
September 15, 2025 34 mins


Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

The effective management of digital identities throughout their lifecycle is perhaps the most crucial yet overlooked aspect of organizational cybersecurity. This episode dives deep into CISSP Domain 5.5, offering practical insights on building robust identity and access management (IAM) governance frameworks that protect against insider threats while streamlining compliance efforts.

We begin by examining a real-world case study of how one company transformed its third-party risk management using AI-driven consolidation of security alerts, establishing clear accountability through a security champions program. This approach demonstrates how proper governance structures can turn overwhelming data into actionable intelligence.

The heart of our discussion centers on the identity lifecycle – from provisioning to deprovisioning and everything between. Learn why automated account creation processes dramatically reduce security risks while improving operational efficiency. We share cautionary tales, including one where improper deprovisioning allowed an ex-employee to deploy a devastating logic bomb costing millions in damages and legal fees.

Role-based access control (RBAC) emerges as a critical strategy for maintaining least privilege principles at scale. However, we warn against common pitfalls like overly complex role structures that become unmanageable or so simplified they create security gaps. The episode provides clear guidance on achieving the right balance for organizations of any size.

Perhaps most importantly, we expose the hidden dangers of service accounts – those often-forgotten credentials with extensive privileges that rarely change and receive minimal monitoring. These accounts represent prime targets for attackers seeking to escalate privileges, yet many organizations fail to properly secure them.

Whether you're studying for the CISSP exam or implementing IAM best practices in your organization, this episode delivers actionable strategies to strengthen your security posture through proper identity lifecycle management. Visit CISSPCyberTraining.com for additional resources to support your cybersecurity journey.


Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
Alright, let's get started.
Let's go.
Cybersecurity knowledge.

Speaker 2 (00:26):
All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is Monday, and on Monday what do we do? We talk about CISSP training specifically designed around the CISSP, and today we're going to be focused on domain five and that's actually 5.5 of the CISSP exam, and so you get your two

(00:47):
your ears tuned up and ready to go, because we're going to get into this in just a minute. But before we do, I had an article that I saw in CSO magazine that I think is pretty appropriate just for security professionals, and one of the things we run into a lot is third-party risk and basically supply chain risk. Wesco, they're a large supply chain company that was

(01:09):
overwhelmed by having thousands and thousands of alerts that they're having to manage for their different supply chains, for the different people, right, and this basically made it really, really hard to do for understanding what is an urgent risk and what is a non-urgent risk. So one of the things we've always struggled with is how do you incorporate AI into all of this aspect? Well, what they did was they consolidated their risk data

(01:31):
from basically their various security platforms into one pane of glass, into a single risk view, and then they used AI, right, and then automation and threat intelligence to filter, prioritize and basically bring all that to a center spot. So it was very interesting in how they did this. I think it will be interesting to see how they, if they market

(01:53):
this product in the future, because it could provide a lot of value, I feel, to a lot of different people. They did this. Another one we talk about a lot in CISSP Cyber Training is that they established clear ownership through a security champions program, and we've done this in the past in various different security organizations. You had to have a security champion design.

(02:14):
The purpose is there has to be ownership, there has to be accountability, and that security champion is a big factor in anything that you're doing. They used integrated tools like GitHub, Azure DevOps, Veracode and Kubernetes Defender and then CrowdStrike as well, into this whole process and they used their AI plus their application

(02:34):
security posture management plus threat modeling to assign the risk scores and unify the overall risk data. Now, obviously, this took them a little bit longer than just a couple of days or a couple of weeks. It probably took them a better part of a year to do this and to do it well, but the problem is, the thing is that if you're going to do this within your company, you need to truly think

(02:54):
about how do you want to actually make this happen. They had four cornerstones of their risk management strategy, and this was proactive defense, improved awareness, application security posture enhancement and then their AI-driven risk mitigation. So they had those four cornerstones built into this from the beginning, and what I come down to is they planned this from a strategy standpoint.

