CISSP Cyber Training Podcast - CISSP Training Program

CCT 280: Mastering Identity Lifecycle Management (Domain 5.5)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 280


Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

The effective management of digital identities throughout their lifecycle is perhaps the most crucial yet overlooked aspect of organizational cybersecurity. This episode dives deep into CISSP Domain 5.5, offering practical insights on building robust identity and access management (IAM) governance frameworks that protect against insider threats while streamlining compliance efforts.

We begin by examining a real-world case study of how one company transformed its third-party risk management using AI-driven consolidation of security alerts, establishing clear accountability through a security champions program. This approach demonstrates how proper governance structures can turn overwhelming data into actionable intelligence.

The heart of our discussion centers on the identity lifecycle – from provisioning to deprovisioning and everything between. Learn why automated account creation processes dramatically reduce security risks while improving operational efficiency. We share cautionary tales, including one where improper deprovisioning allowed an ex-employee to deploy a devastating logic bomb costing millions in damages and legal fees.

Role-based access control (RBAC) emerges as a critical strategy for maintaining least privilege principles at scale. However, we warn against common pitfalls like overly complex role structures that become unmanageable or so simplified they create security gaps. The episode provides clear guidance on achieving the right balance for organizations of any size.

Perhaps most importantly, we expose the hidden dangers of service accounts – those often-forgotten credentials with extensive privileges that rarely change and receive minimal monitoring. These accounts represent prime targets for attackers seeking to escalate privileges, yet many organizations fail to properly secure them.

Whether you're studying for the CISSP exam or implementing IAM best practices in your organization, this episode delivers actionable strategies to strengthen your security posture through proper identity lifecycle management. Visit CISSPCyberTraining.com for additional resources to support your cybersecurity journey.


Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go.

Speaker 2:

All right, let's get started. Hey, I'm Shon Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is Monday, and on Monday what do we do? We talk about CISSP training specifically designed around the CISSP, and today we're going to be focused on domain five, and that's actually 5.5 of the CISSP exam, so you get your ears tuned up and ready to go, because we're going to get into this in just a minute.

Speaker 2:

But before we do, I had an article that I saw in CSO magazine that I think is pretty appropriate for security professionals, and one of the things we run into a lot is third-party risk and basically supply chain risk. Wesco, they're a large supply chain company that was overwhelmed by having thousands and thousands of alerts that they're having to manage for their different supply chains, for the different people, right, and this basically made it really, really hard to understand what is an urgent risk and what is a non-urgent risk. So one of the things we've always struggled with is how do you incorporate AI into all of this? Well, what they did was they consolidated their risk data from basically their various security platforms into one pane of glass, into a single risk view, and then they used AI, right, and then automation and threat intelligence to filter, prioritize and basically bring all that to a center spot. So it was very interesting how they did this. I think it will be interesting to see if they market this product in the future, because it could provide a lot of value, I feel, to a lot of different people. Another thing they did, and this is another one we talk about a lot in CISSP Cyber Training, is that they established clear ownership through a security champions program, and we've done this in the past in various different security organizations. You had to have a security champion designated. The purpose is there has to be ownership, there has to be accountability, and that security champion is a big factor in anything that you're doing. They used integrated tools like GitHub, Azure DevOps, Veracode and Kubernetes Defender, and then CrowdStrike as well, in this whole process, and they used their AI plus their application security posture management plus threat modeling to assign the risk scores and unify the overall risk data.

Speaker 2:

Now, obviously, this took them a little bit longer than just a couple of days or a couple of weeks. It probably took them the better part of a year to do this and to do it well, but the thing is that if you're going to do this within your company, you need to truly think about how you want to actually make this happen. They had four cornerstones of their risk management strategy, and these were proactive defense, improved awareness, application security posture enhancement and then their AI-driven risk mitigation. So they had those four cornerstones built into this from the beginning, and what it comes down to is they planned this from a strategy standpoint. They looked at it. They didn't just throw something on the wall to see if it would work. They actually had a full-up strategy on how they were going to do this. So, again, the lessons learned that came out of it were: data consolidation gives a unified view and helps reduce duplication.

