CIS Logo
tagline: Confidence in the Connected World

Understanding CIS Control 5

This week, we’re focusing on CIS Control 5: Controlled Use of Administrative Privileges. More specifically: “The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.” 1

The ultimate goal of CIS Control 5 is to protect your organization’s information and assets from theft and misuse. This applies not just to employee computers, but to all devices – including phones, ID badges, printers, and tablets. Control 5 is increasingly necessary to protect your systems and information from both outside attackers and an insider threats. For example, an outside attacker will often take advantage of weak administrator passwords as a means to gain access to your organization’s entire network. An insider threat, on the other hand, might involve an employee taking advantage of lax internal policies to gain access to high-level networks or file systems and steal proprietary data or intellectual property. Cybercriminals can also trick administrators (through spear phishing or social engineering) into granting unnecessary access to systems. Once an unauthorized user gets in, they can operate below the radar, gathering information over long periods of time and causing significant financial or reputational harm to your organization.

Achieving CIS Control 5

Implementing this Control increases in complexity depending on your organization’s number of employees. For large global networks, automated tools are typically the best route for inventorying users and monitoring privileges.

Here are the key steps for successfully applying Control 5:

  • Maintain an inventory of all users on the network
  • Minimize the use of administrator accounts
  • Use multi-factor authentication or complex passwords
  • Require administrators to use dedicated machines for administrative tasks

To get started, you’ll want to implement policies and processes for managing user accounts. First, create an inventory of all users on your organization’s network. Similar to the software and hardware inventories discussed in the first two CIS Controls, this isn’t a “set and forget” task. Be sure to continually update and manage your user inventory – for example, IT administrators and human resources teams should work together to ensure that the accounts of new employees or those leaving the organization have accounts and privileges added or removed as necessary. Knowing who is on the network is essential to keeping it safe.

IT managers should also work to minimize the number of admin-privileged accounts. Ensure that the fewest number of staff have access to the your company’s most sensitive data. Enable a range of range of privileges (modify, view, or access) appropriately on your systems, so that users can access only certain types of information on servers as necessary. Remember that the more people who can access critical information, the higher the possibility for compromise.

Where possible, organizations should use multi-factor authentication; the process of requiring users to verify their identity using several types of evidence. While sophisticated multi-factor authentication may not be possible for all organizations, requiring complex passwords is a good way to ensure control over systems. Administrators should never share passwords or use commonly known passwords, since these make it easier for cybercriminals to gain access. In addition, organizational policies should be in place to restrict employees from giving out account passwords to anyone outside the company.

Finally, administrators should use dedicated machines – separated from the rest of the network – to perform administrative functions. When logging into these systems, admins should never surf the web or read personal email, as this opens the door for cybercriminals to gain access to admin-privileged accounts.

Although initially implementing privilege control may seem arduous, Control 5 is essential to ensuring and maintaining your organization’s cybersecurity posture. With proper policies and a user inventory established, upkeep is typically minimal, yet provides major security benefits.

Ready to get started? Check out these resources:

Previous posts from this page:

[1] CIS Critical Security Controls for Effective Cyber Defense, Version 6.1.