The Network: A U.S. federal government agency that is a long-standing user of EventTracker SIEM from Netsurion.
The Expectation: It is common practice for government agencies to engage contractors to perform IT related tasks. These contractors must go through a well-established clearance procedure, including background checks before access is permitted to the network they will be use. System Admins in IT should monitor authentication and access promptly and remove logins immediately once a vendor or employee leaves.
The Catch: Accounts setup for IT contractors were not disabled after their task was completed, or their contract ended.
The Find: Lax account login processes allow an unguarded door into the federal government network. No activity should be seen on an account set up for a person who no longer needs access to the network.
The Lesson: Identity and Access Management (IAM) is crucial to maintain U.S. federal government cybersecurity. Compliance mandates such as NIST 800-171 outline access control procedures to help eliminate insider threats as well as external security gaps. Other cybersecurity recommendations include:
- Admins immediately removing former contractors and employees from systems – especially individuals with elevated privileges to sensitive data
- Reviewing logs and reports regularly for suspicious behavior
- Implementing password best practices such as pass phrases, longer terms, and rotation
- Adopting least privilege access based on a “need to know”
- Being vigilant knowing the human element is a large threat vector
Learn more about how EventTracker SIEM supports government access and authentication controls.