Speaker 2:

Obviously, security champions are a shared responsibility across the teams to provide speed and accountability. Another one, very valuable. And then, finally, automation and AI are critical in scaling without burning out security resources, and that's where you need to use the AI and your automation. Automation is a big factor in how to do this and, again, I stress, if you're going to do this within your company, pick one thing to work on first and then move into the second and so forth. It's just an important part of any organization. I've worked with lots of companies that have dealt with SIEMs, their security incident event management systems, and they have just all kinds of data. You really need to cut through it and decide how you're going to take this information and what is the single pane of glass in which you want to put this, and then how to utilize AI to help you cut through all the noise that you're having to deal with. Okay, let's move into what we're going to talk about today. Okay, this is Domain 5, 5.5, Managing Identity and Access Provisioning Lifecycle.

Speaker 2:

This is all based off of the ISC2 book and their study exam questions, and so, therefore, if you are studying for the CISSP, I highly recommend that you go and get the CISSP exam book that is out there. It's basically the book, and there's also some exam questions that are tied with that as well. You can get that on Amazon or pretty much anywhere you look, you can find that specific book, and all the training that I have at CISSP Cyber Training is tied to the ISC2 book. Now, just to kind of highlight the fact that, if you are studying for the CISSP, the podcast that we put this in, the video content that we put together for this, is one aspect. There is tons of stuff at CISSP Cyber Training that is available to you, from all kinds of video content, audio content, as well as the blueprint that will help you pass the CISSP the first time. Most definitely it's there. It's designed to help walk you through the process one step at a time. And again, if you're taking the time to do this and you're going to spend the money to take this test, let's do it right, and you know what, you can have all of that at CISSP Cyber Training at CISSPCyberTraining.com.

Speaker 2:

Before we get started in 5.5, one of the things I did want to add to this section, which is a little bit beyond what 5.5 has, is around identity and access governance that's associated with this lifecycle. It is an imperative part of this overall process to have an identity and access governance plan in place. Now the overall objective is you want to protect the data by enforcing the appropriate access controls across the entire enterprise, and this is done through identity, authentication, authorization and governance. So identity is the unique representation of users, systems or services. Authentication is the verifying of the identity presented. This is the passwords, your multi-factor and so forth. Authorization, this is granting rights based on policies and roles, and then governance is the continuous oversight of accounts, privileges and entitlements. Now, the overall value of how this comes into play, if you can do this correctly, is it does reduce your insider threat risk, and the insider threat risk can be both from your employees as well as accounts that are tied to these employees, so it doesn't have to be an employee specifically going and doing these bad things. It could be actually their account doing it. It also helps ensure your regulatory compliance and it does simplify your audits. You're going to want to do this because it does help substantially with any sort of regulatory aspects that are tied to it, and if you have audits, if you make your auditor's life easy, it makes your life easy. So, again, having a good plan in place is truly critical and I'd highly recommend that you follow these key concepts as you're building out your overall lifecycle plan.

Speaker 2:

Now, the importance of governance, this is part one of this, is that you're dealing with proper structure and accountability for your IAM processes. Now the user accounts, service accounts, roles and policies, those are all part of your overall governance aspects. Now, your key stakeholders that are tied into governance would be HR, your IT folks, your identity and access management folks, business managers and compliance. Those are the key folks that really have a vested interest in your overall governance plan. Now, the activities would be access certification campaigns, your segregation of duties reviews and your policy updates as well. Those would all be the aspects that you would want to have completed while you're doing this.

Speaker 2:

Now, measurement is a key factor, and this would be your KPIs. Some things to deal with provisioning and deprovisioning would be time to provision versus deprovision, percentage of access reviews that have been done on time, this would be, if you looked at the different accounts that you have, are those access reviews being reviewed, and segregation of duty violations that are remediated. Those would all be good KPIs that would be put in place to allow you metrics related to your provisioning and deprovisioning, your lifecycle management. So you want to really start thinking about what are some metrics you can have as you're building out this program for your company. Again, this is all part of the CISSP, but it's very practical for what you may do when you get to your organization. Now there's some common pitfalls that you deal with when you're dealing with lifecycle management. Manual tracking: doing this manually is an extremely painful process and it's prone to mistakes.