(03:15):
They looked at it. They didn't just throw something on the wall to see if it would work. They actually had a full-up strategy on how they were going to do this. So, again, the lessons learned that came out of it was data consolidation gives unified view and helps reduce duplication. Obviously, security champions are a shared responsibility across the teams to provide speed and accountability. Another

(03:36):
one very valuable. And then, finally, they had automation, and AI are critical in scaling without burning out security resources, and that's where you need to use the AI and your automation. Automation is a big factor in how to do this and again, I stress, if you're going to do this within your company, pick one thing to work on first and then come and move into the

(03:58):
second and so forth, so it's just an important part of any organization. I've worked with lots of companies that have dealt with SIEMs, their security incident event management systems, and they have just all kinds of data. You really need to cut through it and decide how you're going to take this information and what is the single pane of glass in which you want to put this into, and then how to utilize AI

(04:19):
to help you and cut through all the noise that you're having to deal with. Okay, let's move into what we're going to talk about today. Okay, this is domain 5, 5.5, Managing Identity and Access Provisioning Lifecycle. This is all based off of the ISC2 book and their study exam questions, and so, therefore, if you are studying

(04:40):
for the CISSP, I highly recommend that you go and get the CISSP exam book that is out there. It's basically the book, and there's also some exam questions that are tied with that as well. You can get that on Amazon or pretty much anywhere you look, you can find that specific book, and this is all the training that I have at CISSP Cyber Training is tied to the ISC2 book.

(05:00):
Now, just to kind of highlight the fact that, if you are studying for the CISSP, the podcast that we put this in, the video content that we put together for this is one aspect. There is tons of stuff at CISSP Cyber Training that is available to you from all kinds of video content, audio content, as well as the blueprint that will help you pass the CISSP the

(05:21):
first time. Most definitely it's there. It's designed, it's going to help you walk you through the process one step at a time. And again, if you're taking the time to do this and you're going to spend the money to take this test, let's do it right and you know what, you can have all of that at CISSP Cyber Training at CISSPCyberTraining.com.

(05:41):
Before we get started in 5.5, one of the things I did want to add to this section, which is a little bit beyond what 5.5 has, is around identity and access governance that's associated with this lifecycle. It is an imperative part of this overall process, having an identity and access governance plan built in place. Now the overall objective is you want to protect the data by

(06:02):
enforcing the appropriate access controls across the entire enterprise, and how to do this is done through identity, authentication, authorization and governance. So identity is the unique representation of users, systems or services. The authentication is the verifying of the identity presented. This is the passwords, your multi-factor and so forth. Authorization, this is granting rights based on policies and

(06:22):
roles, and then governance is the continuous oversight of accounts, privileges and entitlements.
Now, the overall value of how this comes into play that, if you can do this correctly, is it does reduce your insider threat risk, and the insider threat risk can be both from your employees as well as accounts that are tied to these employees

(06:43):
, so it doesn't have to be an employee specifically going and doing these bad things. It could be actually their account doing it. It also helps ensure your regulatory compliance and it does simplify your audits. You're going to want to do this because it does help substantially with any sort of regulatory aspects that are tied to it, and if you have audits, if you make your life, your auditor's life, easy, it makes your life easy.

(07:04):
So, again, having a good plan in place is truly critical and I'd highly recommend that you follow these key concepts as you're building out your overall life cycle plan. Now, the importance of governance, this is part one of this, is that you're dealing with proper structure and accountability for your IAM processes.

(07:26):
Now the user accounts, service accounts, roles and policies. Those are all part of your overall governance aspects. Now, your key stakeholders that are tied into governance would be HR, your IT folks, your identity and access management folks, business managers and compliance. Those are the key folks that really have a vested interest in your overall governance plan. Now, the activities that would be access certification campaigns,

(07:49):
your segregation of duties reviews and your policy updates as well. Those would all be the aspects that you would want to have completed while you're doing this. Now, measurement is a key factor and this would be your KPIs, and some things to deal with provisioning and deprovisioning would be time to provision versus deprovisioning, percentage of access reviews

(08:09):
that have been done on time. This would be if you looked at the different accounts that you have, are those access reviews being reviewed, segregation of duty violations that are remediated. Those would all be good KPIs that would be put in place to allow you for metrics related to your provisioning and deprovisioning, your lifecycle management. So you want to really start thinking about what are some

(08:30):
metrics you can have as you're building out this program for your company. Again, this is all part of the CISSP, but it's very practical for what you may do when you get to your organization. Now there's some common pitfalls that you deal with when you're dealing with lifecycle management. Manual tracking: doing this manually is an extremely painful process and it's prone

(08:52):
for mistakes. So you really want to try to avoid any sort of manual tracking on a large scale basis. Understand, you may have to do this on a small scale and, or just getting started, you may have to deal with manual tracking. That is not the long-term strategy you want to take. You really truly want to have an automated plan and a report that is generated for you on a timely basis.

