Account Management
A preferred technique of attackers is to become “normal” privileged users of the systems they compromise as soon as possible. They can accomplish this in at least three ways: compromise an existing privileged account, create a new privileged account, or elevate the privileges of a regular user account.
Adding Accounts
First, all new users should be required to read through and acknowledge they understand (typically by signing) all policies that apply to them. At a minimum, every organization should have (and every user should sign) an acceptable use policy (AUP) that specifies what the organization considers acceptable use of the information systems that are made available to the employee.
Testing that all employees are aware of the AUP and other applicable policies can be the first step in auditing user accounts.
Modifying Accounts
Organizations that are mature in their security processes will have a change control process in place to address user privileges. While many auditors will focus on who has administrative privileges in the organization, there are many custom sets of permissions that approach the level of an admin account. It is important, then, to have and test processes by which elevated privileges are issued.
Suspending Accounts
Another important practice in account management is to suspend accounts that are no longer needed.
Backup Verification
Whatever the approach to backing up our organizational data, we need to periodically test it to ensure that the backups will work as promised when we need them.