Password and Account Management (Part 10 of 20: CERT Best Practices to Mitigate Insider Threats Series)
The tenth practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 10: Implement strict password and account management policies and practices. In this post, I discuss the importance of having strict policies for managing passwords and accounts.
The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, and provides case studies of organizations that failed to do so. The 10th of the 20 best practices follows.
Practice 10: Implement strict password and account management policies and practices.
Despite thorough network and systems defenses, and even after decades of use and countless hours of security awareness training, passwords can still be considered one of the weakest and most easily circumvented defenses. An attacker can compromise an account password using numerous methods, including social engineering and unattended workstations, as well as more technical methods such as keystroke loggers and password crackers.
Since accounts can be compromised through password issues, it is critical that they are managed to limit the impact of an account breach. This tight management includes implementing strategies such as password complexity, rotation, and inactivity timeouts, as well as following the principle of least privilege with regard to the permissions assigned to accounts.
Organizations can establish a culture of security by including good password hygiene in security refresher and other training methods and materials. Besides policies and technical controls, end-user knowledge and awareness is an undeniable asset in maintaining secure accounts. Password reuse ("nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more") across applications and services (both internal and external to the organization), along with predictable password permutations, will continue to be one of the greatest risks to account security. Ensure that users have a fundamental understanding of why complex, unique passwords are of paramount importance.
In addition, shared accounts for user-level functions should be avoided at all costs. These accounts make it difficult (and potentially impossible) to track the users who have knowledge of account credentials. Shared accounts also make attribution difficult because an analyst or investigator would need to correlate other pieces of data, such as the IP address of a user's workstation in conjunction with an active session, to determine who was logged into a shared account at a given time.
There are many cases in our corpus of insider incidents where an insider was able to connect back to organizational systems after termination using shared accounts whose passwords were not changed. Therefore, it is important that the organization ensure either that shared credentials known by a terminated employee are changed or that shared credentials are avoided entirely.
In the case of necessary service accounts with static passwords, limit and track the users who have access to the account password. Alternatively, use shared account password management (SAPM) tools that are capable of automatically updating shared credentials and the applications that use them. Where shared accounts are unavoidable, SAPM tools can also enforce periodic changes or allow an administrator to initiate a change immediately in the event of an employee's termination.
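The attribution problem described above (working out who was behind a shared-account session) is usually solved by joining the authentication log against whatever record says which workstation held a given IP address at that moment. The following is an added example, not code from the CERT guide or this post; the log format, the DHCP lease table, and the asset-owner mapping are all constructed sample data. It shows why the time of the session matters: the same address is leased to two different workstations on the same day, so a join on IP alone would attribute the evening session to the wrong person.

```python
"""Attribute shared-account sessions to people via IP-to-workstation leases.

Added example with constructed data (hypothetical log format, lease table
and asset inventory); not tooling from the CERT guide.
"""
import re
from datetime import datetime

# Constructed authentication log: one line per login to the shared account.
AUTH_LOG = [
    "2016-12-05T09:12:04Z login user=ops-shared src=10.1.4.22 session=s1",
    "2016-12-05T13:40:19Z login user=ops-shared src=10.1.4.37 session=s2",
    "2016-12-05T22:03:55Z login user=ops-shared src=10.1.4.22 session=s3",
    "2016-12-05T23:15:00Z login user=ops-shared src=10.1.9.8 session=s4",
    "2016-12-05T10:00:00Z login user=alice src=10.1.4.22 session=s5",
]

# Constructed DHCP lease records. Note 10.1.4.22 is reused by a second
# workstation in the evening, so the lease window must be checked.
DHCP_LEASES = [
    {"ip": "10.1.4.22", "host": "WS-ALICE", "start": "2016-12-05T08:00:00Z", "end": "2016-12-05T20:00:00Z"},
    {"ip": "10.1.4.37", "host": "WS-BOB",   "start": "2016-12-05T07:30:00Z", "end": "2016-12-05T19:30:00Z"},
    {"ip": "10.1.4.22", "host": "WS-CAROL", "start": "2016-12-05T20:30:00Z", "end": "2016-12-06T08:00:00Z"},
]

# Constructed asset inventory: workstation -> assigned user.
ASSET_OWNERS = {"WS-ALICE": "alice", "WS-BOB": "bob", "WS-CAROL": "carol"}

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) session=(?P<sid>\S+)$"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def host_for(ip, when):
    """Return the workstation that held `ip` at time `when`, or None."""
    for lease in DHCP_LEASES:
        if lease["ip"] == ip and parse_ts(lease["start"]) <= when < parse_ts(lease["end"]):
            return lease["host"]
    return None


def attribute_sessions(auth_lines, shared_account):
    """Map each session of `shared_account` to the person most likely behind it.

    Sessions whose source IP has no lease at that time (VPN, unmanaged device,
    spoofed address) are left UNATTRIBUTED rather than guessed.
    """
    result = {}
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if not m or m["user"] != shared_account:
            continue
        when = parse_ts(m["ts"])
        host = host_for(m["src"], when)
        person = ASSET_OWNERS.get(host) if host else None
        result[m["sid"]] = {
            "time": m["ts"],
            "src": m["src"],
            "host": host,
            "person": person or "UNATTRIBUTED",
        }
    return result


if __name__ == "__main__":
    for sid, info in attribute_sessions(AUTH_LOG, "ops-shared").items():
        print(sid, info)
```

The lease window check is what makes session s3 resolve to carol instead of alice; s4 stays unattributed because nothing in the lease table explains that address, which is exactly the kind of gap an investigator has to document rather than fill in.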
Backdoor accounts, those unknown by the organization, are also used by insiders, so it is critical that accounts be associated with individuals (or functions in the case of service accounts). In some insider incidents, insiders used training or test accounts; in other cases, insiders used accounts set up for external trusted business partners.
Periodic account auditing should help to identify
- accounts that have no owner or no currently employed owner
- shared account passwords that may be known by former employees
- password resets performed without a user's knowledge or without a valid record of why the password was reset
- accounts that have not been accessed for a "significant" amount of time
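The four audit conditions in the list above, plus the post-termination access pattern mentioned earlier, can be checked mechanically by joining a directory export against the HR roster and the help desk reset log. The following is an added example, not the guide's own tooling; the roster, account inventory, reset log, field names and 90-day dormancy threshold are all constructed assumptions.

```python
"""Periodic account audit over constructed sample data.

Added example; the HR roster, directory export, reset log and thresholds
are hypothetical and not from the CERT guide.
"""
from datetime import datetime, timedelta


def d(s):
    return datetime.strptime(s, "%Y-%m-%d")


# Constructed HR roster: who is currently employed, and when leavers left.
HR = {
    "alice": {"status": "active"},
    "bob": {"status": "active"},
    "dave": {"status": "terminated", "end": "2016-11-01"},
}

# Constructed directory export. `knowers` lists people who hold a shared
# or service account's password; `owner` is the accountable individual.
ACCOUNTS = [
    {"name": "alice", "owner": "alice", "type": "user", "last_login": "2016-12-04", "pw_set": "2016-10-15", "knowers": []},
    {"name": "bob", "owner": "bob", "type": "user", "last_login": "2016-07-02", "pw_set": "2016-06-30", "knowers": []},
    {"name": "dave", "owner": "dave", "type": "user", "last_login": "2016-11-20", "pw_set": "2016-09-01", "knowers": []},
    {"name": "train01", "owner": None, "type": "user", "last_login": None, "pw_set": "2015-03-12", "knowers": []},
    {"name": "ops-shared", "owner": "bob", "type": "shared", "last_login": "2016-12-05", "pw_set": "2016-09-01", "knowers": ["alice", "bob", "dave"]},
    {"name": "svc-backup", "owner": "alice", "type": "service", "last_login": "2016-12-05", "pw_set": "2016-11-15", "knowers": ["alice", "dave"]},
]

# Constructed help desk log of password resets; `ticket` is None when no
# request record exists.
RESET_LOG = [
    {"account": "alice", "ts": "2016-10-15", "ticket": "HD-1042"},
    {"account": "dave", "ts": "2016-11-20", "ticket": None},
]


def employed(user):
    rec = HR.get(user)
    return rec is not None and rec["status"] == "active"


def orphaned_accounts(accounts):
    """Accounts with no owner, or whose owner is no longer employed."""
    return [a["name"] for a in accounts if a["owner"] is None or not employed(a["owner"])]


def stale_shared_credentials(accounts):
    """Shared/service passwords not rotated since a knower left."""
    flagged = []
    for a in accounts:
        if a["type"] not in ("shared", "service"):
            continue
        for k in a["knowers"]:
            rec = HR.get(k)
            if rec and rec["status"] == "terminated" and d(a["pw_set"]) <= d(rec["end"]):
                flagged.append((a["name"], k))
    return flagged


def undocumented_resets(log):
    """Resets with no ticket, i.e. no record of who asked or why."""
    return [r["account"] for r in log if not r["ticket"]]


def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Accounts never used, or not used within the idle window."""
    cutoff = d(as_of) - timedelta(days=max_idle_days)
    return [a["name"] for a in accounts
            if a["last_login"] is None or d(a["last_login"]) < cutoff]


def activity_after_termination(accounts):
    """Accounts whose owner left but which were still used afterwards."""
    out = []
    for a in accounts:
        rec = HR.get(a["owner"]) if a["owner"] else None
        if rec and rec["status"] == "terminated" and a["last_login"] \
                and d(a["last_login"]) > d(rec["end"]):
            out.append(a["name"])
    return out


def run_audit(accounts, log, as_of):
    return {
        "orphaned": orphaned_accounts(accounts),
        "stale_shared": stale_shared_credentials(accounts),
        "undocumented_resets": undocumented_resets(log),
        "dormant": dormant_accounts(accounts, as_of),
        "used_after_termination": activity_after_termination(accounts),
    }


if __name__ == "__main__":
    for finding, items in run_audit(ACCOUNTS, RESET_LOG, "2016-12-06").items():
        print(f"{finding}: {items}")
```

In the sample data svc-backup is not flagged because its password was rotated after dave left, while ops-shared is; the dormancy threshold is a tunable that should be agreed with the business rather than the 90 days assumed here.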
It is critical that these policies apply not only to full-time employees, but also to part-time workers, contractors, subcontractors, interns, and other trusted business partners (TBPs) who require access to organizational assets. Managing TBP accounts may be difficult, depending on the contractual relationship. For example, a partner may not be contractually obligated to inform the contracting organization that one of its employees was terminated (with or without cause), thus allowing that employee's account to remain unnecessarily active.
Overall, policies and procedures, coupled with strong user training, provide a better baseline for securing passwords and accounts against both intentional and unintentional insider threats.
Refer to the complete fifth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned in this post.
Check back next week to read about the related Practice 11: Institute stringent access controls and monitoring policies on privileged users, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.