Equifax Rant #6 of 7 - Identity, Access, and Privilege
Where to start on these 3 topics? So many words and so little blog!
When a hacker is inside of your network snooping around, stealing things, destroying things, escalating things, doing anything, they have 3 things. These are the same 3 things regular users have.
Users and hackers both have identities. Users typically identify themselves by logging into their workstations and, unless SSO is working brilliantly, also logging into various applications and systems throughout the day. Hackers have somehow commandeered a user's credentials and are playing around in your house acting like one of your children....
But if you look closely at their identity, they're really not your children. They may call themselves your children, but they came in from a different door, they've been there a different amount of time, and they're not in the location that your child normally is. If you look at the behavior of this so-called child, you could tell me right away they're not yours, even though they may look like yours on the outside.
Identity verification and authentication are among the cornerstones of information security. You can't prevent bad guys from getting your goodies if you don't even know who the good guys are.
Now that we have a handle on who our users are and what their behaviors are, we can begin to lock down access. Both users and hackers have access. Group, department, and individual access management is key to a successful layered security approach.
If my IT department is 1/100th the size of my entire company, I can narrow my attack surface by 99% with one department-level policy. If IT is 100 people and only 5 developers need access to this application, I can further limit my attack surface by an additional 95%. Now only 5 people in the company have access to this application.
This all goes out of the window if non-centralized accounts are used... Like root/admin. So... stop that right now! Bad kitty!
So now our 5 developers are the only people in the world with access to said application. Great. What kind of access do they have? Carte blanche nuclear capabilities? NO WAY JOSE! This is where we get into privileges.
Let's start by giving them the least amount of privileges possible. This is called the principle of least privilege.
Let them ask for more, let them justify needing more. And when they do get more, let's give it to them for a specified amount of time. Let's log/record everything they do while controlling the escalated privileges. After they're finished, let's make them check back in with us and permanently destroy their temporary privileges.
Even though my database administrator architected the database, built the database, maintains the database, and has created all of the fancy views and clustering, that doesn't mean he/she should have the right to view payroll information. If they need to do work on a table/view with sensitive information, let them check out an escalated privilege and we'll watch them like a hawk while they have the whole company's Crown Jewels in their hands.
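As an added illustration of that check-out / time-limit / log / check-in cycle (a constructed example, not code from the original post or from any product; the broker class, the privilege names and the ticket id are all hypothetical):

```python
# Added, constructed example (not Equifax's or any vendor's code): a minimal just-in-time privilege broker.
class PrivilegeBroker:
    def __init__(self, clock):
        self.clock = clock      # injectable time source so expiry is testable
        self.baseline = {}      # user -> set of standing (least) privileges
        self.grants = {}        # (user, privilege) -> {"expires_at", "why"}
        self.audit = []         # append-only record of every decision

    def _log(self, event, user, privilege, **extra):
        self.audit.append({"ts": self.clock(), "event": event,
                           "user": user, "privilege": privilege, **extra})

    def request_escalation(self, user, privilege, justification, ttl_seconds):
        if not justification.strip() or ttl_seconds <= 0:       # no justification or no time limit: no grant
            self._log("denied", user, privilege, reason="no justification or bad ttl")
            return False
        self.grants[(user, privilege)] = {"expires_at": self.clock() + ttl_seconds, "why": justification}
        self._log("granted", user, privilege, why=justification, ttl=ttl_seconds)
        return True

    def is_allowed(self, user, privilege):
        if privilege in self.baseline.get(user, set()):
            return True                                 # standing privilege, nothing to escalate
        grant = self.grants.get((user, privilege))
        if grant is None:
            self._log("denied", user, privilege, reason="no grant")
            return False
        if self.clock() >= grant["expires_at"]:
            del self.grants[(user, privilege)]          # expired: destroy the temporary privilege
            self._log("expired", user, privilege)
            return False
        self._log("used", user, privilege)              # every use of an escalated privilege is recorded
        return True

    def check_in(self, user, privilege):
        found = self.grants.pop((user, privilege), None) is not None   # finished: destroy it permanently
        self._log("revoked", user, privilege, found=found)
        return found

def demo():
    # Walk the DBA scenario with a fake clock; returns the access decisions and the audit trail.
    now = [1000.0]
    broker = PrivilegeBroker(clock=lambda: now[0])
    broker.baseline["dba"] = {"schema:alter"}                   # what the DBA always has
    before = broker.is_allowed("dba", "payroll:read")           # False: payroll is not in the baseline
    broker.request_escalation("dba", "payroll:read", "ticket PAY-1 (constructed)", 900)
    during = broker.is_allowed("dba", "payroll:read")           # True: inside the 15-minute window
    now[0] += 901                                               # the window elapses
    after = broker.is_allowed("dba", "payroll:read")            # False: expired and destroyed
    return [before, during, after], broker.audit
```

The audit list is what you would ship to the SIEM; the "used" events are the ones worth alerting on when they arrive outside the justification's ticket window.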
This is called privileged access management and is all part of an overarching strategy to secure information through identity, access, and privilege. And once we have that, we can get to the real meat of the Equifax hack. Who's responsible? Rant #7 incoming!
Expert in delivering innovative AI-driven capabilities, products, cloud transformation, and cybersecurity solutions, with a proven track record of boosting revenue and EBIT across all functions and levels.
7 years: But I have to have root! Good article, spot on. Stop stupid