Manage Accounts, Vulnerabilities, and Audit Logs
After completing this unit, you’ll be able to:
- Define why account management is critical.
- Describe procedures and tools to manage access control.
- Explain how to use Safeguards to continuously manage vulnerabilities.
- Identify how managing audit logs enables an organization to detect malicious activity quickly.
- List procedures and tools for managing audit logs.
You now have a better idea of how to inventory, control, and configure assets. Next let’s take a look at how to manage accounts, access control, vulnerabilities, and audit logs.
Meet Matthaeus, a security auditor at a state government office. As a security auditor, Matthaeus knows it’s critical that his organization uses processes and tools to identify, assign, and manage users and their credentials for their accounts. To improve his office’s account management capabilities, Matthaeus works with the office’s Identity and Access Management (IAM) team to verify that credentials are inventoried and tracked, since this is the primary entry point into the enterprise.
Matthaeus works with the IAM team to verify that appropriate password policies are in place, and guidance is issued not to reuse passwords. He also asks the IAM team to make sure that individuals’ passwords are uniquely assigned and that no sharing exists. Additionally, he audits his organization’s security controls to verify that these Safeguards are in place.
- Establish and Maintain an Inventory of Accounts: He verifies that the IAM team has established an inventory of all accounts the office manages.
- Use Unique Passwords: He verifies that the IAM team has put in place technical controls to enforce the use of unique passwords for all the office’s assets, that passwords are at least eight characters long, and that accounts use multi-factor authentication (MFA).
- Disable Dormant Accounts: He verifies that the IAM team has a process to delete or disable any dormant accounts after a period of 45 days of inactivity.
- Restrict Administrator Privileges to Dedicated Administrator Accounts: He validates that the IAM team has implemented technical controls to restrict administrators from conducting general computing activities such as internet browsing, email, and productivity suite use from their privileged account.
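As an added example that is not part of this unit’s material, here is a small Python review of a constructed account inventory export that applies three of the Safeguards above: accounts present in the directory but missing from the inventory, accounts dormant for more than 45 days, and administrator accounts without MFA. The field names, usernames and the directory export are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data, not an export from any real directory: one row per
# account with its last successful login (None = never), MFA state and whether
# the account holds administrator privileges.
ACCOUNTS = [
    {"user": "alice",      "last_login": "2024-05-01", "mfa": True,  "admin": False},
    {"user": "bob",        "last_login": "2024-01-15", "mfa": True,  "admin": False},
    {"user": "svc-backup", "last_login": "2024-04-30", "mfa": False, "admin": True},
    {"user": "carol-adm",  "last_login": "2024-04-28", "mfa": False, "admin": True},
    {"user": "dave",       "last_login": None,         "mfa": False, "admin": False},
]
# Constructed list of usernames as the directory itself reports them.
DIRECTORY_USERS = ["alice", "bob", "carol-adm", "dave", "svc-backup", "tmp-contractor"]
DORMANT_DAYS = 45  # inactivity threshold from the Disable Dormant Accounts Safeguard

def unlisted_accounts(directory_users, accounts):
    """Accounts that exist in the directory but are missing from the inventory."""
    return sorted(set(directory_users) - {a["user"] for a in accounts})

def review_accounts(accounts, today_iso, dormant_days=DORMANT_DAYS):
    """Return the accounts that fail two of the Safeguards above.

    dormant:           no successful login within dormant_days (or never logged in)
    admin_without_mfa: privileged accounts that do not use MFA
    """
    cutoff = date.fromisoformat(today_iso) - timedelta(days=dormant_days)
    dormant, admin_without_mfa = [], []
    for acct in accounts:
        last = acct["last_login"]
        if last is None or date.fromisoformat(last) < cutoff:
            dormant.append(acct["user"])
        if acct["admin"] and not acct["mfa"]:
            admin_without_mfa.append(acct["user"])
    return {"dormant": dormant, "admin_without_mfa": admin_without_mfa}

if __name__ == "__main__":
    print("not in inventory:", unlisted_accounts(DIRECTORY_USERS, ACCOUNTS))
    for issue, users in review_accounts(ACCOUNTS, "2024-05-02").items():
        print(f"{issue}: {', '.join(users) or 'none'}")
```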
Matthaeus knows these Safeguards are critical to help the organization identify, assign, and manage users and their credentials for their accounts.
Manage Access Control
Now that Matthaeus has verified how the office manages accounts, he next turns to reviewing the processes and tools the office uses to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for assets and software. He works with the IAM team to verify the implementation of these Safeguards to improve the office’s access control management.
- Establish an Access Granting Process: The IAM team establishes an automated process for granting access to assets when a user is hired, when a user’s rights are granted, or when a user’s role changes.
- Establish an Access Revoking Process: The IAM team follows an automated process for revoking access to enterprise assets, by disabling accounts immediately upon a user’s termination, removal of the user’s access rights, or a user’s transition to a new role.
Require MFA for:
- Externally Exposed Applications: The IAM team requires users to log in to all externally exposed (internet-facing) applications using MFA, where supported.
- Remote Network Access: The IAM team requires MFA for remote access to the state government’s network.
- Administrative Access: The IAM team requires MFA for all administrative accounts, where supported, on all assets, whether managed onsite or through a third-party provider.
Matthaeus knows that implementing these Safeguards helps ensure that users have access only to the data or assets appropriate for their role, and that there is strong authentication for critical data or functions.
Continuously Manage Vulnerabilities
Next, Matthaeus meets with the vulnerability management team to review their plans to assess and track vulnerabilities on the office’s assets, in order to remediate and minimize the window of opportunity for attackers. He suggests that, at a minimum, they use Security Content Automation Protocol (SCAP) tools to automate the discovery of asset vulnerabilities and items out of compliance.
Matthaeus also suggests increasing the frequency of scanning activities as the diversity of the office’s assets increases, to account for the varying patch cycles of each vendor. He also recommends that the office consider the use of evaluated open-source tools with a high level of community support to evaluate security settings and configurations of the office’s assets.
In addition, Matthaeus works with the vulnerability management team to verify that these Safeguards are in place.
- Establish and Maintain a Vulnerability Management Process: He verifies that the team has established a documented vulnerability management process, policy, and procedures to identify, evaluate, mitigate, and report on asset security vulnerabilities.
- Establish and Maintain a Risk Remediation Process: He verifies that the team maintains a risk-based remediation strategy documented in a remediation process, with regular reviews.
- Perform Automated Operating System Patch Management: He verifies that the vulnerability management team performs operating system updates on the office’s assets through automated patch management on a regular basis, after first verifying on a test system that the updates don’t cause harm.
- Perform Automated Application Patch Management: He verifies that the team performs application updates on all the office’s assets through automated patch management on a regular basis.
Matthaeus knows that implementing these Safeguards will help the office’s cyberdefenders fight back against attackers who are looking to exploit vulnerabilities within the office’s infrastructure and gain unauthorized access.
Manage Audit Logs
Finally, Matthaeus is ready to evaluate the office’s audit log management, including how the organization collects, alerts, reviews, and retains audit logs of events that could help detect, understand, or recover from an attack. He knows that log collection and analysis is critical for the office’s ability to detect and analyze malicious activity quickly.
Sometimes audit records are the only evidence of a successful attack. Attackers know that many enterprises keep audit logs for compliance purposes, but rarely analyze them. Attackers use this knowledge to prevent detection of their activities, and to prevent detection of any installed malicious software on victim machines. Due to poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing.
Matthaeus knows that there are two types of logs that are generally treated and often configured independently: system logs and audit logs. System logs typically provide system-level events that show various system process start/end times, crashes, and more. These are native to systems, and take less configuration to turn on. Audit logs typically include user-level events—when a user logged in, accessed a file, and so on—and take more planning and effort to set up as part of an organization’s monitoring strategy.
Logging records are critical for incident response. After an incident is detected and confirmed, the incident response team analyzes logs to help them understand the extent of an attack. Complete logging records can show, for example, when and how the attack occurred, what information was accessed, and if data was exfiltrated.
Procedures and Tools for Audit Log Management
Most assets and software offer built-in logging capabilities. Matthaeus works with the office’s infrastructure support specialist to verify that this logging is enabled, and that logs are sent to centralized logging servers (often a Security Information and Event Management [SIEM] tool).
He verifies that all network and system assets, such as firewalls, routers, switches, proxies, and servers (including remote access servers and virtual private networks [VPNs]), are configured for verbose logging where beneficial. He also discusses with the specialist the processes for log data retention, which matter if an incident investigation is required.
Matthaeus works with the office’s infrastructure support team to verify that all assets are configured to a standardized security baseline, and that the assets generate log entries to share with a centralized log server (SIEM tool) when a user attempts to access resources without the appropriate privileges.
He also verifies that the team periodically scans through its logs and compares them with the office’s asset inventory, to ensure that each managed asset actively connected to the network is generating logs. In addition, Matthaeus verifies these Safeguards for audit log management are also in place.
- Establish and Maintain an Audit Log Management Process: He verifies that the team has established an audit log management process that defines the office’s logging requirements. He validates that they review and update the documentation annually, or when significant changes occur that could impact this Safeguard.
- Collect Audit Logs: He validates that the team collects audit logs in a centralized location, and ensures that logging, per the office’s audit log management process, has been enabled across the office’s assets.
- Ensure Adequate Audit Log Storage: He verifies the logging destinations maintain adequate storage to comply with the office’s audit log management process.
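The two checks described above, log coverage against the asset inventory and repeated access attempts without the appropriate privileges, as an added Python example that is not part of this unit: it runs over a few constructed records in an assumed `timestamp key=value ...` format, as a central log server might store them, and a constructed inventory.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data, not captured from any real system: the office's asset
# inventory and a few records as a central log server (SIEM) might store them.
INVENTORY = ["fw01", "rtr01", "sw01", "vpn01", "srv-files", "srv-hr"]
LOG_LINES = [
    "2024-05-02T08:15:00 host=fw01 event=conn_allow src=10.0.1.5 dst=10.0.2.10",
    "2024-05-02T08:16:10 host=srv-files event=access_denied user=bob path=/finance/payroll.xlsx",
    "2024-05-02T08:17:30 host=vpn01 event=login_ok user=alice",
    "2024-05-02T08:18:05 host=srv-files event=access_denied user=bob path=/finance/budget.xlsx",
    "2024-05-01T12:40:00 host=rtr01 event=config_change user=carol-adm",
    "2024-05-02T08:20:00 host=srv-hr event=access_denied user=svc-backup path=/hr/reviews",
    "not a well-formed record",
]
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<fields>.*)$")

def parse_line(line):
    """Turn one record into a dict with a datetime under 'ts' plus its key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed records are skipped, not allowed to abort the review
    rec = {"ts": datetime.fromisoformat(m.group("ts"))}
    for field in m.group("fields").split():
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def silent_assets(inventory, lines, now_iso, max_silence_hours=12):
    """Inventory assets with no record within max_silence_hours of now_iso, or none at all."""
    latest = {}
    for rec in filter(None, map(parse_line, lines)):
        host = rec.get("host")
        if host and rec["ts"] > latest.get(host, datetime.min):
            latest[host] = rec["ts"]
    cutoff = datetime.fromisoformat(now_iso) - timedelta(hours=max_silence_hours)
    return sorted(h for h in inventory if latest.get(h, datetime.min) < cutoff)

def denied_access_by_user(lines, threshold=2):
    """Users whose privilege-denied access attempts reach the threshold, with their counts."""
    counts = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec.get("event") == "access_denied":
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print("assets silent for >12h:", silent_assets(INVENTORY, LOG_LINES, "2024-05-02T09:00:00"))
    print("repeated denied access:", denied_access_by_user(LOG_LINES))
```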
Matthaeus knows that implementing these Safeguards can really help identify attack patterns and follow up on investigations.
Sum It Up
In this unit, you’ve been introduced to why account management is critical. You’ve learned about procedures and tools to manage access control. You’ve also learned about Safeguards to continuously manage vulnerabilities, and reasons why managing audit logs is critical.
Next, you learn about protecting email, defending against malware, Safeguards to recover data, and reasons why managing networks is critical.