Answer yes if your organisation records and stores administrator activity logs for its IT production systems and endpoint devices.
What is the control?
Administrator-level accounts, also known as “super user” or “root” accounts, are of particular importance. They allow the user to read from, write to, or execute anything on the system. This also makes them a key target for attackers.
The use of these accounts should be closely monitored, as unexpected use could be the first sign of a breach. This is especially true because, under normal operations, the use of these accounts should be very limited.
Why should I have it?
In a mature IT organisation, role-based access principles dictate that separate accounts, assigned to a particular individual for purposes of non-repudiation, be used for specific roles and their associated tasks (even administrative ones). Therefore the “super user” administrative accounts are typically only used to create these other [administrative] accounts and should not be used for other operational functions.
It’s very important to monitor these accounts as their use for anything else can indicate a compromise or that your policies, processes, and controls around administrative and role-based access are not being adhered to.
So fundamental are these accounts to security that their monitoring is prescribed in virtually every compliance framework and as part of most companies’ security due diligence questionnaires.
Have your logging policy require the logging of all activity for any account with administrative privileges. Your policy should also state that these logs be sent to a central system, such as your SIEM if present, for safekeeping and correlation purposes.
Once you have a policy, ensure it is applied by all your teams for their respective areas in order to cover the full array of systems used in the environment (network devices, servers, desktops, etc.).
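A minimal illustration of the kind of rule a SIEM would run over those centralised logs, added here as an example and not part of the original article. It assumes Linux sudo syslog entries, a single super-user account named root, and that the policy permits that account only the account-administration commands listed; the log lines are constructed sample data.

```python
import re

# Constructed sample data in the style of Linux sudo syslog lines (not from any real system).
SAMPLE_LOG = """\
Mar 10 09:01:12 web01 sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd -m -G sudo alice.admin
Mar 10 09:02:45 web01 sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd alice.admin
Mar 10 11:17:03 db02 sudo: root : TTY=pts/1 ; PWD=/var/lib/mysql ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/dump.tgz .
Mar 10 11:40:09 web01 sudo: alice.admin : TTY=pts/2 ; PWD=/home/alice.admin ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 23:55:41 web01 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/bash
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<invoker>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Assumptions for this example: the shared super-user account is "root", and the policy
# described above permits it only to create and maintain other administrative accounts.
SUPER_USERS = {"root"}
ACCOUNT_ADMIN_BINARIES = {"useradd", "usermod", "userdel", "passwd", "chage", "gpasswd"}

def parse_sudo_events(text):
    """Parse sudo syslog lines into dicts; lines that do not match are ignored."""
    return [m.groupdict() for line in text.splitlines() if (m := SUDO_RE.match(line))]

def flag_super_user_misuse(events):
    """Return events where a super-user account itself ran anything other than an
    account-administration command. A named individual escalating via sudo (USER=root)
    is the expected role-based pattern: it is logged but not flagged here."""
    flagged = []
    for event in events:
        if event["invoker"] not in SUPER_USERS:
            continue
        binary = event["cmd"].split()[0].rsplit("/", 1)[-1]  # basename of the executable
        if binary not in ACCOUNT_ADMIN_BINARIES:
            flagged.append(event)
    return flagged

def to_alert(event):
    """Normalise a flagged event into the fields a SIEM would correlate on."""
    return {
        "time": event["ts"],
        "host": event["host"],
        "account": event["invoker"],
        "command": event["cmd"],
        "rule": "super-user account used outside account administration",
    }

if __name__ == "__main__":
    for event in flag_super_user_misuse(parse_sudo_events(SAMPLE_LOG)):
        print(to_alert(event))
```

Run as-is it reports the tar job on db02 and the late-night interactive root shell, while the useradd/passwd work and alice.admin's sudo use pass as policy-conformant.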
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.