CIS Control 5: Account Management

Control Summary

Use processes and tools to assign and manage authorisation to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

Why is it needed?

Gaining unauthorised access to enterprise assets or sensitive data is often easier for both external and internal threat actors when they use valid user credentials rather than attempting to “hack” into the environment. There are many covert ways to gain access to user accounts: exploiting weak passwords; accounts that persist after a user leaves the enterprise; dormant or lingering test accounts; shared account passwords left unchanged for long periods; service accounts embedded in applications or scripts; users reusing a password that was compromised in a public password dump; social engineering to coax users into disclosing their passwords; and malware that intercepts passwords or tokens stored in memory or transmitted over the network.

Administrative or highly privileged accounts are particularly attractive targets for cyber adversaries. Compromising them gives attackers the ability to create additional accounts or manipulate assets, potentially introducing weaknesses that can be exploited in subsequent attacks. Service accounts also warrant careful attention: they are frequently shared among internal and external teams within the enterprise, and their presence may go unnoticed until a routine account management audit reveals them, which makes them susceptible to exploitation as well.

Implementing Control

Account management is most effectively controlled through properly configured systems or centralised authentication.

Implementation Group 1 requires the following four safeguards:

5.1 Establish and Maintain an Inventory of Accounts

Create and maintain a comprehensive inventory of all enterprise-managed accounts, including both user and administrator accounts. At a minimum, the inventory should record the person’s name, username, start and stop dates, and department. Validate that all active accounts are authorised at least quarterly, or more frequently.

5.2 Use Unique Passwords

Use unique passwords for all enterprise assets. Best-practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.

5.3 Disable Dormant Accounts

Delete or disable any dormant accounts after 45 days of inactivity, where supported.

5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts

Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Users should perform routine computing activities, such as internet browsing, email, and productivity suite use, from their primary, non-privileged accounts.
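The four IG1 safeguards above are all checks that can be run against the account inventory that 5.1 asks for. The following script is an added example, not part of the CIS document or any CIS tooling: it reviews a constructed inventory against 5.1 (accounts still enabled past their stop date, authorisation review older than a quarter), 5.2 (password policy minimum below 8 with MFA or 14 without), 5.3 (no activity for more than 45 days) and 5.4 (a privileged account whose holder has no separate non-privileged account). The inventory fields, the sample accounts and the review date are assumptions; a real run would read the same fields from the directory or IAM export.

```python
"""Review an account inventory against CIS Control 5, IG1 safeguards.

Added example, not CIS code. Field names, the inventory layout and
the sample data below are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

DORMANT_DAYS = 45          # 5.3: disable after 45 days of inactivity
MIN_LEN_WITH_MFA = 8       # 5.2: 8-character minimum with MFA
MIN_LEN_WITHOUT_MFA = 14   # 5.2: 14-character minimum without MFA
REVIEW_DAYS = 90           # 5.1: validate authorisation at least quarterly


@dataclass
class Account:
    name: str                   # person, or owning team for a service account
    username: str
    department: str
    start: date                 # commencement date
    end: Optional[date]         # cessation date, None while still employed
    enabled: bool
    privileged: bool            # member of an administrator group
    mfa: bool
    min_password_length: int    # minimum length enforced by the policy applied to this account
    last_logon: Optional[date]  # None if the account has never logged on
    last_reviewed: Optional[date]  # None if authorisation has never been validated


def required_password_length(mfa: bool) -> int:
    """Safeguard 5.2 minimum, depending on whether the account uses MFA."""
    return MIN_LEN_WITH_MFA if mfa else MIN_LEN_WITHOUT_MFA


Finding = Tuple[str, str, str]  # (username, safeguard, description)


def review_accounts(inventory: List[Account], today: date) -> List[Finding]:
    """Return one finding per safeguard violation found in the inventory."""
    findings: List[Finding] = []
    # 5.4: every privileged account should belong to someone who also holds
    # an enabled non-privileged account for day-to-day work.
    standard_holders = {a.name for a in inventory if a.enabled and not a.privileged}

    for a in inventory:
        # 5.1: the inventory must not carry enabled accounts past their stop date,
        # and every account needs an authorisation check at least quarterly.
        if a.enabled and a.end is not None and a.end < today:
            findings.append((a.username, "5.1", f"enabled after cessation date {a.end}"))
        if a.last_reviewed is None or (today - a.last_reviewed).days > REVIEW_DAYS:
            findings.append((a.username, "5.1", "authorisation review overdue"))

        # 5.2: the policy applied to the account must meet the MFA-dependent minimum.
        need = required_password_length(a.mfa)
        if a.min_password_length < need:
            findings.append((a.username, "5.2",
                             f"policy minimum {a.min_password_length} below {need} "
                             f"required {'with' if a.mfa else 'without'} MFA"))

        # 5.3: an enabled account with no activity for more than 45 days is dormant.
        # An account that has never logged on is measured from its start date.
        if a.enabled:
            idle = (today - (a.last_logon or a.start)).days
            if idle > DORMANT_DAYS:
                findings.append((a.username, "5.3", f"dormant for {idle} days"))

        # 5.4: privileged accounts must be dedicated, i.e. paired with a standard account.
        if a.enabled and a.privileged and a.name not in standard_holders:
            findings.append((a.username, "5.4", "no separate non-privileged account for this person"))
    return findings


# Constructed sample inventory and review date (not real accounts).
REVIEW_DATE = date(2024, 3, 1)
SAMPLE_INVENTORY = [
    Account("Alice Smith", "asmith", "Finance", date(2021, 5, 3), None, True, False, True, 8,
            date(2024, 2, 27), date(2024, 1, 15)),
    Account("Alice Smith", "asmith-adm", "Finance", date(2022, 1, 10), None, True, True, True, 8,
            date(2024, 2, 28), date(2024, 1, 15)),
    # Left on 31 Jan but still enabled, last review in October, no logon for 51 days.
    Account("Bob Jones", "bjones", "Sales", date(2019, 9, 1), date(2024, 1, 31), True, False, False, 14,
            date(2024, 1, 10), date(2023, 10, 1)),
    # Service account without MFA but only a 10-character policy minimum.
    Account("Backup Team", "svc-backup", "IT", date(2020, 3, 2), None, True, False, False, 10,
            date(2024, 2, 29), date(2024, 2, 1)),
    # Privileged test account never used, never reviewed, holder has no standard account.
    Account("Carol Wu", "test-admin", "IT", date(2023, 11, 1), None, True, True, True, 8,
            None, None),
]

if __name__ == "__main__":
    for username, safeguard, detail in review_accounts(SAMPLE_INVENTORY, REVIEW_DATE):
        print(f"{username:12} {safeguard}  {detail}")
```

Run against the sample data, the script reports nothing for the paired Alice accounts and flags the departed user, the under-sized service account policy and the unused privileged test account. A check like this is only as good as the inventory behind it, which is why 5.1 comes first: the stop date and last-review fields are what make the 5.3 and 5.4 checks meaningful.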

Additional safeguards at Implementation Group 2 or 3:

5.5 Establish and Maintain an Inventory of Service Accounts
5.6 Centralise Account Management