(09:12):
Delayed HR updates: this can also have a common pitfall where someone maybe is leaving the organization and it doesn't get updated in HR quickly and because of that, the data is polluted. You may have people that have accounts that have left, but their accounts are still active. So it can result in inconsistent revocation of the

(09:33):
accounts as they're being created. So again, it's a really important part that you try to think about all of this when you're coming up with a lifecycle for your organization's accounts. Now some examples you may have is a quarterly committee review to identify and resolve contractor account delays. You may put this in place just to verify those, and again, you

(09:53):
want to start small and grow from there. I would highly recommend, more than anything, you pick one set of accounts that you're going to focus on and then you build the processes around that, and that would give you what you need to ensure that you're getting it done in a timely manner. So another important part of having governance is the framework. So you really want to follow a framework that's out there to

(10:15):
help you with this. There's the NIST CSF, your cybersecurity framework, your ISO 27001, your COBIT, which deals with governance and management. One thing also to think about is CRI, which is your Cybersecurity Risk Institute's framework. I really like that, especially good for financial institutions and banking institutions. A very, very positive framework.

(10:36):
It's actually very in-depth and detailed. If you can follow the CRI framework and you put your processes in place based on that, you have set yourself up to be extremely successful with the overall program that you're trying to develop. Now, the benefits of a strong governance program is faster audits with documented access certifications. Again, that's an important part. Having this done and having it

(10:58):
automated and having it audited. That's an important aspect of any organization. Improved collaboration between HR, IT and security. I had a very strong relationship with my HR and IT folks. You want to have that. You really need to have a good, strong foundation with your HR

(11:18):
and IT organizations. Then, early detection of insider risk, insider threat and privilege misuse. Yes, if you have this built up, you can quickly see where people are using their privileges in an inappropriate manner. I have had many people fired because of the fact that they do this wrong. Not that they set this up wrong, but that they were using their credentials inappropriately.

(11:40):
And if you don't have the automated resources in place to help you with that, you then, in turn, can end up in a situation where you don't even see it. So, very strong piece of this. Some examples of that could be a governance board review, IAM metrics, quarterly and mandates. All these different types of aspects can be put in place for you and your organization.

(12:00):
So let's get into account access and review. So the purpose of this would be like a certification that you're verifying that this has been done. This is to ensure that access is still required and appropriate for the individuals. Now, some components around this would be, is there's active user accounts, right? You want to make sure that they are understanding that they have. They confirm that they have what they need to have.

(12:22):
They're a current employee or a contractor and they're operating within their company. They have the various privilege levels which will ensure adherence to least privilege. Do they have the amount of privilege that is just needed for their job and nothing more? Again, adhering to least privilege. Orphaned accounts: this is where you remove accounts that are

(12:42):
from the departed users. Anybody's leaving that has left the organization, both from just moving on to maybe a different role and their account was left dormant. That would be an orphaned account. Someone who is no longer with the company, that is an orphaned account. You want to remove all of those accounts so that those cannot be used against you by an attacker, because they will be

(13:02):
used. I looked for all kinds of orphaned accounts and yes, they are. Now, these could be user accounts, these could be service accounts. These could be domain admin type accounts. You want to understand what accounts have been used and when are they not used. Dormant accounts: this is where accounts that basically haven't been used for a while. I see this a lot in a service account that hasn't been used in

(13:24):
a while. It was created many years ago. They used it maybe for a process, maybe even that process only runs once every six months. It could almost be a dormant account. You want to consider disabling these accounts if they're inactive for a period of time. So it could be 90 days, could be 180 days, whatever amount you feel is appropriate. Obviously, there will always be exceptions.

(13:46):
There's always exceptions to every rule. But you need to keep in mind that if you have an account active out there, you need to consider when do you want to disable it? How many days do you want to set up as the litmus test, as the rule? Now, frequency-wise, you need a. Regulatory standards often require quarterly reviews: SOX, PCI DSS. They will require some level of quarterly understanding and

(14:08):
review of these various accounts. So you need to decide what is the regulatory requirements on you and then make those changes happen. If you're not in that boat, maybe you're a smaller organization and you don't have regulatory pressures, you may want to do this at least once every six months to once a year at a minimum. I would highly recommend more than once a year, just because

(14:29):
if someone's in your network and they are using one of these accounts. If you wait a year and like, say you just did it and now you just did your review, an attacker gets into your organization the day after. They're there for an entire year before their account is actually disabled. So I mean, obviously you'd hopefully have more things going on than just that, but it's something to consider.

