CIS Control 16: Account Monitoring and Control

Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.

Why is this CIS Control Critical?

Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for security personnel watchers. Accounts of contractors and employees who have been terminated and accounts formerly set up for Red Team testing (but not deleted afterwards) have often been misused in this way. Additionally, some malicious insiders or former employees have gained access to accounts left behind in a system long after contract expiration, maintaining their access to an organization’s computing system, and sensitive data for unauthorized and sometimes malicious purposes.

• 16.1: Maintain an Inventory of Authentication Systems
• 16.2: Configure Centralized Point of Authentication
• 16.3: Require Multi-Factor Authentication
• 16.4: Encrypt or Hash All Authentication Credentials
• 16.5: Encrypt Transmittal of Username and Authentication Credentials
• 16.6: Maintain an Inventory of Accounts
• 16.7: Establish Process for Revoking Access
• 16.8: Disable Any Unassociated Accounts
• 16.9: Disable Dormant Accounts
• 16.10: Ensure All Accounts Have An Expiration Date
• 16.11: Lock Workstation Sessions After Inactivity
• 16.12: Monitor Attempts to Access Deactivated Accounts
• 16.13: Alert on Account Login Behavior Deviation