Speaker 2:

So you really want to try to avoid any sort of manual tracking on a large-scale basis. Understand, you may have to do this on a small scale, and/or just getting started, you may have to deal with manual tracking. That is not the long-term strategy you want to take. You really truly want to have an automated plan and a report that is generated for you on a timely basis. Delayed HR updates: this is also a common pitfall, where someone maybe is leaving the organization and it doesn't get updated in HR quickly, and because of that, the data is polluted. You may have people that have left, but their accounts are still active. So it can result in inconsistent revocation of the accounts as they're being created. So again, it's a really important part that you try to think about all of this when you're coming up with a lifecycle for your organization's accounts. Now some examples you may have is a quarterly committee review to identify and resolve contractor account delays. You may put this in place just to verify those, and again, you want to start small and grow from there. I would highly recommend, more than anything, you pick one set of accounts that you're going to focus on and then you build the processes around that, and that would give you what you need to ensure that you're getting it done in a timely manner.

Speaker 2:

So another important part of having governance is the framework. So you really want to follow a framework that's out there to help you with this. There's the NIST CSF, your Cybersecurity Framework, your ISO 27001, your COBIT, which deals with governance and management. One thing also to think about is CRI, which is your Cybersecurity Risk Institute's framework. I really like that, especially good for financial institutions and banking institutions. A very, very positive framework. It's actually very in-depth and detailed. If you can follow the CRI framework and you put your processes in place based on that, you have set yourself up to be extremely successful with the overall program that you're trying to develop.

Speaker 2:

Now, the benefits of a strong governance program are faster audits with documented access certifications. Again, that's an important part, having this done and having it automated and having it audited. That's an important aspect of any organization. Improved collaboration between HR, IT and security. I had a very strong relationship with my HR and IT folks. You want to have that. You really need to have a good, strong foundation with your HR and IT organizations.

Speaker 2:

Then, early detection of insider risk, insider threat and privilege misuse. Yes, if you have this built up, you can quickly see where people are using their privileges in an inappropriate manner. I have had many people fired because of the fact that they do this wrong. Not that they set this up wrong, but that they were using their credentials inappropriately. And if you don't have the automated resources in place to help you with that, you, in turn, can end up in a situation where you don't even see it. So, very strong piece of this. Some examples of that could be a governance board review, IAM metrics quarterly, and mandates. All these different types of aspects can be put in place for you and your organization.

Speaker 2:

So let's get into account access and review. So the purpose of this would be like a certification that you're verifying that this has been done. This is to ensure that access is still required and appropriate for the individuals. Now, some components around this would be: active user accounts, right? You want to make sure that they are understanding what they have. They confirm that they have what they need to have. They're a current employee or a contractor and they're operating within their company. They have the various privilege levels, which will ensure adherence to least privilege. Do they have the amount of privilege that is just needed for their job and nothing more? Again, adhering to least privilege.

Speaker 2:

Orphaned accounts: this is where you remove accounts that are from departed users. Anybody that has left the organization, both from just moving on to maybe a different role and their account was left dormant, that would be an orphaned account, and someone who is no longer with the company, that is an orphaned account. You want to remove all of those accounts so that those cannot be used against you by an attacker, because they will be used.

Speaker 2:

I looked for all kinds of orphaned accounts, and yes, they are there. Now, these could be user accounts, these could be service accounts, these could be domain admin type accounts. You want to understand what accounts have been used and when they are not used. Dormant accounts: this is where accounts basically haven't been used for a while. I see this a lot in a service account that hasn't been used in a while. It was created many years ago. They used it maybe for a process, maybe even that process only runs once every six months. It could almost be a dormant account.

Speaker 2:

You want to consider disabling these accounts if they're inactive for a period of time. So it could be 90 days, could be 180 days, whatever amount you feel is appropriate. Obviously, there will always be exceptions. There's always exceptions to every rule. But you need to keep in mind that if you have an account active out there, you need to consider when you want to disable it. How many days do you want to set up as the litmus test, as the rule? Now, frequency-wise, you need a.