(14:51):
Critical systems may require monthly validation, and that's an important part of any organization and you may just want to consider that, depending upon what you may have within your company. But again, that may not be a critical requirement because of a regulatory aspect. You just may choose to do it, which I would highly recommend. Now an access review example. So here's a scenario: you generate a quarterly report of

(15:12):
all privileged domain admin accounts. The manager will receive an automated certification request saying they must approve or decide to do something with this domain admin account. Now, keep in mind this is something I would not email. This is something that this report should probably be done in a way that's in a SharePoint site that maybe somebody can

(15:33):
gain access to. Now, the reason I say that is because if someone knows what your domain admin accounts are, that can be intelligence that they don't have right now, but you sending it through email could be. Again. I also say this on the flip side: if they're already in your domain, they probably figured out what your domain admin accounts are anyway, rather, rather than you sending them in

(15:54):
an email as well. So this is why it's important that you have a really good strategy around how do you want to handle these accounts. Consider them extremely sensitive, and they have to be managed appropriately. The manager will receive automated certification requests and then they just do what they need to do. So they need to approve, modify or revoke the user's access

(16:16):
within the system based on what they find, and that's what they should be doing. Now, the outcome: this would be to reduce the attack surface of the individual, remove stale admin rights from users who have changed roles, and this is an important part. This, but this in court, requires that you have engagement into what's actually occurring within your organization. Highly recommend you do this.

(16:37):
This is an important part, and you need to do these reviews at least, at least quarterly, or at least I should say at least yearly. At a minimum, I would do them every six months, just to be perfectly honest with you all. Now, best practices for access reviews. You again automate this. Can you automate these plat, or use an automated platform to help you, such as SailPoint, Saviynt, Okta Identity

(16:59):
Governance and so forth? I've used Saviynt and SailPoint as well. They work very well. They are very intensive and they can be. You may need some people that will help you develop these systems, but they work really, really well. I don't know how well they will work for a small organization, if they have smaller, lightweight packages available. I would just use this from an enterprise standpoint and they

(17:21):
do work very, very well. But you've got to have good HR integrations and so forth. Notify and escalate. You need to have automatic reminders and escalation paths to management if there is no response, so if there's nobody doing something about it. There needs to be an escalation process in place that has been built and then you need to have evidence that has been, these

(17:43):
accounts have been signed off. I've seen this happen before where you send it up to the manager and the manager doesn't do anything with it. So you need to have an escalation path that will then take it up to the next level of authority between in your organization and then when they finally click on a button and say yes, I want to, I agree to this, these accounts, get rid of

(18:04):
them. Then you have a sign-off report that has been done and it shows and can track who actually agreed to turn these off. Now last thing is continuous improvement, which is an important part of any organization. This is where you track review completion rates and remediate any recurring issues. Again, it's an important path for you to have access reviews

(18:24):
completed on a routine and automated ongoing basis. I cannot stress this enough. I saw an account when I was at a previous company and it hadn't been touched in nine years. Nine years, and this account had significant levels of ability with the service account. So it had the ability to do a lot of different things within a

(18:46):
company because it was set up nine years ago and people forgot about it. So, again, you see this all the time and if you have an organization that's been around for more than a couple of years, I guarantee that you have some accounts that are very, very similar. Okay, so account provisioning, onboarding: this is the creation of new users, accounts and entitlements, so there has to be

(19:09):
some steps in place that would make this happen. So HR would trigger an onboarding process in their HRIS system, their HR information system, and the IAM tool would then create the accounts automatically in AD, your cloud apps, and eventually, if you had a remote access, you would add a VPN to that as well, or a very similar type of activity.

