Eric Haupt
Sunday Musing

Sunday Musings: Islands of Knowledge

Happy Sunday Friend!

Welcome back to another musing! I’m glad you’re here. Here are your Sunday Musings, a quick dose of what I’m exploring and thinking about. If you find it useful, please feel free to forward this along to friends!


Quote I’m Musing

“We live on an island surrounded by a sea of ignorance. As our island of knowledge grows, so does the shore of our ignorance.”

-John Wheeler

Accompanying our expansion in knowledge and understanding is the realization that there’s so much more we don’t know.

The challenge is to continually examine what we know, what we think we know, and what we don’t know. Put in another way, in the same vein as having two ears and only one mouth, we should spend twice as much effort examining the expanding shoreline of what we don’t know as we do admiring the size of the island we’ve built.

While I’ve been thinking on Wheeler, I realized that the more immediate attention and gratification come from focusing on our island, at the risk of hubris. Following our shore delays gratification but rewards us with the self-regulation and discipline that help us live life with purpose.


Reflection on Control 5

Most of what we can control is understanding what we have that is of value and how to get to it. Once we understand that, we monitor, manage, and audit these vectors to minimize an attacker’s ability to threaten our organization.


CIS Critical Security Control #6

Access Control Management

What accesses are needed, and for how long.

Control 6 is about ensuring that only authorized users and programs have access to systems, information, and applications based on their assigned roles and functions, ensuring that they have only the necessary privileges to perform their functions, and monitoring activity for unauthorized actions and actions that exceed authorized privileges.

What is it?

Control 6 builds on Control 5, Account Management. Now that we have accounts, we focus on what accesses they have, making sure they have access to only the data and assets appropriate for their function(s). Essential is to focus on ‘least privilege’, or only giving them enough access to conduct their function, escalating those privileges ephemerally based on necessity.


Implementation Group 1 (Essential Cyber Hygiene)

Safeguards 1-5


6.1 Establish an Access Granting Process

Implementation Note: Essentially, this protect-based safeguard means to ensure that users and programs (RBAC, more on this in 6.8) are provisioned accesses in a regulated manner. We must ensure our organizations implement this. I can’t advocate enough for judicious implementation. If we can automate the process, even better for auditing.

6.2 Establish an Access-Revoking Process

Implementation Note: The second protect-based safeguard. This goes hand in hand with 6.1 in ensuring those identities with accesses are deprovisioned appropriately when their need for access ends.

6.3 Require MFA for Externally-Exposed Accounts

Implementation Note: Simply, protect the infrastructure by imposing cost in the form of time and complexity via a second authentication factor (something you know plus something you have). In today’s age, this should be another mandatory safety measure.

6.4 Require MFA for Remote Network Access

Implementation Note: This protection-based safeguard is part and parcel with our previous safeguard. Where we cannot directly control the other end of the connection (a remote user’s device and network), we must impose cost to limit the likelihood and impact of a breach.

The breach will happen at some point; it’s not a matter of if, but when. Controlling the impact and reach is how we keep business operation momentum while still adhering to reporting and compliance requirements.

6.5 Require MFA for Administrative Access

Implementation Note: Our privileged accounts are the prime targets for malicious actors. Additional rigor should be employed to protect and audit them against malign intent. Just as in the previous two safeguards, multi-factor authentication is a must and minimum element of security.
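Safeguards 6.3, 6.4 and 6.5 each name a class of account that must have MFA, and “something you know plus something you have” is the bar. The following is an added example (not code from this newsletter or from CIS) of an audit check a defender can run over an account inventory: it decides which safeguards apply to each account and flags any that rely on a password alone or on two knowledge factors. The account inventory, the factor names and the field names are constructed for illustration; a real check would read them from an identity-provider export.

```python
"""Check MFA coverage for the account classes named in Safeguards 6.3-6.5.

Added example, not code from the newsletter or from CIS. The inventory
below is constructed; in practice it would be exported from the IdP.
"""
from dataclasses import dataclass

# Factor categories (assumed names). A second knowledge factor such as
# security questions does not satisfy "something you have".
KNOWLEDGE_FACTORS = {"password", "security_questions"}
POSSESSION_FACTORS = {"totp", "fido2", "push", "smart_card"}


@dataclass(frozen=True)
class Account:
    name: str
    externally_exposed: bool = False  # 6.3: reachable from the internet
    remote_access: bool = False       # 6.4: used for VPN or other remote network access
    admin: bool = False               # 6.5: holds administrative privileges
    factors: frozenset = frozenset({"password"})


def required_safeguards(acct):
    """Return the list of safeguards (6.3/6.4/6.5) that require MFA for this account."""
    needed = []
    if acct.externally_exposed:
        needed.append("6.3")
    if acct.remote_access:
        needed.append("6.4")
    if acct.admin:
        needed.append("6.5")
    return needed


def has_true_mfa(acct):
    """True only when the account combines a knowledge factor with a possession factor."""
    return bool(acct.factors & KNOWLEDGE_FACTORS) and bool(acct.factors & POSSESSION_FACTORS)


def audit(accounts):
    """Return (account name, violated safeguards) for every account that needs MFA but lacks it."""
    findings = []
    for acct in accounts:
        needed = required_safeguards(acct)
        if needed and not has_true_mfa(acct):
            findings.append((acct.name, needed))
    return findings


# Constructed sample inventory.
INVENTORY = [
    Account("alice", admin=True, factors=frozenset({"password", "fido2"})),
    Account("bob", externally_exposed=True),  # password only
    Account("vpn-svc", externally_exposed=True, remote_access=True,
            factors=frozenset({"password", "security_questions"})),  # two knowledge factors
    Account("carol"),  # internal only: no safeguard applies
    Account("dave", admin=True, remote_access=True, factors=frozenset({"password", "totp"})),
]

if __name__ == "__main__":
    for name, needed in audit(INVENTORY):
        print(f"{name}: MFA missing, required by safeguard(s) {', '.join(needed)}")
```

Running it against the sample inventory reports bob (6.3) and vpn-svc (6.3 and 6.4); alice and dave pass because they pair a password with a possession factor, and carol is out of scope for these three safeguards.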


Implementation Group 2 (Foundation Building)

IG 1 + Safeguards 6&7


6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems

Implementation Note: Safeguard 6 is a bit of safeguarding safeguards (safeguard inception?). In more complex organizations, our authentication and authorization systems need to be audited regularly. Just like our other inventory controls and safeguards, this one is about identifying those systems and making sure we have a system to validate our systems.

6.7 Centralize Access Control

Implementation Note: This safeguard is about taking the step to protect our enterprise and assets by making our access controls easier to automate and maintain. As we increase in operational complexity, to include regulatory and compliance requirements, centralizing our controls becomes a way to more effectively and efficiently manage accesses.


Implementation Group 3 (Complex and Tailored Expertise)

IG 1&2 + Safeguard 8


6.8 Define and Maintain Role-Based Access Control

Implementation Note: Second week in a row I suggest a change. RBAC should start from the beginning. Clearly defining, standardizing, and maintaining roles within the organization is foundational to more than just cybersecurity. It defines the who, what, where, when, and how our personnel will conduct themselves and their efforts in the organization.

Starting with RBAC costs a bit more up front in person hours and preparation, but it is vastly less costly than waiting until you are under the thumb of strict oversight that will determine the viability of your organization for expansion or even continued operations.

Implementing RBAC means that we can assign users permanently and ephemerally to roles they perform instead of assigning privileges individually. This translates to a much more effective and efficient strategy for access controls, onboarding and offboarding for both users and programs. I can’t advocate enough for starting with Role Based Access Controls.
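To make the pieces of 6.1, 6.2 and 6.8 concrete, here is an added example (not code from this newsletter or from CIS) of a small role-based access control module: users are assigned to roles rather than to individual permissions, an assignment can be standing or time-boxed (the ephemeral elevation described above), the granting process refuses self-approval, offboarding revokes every role at once, and every grant, revocation and access decision lands in an audit log. The role names, permission strings and timeline are constructed for illustration.

```python
"""Role-based access control with a regulated grant/revoke process and
time-boxed elevation (Safeguards 6.1, 6.2, 6.8).

Added example, not the newsletter's or CIS's code. Roles, permissions
and the timeline in run_timeline() are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Roles map to permissions; users are never given permissions directly (6.8).
ROLES = {
    "analyst":  {"tickets:read", "logs:read"},
    "engineer": {"tickets:read", "tickets:write", "deploy:staging"},
    "admin":    {"tickets:read", "tickets:write", "deploy:prod", "users:manage"},
}


@dataclass
class Assignment:
    role: str
    granted_by: str
    expires_at: Optional[int]  # None = standing assignment; int = expiry time


class AccessControl:
    def __init__(self):
        self.assignments = {}  # user -> list of Assignment
        self.audit_log = []    # (event, user, subject, actor, time, detail)

    def grant(self, user, role, granted_by, now, ttl=None):
        """6.1: grant a role through a regulated process; ttl makes it ephemeral."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        if granted_by == user:
            raise PermissionError("self-approval is not allowed")
        expires_at = None if ttl is None else now + ttl
        self.assignments.setdefault(user, []).append(Assignment(role, granted_by, expires_at))
        self.audit_log.append(("grant", user, role, granted_by, now, expires_at))

    def revoke(self, user, role, revoked_by, now):
        """6.2: remove a role; returns False if the user did not hold it."""
        before = self.assignments.get(user, [])
        after = [a for a in before if a.role != role]
        if len(after) == len(before):
            return False
        self.assignments[user] = after
        self.audit_log.append(("revoke", user, role, revoked_by, now, None))
        return True

    def offboard(self, user, revoked_by, now):
        """6.2: strip every assignment when the need for access ends."""
        roles = [a.role for a in self.assignments.get(user, [])]
        for role in roles:
            self.revoke(user, role, revoked_by, now)
        return roles

    def effective_roles(self, user, now):
        """Roles that are standing or whose elevation has not yet expired."""
        return [a.role for a in self.assignments.get(user, [])
                if a.expires_at is None or now < a.expires_at]

    def is_allowed(self, user, permission, now):
        """Access decision derived only from roles; every decision is logged."""
        allowed = any(permission in ROLES[r] for r in self.effective_roles(user, now))
        self.audit_log.append(("decision", user, permission, None, now, allowed))
        return allowed


def run_timeline():
    """Constructed timeline: standing engineer role, one-hour admin elevation, then offboarding."""
    ac = AccessControl()
    ac.grant("alice", "engineer", granted_by="manager", now=1000)
    ac.grant("alice", "admin", granted_by="oncall-lead", now=1000, ttl=3600)  # ephemeral
    results = {
        "prod_during_elevation": ac.is_allowed("alice", "deploy:prod", now=2000),
        "prod_after_expiry": ac.is_allowed("alice", "deploy:prod", now=1000 + 3600),
        "staging_standing": ac.is_allowed("alice", "deploy:staging", now=10000),
    }
    ac.offboard("alice", revoked_by="hr-system", now=20000)
    results["after_offboard"] = ac.is_allowed("alice", "tickets:read", now=20001)
    results["audit_entries"] = len(ac.audit_log)
    return ac, results


if __name__ == "__main__":
    ac, results = run_timeline()
    for key, value in results.items():
        print(f"{key}: {value}")
    for entry in ac.audit_log:
        print(entry)
```

The point to notice is that nothing in `is_allowed` looks at the user directly: the decision is a function of effective roles at a given time, so onboarding is a grant, offboarding is a bulk revoke, and an emergency elevation expires on its own without anyone remembering to take it back.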


Why Should We Care About Control #6?

Control 6 is all about access control management. This is a critical element for maintaining information and system security. Building and standardizing a system and set of processes that control access and enforcing those policies that govern access control (preferably in automated fashion) make our organizations better able to streamline operations and maintain regulatory and compliance oversight requirements while mitigating threats from malign actors.

When we accept that there are only two types of organizations in cybersecurity - those that have been hacked, and those that don’t realize they’ve been hacked - we can really begin to understand the methodology.

Impose cost for malign actors to attempt to operate in our networks, limit their ability to pivot and expand access when they spend the resources to get in, and make them uncertain as to whether they were even able to obtain anything of value.

Think about a car. If we leave the doors unlocked and the windows down, even people who wouldn’t normally steal something out of a car will be tempted to just reach in and grab. Roll the windows up, and now there’s a little deterrence. Lock the doors, and now there’s a time cost. Continue to layer security with alarms, cameras, kill switches, etc. and we see how we are imposing cost.


I would love your feedback!

Which musing is your favorite? What else do you want to see or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or, eric@erichaupt.com for long form email.

Have a wonderful week, I’ll see you Sunday.
-e

End of transmission.