Speaker 2:

Regulatory standards often require quarterly reviews: SOX, PCI DSS. They will require some level of quarterly understanding and review of these various accounts. So you need to decide what the regulatory requirements on you are and then make those changes happen. If you're not in that boat, maybe you're a smaller organization and you don't have regulatory pressures, you may want to do this at least once every six months to once a year at a minimum. I would highly recommend more than once a year, just because if someone's in your network and they are using one of these accounts, if you wait a year, and, say, you just did your review and an attacker gets into your organization the day after, they're there for an entire year before their account is actually disabled. So I mean, obviously you'd hopefully have more things going on than just that, but it's something to consider. Critical systems may require monthly validation, and that's an important part of any organization, and you may just want to consider that, depending upon what you may have within your company. But again, that may not be a critical requirement because of a regulatory aspect. You just may choose to do it, which I would highly recommend.

Speaker 2:

Now an access review example. So here's a scenario: you generate a quarterly report of all privileged domain admin accounts. The manager will receive an automated certification request saying they must approve or decide to do something with this domain admin account. Now, keep in mind, this is something I would not email. This is something that this report should probably be done in a way that's in a SharePoint site that maybe somebody can gain access to. Now, the reason I say that is because if someone knows what your domain admin accounts are, that can be intelligence that they don't have right now, but you sending it through email could be. Again, I also say this on the flip side: if they're already in your domain, they probably figured out what your domain admin accounts are anyway, rather than you sending them in an email as well. So this is why it's important that you have a really good strategy around.

Speaker 2:

How do you want to handle these accounts? Consider them extremely sensitive, and they have to be managed appropriately. The manager will receive automated certification requests and then they just do what they need to do. So they need to approve, modify or revoke the user's access within the system based on what they find, and that's what they should be doing. Now, the outcome: this would be to reduce the attack surface of the individual, remove stale admin rights from users who have changed roles, and this is an important part. But this, in turn, requires that you have engagement into what's actually occurring within your organization. Highly recommend you do this. This is an important part, and you need to do these reviews at least quarterly, or, I should say, at least yearly. At a minimum, I would do them every six months, just to be perfectly honest with you all. Now, best practices for access reviews.

Speaker 2:

You again automate this. Can you automate these, or use an automated platform to help you, such as SailPoint, Saviynt, Okta Identity Governance and so forth? I've used Saviynt and SailPoint as well. They work very well. They are very intensive and they can be. You may need some people that will help you develop these systems, but they work really, really well. I don't know how well they will work for a small organization, if they have smaller, lightweight packages available. I would just use this from an enterprise standpoint and they do work very, very well. But you've got to have good HR integrations and so forth.

Speaker 2:

Notify and escalate. You need to have automatic reminders and escalation paths to management if there is no response, so if there's nobody doing something about it, there needs to be an escalation process in place that has been built, and then you need to have evidence that these accounts have been signed off. I've seen this happen before where you send it up to the manager and the manager doesn't do anything with it. So you need to have an escalation path that will then take it up to the next level of authority in your organization, and then, when they finally click on a button and say yes, I agree to this, these accounts, get rid of them, then you have a sign-off report that has been done and it shows and can track who actually agreed to turn these off.

Speaker 2:

Now, the last thing is continuous improvement, which is an important part of any organization. This is where you track review completion rates and remediate any recurring issues. Again, it's an important path for you to have access reviews completed on a routine and automated, ongoing basis. I cannot stress this enough. I saw an account when I was at a previous company and it hadn't been touched in nine years. Nine years! And this account had significant levels of ability with the service account. So it had the ability to do a lot of different things within a company because it was set up nine years ago and people forgot about it. So, again, you see this all the time, and if you have an organization that's been around for more than a couple of years, I guarantee that you have some accounts that are very, very similar.

