QW: Match active employees and contractors with all accounts and disable accounts that are not assigned to active employees or contractors.
Vis/Attrib: Monitor attempts to access deactivated accounts through audit logging.
Config/Hygiene: Profile each user’s typical account usage by determining normal time-of-day access and access duration for each user. Generate daily reports that indicate users who have logged in during unusual hours or have exceeded their normal login duration by 150%.
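The three sub-controls above (reconcile accounts against the active roster, log attempts against deactivated accounts, profile normal login hours and durations) can be checked with a short reconciliation script. The following Python is an added illustration, not code from the original document; the roster, account inventory and audit-log records are constructed inline, the account and person names are invented, and the "normal window" baseline (earliest to latest login hour, mean session length over prior days) is one simple profiling choice among several.

```python
"""Account reconciliation and usage-profiling checks (added example, constructed data)."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean

# Constructed HR roster: people who are currently active employees or contractors.
ACTIVE_PEOPLE = {"alice", "bob", "carol"}

# Constructed directory export: (account name, responsible person, enabled?)
ACCOUNTS = [
    ("alice", "alice", True),
    ("bob", "bob", True),
    ("carol", "carol", True),
    ("dave", "dave", True),          # dave is no longer on the active roster
    ("svc-backup", "carol", True),   # service account assigned to an active owner
    ("eve", "eve", False),           # already deactivated
]

# Constructed audit-log records: (account, login timestamp, session minutes, outcome)
EVENTS = [
    ("alice", "2024-03-04T09:05", 55, "success"),
    ("alice", "2024-03-05T08:50", 65, "success"),
    ("alice", "2024-03-06T09:20", 60, "success"),
    ("bob", "2024-03-04T10:00", 120, "success"),
    ("bob", "2024-03-05T10:10", 110, "success"),
    ("bob", "2024-03-06T09:55", 130, "success"),
    # the day under review
    ("alice", "2024-03-07T03:10", 200, "success"),   # off-hours and far over her usual duration
    ("bob", "2024-03-07T10:05", 125, "success"),     # within bob's normal pattern
    ("eve", "2024-03-07T22:40", 0, "failure"),       # attempt against a deactivated account
]


def accounts_to_disable(accounts, active_people):
    """QW: enabled accounts whose responsible person is not an active employee or contractor."""
    return sorted(name for name, owner, enabled in accounts
                  if enabled and owner not in active_people)


def disabled_account_attempts(events, accounts):
    """Vis/Attrib: any login attempt, successful or not, against a deactivated account."""
    disabled = {name for name, _, enabled in accounts if not enabled}
    return [(acct, ts) for acct, ts, _, _ in events if acct in disabled]


def build_profiles(events, before):
    """Config/Hygiene: per-account normal hour window and mean session length,
    built from successful logins strictly before the ISO date `before`."""
    cutoff = date.fromisoformat(before)
    history = defaultdict(list)
    for acct, ts, minutes, outcome in events:
        t = datetime.fromisoformat(ts)
        if outcome == "success" and t.date() < cutoff:
            history[acct].append((t.hour, minutes))
    return {
        acct: {
            "hours": (min(h for h, _ in rows), max(h for h, _ in rows)),
            "mean_minutes": mean(m for _, m in rows),
        }
        for acct, rows in history.items()
    }


def daily_report(events, profiles, day, threshold=1.5):
    """Flag successful logins on `day` (ISO date) outside the account's usual hour window
    or with a session longer than `threshold` times its mean (the 150% rule)."""
    target = date.fromisoformat(day)
    findings = []
    for acct, ts, minutes, outcome in events:
        t = datetime.fromisoformat(ts)
        if t.date() != target or outcome != "success":
            continue
        prof = profiles.get(acct)
        if prof is None:
            findings.append((acct, "no baseline available; review manually"))
            continue
        lo, hi = prof["hours"]
        if not lo <= t.hour <= hi:
            findings.append((acct, f"login at {t:%H:%M} outside usual window {lo:02d}-{hi:02d}h"))
        if minutes > threshold * prof["mean_minutes"]:
            findings.append((acct, f"session of {minutes} min exceeds {threshold:g}x baseline "
                                   f"of {prof['mean_minutes']:.0f} min"))
    return findings


if __name__ == "__main__":
    print("disable:", accounts_to_disable(ACCOUNTS, ACTIVE_PEOPLE))
    print("attempts on deactivated accounts:", disabled_account_attempts(EVENTS, ACCOUNTS))
    profiles = build_profiles(EVENTS, "2024-03-07")
    for finding in daily_report(EVENTS, profiles, "2024-03-07"):
        print("report:", *finding)
```

In practice the roster would come from the HR system and the account list and events from the directory and SIEM, and the baseline would be computed over a longer window than three days; the reconciliation and threshold logic stays the same.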
Procedures and tools for implementing this control:
A test account should be created every month, with very limited privileges so that it cannot access anything except public files on a system. No user should log into this test account. Any login activity to this test account should be investigated immediately. Automated software should check to ensure that the system generates a notice about such a test account after thirty days of non-use. Furthermore, an automated script should verify that the account has been disabled sixty days after the account was first created, notifying security personnel if the account has not been automatically disabled. At the end of this test interval, the first test account should be deleted, with a new limited test account created for the next round of automated checking.
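The monthly test-account procedure above amounts to three automated checks per account: any login at all is an incident, a dormancy notice is expected after thirty days, and the account must be disabled sixty days after creation. The Python below is an added example, not part of the original document; the account records, names and dates are constructed, the source address in the sample login is a made-up private IP, and it assumes the "days of non-use" clock starts at creation because the account is never legitimately used.

```python
"""Lifecycle checks for limited-privilege test accounts (added example, constructed data)."""
from datetime import date

NOTICE_DAYS = 30    # a non-use notice must have been generated by this age
DISABLE_DAYS = 60   # the account must be automatically disabled by this age

# Constructed directory records for three monthly test accounts.
# logins: (timestamp, source) pairs seen in audit logs; should always be empty.
TEST_ACCOUNTS = [
    {"name": "canary-2024-01", "created": "2024-01-01", "enabled": True,
     "notice_sent": True, "logins": []},
    {"name": "canary-2024-02", "created": "2024-02-01", "enabled": True,
     "notice_sent": False, "logins": [("2024-02-20T02:11", "10.0.0.5")]},
    {"name": "canary-2024-03", "created": "2024-03-01", "enabled": True,
     "notice_sent": False, "logins": []},
]


def check_test_account(acct, today):
    """Return (severity, message) findings for one test-account record as of ISO date `today`."""
    age_days = (date.fromisoformat(today) - date.fromisoformat(acct["created"])).days
    name = acct["name"]
    findings = []

    # Nobody should ever log into a test account: any activity is investigated immediately.
    if acct["logins"]:
        first_ts, first_src = acct["logins"][0]
        findings.append(("critical", f"{name}: {len(acct['logins'])} login(s), first at "
                                     f"{first_ts} from {first_src}; investigate immediately"))

    # The system is expected to raise a non-use notice after NOTICE_DAYS.
    if age_days >= NOTICE_DAYS and not acct["notice_sent"]:
        findings.append(("high", f"{name}: no non-use notice after {age_days} days "
                                 f"(expected at {NOTICE_DAYS})"))

    # The account must have been disabled automatically by DISABLE_DAYS after creation.
    if age_days >= DISABLE_DAYS:
        if acct["enabled"]:
            findings.append(("high", f"{name}: still enabled {age_days} days after creation "
                                     f"(expected disabled at {DISABLE_DAYS})"))
        else:
            findings.append(("info", f"{name}: test interval complete; delete it and "
                                     f"create the next test account"))
    return findings


def run_checks(accounts, today):
    """Evaluate every test account; returns {account name: [findings]}."""
    return {acct["name"]: check_test_account(acct, today) for acct in accounts}


if __name__ == "__main__":
    for name, findings in run_checks(TEST_ACCOUNTS, "2024-03-05").items():
        for severity, message in findings or [("ok", f"{name}: no findings")]:
            print(f"[{severity}] {message}")
```

The job would run daily against a fresh directory export and route "critical" findings to the incident process and "high" findings to whoever owns the account-automation, since those indicate the automatic notice or disablement itself has failed.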
Critical Control 12: Anti-Malware Defenses
How do attackers exploit the lack of this control?
Tens of thousands of viruses and other malicious code samples are circulating on the Internet, arriving as email attachments, as downloads from web sites, or through other delivery channels. Some malicious code actually turns anti-malware features off, giving the attacker's malware unfettered access to the system.
How can this control be implemented, automated, and its effectiveness measured?