(19:29):
I'm not a big fan of VPNs. I prefer remote desktop applications such as that are within Microsoft, or even, I'm drawing a blank on the other one that we use a lot, Citrix and so forth. I would not. I'm not a big fan of VPNs. They just give too much access. Now you can crank those down so they don't, but in so often the

(19:53):
VPNs are just stood up and forgotten about. Then you want to apply role-based entitlements specifically to those accounts, to enforce least privilege, and again, role-based is an important part of all of this. You must do it. You really must do it for all the accounts that you're focused on. Notify the manager and the employee when the provisioning is complete, and that way they get an email that's saying yes,

(20:14):
it's been done and completed, and then also send it to the new prospective employee or contractor that it's been completed as well. So faster onboarding is an important part, right? I've been onboarded as a contractor with companies and it's like, OMG, it's painful. And these are big companies and you're just like, what in the world are you people doing? And it's not just some of the people, it's just they have so

(20:34):
many bureaucratic processes in place. It is very painful. I've also seen it happen where you, in the same situation of a big enterprise, you say, OK, I'm on board, the paperwork has been signed. And once the paperwork is signed, within a day you have accounts provisioned, you have the ability to do whatever you need to do. So onboarding is an important part.

(20:54):
Consistent access, again, it allows you to have access. That is, once it starts, it's continuing providing you the information you need or the access you need, and then it does reduce any sort of manual errors that are happening. I've seen this happen time and again, where somebody will hand jam you in, right, well, let me add your account to this and they go in. They tick, tock, tick, tock, tick, tock. They put it in and what do they do?

(21:15):
They screw up what, your name, and guess what, my name is really fun, it's Sean, S-H-O-N. How many times you think that's been screwed up? Oh, more times than I can ever count. So that's why my friends call me Enrique, because it's just so much easier and it's sexier. I like it, it's much better. But, that being said, Sean is goofed up all the time when someone does it, and I can tell when someone does it manually

(21:38):
and it comes back S-E-A-N, even if they look at the paperwork and they go, oh, that must be something wrong with that. It's got to be Sean with S-H-A-W-N or S-E-A-N. I'm not sure how S-E-A-N even looks anything like Sean, but it does. It's better than, I'm not dissing you if you got that name, good on you. You don't have S-H-O-N, so happy you. So, again, it's very fast.

(22:00):
It makes things a lot easier. The next step is account deprovisioning. This is the off-boarding process. So this is a timely removal of accounts and permissions, right? So this is how they're removed as quickly as they possibly can be. There's critical steps that are involved in this, and this would be immediately disable accounts upon termination or notification. You revoke your email, your VPNs and your privileged

(22:22):
accounts. This is all done once you decide that this person is no longer going to be with you, so you start removing it and then you remove from a distribution list, shared folders, folders and your various collaboration tools that you may have. So again, this happens. And now, if you're doing this manually, this takes a long time. If you're doing this automatically, then it's a much better process.

(22:43):
And then, finally, you're transferring ownership of data, such as mailboxes, files, to a manager and you may have a period of time where the manager must go through and look at all of these files to keep what they want to keep before they are deleted. And this process, this lifecycle management process, if you can do it right, it will save so much time and it is so nice. It truly is, but it takes some level of focused effort and

(23:08):
energy on it to make it happen. Now, the risks of failure: orphaned accounts exploited by attackers. That was one of the primary things that I went after all the time, so you really truly need to do this, if you can. Some lifecycle aspects of it: ex-employees retaining access. Had this happen. Individual set up a VPN, he's an IT individual, and he set it up by, without anybody knowing about it, and

(23:31):
allowed access into the network remotely. And then what did he do? He still had an account and because his account was still active, what did he do? I'm saying, what did he do? A lot, he nuked the place. Yeah, baby, he just dropped a logic bomb on it and just trashed it. About two and a half to three million dollars later, yes, he's in prison, breaking big rocks into little rocks and on top of

(23:54):
that. But now you spent two million dollars on stuff that you really can't get back. It's on lawyers, that's it. You spent two million dollars on lawyers that you didn't need to spend it on. You could have spent the two million dollars on getting your life cycle management process in place and it would have saved you a gob of money in the long run. But in this case they had to spend $2 million on the lawyers and then probably another $2 million on lifecycle management.

(24:16):
So for a total net in for about $4 to $5 million. That's where they were. So lesson learned, you just got to move on. Problem is, if you're a small business, that can get really expensive. Role definition in RBAC, role-based access. So, role-based access, well, you see this a lot in CISSP and in the CISSP Cyber Training that is available to you all the time.