Speaker 2:

Okay, so account provisioning, onboarding. This is the creation of new users, accounts and entitlements, so there have to be some steps in place that would make this happen. So HR would trigger an onboarding process in their HRIS system, their HR information system, and the IAM tool would then create the accounts automatically in AD, your cloud apps, and eventually, if you had remote access, you would add a VPN to that as well, or a very similar type of activity. I'm not a big fan of VPNs. I prefer remote desktop applications such as those that are within Microsoft, or even, I'm drawing a blank on the other one that we use a lot, Citrix, and so forth. I'm not a big fan of VPNs. They just give too much access. Now you can crank those down so they don't, but so often the VPNs are just stood up and forgotten about.

Speaker 2:

Then you want to apply role-based entitlements specifically to those accounts to enforce least privilege, and again, role-based is an important part of all of this. You must do it. You really must do it for all the accounts that you're focused on. Notify the manager and the employee when the provisioning is complete, and that way they get an email that's saying yes, it's been done and completed, and then also send it to the new prospective employee or contractor that it's been completed as well. So faster onboarding is an important part, right?

Speaker 2:

I've been onboarded as a contractor with companies and it's like, OMG, it's painful. And these are big companies and you're just like, what in the world are you people doing? And it's not just some of the people, it's just they have so many bureaucratic processes in place. It is very painful. I've also seen it happen where, in the same situation of a big enterprise, you say, OK, I'm on board, the paperwork has been signed. And once the paperwork is signed, within a day you have accounts provisioned, you have the ability to do whatever you need to do. So onboarding is an important part.

Speaker 2:

Consistent access, again, it allows you to have access. That is, once it starts, it continues providing you the information you need or the access you need, and then it does reduce any sort of manual errors that are happening. I've seen this happen time and again, where somebody will hand-jam you in, right, well, let me add your account to this, and they go in. They tick, tock, tick, tock, tick, tock. They put it in and what do they do? They screw up, what, your name? And guess what, my name is really fun: it's Shon, S-H-O-N. How many times do you think that's been screwed up? Oh, more times than I can ever count. So that's why my friends call me Enrique, because it's just so much easier and it's sexier. I like it, it's much better. But, that being said, Shon is goofed up all the time when someone does it, and I can tell when someone does it manually and it comes back S-E-A-N, even if they look at the paperwork and they go, oh, that must be something wrong with that. It's got to be Shon with S-H-A-W-N or S-E-A-N. I'm not sure how S-E-A-N even looks anything like Shon, but it does. It's better than, I'm not dissing you, if you got that name, good on you. You don't have S-H-O-N, so happy you. So, again, it's very fast. It makes things a lot easier.

Speaker 2:

The next step is account deprovisioning. This is the off-boarding process. So this is a timely removal of accounts and permissions, right? So this is how they're removed as quickly as they possibly can be. There are critical steps that are involved in this, and this would be immediately disable accounts upon termination or notification. You revoke your email, your VPNs and your privileged accounts. This is all done once you decide that this person is no longer going to be with you, so you start removing it, and then you remove from distribution lists, shared folders and your various collaboration tools that you may have. So again, this happens, and now, if you're doing this manually, this takes a long time. If you're doing this automatically, then it's a much better process. And then, finally, you're transferring ownership of data, such as mailboxes, files, to a manager, and you may have a period of time where the manager must go through and look at all of these files to keep what they want to keep before they are deleted. And this process, this lifecycle management process, if you can do it right, it will save so much time and it is so nice. It truly is, but it takes some level of focused effort and energy on it to make it happen.

Speaker 2:

Now, the risks of failure. Orphaned accounts exploited by attackers. That was one of the primary things that I went after all the time, so you really truly need to do this, if you can. Some lifecycle aspects of it: ex-employees retaining access. Had this happen. An individual set up a VPN, he's an IT individual, and he set it up without anybody knowing about it, and allowed access into the network remotely. And then what did he do? He still had an account, and because his account was still active, what did he do? I'm saying, what did he do? A lot. He nuked the place. Yeah, baby, he just dropped a logic bomb on it and just trashed it. About two and a half to three million dollars later, yes, he's in prison, breaking big rocks into little rocks, and on top of that.

