

CSC 16 Automation Metrics

In order to automate the monitoring and control of user accounts, organizations should gather the following information with automated technical sensors:

1. How many invalid attempts to access user accounts have been detected within a period of time?

2. How many accounts have been locked out within a period of time?

3. How many attempts to gain access to password files in the system have been detected within a period of time?

4. Perform authorized password cracking against password files and identify the number of administrator account passwords that are cracked during the attempt. Remediate any compromised passwords immediately.

5. Is an automated list of user accounts on the system created daily & compared to a baseline (yes or no)?

6. How long does it take to send an alert or e-mail to administrative personnel that the comparison report has been created (time in minutes)?

CSC 16 Effectiveness Test

To evaluate the implementation of Control 16 on a periodic basis, the evaluation team must attempt a variety of techniques to gain access to user accounts within the system. Each of the following tests must be performed at least three times:

1. Attempt to configure weak user account passwords that are non-compliant with established policy. Verify that the system does not allow weak passwords to be used.

2. Attempt to re-use a user account password that was previously used for the account. Verify that the system requires unique new passwords during each update.

3. Attempt to capture passwords by monitoring network traffic to server resources. Remediate any instances where passwords are transmitted in clear text.

4. Attempt to gain access to password files stored on the system. If successful, identify whether passwords are cryptographically secured.

Each of these tests must be performed from multiple, widely distributed systems on the organization's network in order to test the effectiveness of user account controls.

CSC 16 System Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining user accounts and how they interact with the data systems and the log management systems. Another key component of these systems is the reports generated for management of user accounts.

The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. It also delineates each of the process steps in order to help identify potential failure points in the overall control.

Step 1: User accounts are properly managed on production systems

Step 2: User accounts are assigned proper permissions to production data sets

Step 3: User account access is logged to log management system

Step 4: Log management systems generate user account and access reports for management

Step 5: Account baseline information is sent to log management system

Step 6: Critical information is properly protected and encrypted for each user account.

Creative Commons - Attribution-NoDerivs 3.0 Unported (CC BY-ND 3.0)

This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

To further clarify the Creative Commons license related to the 20 Critical Controls content, (i) All persons are authorized to use the content as a framework in their organization or to sell professional services related to the content (e.g. a consulting engagement to implement the 20 Critical Controls), and (ii) sale of the contents as a framework model is not authorized. Users of the 20 Critical Controls framework are also required to refer to when referring to the 20 Critical Controls in order to ensure that users are employing the most up to date guidance.

You may use the following code to embed the 20 Critical Controls on your site:

<iframe src="" width="1000" height="1200" />