If you’ve ever been subject to typical IT security compliance regulations you’ve no doubt experienced the frustration of putting into action what can at times seem like complex, almost unintelligible requirements.
You’re in for a pleasant surprise the first time you read through the Consensus Audit Guidelines (CAG), published on the SANS website. It’s a very different kind of document.
Don’t let the CAG’s pedigree fool you: despite being compiled by federal government agencies, commercial forensics experts and penetration testers, the CAG gives no-nonsense, highly actionable guidelines for securing IT – written in language that’s easily understood by almost anyone in an IT organization.
The CAG consists of 20 sections, each outlining a different, critical security control.
Critical Security Control #12 – Administrative Privileges
With the rise in data breaches attributed to unauthorized access to privileged accounts, most regulatory compliance initiatives now mandate proper controls for these powerful identities. CAG is no exception. CAG Control 12 (formerly CAG 8) lists precisely the minimum controls necessary – and the actions you’ll need to take – to secure privileged credentials. The section starts by saying, “The misuse of administrator privileges is a primary method for attackers to spread inside a target enterprise” and I couldn’t agree more.
Today software solutions are available to help you comply with each of the fourteen CAG 12 requirements by providing the ability to:
- Continuously inventory all privileged accounts – on all hardware and appliance platforms; including administrative logins, application-to-application passwords and service accounts.
- Programmatically change all default privileged logins present in operating systems, applications, appliances, and elsewhere to cryptographically complex values.
- Change all privileged passwords on intervals not longer than 60 days.
- Enforce cryptographically complex, frequently-changed passwords on service accounts.
- Store system passwords in an encrypted format, accessible only by authorized super users.
- Enforce least-privilege so that privileged accounts are used only for system administration and never for activities requiring lesser privileges.
- Establish unique, different passwords for administrative and non-administrative accounts.
- Enforce rules to prevent privileged password re-use.
- Audit the use of privileged logins and alert management to any unusual activity.
- Log, audit and alert whenever privileged accounts are added, deleted or changed.
- Require multi-factor authentication for privileged access.
- Avoid direct logins with administrative accounts; instead use proxies wherever possible.
- Protect and control privileged access to your systems and data by third parties.
- Segregate privileged accounts based on defined roles.
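Several of the requirements above (the 60-day rotation interval, default logins, password re-use, and unique admin vs. non-admin passwords) can be checked mechanically against an account inventory. The following is an added example, not code from the original post or from Lieberman Software's ERPM; the inventory, the fingerprint values and the list of default fingerprints are constructed for illustration.

```python
"""Audit a privileged-account inventory against several CAG 12 controls."""
from collections import defaultdict
from datetime import date, timedelta

MAX_AGE = timedelta(days=60)  # "intervals not longer than 60 days"
# Constructed fingerprints of vendor default passwords; a real check would compare
# stored credential hashes against a maintained list of known defaults.
DEFAULT_FINGERPRINTS = {"fp-default-admin"}

# Constructed inventory. "fingerprint" stands for a hash of the stored secret, so
# two accounts with equal fingerprints share the same password.
INVENTORY = [
    {"id": "root@db01",       "privileged": True,  "fingerprint": "fp-a1", "changed": date(2013, 6, 1)},
    {"id": "root@web02",      "privileged": True,  "fingerprint": "fp-a1", "changed": date(2013, 6, 1)},
    {"id": "svc_backup@app1", "privileged": True,  "fingerprint": "fp-b2", "changed": date(2013, 1, 10)},
    {"id": "admin@fw01",      "privileged": True,  "fingerprint": "fp-default-admin", "changed": date(2013, 6, 20)},
    {"id": "jsmith-adm@dc1",  "privileged": True,  "fingerprint": "fp-c3", "changed": date(2013, 6, 15)},
    {"id": "jsmith@dc1",      "privileged": False, "fingerprint": "fp-c3", "changed": date(2013, 6, 15)},
]


def audit(inventory, today_iso):
    """Return a sorted list of (control, account_id) findings as of today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    findings = set()
    by_fingerprint = defaultdict(list)
    for acct in inventory:
        by_fingerprint[acct["fingerprint"]].append(acct)
        if not acct["privileged"]:
            continue  # non-privileged accounts only matter for the sharing checks below
        if today - acct["changed"] > MAX_AGE:
            findings.add(("rotation", acct["id"]))
        if acct["fingerprint"] in DEFAULT_FINGERPRINTS:
            findings.add(("default-credential", acct["id"]))
    for group in by_fingerprint.values():
        if len(group) < 2:
            continue
        privileged = [a for a in group if a["privileged"]]
        # The same secret on an admin and a non-admin account breaks the "unique passwords"
        # rule; the same secret on two privileged accounts is plain re-use.
        control = "admin-nonadmin-shared" if len(privileged) < len(group) else "reuse"
        for acct in privileged:
            findings.add((control, acct["id"]))
    return sorted(findings)


if __name__ == "__main__":
    for control, acct_id in audit(INVENTORY, "2013-07-01"):
        print(f"{control:22} {acct_id}")
```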
If your organization is looking for automated ways to secure privileged identities, you can do yourself a big favor and test competing software solutions – in a realistic, frequently changing test environment – to ensure that your chosen product meets every one of these CAG 12 requirements.
Fast Track to Compliance
My company, Lieberman Software Corporation, provides privileged identity management solutions, including our flagship product Enterprise Random Password Manager (ERPM), to make it easier for organizations of all sizes to satisfy each of these 14 requirements. And, our latest version of ERPM has improvements that make it even faster to deploy and monitor these controls. For example:
- In addition to RSA SecurID two-factor authentication, ERPM now supports time-based authentication by email and SMS with no further hardware or software to buy – plus added support for numerous other third-party hardware keys. This gives you the widest range of options – several at no added cost – to secure privileged access using multi-factor authentication.
- Along with pass-through authentication for administrative access to Windows machines, ERPM adds pass-through authentication for UNIX / Linux and mainframe computers and appliances. This allows you to grant subcontractors, outside vendors, and other configured personnel fast, audited, administrative access without their ever seeing a password.
- In addition to numerous options for directly alerting authorized staff to any unexpected events, ERPM integrates with leading helpdesk solutions to better control, audit and alert on privileged account access. Our latest version adds HP Service Manager to a long and growing list of integrated helpdesk solutions – also including BMC Remedy, Microsoft System Center Service Manager, and others. These integrations also allow you to configure privileged access only to the extent needed to resolve each documented IT service issue.
For more information about meeting the Consensus Audit Guidelines requirements visit the Lieberman Software CAG Compliance page.
What are your thoughts on the Consensus Audit Guidelines? Leave a comment below.