ICS-CERT: Credential Management

Wednesday, June 13, 2012

Infosec Island Admin


(Part one - Preserving Forensic Data - here) (Part two - Detection and Mitigation Recommendations - here)

Cyber Intrusion Mitigation Strategies Part Three: Credential Management

ICS-CERT developed this guidance to provide basic recommendations for owners and operators of critical infrastructure to enhance their network security posture.

It is not intended to be a detailed examination of all actions involved in incident response but is an attempt to provide high-level strategies that can improve overall visibility of a cyber intrusion and aid in recovery efforts should an incident occur.

This guidance applies to both enterprise and control system networks, particularly where interconnectivity could allow movement between networks. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to implementing defensive measures to ensure there is no impact to normal operations.

The guidance is organized into topical areas within the major phases of incident response—detection, mitigation, and eradication/recovery—and closes with recommendations for long term security posture improvements.

The implementation of concepts discussed in this document is the responsibility of each organization and is dependent on the organization’s needs, network topology, and operational requirements.


Credential caching stores domain authenticators locally, allowing users to log in to a computer using domain credentials even if the machine is disconnected from the network. Credential caching should be disabled on all machines.

A common technique employed by attackers is referred to as “pass the hash.” The pass the hash technique uses cached password hashes extracted from a compromised machine to gain access to additional machines on the domain.

One caveat is that laptops will need to cache credentials so users can gain local computer access where the domain is unavailable. When it is necessary to cache credentials, only the least-privileged user credentials should be stored. Administrator account credential caching should be avoided whenever possible.

After credential caching has been disabled, execute an enterprise wide password reset. If a password reset is done first, the new credentials will be cached and continue to be at risk. Resetting passwords after disabling credential caching ensures the old passwords are no longer valid and the new passwords are not stored locally.

As a longer-term strategy, ICS-CERT also recommends that organizations move away from using LAN Manager (LM) hashes, where possible. Companies that are disabling credential caching and doing a global password reset should disable LM hashes at the same time.

Otherwise, they’ll have to perform another global password reset when they disable that method of password storage. Not all companies will be able to make this switch (some legacy systems are incompatible), but it deserves serious consideration.

LM hashes are inherently weak and can be broken relatively quickly, allowing an attacker to use the actual password instead of relying on a pass the hash attack.
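The sequence described above (disable caching, disable LM hash storage, then reset passwords) is easy to get out of order when it is done host by host. The following PowerShell script is an added example, not part of the ICS-CERT document; it audits the two Windows settings involved and states what still has to happen before the password reset. It assumes local administrator rights and uses the standard Windows registry locations for these policies (CachedLogonsCount under Winlogon, NoLMHash under Lsa); the function names and the default of 10 cached logons when the value is absent are the author's assumptions here.

```powershell
# Added example (not from the ICS-CERT advisory): audit and set the two
# credential-storage settings the guidance discusses on a Windows host.
# Assumes local administrator rights.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CredentialPolicyState {
    # CachedLogonsCount is a REG_SZ; Windows behaves as if it were 10 when absent.
    $cached = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = '10' }

    # NoLMHash is a DWORD; 1 means LM hashes are not stored at the next password change.
    $noLm = (Get-ItemProperty -Path $LsaKey -Name NoLMHash `
             -ErrorAction SilentlyContinue).NoLMHash
    if ($null -eq $noLm) { $noLm = 0 }

    [pscustomobject]@{
        CachedLogonsCount = [int]$cached
        NoLMHash          = [int]$noLm
    }
}

function Test-CredentialPolicy {
    param(
        # Laptops that must log on while off the network may keep a small
        # cache (the caveat in the text); fixed workstations and servers use 0.
        [int]$MaxAllowedCachedLogons = 0
    )
    $state    = Get-CredentialPolicyState
    $findings = @()

    if ($state.CachedLogonsCount -gt $MaxAllowedCachedLogons) {
        $findings += "CachedLogonsCount is $($state.CachedLogonsCount); set it to " +
                     "$MaxAllowedCachedLogons BEFORE the enterprise-wide password reset, " +
                     "otherwise the new passwords are cached as well."
    }
    if ($state.NoLMHash -ne 1) {
        $findings += "NoLMHash is $($state.NoLMHash); set it to 1 in the same change " +
                     "window as the reset, because the LM hash of an existing password " +
                     "only disappears when that password is next changed."
    }

    if ($findings.Count -eq 0) {
        'Compliant: credential caching within policy and LM hash storage disabled.'
    } else {
        $findings
    }
}

function Set-CredentialPolicy {
    param([int]$CachedLogonsCount = 0)
    # Order matters: apply both settings first, then trigger the password reset.
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
        -Value "$CachedLogonsCount" -Type String
    Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
}

# Audit only; uncomment the next line to remediate before the reset.
# Set-CredentialPolicy -CachedLogonsCount 0
Test-CredentialPolicy
```

On a domain, the same two settings are normally pushed by Group Policy ("Interactive logon: Number of previous logons to cache" and "Network security: Do not store LAN Manager hash value on next password change") rather than per host; the script is useful for verifying that the policy actually landed on each machine before the password reset is scheduled.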

Source:  http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01.pdf