Speaker 2:

But now you spent two million dollars on stuff that you really can't get back. It's on lawyers, that's it. You spent two million dollars on lawyers that you didn't need to spend it on. You could have spent the two million dollars on getting your lifecycle management process in place and it would have saved you a gob of money in the long run. But in this case they had to spend $2 million on the lawyers and then probably another $2 million on lifecycle management. So for a total net of about $4 to $5 million. That's where they were. So lesson learned, you just got to move on. Problem is, if you're a small business, that can get really expensive. Role definition in RBAC, role-based access control.

Speaker 2:

So, role-based access. Well, you see this a lot in CISSP and in the CISSP Cyber Training that is available to you all the time. This role-based access control assigns permissions based on job function, such as HR, finance and engineering. So, based on the role you have, this is how much access you should have. Engineering folks should do engineering stuff. They don't need access to HR stuff. HR people need access to HR. They don't need access to finance, so on and so forth. So, again, you align the permissions based on the job function of what they're doing.

Speaker 2:

Don't just say, hey, everybody has access to everything to make my life easier. Yes, that would make your life easier, but then in the long run it'll make it much more painful and it's just not good. Not good, especially if you're dealing with some sort of certification that you need, such as CMMC or any of these other fun ones that are tied to regulatory requirements. Yeah, that's not a good idea. It reduces complexity by managing groups of permissions. That's what role-based access does, and allows the individuals to have the access and the permissions they need specifically for their role. Benefits of this: it's consistent permissions across similar roles and, again, you can have the same kinds of permissions. The HR and engineering people may have certain permissions that are very similar and they may have access to the same accounts, or not accounts, but locations within, or assets within, their organization. But it's designed specifically for HR. It also limits what HR people can see, and the same with engineering as well. Simplified audits and role reviews, much easier.

Speaker 2:

Keep it simple, though, too. Don't do: I need role-based access for engineering one, two, three and four, and I need each of those to have a different role-based access. Now, not to say you shouldn't do that, but if you do that level of granularity on each of these engineering things, you better have a good plan. Like an apprentice in engineering may specifically have only maybe engineering one, and they have very limited access on what visibility they have into different types of drawings and so forth. You may have different, like mechanical engineering versus electrical engineering. Those might be different role-based accesses, but I highly stress not doing, if you can avoid it, engineering one, two, three, four, five. Be very specific about what engineering you want it to do, mechanical, electrical, aerodynamics, whatever, and just keep it as simple as you possibly can, but not too simple, right? Don't just say, okay, we're all in the same bucket. Avoid that. I hope I've stressed that enough. But it does reduce the complexity of managing groups and their permissions if you can allow role-based access. Another benefit is it's scalable. As the organization grows, as your company grows in size and strength, it will help simplify it.

Speaker 2:

But again, think about the long-term when you're coming out with these accounts. Think of long-term strategy, of what is easy and what is not. And then, when you make changes to these roles and the access they have as your company grows, be very thoughtful in how you do that, because the reason I tell you that is don't be so quick to make these changes. Have a lot of thought around it, because what's going to happen is, whatever you put in place is not going away anytime soon. So think about that. So sorry, I'm just kind of beating on that drum because I've seen it happen where, because I'm pointing fingers at myself where I've made, hey, let's do a role, one, two, three, four, five, and you're like, oh my gosh, why did I do that? And I didn't have a real good thought process through it, just thought it made sense, but I didn't kind of sit on it, noodle it. Think about the long-term strategy around it.

Speaker 2:

So, as an example, your HR may have access to HRIS, we talked about their information systems, and the payroll. The finance role may have access to ERP, the general ledger systems and so forth, and then there basically is no cross-access unless it is explicitly required. And if that happens, where there is cross-access, then you may have a separation of duties type of approval process in place to ensure that whoever is allowing this also has eyes on what actually is occurring. So, privilege escalation risk: there's unauthorized increase of privilege users, this would basically be from user to admin. This is a common attack vector around this, and this again going after unmonitored service accounts. Yeah, baby, those are awesome. I love them because they're 24 by 7 and nobody looks at them. Uh, service accounts, baby, if you're going to clean anything up, anything at all, it's two things: domain admins, reduce them to like two, okay, and then have a separation of duties approval approach on your, on your domain admin one, two service accounts. Clean them boogers up, get rid of as many of them as you possibly can, because they are like candy to an attacker. So again, look at all of those, clean them up, get rid of them. Misconfigured permissions or group memberships. Group memberships, those get inherited really quick and they cause all kinds of issues. So that would be your steps two and three: to look at your permissions and then your group memberships. And then stolen admin credentials from phishing, right. So if you're not allowing local admin login and you're just, that's a great thing to help remove the overall admin credentials from being stolen via phishing. Service account risks: these often have domain-wide or application-wide rights and they can create havoc. A lot of times people will go, well, I only have two domain admins. Yeah, but your service accounts, you've given them domain admin access, so it's just like you have 2,000 domain admins. Again, I know we're exaggerating just a little bit, but maybe not so much. It depends on the size of the company that you're in. Frequently shared static passwords across environments.