(24:38):
This role-based access controls. This assigns permissions based on job function, such as HR, finance and engineering. So, based on the role you have, this is how much access you should have. Engineering folks should do engineering stuff. They don't need access to HR stuff. HR people need access to HR. They don't need access to finance, so on and so forth. So, again, you align the permissions based on the job

(24:59):
function of what they're doing. Don't just say, hey, everybody has access to everything to make my life easier. Yes, that would make your life easier, but then in the long run it'll make it much more painful and it's just not good. Not good, especially if you're dealing with some sort of certification that you need, such as CMMC or any of these other fun ones that are tied to regulatory requirements.

(25:19):
Yeah, that's not a good idea. It reduces complexity by managing groups of permissions. That's what role-based access does and allows the individuals to have the access and the permissions they need specifically for their role. Benefits of this: it's consistent permissions across similar roles and, again, you can have same kinds of permissions. The HR and engineering people may have certain permissions

(25:42):
that are very similar and they may have access to the same accounts, or not accounts, but locations within or assets within their organization. But it's designed specifically for HR. It also limits what HR people can see, and the same with engineering as well. Simplified audits and role reviews, much easier. Keep it simple, though, too. Don't do, I need role-based access for engineering one, two,

(26:04):
three and four. I need. Each of those has a different role-based access. Now, not to say you shouldn't do that, but if you do that level of granularity on each of these engineering things, you better have a good plan. Like an apprentice in engineering may specifically have only maybe engineering one, and they have very limited access on what visibility they have into different types of

(26:25):
drawings and so forth.
You may have a different, like mechanical engineering versus
electrical engineering.
Those might be different role-based accesses, but I
highly stress not doing, if you can avoid it, engineering one,
two, three, four, five.
Be very specific about what engineering you wanted to do,
mechanical, electrical, aerodynamics, whatever, and just

(26:47):
keep it as simple as you possibly can, but not too simple,
right?
Not just say, okay, we're all in the same bucket.
Avoid that.
I hope I've stressed that enough.
But it does.
It does reduce the complexity of managing groups and their
permissions if you can allow role-based access.
Another benefit is it's scalable.
As the organization grows, as your company grows in size and

(27:07):
strength, it will help simplify it.
But again, think about the long term when you're coming out
with these accounts.
Think of long-term strategy, of what is easy and what is not.
And then, when you make changes to these roles and the access
they have as your company grows, be very thoughtful in how you
do that, because the reason I tell you that is don't be so
quick to make these changes.

(27:28):
Have a lot of thought around it, because what's going to happen
is whatever you put in place is not going away anytime soon.
So think about that.
So, sorry, I'm just kind of beating on that drum because
I've seen it happen where, because I'm pointing fingers at
myself, where I've made, hey, let's do a role one, two, three,
four, five, and you're like, oh my gosh, why did I do that?
And I didn't have a real good thought process through it, just

(27:50):
thought it made sense, but I didn't kind of sit on it, noodle
it.
Think about the long-term strategy around it.
So, as an example, your HR may have access to HRIS, we talked
about their information systems, and the payroll.
The finance role may have access to ERP, the general
ledger systems and so forth, and then there basically is no
cross-access unless it is explicitly required.
And if that happens, where there is cross-access, then you

(28:14):
may have a separation of duties type of approval process in
place to ensure that whoever is allowing this also has eyes on
what actually is occurring.
So, privilege escalation risk: there's unauthorized increase of
privilege for users, this would basically be from user to admin.
This is a common attack vector around this, and this again going

(28:36):
after unmonitored service accounts.
Yeah, baby, those are awesome.
I love them because they're 24 by 7 and nobody looks at them.
Uh, service accounts, baby, if you're going to clean anything
up, anything at all, it is two things: domain admins, reduce them
to like two, okay, and then have a separation of duties
approval approach on your, on your domain admin. One, two,

(29:00):
service accounts.
Clean them boogers up, get rid of as many of them as you
possibly can, because they are like candy to an attacker.
So again, look at all of those, clean them up, get rid of them.
Misconfigured permissions or group memberships. Group
memberships, those get inherited really quick and they cause all
kinds of issues.
So that would be your step.
Two and three would be to look at your permissions and then

(29:23):
your group memberships, and then stolen admin credentials from
phishing, right.
So if you're not allowing local admin login and you're just,
that's a great thing to help remove the overall admin
credentials from being stolen via phishing. Service account
risks.
These often have domain-wide or application-wide
rights and they can create havoc.
A lot of times people will go, well, I only have two domain

