WOW! ft. Bryon Singh, RailWorks Corporation

By Steve Gold
Posted in Security
On August 16, 2023

If you have ever played the massively multiplayer online role-playing game (MMORPG) World of Warcraft, you have entered a fantastical world where you create a character, embark on quests, and explore vast virtual landscapes.

In the early days of "World of Warcraft," the default account for players was the "Guest" account. The account had limited capabilities and was mainly meant for players who were trying out the game before subscribing to a full account. Not surprisingly, some players discovered that the "Guest" account had certain vulnerabilities, allowing them to exploit the system and gain unintended advantages.

To address this issue and ensure fair gameplay, the game developers, Blizzard Entertainment, took action to manage default accounts effectively. They disabled the "Guest" account feature and replaced it with a proper subscription system. By doing so, they eliminated the risk of exploitation and provided a level playing field for all players.

In the dynamic landscape of today's digital era, securing enterprise assets and software is a top priority to safeguard sensitive information and maintain uninterrupted business operations. CIS Safeguard 4.7 emphasizes the critical significance of managing default accounts on these crucial assets. Default accounts, such as root, administrator, and pre-configured vendor accounts, are often present in enterprise assets and software. Typically established during initial setup, these accounts serve administrative purposes. However, leaving them unchanged poses significant security risks.

Benefits of Managing Default Accounts:

Efficiently managing default accounts offers several key advantages. Foremost, it reduces the attack surface for potential cyber threats. By deactivating or securing default accounts, organizations close potential entry points for unauthorized individuals aiming to compromise sensitive data or disrupt business operations.

Implementing Best Practices:

CIS Safeguard 4.7 provides clear guidance on managing default accounts to enhance security. One approach is to disable or render these default accounts unusable after the initial setup is complete. This proactive measure ensures that these accounts cannot be exploited by malicious actors seeking unauthorized access. A common recommendation is to change passwords every 60 to 90 days. This practice helps mitigate the risk of password-based attacks, such as brute force or credential stuffing.

Additionally, organizations should create strong, unique passwords that are not easily guessable. Implementing multi-factor authentication (MFA) alongside regular password changes further enhances security by requiring an additional layer of verification beyond the password.
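The "disable or render unusable" step above is easy to state and easy to miss on a fleet of servers. Here is an added example, not from the original post, of a small POSIX shell audit that reads a shadow-format file, reports which well-known default accounts still have a live password, and prints the lock commands an administrator would review before applying. The account list, the sample shadow content and the `find_enabled_defaults`/`suggest_lock_commands` function names are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a shadow-format file for
# well-known default accounts whose login is still enabled, and emit the
# commands that would lock them. The account list and the sample data are
# constructed for illustration; adjust them to your environment.

# Default/vendor accounts to check (assumption: extend per platform/vendor)
DEFAULT_ACCOUNTS="root admin guest pi ubuntu ec2-user"

# Constructed sample in /etc/shadow format (name:hash:lastchg:min:max:warn:::).
# A password field beginning with '!' or '*' means the account is locked;
# an empty field means passwordless login, which is worse than a weak hash.
SAMPLE_SHADOW='root:$6$abc$hashed:19500:0:99999:7:::
admin:$6$def$hashed:19500:0:99999:7:::
guest:!:19500:0:99999:7:::
pi:*:19500:0:99999:7:::
alice:$6$ghi$hashed:19500:0:99999:7:::'

# Print, one per line, the default accounts present in the given file whose
# password field is NOT locked (does not start with '!' or '*').
find_enabled_defaults() {
  file="$1"
  for acct in $DEFAULT_ACCOUNTS; do
    # Skip accounts that do not exist on this system at all
    grep -q "^$acct:" "$file" || continue
    pw=$(awk -F: -v a="$acct" '$1 == a { print $2 }' "$file")
    case "$pw" in
      '!'*|'*'*) ;;          # locked: nothing to do
      *) echo "$acct" ;;     # enabled (an empty field lands here too)
    esac
  done
}

# Emit, but do not run, the lock commands for each enabled default account,
# so the output can be reviewed or fed to a change ticket before applying.
suggest_lock_commands() {
  find_enabled_defaults "$1" | while read -r acct; do
    echo "usermod -L '$acct' && usermod -s /usr/sbin/nologin '$acct'"
  done
}

# Stand-alone run against the constructed sample rather than the real
# /etc/shadow; point the functions at /etc/shadow (as root) for a live audit.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
echo "Enabled default accounts:"
find_enabled_defaults "$tmp"
echo "Suggested remediation:"
suggest_lock_commands "$tmp"
rm -f "$tmp"
```

On the sample data the audit reports `root` and `admin` (live hashes) and ignores `guest` and `pi` (already locked) and `alice` (not a default account). Locking root in particular should be paired with a tested break-glass path, which is why the script prints the commands instead of executing them.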

Here’s a link to a Secure Configuration Management Policy Template provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/secure-configuration-management-for-cis-control-4

Here are some details on this specific Control/Safeguard. If you want more detail, DM me.

CIS Control 4 – Secure Configuration of Enterprise Assets & Software

Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

Implementation Group 1

CIS Safeguard 4.7 - Manage Default Accounts on Enterprise Assets and Software

Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.