Effective vulnerability scanning tools compare the results of the current scan with those of previous scans to show how the vulnerabilities in the environment have changed over time. Security personnel use these features to trend vulnerabilities from month to month.
As scanning tools discover vulnerabilities caused by missing patches, security personnel should determine and document the time that elapsed between the public release of the patch and the scan that found the system still unpatched. If that window exceeds the organization's benchmark for deploying patches of that criticality level, security personnel should note the delay and determine whether a deviation was formally documented for the system and its patch. If not, the security team should work with management to improve the patching process.
Critical Control 11: Dormant Account Monitoring and Control
How do attackers exploit the lack of this control?
Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, which makes attacker activity hard to distinguish from normal use for those monitoring the network. Accounts of terminated contractors and employees have often been misused in this way. Malicious insiders and former employees have also used accounts left behind on a system long after a contract expired, keeping their access to the organization's computing systems and sensitive data for unauthorized and sometimes malicious purposes.
How can this control be implemented, automated, and its effectiveness measured?
QW: Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.
QW: Monitor account usage to identify accounts that have not been used for a given period, such as thirty days, and notify the user or the user's manager of the dormancy. After a longer period, such as sixty days, disable the account.
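The two quick wins above amount to a repeatable review: take an export of accounts with their last-logon dates, flag those idle past the notify threshold, and disable those idle past the longer threshold. The script below is an added example (not part of the Critical Controls text or any vendor tool) that performs that classification over a constructed sample export. It assumes the export carries a last-logon date, a creation date and an enabled flag per account; the thirty- and sixty-day thresholds are the ones suggested above and are parameters. One design choice is worth noting: an account that has never logged on has no last-logon stamp, so its idle time is measured from its creation date rather than being skipped, because never-used accounts are exactly the ones an attacker can adopt unnoticed.

```python
from datetime import datetime

# Thresholds suggested by the control text: notify after 30 idle days,
# disable after 60. Both are parameters of review() below.
NOTIFY_DAYS = 30
DISABLE_DAYS = 60

# Constructed sample account export (not real data). Each record mirrors
# what a directory or local-account report provides: last successful
# logon (None if the account has never authenticated), creation date,
# and whether the account is currently enabled.
SAMPLE_ACCOUNTS = [
    {"name": "alice",       "last_logon": "2024-05-28", "created": "2021-01-10", "enabled": True},
    {"name": "bob",         "last_logon": "2024-04-20", "created": "2020-03-05", "enabled": True},
    {"name": "contractor1", "last_logon": "2024-02-01", "created": "2023-11-01", "enabled": True},
    {"name": "svc_backup",  "last_logon": None,         "created": "2024-05-15", "enabled": True},
    {"name": "newhire",     "last_logon": None,         "created": "2024-03-01", "enabled": True},
    {"name": "olduser",     "last_logon": "2023-12-01", "created": "2019-06-01", "enabled": False},
]

# The review date is fixed so the sample classification is reproducible.
AS_OF = datetime(2024, 6, 1)


def _parse(date_text):
    """Parse an ISO date string; None (never logged on) stays None."""
    return datetime.strptime(date_text, "%Y-%m-%d") if date_text else None


def idle_days(account, as_of=AS_OF):
    """Days since the account was last used.

    Assumption made here: an account with no last-logon stamp is measured
    from its creation date, so never-used accounts still age out instead of
    being silently skipped by the review.
    """
    last_used = _parse(account["last_logon"]) or _parse(account["created"])
    return (as_of - last_used).days


def classify(account, as_of=AS_OF, notify_days=NOTIFY_DAYS, disable_days=DISABLE_DAYS):
    """Map one account to the action the control calls for."""
    if not account["enabled"]:
        return "already_disabled"   # nothing to do; keep it out of the notify list
    idle = idle_days(account, as_of)
    if idle >= disable_days:
        return "disable"
    if idle >= notify_days:
        return "notify"
    return "active"


def review(accounts, as_of=AS_OF, notify_days=NOTIFY_DAYS, disable_days=DISABLE_DAYS):
    """Return {name: (action, idle_days)} for every account in the export."""
    return {
        a["name"]: (classify(a, as_of, notify_days, disable_days), idle_days(a, as_of))
        for a in accounts
    }


if __name__ == "__main__":
    for name, (action, idle) in sorted(review(SAMPLE_ACCOUNTS).items()):
        print(f"{name:12s} idle={idle:4d}d  -> {action}")
```

Run against the sample data, the review notifies on `bob` (42 idle days), disables `contractor1` and the never-used `newhire` (121 and 92 days measured from last logon and creation respectively), leaves `alice` and the two-week-old `svc_backup` alone, and ignores `olduser` because it is already disabled. Running the same export on a fixed schedule, and counting how many accounts land in each bucket, gives the month-to-month measure of the control's effectiveness.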