Account Monitoring and Control
CIS Control 16This is a foundational Control
Actively manage the life cycle of system and application accounts - their creation, use, dormancy, deletion - in order to minimize opportunities for attackers to leverage them.
Why is this CIS Control critical?
Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for security personnel watchers. Accounts of contractors and employees who have been terminated and accounts formerly set up for Red Team testing (but not deleted afterwards) have often been misused in this way. Additionally, some malicious insiders or former employees have gained access to accounts left behind in a system long after contract expiration, maintaining their access to an organization’s computing system and sensitive data for unauthorized and sometimes malicious purposes.
- Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or by a third-party provider.
- Disable any account that cannot be associated with a business process or business owner.
Want to implement this foundational Control?
Information Hub : CIS Controls
Media mention • 15 Jan 2021
Blog post • 12 Jan 2021
Blog post • 06 Jan 2021
White paper • 22 Dec 2020