CCT 112: Understanding Account Provisioning and Maintenance Mastery (D5.5.1)

Feb 05, 2024
 

Prepare to be armed with the knowledge to secure your digital fortress as we confront the Atlassian Confluence Data Center and Server template injection bug, a critical vulnerability that could undermine your cybersecurity defenses. With a severity level that's maxed out the scale, I'm here, Sean Gerber, to ensure you're not left exposed to CVE-2023-22527. Transitioning from defense to offense, we'll unpack CISSP domain 5.5.1, delivering best practices for onboarding systems and provisioning user accounts - an essential strategy in an age where data breaches are as common as coffee breaks.

Empowering your workforce is just as critical as fortifying your systems. In this episode, we tackle the nuances of creating a security awareness training program that doesn't just tick boxes but transforms every employee into a vigilant guardian of your organization's assets. From discussing cybersecurity threats with the delicacy they deserve to equipping new IT staff with the armor of encryption and multi-factor authentication, we ensure that your team is your strongest asset - not your weakest link.

Lastly, let's talk about exits. The offboarding process is a minefield of potential security breaches, but it doesn't have to be. We'll explore how automated systems and credential management can be your allies in ensuring that once someone says goodbye, their access to your network does the same. And for those in the know, the importance of discreetly handling access removal for sensitive positions cannot be understated. So join me, and let's navigate the complexities of cybersecurity together, ensuring your organization remains a fortress amidst a sea of threats.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Good morning, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a great day. Today we are going to be talking about some amazing things that come around the CISSP. We're going to be covering domain 5 of the CISSP; 5.5.1 is the part that we're going to be focused on today, specifically for the CISSP. So, before we get started, we're going to talk about the US Cybersecurity and Infrastructure Security Agency, which has issued an alert on the Atlassian (A-T-L-A-S-S-I-A-N) Confluence Data Center and Server template injection bug and what it's able to do. They recommend this one. From a security standpoint, it's a level 10 as it relates to the level of vulnerability that it could apply to your organization; hence, that's the highest it can potentially go, level 10. And they are saying that this should affect the Confluence Data Center servers versions 8.0.1.2.3.4.5.0.3. So it will give you remote code execution. It will affect various versions, and it's able to basically give them root on those. It does affect out-of-date Data Center and Server 8 versions before December 5th of 2023, as well as 8.4.5, which no longer receives the fixes. So one thing you want to do is, if you have this, you need to reach out to Atlassian now. If you have a system that has not been updated in a while, you may want to consider what some of your options are.
Obviously, one of the big things to consider when you have a system like this, that has such a wide range of access from a remote code execution standpoint, is to definitely limit the ability to have any sort of remote code access to it. I would recommend that, if you do have remote access into it, you have a platform that people can use instead of getting some direct level of access into the environment. I know companies that have used products like SourceForge, ics Shield, something like that, where you are able to get in, but you're not actually able to run execution, and to gain access to it you have to have an account. People can't just arbitrarily log in and gain access with credentials that they may have stolen from the internet, basically from the mother of all data breaches that occurred this week as well. So you need to make sure that you address this as quickly as possible and go look on the CISA website as it relates to this vulnerability. But again, it's the Atlassian Confluence Data Center and Server template injection bug, and you must get to that as soon as you possibly can. It's CVE-2023-22527. So if you're listening to this, you're obviously a cybersecurity professional, or if you're an infrastructure person who's trying to get their CISSP, I highly recommend you talk to your folks and see what they have in your system. If you don't have it, hey, you just dodged the bullet. Good job. Okay, let's move on to the lesson for today. So in CISSP we're going to talk about 5.5.1; that's the main process that we're going to be going after today, and it's going to deal with provisioning and onboarding and maintenance of various systems and what you should know as a CISSP and as a security professional.
