COI Report – Part VII
Page 310 of 425
logging in interactively, and logging in remotely via RDP. In the context of the attack, the attacker used this account to log in to Citrix Server 2 on multiple occasions in June 2018.
906. As detailed in the HITSPS, this account, being an unused account, should have been identified and disabled in order to prevent its use in unauthorised activity. Moving forward, there must be a recognition that such highly privileged accounts need to be managed and controlled.
40.6.1 Establish clear policies in relation to the use and management of service accounts

907. The compromise and use of the SA. account in the Cyber Attack clearly illustrates the real risk presented when service accounts with high privileges are not properly managed and controlled. We note, however, that the HITSPS is silent on specific policies and measures for the management of service accounts.
908. Because service accounts are not tied directly to a human, they must be treated differently from other accounts. A specific policy should be formulated in respect of service accounts. Examples of such policies include:

a) Longer Password Length – A policy requiring very long and complex passwords for service accounts is appropriate, as there is no memory burden on a human user to remember such passwords.

b) Longer Password Expiration – It is hard to set short password expiration policies, because resetting a service account password may break an application. However, a policy requiring the password to be changed, albeit at a longer interval, should still be imposed. This is necessary because, in the event a password is compromised by an attacker, he would otherwise have perpetual access to the service account.
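The two controls discussed in paragraphs 906 and 908 (identify and disable unused privileged accounts; hold service accounts to a longer password length and a longer but finite rotation interval) are easiest to enforce when they are written down as checkable rules. The following audit is an added example and is not code from the COI Report or from any of the organisations it describes. It assumes an account inventory exported from the directory into simple records; the policy thresholds (30-character minimum, 365-day service-account rotation, 90-day human rotation, 90-day unused window) and the four sample accounts are constructed for illustration and are not values from the report.

```python
"""Audit a directory-account inventory for the control gaps described above:
unused privileged accounts that should have been disabled, passwords older
than the rotation interval for their account class, and service-account
passwords that do not meet the length/complexity rule.
Added example; all thresholds and sample accounts are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Policy thresholds (assumed for illustration, not taken from the report).
SERVICE_MIN_PASSWORD_LEN = 30    # a) very long passwords: no human has to remember them
SERVICE_MAX_PASSWORD_AGE = 365   # b) still rotated, but at a longer interval than human accounts
HUMAN_MAX_PASSWORD_AGE = 90
UNUSED_AFTER_DAYS = 90           # no logon inside this window => candidate for disabling


@dataclass
class Account:
    name: str
    is_service: bool
    privileged: bool              # e.g. local admin on servers, domain admin
    enabled: bool
    last_logon: Optional[date]    # None = never logged on
    password_last_set: date


def is_unused(acct: Account, today: date) -> bool:
    """An enabled account with no logon inside the window counts as unused."""
    if not acct.enabled:
        return False
    if acct.last_logon is None:
        return True
    return (today - acct.last_logon).days > UNUSED_AFTER_DAYS


def password_overdue(acct: Account, today: date) -> bool:
    """Service accounts get the longer interval, but still a finite one."""
    limit = SERVICE_MAX_PASSWORD_AGE if acct.is_service else HUMAN_MAX_PASSWORD_AGE
    return (today - acct.password_last_set).days > limit


def service_password_meets_policy(candidate: str) -> bool:
    """Applied when a service-account password is set or rotated:
    minimum length plus all four character classes."""
    if len(candidate) < SERVICE_MIN_PASSWORD_LEN:
        return False
    return (any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(not c.isalnum() for c in candidate))


def audit(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for every enabled account that breaches policy."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if not a.enabled:
            continue                      # already disabled: nothing to action
        if a.privileged and is_unused(a, today):
            findings.append((a.name, "unused privileged account: disable"))
        if password_overdue(a, today):
            findings.append((a.name, "password older than policy maximum: rotate"))
    return findings


# Constructed sample inventory (not real accounts) and a fixed audit date.
AUDIT_DATE = date(2018, 6, 30)
SAMPLE_INVENTORY = [
    # privileged service account, never logged on, password never rotated
    Account("svc-backup", True, True, True, None, date(2015, 1, 10)),
    # privileged service account in active use, rotated 176 days ago: compliant
    Account("svc-monitor", True, True, True, date(2018, 6, 29), date(2018, 1, 5)),
    # ordinary user, active, but password is 149 days old against a 90-day rule
    Account("jsmith", False, False, True, date(2018, 6, 28), date(2018, 2, 1)),
    # old admin account that was already disabled: no finding
    Account("old-admin", False, True, False, date(2017, 1, 1), date(2016, 1, 1)),
]


def run_sample() -> List[Tuple[str, str]]:
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{name}: {finding}")
```

The audit deliberately skips disabled accounts: once an unused privileged account has been disabled, its stale password is no longer an exposure, which is exactly why paragraph 906 treats disabling as the first control. Length and complexity are checked at set-time because the directory does not expose stored passwords; the age check runs on whatever "password last set" field the inventory export provides.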