What is controlled use of administrative privileges?
From my first blog post, Importance of Cyber Security, I briefly talked about simple steps to take to properly secure data. Two of the four steps mentioned from the previous post is covered by the fourth CIS control: Controlled Use of Administrative Privileges. What is a CIS control and what exactly is controlled use of administrative privileges? The Center for Internet Security (CIS) published top 20 security controls to support organizations defend against cyber attacks. CIS explains controlled use of administrative privilege as “the processes and tools used to track, control, prevent, correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.”
There are total of nine sub controls that provide detailed information on the steps that should be taken to protect our accounts, data and our systems.
Maintain Inventory of Administrative Accounts
There are tools such as Active Directory to support organizations to maintain an inventory of all the administrative accounts to make sure only authorized users have elevated privileges. This also leads to the idea principle of least privilege, which refers to giving users only the privilege (or access) needed to perform their jobs.
Change Default Passwords
New systems or programs may come with default passwords. All default passwords must be changed and must use unique passwords.
Use of Dedicated Administrative Accounts
A dedicated administrative account should be created so users are able to use that certain account to carry out elevated tasks. For normal and daily tasks, users should be using an account with the least privileged access.
Use Unique Passwords
This was mentioned with the second sub control regarding default passwords. All systems and accounts must have different passwords with complex password requirements.
Use Multi-Factor Authentication for All Administrative Access
I understand how annoying it can be to have to go through multiple steps to access your email account, or to even unlock your phone. But if you think from the attackers perspective, this might take too long trying to find out a way to crack through multiple lines of defense so the attacker might give up without even trying. It is very important to have multi-factor authentication to protect data and systems. One time tokens can be used which is like sending a “token” or a passcode to your phone to verify yourself, or biometric authentication which can be using your fingerprint.
Use Dedicated Workstations For All Administrative Tasks
Along with having dedicated administrative accounts, setting up dedicated workstations separated from the primary network without internet access will help prevent attackers from breaching.
Limit Access to Scripting Tools
There are tools such as PowerShell, command prompt, terminals, and python which are used often by attackers to create malicious scripts and codes. Best suggestion is that if the employees do not need access to these tools, it should be restricted.
Log and Alert on Changes to Administrative Group Membership
This can be done by configuring systems to create a log and an alert when an account is added or removed from specific groups with administrative access.
Log and Alert Unsuccessful Administrative Account Login
With the correct configurations, the system can create a log and send an alert for failed logins which could be a sign of an attack.
Controlled Use of Administrative Privileges is necessary to deter an attacker from trying to access proprietary information through system compromise and gain control over administrative accounts to steal, modify and, or delete sensitive data. Strong policies should be applied through active directories for administrative accounts, implement least privilege access controls, encrypt folders containing sensitive data and use multi-factor authentication to include either one time tokens, or biometric authentication to prevent the attacker from gaining access in case the administrative account has been compromised. Implementing the control will support the organization in maintaining administrative accounts, keep track of who is using the accounts, which files, folders and directories were modified, and prevent attackers from gaining access to perform malicious acts.