So one of the big issues that you run into when you are bringing on systems (and if you're an infrastructure person who's listening to this, you probably will relate to this very well) is the fact that the provisioning of systems does provide a significant security challenge, and it's important that you have this set up both from a system standpoint and from a user account standpoint, which includes assigning usernames, passwords and access provisions. You should have a great plan in place to manage this, and it really is important to do this because, especially as we related just a little bit ago with the mother of all data breaches that occurred recently, your usernames and passwords are probably, 99% of the time, compromised. Right, that's a number that I made up, but if you look at it from the standpoint of how many breaches are occurring, there's a really good chance that many of the people within your organization will have a bit of a problem with their username and password, and so you need to make sure that you have a good plan for that. This also includes the access permissions associated with the accounts. So if you have an individual and you've got usernames and passwords, but this individual has got access within your network to pretty much be able to touch anything, that also is a problem as well. So you need to really understand, when you're dealing with provisioning, the critical role it plays in ensuring that individuals who are joining your organization, either from a full-time employment standpoint or from a contractual standpoint, have the necessary credentials and the rights to perform their jobs appropriately. Now this may be up to the hiring supervisor to do, but they must have that set up correctly, and it is your responsibility as a security professional, one, to help them set that up if they haven't already done it,
or two, to provide some level of guidance on how to set up these accounts and these credentials effectively. Hopefully, you would like some level of automation in the provisioning process. It does allow for efficient and accurate access to these accounts, so we would highly recommend that there is some level of automation in this. It also allows for streamlining the onboarding experience of your new employees. What that basically means is that, as you are bringing a new person on, all they have to do is, for the most part, go to a website, fill in their information, and then it automatically puts this information into their provisions and the account. It gives them a password, it gives them the credentials on how to do it, it tells them how to walk through multi-factor. All of those pieces are very, very helpful, and they also will help reduce the manual errors that do occur. I've seen it time and again where a company will have a very manual process involved. In one case, the individual will be given too many rights with their account, or a situation will arise where the person who manually put that information in didn't do it correctly. The account gets provisioned, the person logs in and they can't get access to what they want, and then they get frustrated. And when they get frustrated, it just causes all kinds of drama, and it can end up being a situation where it takes weeks to get the person set up when it should only take minutes at the most. So automation is a really key factor in doing that. Now, one example you could think of is just that, as an employee joins an organization, the provisioning process would involve creating the user account in Active Directory (if you're using Active Directory; you may not be using Active Directory depending upon your company), assigning a unique username (obviously their name), and also configuring access permissions based on their role.
And they have multi-factor, which I would highly recommend you have that process already defined for them as well. Now that can also be a separate situation. They may not automate into their multi-factor setup within your tenant, but at least at a minimum you have the processes and documentation to help them get that enabled. Another thing around automated provisioning that can be very helpful is the following: say you have a large multinational, and you have individuals within your company, and you set up role-based access. So this person has a role. They are working as a widget fixer. Right, that's their role. They're a widget fixer. And they move on to a new role within the company to become, let's say, a car cleaner, I don't know, something other than widget fixer. And so they move into this new role, and as they move into this new role, they in many cases will take the rights that they have with them from being a widget fixer to being the car fixer, and so now they're not just a car cleaner or car fixer. I see I'm trying to come up with really good roles, but those are really terrible roles, sorry. You have car fixer and then you have widget fixer. Well, the car fixer now has all of the same rights as the widget fixer because they took all of those with them. You want an automated process so that when a person moves from a role, they lose that access and they gain the access in their new role, but they lose the access that they previously had. Now there might be situations where you want them to continue carrying that capability, those rights, with them, but what ends up happening? We call this credential creep, and eventually these individuals, when they've been with a company for any period of time,
their credentials are extremely permissive, and they allow lots of things because they had rights from one job to another job to another job, and they were never removed or reevaluated. So you really need to have an automated process that will help you streamline this, especially within HR. So this is where it's important that when you do account provisioning, you try to have a situation set up where your accounts that are provisioned are directly integrated with your HR environment. It makes it much better, makes it much safer for your organization. The challenge is that it can be very daunting to do that. It can be very problematic to do that. So it's just important that you kind of think about that when you are putting in place these various roles within your organization and you're allowing that to happen. You also need to consider defining new roles within your organization, and that would be where, if there's a role that maybe didn't exist before and now it needs to. One example where I've seen this happen before is individuals will create a role for web development, and they will use it in conjunction with their normal network role, but rather than creating the role itself, they try to give themselves more permissions with their normal network role, and they didn't create the new role specifically for the web development piece of this. So you want to consider that as well. Is there a way to ensure that, rather than just giving this role more permissions to do web development, you create a new role specifically for the web development aspects? Again, you want to have the least amount of privileges that you possibly can with that specific account. You do not want to have one account that has God rights over many. It's just something you truly want to avoid, and the more automation you can use around that process, the better off you are.
