Sunday Musings Being Beautiful Control
Happy Sunday Friend!
Welcome back to another musing! I’m glad you’re here. Here are your Sunday Musings, a quick dose of what I’m exploring and thinking about. If you find it useful, please feel free to forward this along to friends!
Quote I’m Musing
“If your choices are beautiful, so too will you be.”
-Epictetus
Not solely physical aesthetic but emanating from who we are as human beings. Think about those times you’ve been around these types of people. Content with themselves, they know they’re improving, and making positive choices in their life.
I take this as effectively managing oneself. Having a good diet (groceries instead of fast food), exercise at the level you can handle, doing things simply because they’re difficult and getting out of the comfort zone, having a good media diet (don’t live in an echo chamber, don’t watch negative news often), saying no to something that might be cool so that you can say “yes” to your family.
People living like this radiate a self-contented beauty. Regardless of physical attributes.
Reflection on Control 4
Control 4 reminds me that it’s just as important to correctly configure our infrastructure and network equities as it is to have an accurate picture of what we have. Secondly, everything we do comes in layers. From acquisition, to implementation, to maintenance and updating; having multiple layers of security improves performance and effectiveness in delivering results.
CIS Critical Security Control #5
Account Management
What accounts are needed, and for how long.
Control 5 begins to drill down into specifics and overlaps with the logical progression from our previous controls. This control is about knowing who has credentials, what those credentials give access to, how they are granted, and how they are used. Beginning with user accounts and the credentials they use is foundational to a secure environment. Harkening back to our inventory controls: keeping an accurate inventory of all accounts (admin, service, user, etc.) and auditing the creation of, and changes to, those accounts to confirm they were authorized and deliberate is what lets us establish a secure environment.
What is it?
I like to think of cyber and information security in a layered construct. Establishing multiple layers of security improves our overall effectiveness at imposing cost on would-be malicious actors, or even on negligent but benign insider threats. It helps to slow and delay a threat long enough for us to neutralize it. Control 5 builds off Controls 1-4: once we know which assets and software we have and have configured them securely, we manage the accounts that are allowed to access them.
Implementation Group 1 (Essential Cyber Hygiene)
Safeguards 5.1-5.4
5.1 Establish and Maintain an Inventory of Accounts
Implementation Note: Identify all accounts in our enterprise and ensure they are valid accounts (attributed to an actual person, with metadata such as the username, the owner, start and stop dates, and department). Set up systems and processes to track and verify changes to existing accounts as well as the creation of new ones. Additionally, audit our accounts to ensure they are being used as intended. Lastly, have a procedure for responding to and mitigating unauthorized creation or modification of accounts, as creating or altering an account is one of the first steps a malign actor takes to establish persistence.
5.2 Use Unique Passwords
Implementation Note: This is one where I would like to poll the audience and have a chat with some of the creators.
Password reuse is rampant. I do it, you do it, we all do it.
It’s just not possible today to memorize the (literally for me) hundreds of accounts with unique passwords that have 8-14 alpha-numeric characters with uppercase, lowercase, numbers, and symbols.
I agree, in the case of data breach, any credentials discovered can and will likely be used against any known account we or our users have. Always change default passwords, always use Multi-Factor Authentication (MFA).
Here’s the deal, in the attempt to improve security and protect our enterprises using strong passwords with the rules I described above, we’ve made it unacceptably difficult for our users. They must come up with ways to remember a myriad of complex passwords or use a password manager. What do they do? Reuse passwords, use keyboard walks, and use variants of the same password (1qaz2wsx!QAZ@WSX…then !QAZ@WSX1qaz2wsx…then zaq1xsw2ZAQ!XSW@) over and over.
Complexity rules like these shrink the number of distinct passwords a user will actually use. Each individual password is stronger on paper, but guessing the next variant, or phishing one password that unlocks many accounts, becomes easier. I don’t have a great solution besides biometrics and MFA; we need to do better on this one.
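The keyboard walks and rotated variants above are exactly the patterns a uniqueness check can catch before a password is accepted. The following is an added example, not code from the original post or from CIS: it folds case and shift state so "!QAZ@WSX" compares equal to "1qaz2wsx", measures the longest run of adjacent keys on an assumed US QWERTY layout (stagger approximated by a one-position offset between rows), and flags a candidate that is a rotation or a trailing-digit bump of a known-compromised password. The compromised passwords passed in are constructed for the demonstration.

```python
import string

# Assumption: US QWERTY, modelled as four rows; row stagger is approximated by
# treating keys one position apart on neighbouring rows as adjacent.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
POS = {ch: (r, i) for r, row in enumerate(ROWS) for i, ch in enumerate(row)}

# Shifted symbols mapped back to the unshifted key so "!QAZ@WSX" == "1qaz2wsx".
UNSHIFT = dict(zip("!@#$%^&*()", "1234567890"))
UNSHIFT.update({":": ";", "<": ",", ">": ".", "?": "/"})


def normalize(pw: str) -> str:
    """Fold case and shift state so variants of one keystroke pattern compare equal."""
    return "".join(UNSHIFT.get(c, c) for c in pw.lower())


def adjacent(a: str, b: str) -> bool:
    """True when two normalized keys are neighbours on the keyboard."""
    if a == b or a not in POS or b not in POS:
        return False
    (r1, i1), (r2, i2) = POS[a], POS[b]
    return (r1 == r2 and abs(i1 - i2) == 1) or (abs(r1 - r2) == 1 and abs(i1 - i2) <= 1)


def longest_walk(pw: str) -> int:
    """Length of the longest run of consecutive adjacent keys ('1qaz2wsx' -> 4)."""
    s = normalize(pw)
    best = cur = min(len(s), 1)
    for prev, nxt in zip(s, s[1:]):
        cur = cur + 1 if adjacent(prev, nxt) else 1
        best = max(best, cur)
    return best


def stem(pw: str) -> str:
    """Strip the trailing digits/symbols users bump to satisfy rotation rules."""
    return normalize(pw).rstrip(string.digits + string.punctuation)


def is_variant_of(candidate: str, known: str) -> bool:
    """Same stem ('Summer2023!' vs 'Summer2024!') or a rotation of the same keystrokes."""
    c, k = normalize(candidate), normalize(known)
    if stem(c) and stem(c) == stem(k):  # an empty stem (all digits/symbols) matches nothing
        return True
    return len(c) == len(k) and c in (k + k)  # rotation check: "!QAZ@WSX1qaz2wsx" vs "1qaz2wsx!QAZ@WSX"


def assess(pw: str, compromised=()) -> list:
    """Return the reasons a password fails the uniqueness check; an empty list means it passed."""
    findings = []
    if longest_walk(pw) >= 4:
        findings.append("keyboard walk")
    for known in compromised:
        if is_variant_of(pw, known):
            findings.append(f"variant of compromised password {known!r}")
            break
    return findings


if __name__ == "__main__":
    # Constructed sample: one breach-list entry and the three candidates discussed above.
    breached = ["1qaz2wsx!QAZ@WSX", "Summer2023!"]
    for candidate in ["!QAZ@WSX1qaz2wsx", "zaq1xsw2ZAQ!XSW@", "Summer2024!", "correct horse battery staple"]:
        print(f"{candidate!r}: {assess(candidate, breached) or 'ok'}")
```

Run this at password-set time next to the breach-list lookup the safeguard already implies; the walk length threshold of 4 is an assumption and can be tuned, but anything that flags "1qaz2wsx" while passing a passphrase is in the right place.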
5.3 Disable Dormant Accounts
Implementation Note: I’m back on the bandwagon. This is a basic housekeeping safeguard. The safeguard sets 45 days of inactivity as the threshold for disabling or deleting an account, where the platform supports it. While I can imagine niche cases where we wouldn’t, we should all make it standard practice to have automation set up for disabling and/or deleting dormant accounts. While we’re at it, make it a part of our user offboarding process so an account is disabled the day the person leaves rather than 45 days later. CIS calls this a response action. I’d file it under Identify also.
5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts
Implementation Note: I think we all know I’m an advocate for this one. Protect the organization with a policy where Administrator and root accounts are used only for tasks that require those elevated privileges. All basic tasks like email, browsing, etc. should be done with non-privileged accounts, so a phished link or a malicious attachment lands in a session that does not carry admin rights.
Implementation Group 2 & 3 (Foundation Building & Complex and Tailored Expertise)
IG1 safeguards plus Safeguards 5.5 and 5.6
5.5 Establish and Maintain an Inventory of Service Accounts
Implementation Note: Identify, attribute, and audit all service accounts. I appreciate CIS making this a separate safeguard for added emphasis. For clarity, a service account is an identity created for a system service or application rather than for a person, which is exactly why it tends to have no obvious owner. All accounts should be attributable and tracked so we have a proper baseline understanding of our enterprise. That baseline is what lets us identify anomalies.
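Safeguards 5.1, 5.3 and 5.5 come together in one recurring job: reconcile what the directory actually contains against the inventory of accounts we authorized. The following is an added example, not code from the original post or from CIS. It runs over a constructed directory export (the kind of fields a Get-ADUser query or an identity provider API would return) and a constructed inventory, and reports accounts nobody authorized, accounts with no recorded owner or purpose, and accounts dormant past the 45-day threshold; a never-used account is aged from its creation date. The account names, dates and the fixed "today" are all made up for the demonstration.

```python
from datetime import date

DORMANT_DAYS = 45  # the inactivity threshold Safeguard 5.3 uses

# Constructed sample of a directory export, not real accounts.
# last_logon None means the account has never been used.
DIRECTORY = [
    {"name": "jdoe",       "type": "user",    "enabled": True,  "created": "2021-06-14", "last_logon": "2024-03-01"},
    {"name": "asmith",     "type": "user",    "enabled": True,  "created": "2020-02-10", "last_logon": "2023-11-02"},
    {"name": "svc-backup", "type": "service", "enabled": True,  "created": "2022-09-01", "last_logon": "2024-03-09"},
    {"name": "test01",     "type": "user",    "enabled": True,  "created": "2023-12-01", "last_logon": None},
    {"name": "adm-jdoe",   "type": "admin",   "enabled": True,  "created": "2021-06-14", "last_logon": "2024-03-08"},
    {"name": "bjones",     "type": "user",    "enabled": False, "created": "2019-01-07", "last_logon": "2022-05-30"},
]

# Constructed authorized-account inventory (Safeguards 5.1 and 5.5): who owns it and why it exists.
INVENTORY = {
    "jdoe":       {"owner": "Jane Doe", "purpose": "staff"},
    "asmith":     {"owner": "Al Smith", "purpose": "staff"},
    "svc-backup": {"owner": "",         "purpose": "nightly backup job"},  # owner was never recorded
    "adm-jdoe":   {"owner": "Jane Doe", "purpose": "domain administration"},
    "bjones":     {"owner": "Bo Jones", "purpose": "staff (left 2022-06)"},
}


def _days_since(iso: str, today: date) -> int:
    return (today - date.fromisoformat(iso)).days


def audit(directory, inventory, today: date) -> dict:
    """Reconcile a directory export against the inventory; returns account names per finding."""
    report = {"unauthorized": [], "dormant": [], "unattributed": []}
    for acct in directory:
        name = acct["name"]
        entry = inventory.get(name)
        if entry is None:
            report["unauthorized"].append(name)       # 5.1: nobody authorized this account
        elif not entry["owner"] or not entry["purpose"]:
            report["unattributed"].append(name)       # 5.1/5.5: exists, but no accountable owner or purpose
        if not acct["enabled"]:
            continue                                  # already disabled: nothing left to do for 5.3
        # 5.3: dormant when there has been no logon within DORMANT_DAYS;
        # an account that has never logged on is aged from its creation date.
        reference = acct["last_logon"] or acct["created"]
        if _days_since(reference, today) > DORMANT_DAYS:
            report["dormant"].append(name)
    return report


if __name__ == "__main__":
    for finding, names in audit(DIRECTORY, INVENTORY, date(2024, 3, 10)).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Feed it a real export and the "unauthorized" list is your creation-without-approval alarm from 5.1, "dormant" is the disable queue from 5.3, and "unattributed" is the list of service accounts that still need a human name next to them per 5.5. Inventory entries with no matching directory account (accounts that were deleted without updating the inventory) are the obvious next check to add.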
5.6 Centralize Account Management
Implementation Note: Protect our enterprise by managing accounts centrally through a directory or identity service (Active Directory and its domains, or a service of your choice) rather than account by account on each system, so one place holds the inventory, enforces the policy, and records the changes.
Why Should We Care About Control #5?
Privileged and unused accounts afford malign actors a vector into our networks. Minimizing and controlling accounts through Identity and Access Management (IAM) helps us protect our data and networks from unauthorized access and access beyond intended scope.
There are myriad ways to obtain access to user accounts, including: weak passwords, accounts still valid after a user leaves, lingering test accounts, shared accounts (please don’t do this), service account credentials embedded in applications or scripts, users reusing a password that has already been compromised elsewhere, social engineering a user into giving up their password, or using malware to capture passwords or tokens in memory or over the network.
I would love your feedback!
Which musing is your favorite? What else do you want to see or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or, eric@erichaupt.com for long form email.
Have a wonderful week, I’ll see you Sunday.
-e
End of transmission.