Speaker 2:

This happens a lot with service accounts. With service accounts, typically the password is set once it is created and it is never, ever changed. So those things have been sitting there forever in what they're doing, and the problem is people don't change them because the moment you decide to change it, it breaks stuff. So people don't like stuff breaking because then they've got to go in and fix it. So think about your static passwords. And then they're rarely rotated or monitored. Service accounts, yeah, they're not monitored much at all unless you have a very robust and a very mature organization. Now, some ways you can prevent privilege escalation, again, is assign unique service accounts per the application or the service, rotate your passwords regularly and store them in a secure vault such as CyberArk. And CyberArk just got bought by somebody for a gazillion dollars. Again, it's an important part of what you do is rotate them and secure them. It is expensive, but do it, you will not regret doing it.

Speaker 2:

Implement just-in-time admin privileges, and this would be for Azure PIM and BeyondTrust. You can put those in place and make sure that just in time is that if they need admin privileges on something, they can check them out of a potential CyberArk and it will then provide them the admin account as needed. It rotates the admin account on a routine basis and therefore you can't really copy it. It doesn't work that well. Monitor logins with a SIEM and trigger alerts for unusual activities, and then remove any unnecessary local admin rights on endpoints. That's a big one. So, service accounts and local admin, if you can get rid of those two, you have dramatically reduced the overall attack size of your organization substantially. So, if you're going to focus on it: service accounts and endpoints, local admin. So, some key takeaways in all of this. Access reviews are an important part.

Speaker 2:

Reduce your overall over-provisioning. Find orphan accounts early. Do this quickly. Provisioning and deprovisioning: strong joiner, mover, leaver process. Okay, how does someone join it, how do they move inside the organization and how do they leave? What does that look like? It will reduce your overall risk. And then role definition: RBAC enforces consistent and auditable access controls. Highly recommend you implement some level of RBAC within your company. Service account management: this is critical to preventing privilege misuse and lateral movement.

Speaker 2:

And then, finally, you have a level of governance that sets up oversight to ensure that all your processes are enforced. And I had that at the beginning because I wanted to kind of stress the fact that governance is important no matter what you do. And a lot of companies don't really do it because it isn't as sexy and Gucci as they would like, so they don't do it as much. But governance is the glue that holds all of this together. So I highly recommend that you follow that and go from there. Okay, so that's all I've got for you today.

Speaker 2:

Head on over to cisspcybertraining.com. Check it out. It's got a lot of free stuff, a lot of. There's some paid stuff there, depends what you want. My free stuff is great. It will give you, get you a good level of consistency of what you need to be able to access and pass the CISSP. If you need that extra help and you need the ability to know, you know what, I want to like get a bootcamp and I want to have this bootcamp in a video format that I can walk through step by step by step, and I don't want to pay 10 grand, then pay for the paid version of it.

Speaker 2:

This is no kidding a bootcamp that you need, these $10,000 boot camps that you're spending gobs of money on. You can get that at CISSP Cyber Training with my programs that I have available. It walks through each of these with overall questions that are there, as well as all the CISSP questions, the overall blueprint, the training plan. It's all available to you at CISSP Cyber Training. Again, it's the best money spent if you're serious about taking the CISSP and getting it done. All right, have a wonderful, wonderful day and we will catch you all on the flip side, see you. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.