Another aspect that you need to consider as it relates to onboarding of individuals is to ensure that they have some level of security awareness training during that onboarding process. So when you bring a new employee on and you have them with a new account, they're brand new to the company, they're new to your ideas, and so you want to ensure that you teach them the security awareness training that you have for your organization on top of providing the credentials for them. I've seen it in many cases where HR will have a new employee orientation time, and during that time they will walk them through: this is your network account, this is how you use it, these are the rights that you have, and then, by the way, here's the security awareness training that we have available for you, here is the site where you can go get your training, and these are the things that you should be considering with your account. And I also tell them during that security awareness training these are the areas that are being watched within your organization from an insider threat standpoint. I don't get into the details, but I will tell them that your activities are being monitored. So be careful what you do, right, because we're watching it to protect the company and to protect you. So it's important that you have that when you're bringing on new employees and you're educating them in your environment. This doesn't have to be super complex. So, as you're studying for your CISSP, you may be with a company where you are the only security professional they have, and if you're the only person they have (let's just say you're an infrastructure person who's just studying this information because you feel it's good for you in your career, it's good for the opportunities), you can help create a security awareness training program specifically for your company without a lot of work. It really doesn't take a lot.
You can do this in a way that it could be a one-point or one-page document that has links on it that are tied to the policies that you have, and that is sufficient, more than enough, to help them. The goal is not to overwhelm them with reams of data and lots of information; it is to provide them the information they need to be a successful partner in your organization, as well as protecting your company data and yourselves from outside attackers. It's important, when you create this document or the training that you have, that you understand any sort of industry standards, regulatory requirements or best practices that would be important for your role. If you deal a lot with the US government and you're dealing with the defense contractors, you may have to do some training around CMMC, and that may be required based on what your company does. It just depends. You need to make sure, though, that you have a good grasp of what you're trying to teach them and the responsibilities of these individuals. A good example of that would be GDPR in the EU: how would you deal with data transfers, and just educating them around that process. One other aspect that I forgot about as well that you would have in the security awareness training, and that would be important, would be the reporting of a security incident. One thing that we have done in the past is created training, video training as well as just regular document-level training for individuals, on an ongoing basis: if you see something, say something. What that means is, if you see this event that's occurring, say something to this group or this individual, and this can be done in multiple ways. It can be done through IM; maybe you're using some sort of Teams or other type of instant communication. It can be done through email; that's another option. It could be done through, maybe, if you have direct communication, walkie-talkie kinds of aspects.
It could be done that way as well. However your organization wants to do it, you'd want to set them up so they understand that, in the event that they see something, they should say something. And this is where you come back to that. Every employee within your organization (I kind of call this back from my military days) is a red teamer. We would teach that every person within your organization is a sensor. They're paying attention to what's going on. Now, some sensors are better than others, and some sensors will see things better than others. Some sensors will see that there's a boogeyman around every corner, and there isn't. So you have to couch that a little bit. But it's important that if people see something that seems out of place or inaccurate, or they just don't really know, they should reach out and say something, because the moment that they don't and something bad happens, maybe you could have mitigated a large part of the risk that affects your organization by properly teaching your people how to understand the risk and then how to report the risk. So those are the pieces that are pretty important. We're talking about educating your employees, and it's important that when you educate your employees on that initial onboarding aspect, you do teach them about the threat, teach them about who is potentially affecting your company's organization. I would also say that, depending upon the size of your company, and if your company's a multinational, I would recommend you're sensitive to where your employees are from and what level of detail you're actually sharing with them. If you have employees that are operating in spaces that maybe aren't always the most friendly towards Western governments, you want to make sure you're very careful in how you say that around people's countries and around their beliefs.