(29:46):
admins. Yeah, but your service accounts, you've given them
domain admin access, so it's just like you have 2,000
domain admins.
Again, I know we're exaggerating just a little bit,
but maybe not so much.
It depends on the size of the company that you're in.
Frequently shared static passwords across environments.
This happens a lot with service accounts.
The service accounts, typically the password is set once it is

(30:09):
created and it is never, ever changed.
So those things have been sitting there forever in what
they're doing, and the problem is people don't change them
because the moment you decide to change it, it breaks stuff.
So people don't like stuff breaking because then they've got
to go in and fix it.
So think about your static passwords.
And then they're rarely rotated or monitored.

(30:29):
Service accounts, yeah, they're not monitored much at all
unless you have a very robust and a very mature organization.
Now some ways you can do to prevent privilege escalation
again is assign unique service accounts per the application or
the service, rotate your passwords regularly and store
them in a secure vault such as CyberArk, and CyberArk just got
bought by somebody for a gazillion dollars.

(30:51):
Again, it's an important part of what you do is rotate them
and secure them.
It is expensive, but do it, you will not regret it by doing it.
Implement just-in-time admin privileges, and this would be
for Azure PIM and BeyondTrust.
You can put those in place and make sure that just-in-time is
that if they need admin privileges on something, they

(31:13):
can check them out of a potential CyberArk and it will
then provide them the admin account as needed.
It rotates the admin account on a routine basis and therefore
you can't really copy it.
It doesn't work that well.
Monitor logins with a SIEM and trigger alerts for unusual
activities, and then remove any unnecessary local admin rights

(31:34):
on endpoints.
That's a big one.
So, service accounts and local admin, if you can get rid of
those two, you have dramatically reduced the overall attack size
of your organization substantially.
So, if you're going to focus on it, service accounts and
endpoints, local admin.
So some key takeaways in all of this: access reviews are an

(31:55):
important part.
Reduce your overall over-provisioning.
Find orphaned accounts early.
Do this quickly.
Provisioning and deprovisioning: strong joiner, mover, leaver
process. Okay, how does someone join it, how do they move inside
the organization and how do they leave?
What does that look like?
It will reduce your overall risk.
And then role definition: RBAC enforces consistent and
auditable access controls.

(32:16):
Highly recommend you implement some level of RBAC within your
company. Service account management.
This is critical to preventing privilege misuse and lateral
movement.
And then, finally, you have a level of governance that sets up
oversight to ensure that all your processes are enforced.
And I had that at the beginning because I wanted to kind of
stress the fact that governance is important no matter what you

(32:38):
do.
And a lot of companies don't really do it because it isn't as
sexy and Gucci as they would like, so they don't do it as
much.
But governance is the glue that holds all of this together.
So I highly recommend that you follow that and go from there.
Okay, so that's all I've got for you today.
Head on over to cisspcybertraining.com.
Check it out.

(32:59):
It's got a lot of free stuff, a lot of.
There's some paid stuff there, depends what you want.
My free stuff is great.
It will give you, get you a good level of consistency of
what you need to be able to access and pass the CISSP, if
you need that extra help and you need the ability to know.
You know what, I want to, like, get a bootcamp and I want to
have this bootcamp in a video format that I can walk through

(33:20):
step by step by step, and I don't want to pay 10 grand, then
pay for the paid version of it.
This is no kidding a bootcamp that you need, these $10,000
boot camps that you're spending gobs of money on.
You can get that at CISSP Cyber Training with my programs that
I have available.
It walks through each of these with overall questions that are

(33:40):
there, as well as all the CISSP questions, the overall blueprint,
the training plan.
It's all available to you at CISSP Cyber Training.
Again, it's the best money spent if you're serious about
taking the CISSP and getting it done.
All right, have a wonderful, wonderful day and we will catch
you all on the flip side, see you.
Thanks so much for joining me today on my podcast.

(34:00):
If you like what you heard, please leave a review on iTunes,
as I would greatly appreciate your feedback.
Also, check out my videos that are on YouTube and just head to
my channel at CISSP Cyber Training and you will find a
plethora or a cornucopia of content to help you pass the
CISSP exam the first time.

(34:20):
Lastly, head to CISSP Cyber Training and sign up for 360
free CISSP questions to help you in your CISSP journey.
Thanks again for listening.