Everyone, welcome back to the course. In the last video, we talked about Control 15, Wireless Access Control, and how it maps to the NIST Cybersecurity Framework. In this video, we're going to talk about Control 16, which is Account Monitoring and Control.
So when we think of accounts, yes, we think of users who have left, but also think about penetration tests: a lot of times accounts are created for the test, and sometimes they're not deleted or deactivated afterward.
So a lot of what happens is that attackers, whether an insider threat or an external attacker, can use these leftover accounts to continue to access our systems. You also see that quite a bit, like I mentioned, with employees that have left a company, whether by termination or voluntarily, but they can still log into their stuff. In fact, I had that experience where I left a company and I still had access to things. They never terminated me in their system. And so I noticed that I kept getting certain alerts to this stuff, without my logging in or using my credentials at all, but I kept getting alerts, so I knew I still had an active account. So it took several times reaching out to them for them to say, "Oh, yes, whoops, I guess you do." Right?
So let's talk about the sub-controls now. Sub-control 16.1: maintain an inventory of authentication systems. So make sure we understand what accounts we have and what authentication systems we have, and also know whether each one is on site or some type of remote service provider.
Sub-control 16.2: configure a centralized point of authentication. So again, we don't want to be going in and trying to do all this manually in multiple locations. We want a single spot where we can say, yes, Jane in Accounting needs access, let's give her that access, or Jane in Accounting just quit or got fired, let's take away that access from one single location.
Sub-control 16.3: of course, we always want to enable multi-factor authentication, and require it for all accounts on all systems, whether that's a third-party cloud environment or something on premises. Either way, you need to make sure you've got multi-factor authentication in place.
Sub-control 16.4: encrypt or hash all authentication credentials. So basically, as we're storing that information, we want to make sure we either encrypt or hash it. And preferably, I would say, you probably want it encrypted.
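The control's own wording is "encrypt or hash with a salt"; for stored user passwords specifically, the usual implementation is a salted, slow hash, because a login check only ever needs to recompute and compare, never to get the plaintext back. The following is an added example, not code from the course: it stores a PBKDF2-HMAC-SHA256 record with a random per-user salt and verifies in constant time. The iteration count, the record layout and the sample credential store are assumptions made for the illustration.

```python
"""Salted credential hashing for stored passwords (CIS sub-control 16.4).

Added example, not from the course. Standard library only: PBKDF2-HMAC-SHA256
with a random per-user salt and a constant-time comparison on verify. The
iteration count and the stored record layout
("pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>") are assumptions for
this illustration, not a requirement of the control.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: high enough that offline guessing is slow
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return the record to store instead of the password itself."""
    if salt is None:
        # Fresh salt per record, so two users with the same password get different hashes.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; nothing is ever decrypted."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # plaintext or a foreign record: refuse rather than guess
    _, iterations, salt_hex, hash_hex = parts
    try:
        recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                         bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(recomputed, bytes.fromhex(hash_hex))
    except ValueError:  # bad hex or non-numeric iteration count in the record
        return False


# Constructed credential store: what 16.4 says to keep instead of plaintext.
CREDENTIALS = {
    "jane.accounting": hash_password("correct horse battery staple"),
}


def authenticate(username: str, password: str) -> bool:
    """Login check against the store; unknown users fail without a timing tell."""
    record = CREDENTIALS.get(username)
    if record is None:
        # Still burn the hash cost so response time does not reveal whether the user exists.
        hash_password(password, salt=bytes(SALT_BYTES))
        return False
    return verify_password(record, password)


if __name__ == "__main__":
    print(CREDENTIALS["jane.accounting"])
    print(authenticate("jane.accounting", "correct horse battery staple"))
```

Because the salt and iteration count travel inside the record, the count can be raised later and old records re-hashed at next login; a plaintext value handed to verify_password is simply rejected.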
Sub-control 16.5: encrypt any transmission of usernames or other authentication credentials. So again, attackers can sniff your network, and you want to make sure it's encrypted so that even if they do sniff it, in most cases they're not able to get at the information.
Sub-control 16.6: maintain an inventory of accounts. So again, going back to what accounts you have, and have them organized by the authentication system that you're using.
Sub-control 16.7: establish a process for revoking access. As I mentioned in that example earlier, they didn't really have a process for revoking access once an employee left, so that's why my account was still active: everyone thought somebody else was doing it. So establish a process for revoking access when someone leaves or is terminated, or when a contract ends, or when, say, a pen tester is hired for a contract. When that engagement ends, make sure you revoke that access, and have a process behind doing so.
16.8: disable any unassociated accounts. If you don't know why this account is there, what the actual business process is or why we have it, or you can't associate it with a specific business user, then disable it immediately. The worst-case scenario there is that somebody calls you and says, hey, I can't access this anymore, and then you know: oh wait, that was associated, we just didn't have the name in there. So disable any unassociated accounts.
Sub-control 16.9: disable any dormant accounts as well. So again, if you don't know whose account it is, make sure you disable it. And then for the dormant accounts, make sure you've got a set period of inactivity, so if somebody doesn't use their account for X amount of time, you disable it.
I actually had that in place at a healthcare organization I worked at, because HR was terrible about telling me when people quit or were fired, and so a lot of times I didn't know to disable these accounts in the EMR system. The only time I knew was because a period of time would elapse on their login, and I would email them and get a bounce-back. Then I would contact HR and say, hey, is this person still employed? They'd say no, and it's like, OK, that explains it, and then I would disable the account. A very bad process, by the way, a terrible thing to have to do. Organizations like that will fix issues like that moving forward.
Sub-control 16.10: ensure all accounts have an expiration date. We're kind of going back to dormant accounts here: if they're inactive for a period of time, we also want to set an expiration date. Say, hey look, at a certain point this account is going to expire, especially for contract accounts, like if you're hiring a group of pen testers. Make sure you've got a specific expiration date in place.
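Sub-controls 16.6, 16.8, 16.9 and 16.10 are all questions you can ask of the same inventory: who owns this account, when was it last used, when does it expire, and which authentication system does it live in. The following is an added example, not code from the course, that runs those checks over a small inventory. The account rows, the field names and the 90-day idle threshold are constructed for the illustration; in practice the same fields would be exported from each directory or identity provider in your 16.1 inventory.

```python
"""Inventory review for CIS sub-controls 16.6, 16.8, 16.9 and 16.10.

Added example, not from the course. The inventory rows, the field names and
the 90-day idle threshold are constructed for illustration; a real run would
export the same fields (account, authentication system, owner, last login,
expiry) from each directory or IdP listed in the 16.1 inventory.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Account:
    name: str
    auth_system: str                 # where it lives (16.6: organise by authentication system)
    owner: Optional[str]             # business user or service owner; None means unassociated (16.8)
    last_login: Optional[datetime]   # None means it has never been used
    expires: Optional[datetime]      # None means no expiration date was set (16.10)
    enabled: bool = True


MAX_IDLE = timedelta(days=90)  # assumption: inactivity period after which an account is dormant (16.9)


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _utc(2024, 3, 1)

# Constructed sample inventory (not real data).
INVENTORY = [
    Account("jane.accounting", "AD", "Jane (Accounting)", _utc(2024, 2, 28), None),
    Account("pentest-svc01", "AD", "External pentest contract", _utc(2023, 10, 15), _utc(2023, 11, 30)),
    Account("tmp_admin", "EMR", None, _utc(2024, 2, 20), _utc(2024, 12, 31)),
    Account("rdavis", "EMR", "R. Davis (Nursing)", _utc(2023, 9, 1), _utc(2025, 1, 1)),
    Account("svc_backup", "AD", "Infrastructure team", _utc(2024, 2, 29), _utc(2024, 12, 31)),
    Account("old_user", "AD", "Former employee", _utc(2022, 1, 1), None, enabled=False),
]


def unassociated(accounts: List[Account]) -> List[str]:
    """16.8: enabled accounts nobody can tie to a business user or process."""
    return [a.name for a in accounts if a.enabled and not a.owner]


def dormant(accounts: List[Account], now: datetime, max_idle: timedelta = MAX_IDLE) -> List[str]:
    """16.9: enabled accounts idle longer than max_idle (never used counts as idle)."""
    return [a.name for a in accounts
            if a.enabled and (a.last_login is None or now - a.last_login > max_idle)]


def expired(accounts: List[Account], now: datetime) -> List[str]:
    """16.10: enabled accounts whose expiration date has passed but that are still on."""
    return [a.name for a in accounts if a.enabled and a.expires is not None and a.expires <= now]


def missing_expiration(accounts: List[Account]) -> List[str]:
    """16.10: enabled accounts with no expiration date at all."""
    return [a.name for a in accounts if a.enabled and a.expires is None]


def by_system(accounts: List[Account]) -> Dict[str, List[str]]:
    """16.6: the inventory organised by authentication system."""
    grouped: Dict[str, List[str]] = {}
    for a in accounts:
        grouped.setdefault(a.auth_system, []).append(a.name)
    return grouped


def review(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """Return the actions a reviewer would take; nothing is changed here."""
    to_disable = sorted(set(unassociated(accounts))
                        | set(dormant(accounts, now))
                        | set(expired(accounts, now)))
    needs_expiry = [n for n in missing_expiration(accounts) if n not in to_disable]
    return {"disable": to_disable, "set_expiration": needs_expiry}


def apply_review(accounts: List[Account], now: datetime) -> int:
    """Disable the flagged accounts in place and return how many were changed."""
    targets = set(review(accounts, now)["disable"])
    changed = 0
    for a in accounts:
        if a.name in targets and a.enabled:
            a.enabled = False
            changed += 1
    return changed


if __name__ == "__main__":
    for system, names in by_system(INVENTORY).items():
        print(f"{system}: {names}")
    for action, names in review(INVENTORY, NOW).items():
        print(f"{action}: {names}")
```

On the sample data the review flags the finished pentest account (expired and dormant), the nurse who has not logged in for six months (dormant) and the ownerless EMR admin account (unassociated) for disabling, and points out that Jane's account has no expiration date; the already-disabled former employee is skipped. Running the review on a schedule is the "set period of inactivity" from 16.9 made concrete, and the disable step is deliberately separate from the report so a human can look at the list first.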
Sub-control 16.11: lock workstations after inactivity. One of the ways I instructed clinicians on doing this when I worked in healthcare was basically: think about it this way. Let's say you walk away from the computer, and someone else comes up and deletes all of the charting you've done for the day. And it's 4:30, you know, it's five o'clock, you're already going to get out late because you figured on finishing giving this patient their medications. Your husband's calling, the kids are screaming on the phone, all these things are happening because it's never perfect, right? You've missed lunch, you've got a full bladder, and you forgot to lock your workstation. So someone comes in and deletes all your charting, and now you've got to stay for hours to finish that charting and redo it all. Once I put it like that, nurses consistently, across the board, were locking their workstations. It was great. But what you can do as an organization is set a timeout on that, so after a certain period of inactivity the workstation will lock itself.
16.12: monitor attempts to access deactivated accounts. So let's say, for example, I leave a company and my account is deactivated. You want to make sure you're monitoring and logging whether someone's trying to log into that account, because maybe it's not me; maybe an attacker has found that information and is trying to get in to see if it's still a valid account.
And 16.13: alert on account login behavior deviation. So as an example, if I normally log in from 9 to 5 and I log in at 2 a.m., or someone with my credentials logs in at 2 a.m., that might be a red flag and you might send an alert. It could also just mean I had a big project and I'm working late on it, but usually it's some kind of behavior deviation, and it's abnormal, so that should be flagged and alerted on, and you get a notification about that.
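Both 16.12 and 16.13 come down to two checks over the authentication log: is the account on the deactivated list, and does the login time fall outside what this user normally does. The following is an added example, not code from the course, that runs both checks over sample log lines. The log format, the user names, the source addresses and the timestamps are constructed for the illustration; the baseline is simply the UTC hours in which each user has logged in successfully before, which is the 9-to-5 idea from the text made concrete.

```python
"""Detection logic for CIS sub-controls 16.12 and 16.13 over sample auth logs.

Added example, not from the course. The log line format, user names, source
addresses and timestamps are constructed for illustration; real input would
be an IdP or directory audit log, but the two checks are the same.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

# Constructed history of successful logins: jane works roughly 9 to 5 UTC.
HISTORY = [
    "2024-02-26T09:02:11Z user=jane src=10.0.0.21 result=SUCCESS",
    "2024-02-26T13:15:40Z user=jane src=10.0.0.21 result=SUCCESS",
    "2024-02-27T08:58:03Z user=jane src=10.0.0.21 result=SUCCESS",
    "2024-02-27T16:45:12Z user=jane src=10.0.0.21 result=SUCCESS",
    "2024-02-28T10:20:55Z user=jane src=10.0.0.21 result=SUCCESS",
    "2024-02-28T17:01:09Z user=jane src=10.0.0.21 result=SUCCESS",
]

# Constructed events to evaluate. "bob" left the company and was deactivated.
TODAY = [
    "2024-03-01T10:05:30Z user=jane src=10.0.0.21 result=SUCCESS",
    "2024-03-01T02:13:44Z user=jane src=203.0.113.5 result=SUCCESS",
    "2024-03-01T03:00:00Z user=bob src=198.51.100.7 result=FAILURE",
    "2024-03-01T03:00:05Z user=bob src=198.51.100.7 result=SUCCESS",
    "2024-03-01T22:10:00Z user=newhire src=10.0.0.40 result=SUCCESS",
    "this line is not an auth event",
]

DEACTIVATED: Set[str] = {"bob"}  # fed from the 16.7 revocation process


def parse(line: str) -> Optional[dict]:
    """Turn one log line into an event, or None if it is not an auth event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def learn_hours(history: List[str]) -> Dict[str, Set[int]]:
    """Baseline for 16.13: the UTC hours in which each user has logged in successfully before."""
    baseline: Dict[str, Set[int]] = {}
    for line in history:
        ev = parse(line)
        if ev and ev["result"] == "SUCCESS":
            baseline.setdefault(ev["user"], set()).add(ev["ts"].hour)
    return baseline


def detect(lines: List[str], deactivated: Set[str], baseline: Dict[str, Set[int]]) -> List[dict]:
    """Run the 16.12 and 16.13 checks over log lines and return the alerts raised."""
    alerts: List[dict] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["user"] in deactivated:
            # 16.12: any attempt counts; a SUCCESS means the deactivation did not take.
            severity = "high" if ev["result"] == "SUCCESS" else "medium"
            alerts.append({"rule": "16.12", "user": ev["user"], "src": ev["src"],
                           "severity": severity,
                           "detail": f"{ev['result']} against deactivated account at {ev['ts'].isoformat()}"})
            continue
        hours = baseline.get(ev["user"])
        if ev["result"] == "SUCCESS" and hours and ev["ts"].hour not in hours:
            # 16.13: a successful login in an hour this user has never logged in before.
            alerts.append({"rule": "16.13", "user": ev["user"], "src": ev["src"],
                           "severity": "medium",
                           "detail": f"login at {ev['ts'].hour:02d}:00 UTC, usual hours {sorted(hours)}"})
        # A user with no baseline yet (e.g. a new hire) is not scored: nothing to deviate from.
    return alerts


def run_sample() -> List[dict]:
    """Evaluate the constructed day against the constructed history."""
    return detect(TODAY, DEACTIVATED, learn_hours(HISTORY))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data this raises three alerts: Jane's 2 a.m. login from an unfamiliar address, a failed attempt against Bob's deactivated account, and then a success against it, which is the case the text warns about and the one that should page someone. The 10 a.m. login and the new hire's evening login raise nothing, the first because it is inside the baseline and the second because there is no baseline yet; in production you would also want the set of source addresses and the failure rate in the baseline, but the hour-of-day check alone is what 16.13 describes.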
So in this video we talked through CIS Control 16. In the next video we'll see how it maps to the NIST Cybersecurity Framework.