One thing that I've learned in the past is that many times these countries (and they all do it) are hacking other countries, and that doesn't mean it's right, but when you're dealing with employees, they do not have control over any of this and, like all of us, I'm proud of where I live and I'm proud of the country I live in most days and, just like them, they are proud of the location they live in, the country they live in. So offending them by making blatant statements that the countries attacking us are bad is a really bad way to do business, and it's a bad way to keep your employees. So, again, be sensitive to that and understand that. Just talk about the facts of what you know: that there are cybersecurity threats that are coming from all over the globe, affecting all companies, and in some cases they are coming from nation states, China, Russia, the United States, even Israel, France. They're coming from various places that are doing the hacking, and you need to understand not who the nation states are but, more or less, what their capabilities are and what they are capable of doing. That is, focus on the capabilities of what these nation states can do, not necessarily where they're from, and again, this is important if you're dealing with a multinational organization and you have employees that are scattered around the world; just be sensitive to that nature. One thing to think about when you're provisioning a new employee, if they are going to be in the IT world, is to consider how you can use that as an opportunity to teach them about encryption tools, multi-factor authentication or secure communication channels. One would be, if you're dealing with IPsec tunnels between locations, or if you have enabled an encryption capability on servers that are in a potentially soft or secure environment, you would want to make sure that that would be a good time to really kind of drive that home.
What I've learned is that, especially with infrastructure individuals, as they start on with a company of any size they're just focused on doing the run and maintain. Having a security person come in and help them understand the risk and what their role is in it is a really important factor as well. So, again, you want to make sure that you try to tie this off and, if you haven't done it when they first joined the organization, circle back around with them after a period of time and just reach out to them and explain who you are, the risk, and what they can do to help in the situation. So now, when you're dealing with deprovisioning and offboarding of individuals and accounts, this also needs to be a systematic process because, like we talked about, the more you have the ability to automate this process, the better off you will be. There have been numerous times (and you'll go to any company, and I guarantee you will see this) that when you compare the amount of people that have left the organization, who are no longer part of it, and you go and do an audit of the accounts, as you complete this audit of these accounts you will, in most cases (not always, but in most cases) find accounts that are still alive, still active, of individuals who have left the organization. Now, is this a terrible thing? Not necessarily. A lot of it comes down to the rights of these individuals. But what can happen is these stale or defunct accounts that are just kind of lying there in an orphan state are usually the ones that bad guys and gals will target first, one, because they're not well known.
You can operate as Joe Smith, who's been gone from the company for 10 years, and if nobody's watching it, you could operate as Joe Smith within the network and no one would ever know, whereas if you operated as Jenny Smith, who is a person who's within the company, operating right now doing what she's supposed to be doing, if you were to compromise her account, odds are a little bit higher that you would probably get caught doing that. So if you can find an old account and leverage it as a hacker, that's a great thing. Now it's even better if that account has elevated credentials within your organization; then that's the mother lode. That's what you want. So it's important that you go through and you have these things cleaned up over a period of time. Ideally, like we mentioned earlier, it's important that you have some level of automation to clean up these accounts; that would be the best part, and then you would go back in and do an assessment of these accounts once a year and make sure that the actual automation process is working. And I say once a year; if you are maybe just starting that process off, you may want to do it once every six months, just to make sure. I just did a cleanup not too long ago on some accounts, and it was supposed to be automated, but it wasn't. It was a very manual process because the automated process missed. And in the process of doing that, I came back later, about four months, and went through all the accounts that I had to go through then, and at the end of that four-month period I went and just did an assessment to see if they had been deleted and had been put in a position where they were no longer active. Come to find out that the majority, about 98% of them, were in a deleted or turned-off state, but there were 2% that got missed, and a lot of it was due to the fact that it was a very manual process.
So you want to make sure that you go back over and ensure that these rights have been removed and this process is completed. So, again, if you do have a good deprovisioning process, it will significantly reduce the security risks within your company, especially with terminated employees that maybe have left the organization. Delaying it can cause you challenges. Now, another part is there are credential management systems that are out there that will help you automate this deprovisioning process, and I would highly recommend that you enable something like that within your organization if you have not already. Now, the one thing that comes into this as well is money. It costs money, it's not cheap, and so you may have to weigh within your organization what is the most important thing you should do. Maybe you have an automated process for all of your accounts that is very simple, and it may be just a script that runs that you just have to go and assess every so often, but I highly recommend some level of credential management system to automate the deprovisioning process. One other thing to think about when you're talking about accounts, usernames and passwords is the ability for these usernames and passwords to be stored in a central location. What happens, and I've seen it time and again, is where an organization will disable and delete an account with a username and a password (maybe just an elevated credential), and the person who left the organization is the only individual who knows those credentials to gain access to that more sensitive system. So it's important that you focus on helping, maybe by having a centralized location for that information, so that it's stored in a proper place and it is able to be transferred to others in the event something were to happen.
So some of the offboarding significance that you need to be aware of is, when you're dealing with offboarding, it's important that you remove those accesses really quickly for your ex-employees, because I've seen it where an employee, especially in IT (and this is where you're dealing with a high-risk environment), an individual within IT has set themselves up a backdoor within their organization. They knew they were going to be getting let go. They set up a backdoor within their company. In the process of setting up that backdoor, when they were terminated from the organization, they came back around and logged in and remotely accessed the organization and caused significant amounts of damage within the organization. So it's important that, once you know that a person, especially in a critical position, is going to be leaving the organization, you take swift and immediate action to terminate access. Now, this is one of those things where you have to weigh the employee. If the employee is a great employee and has been treating you well over the years, and you feel you have a very good relationship with them, then you may not have to be as quick to shut them off and walk them out the door. I've seen it where, you know, typically in the United States you have two weeks' notice: you give your two weeks, you work for two weeks, kind of do a transition, and then from there you leave the company and it's all very amicable. But I've also seen it where employees were told, you are leaving the organization and I'm walking you out the door today, and that has happened. And so it's recommended that you have a plan with your employees depending upon the situation: if it's an amicable relationship and it's an amicable separation, a positive separation, then at that point you have to weigh it. But if it's any sort of performance issue that you're letting the person go for,
I would recommend that once that information is delivered to that person, their account is suspended and they are then allowed to leave the organization. When people are leaving on good terms, the odds of them doing something bad to your organization are highly unlikely. If they're leaving on bad terms, you don't know, so you just need to make sure that you have a good process in place to deal specifically with that. You also want to communicate with other departments. This would be collaborating with them, including HR and IT. It's important as a security professional that you do that. You are the one that helps plan that. Ideally, if you have an automated system, it would do it for you. But if you don't have that, as a security person, and if the person is in a sensitive location, you may want to communicate that to various organizations to make sure that they're aware. One piece of this is, I've seen it where, especially with IT individuals, when they leave the company, even on amicable terms, I have then reached back after the person has left the organization, reached back with HR and within the IT organization, to make sure their account was disabled. That included remote access. I was more worried about the remote access than I was their actual normal access, because in the case of the companies that I work with, you cannot just get directly into our organization. You have to have remote access to do that, and that would be ideally the best way you would want to, and so therefore, you need to ensure that if someone has any sort of technical significance within your organization, you remove that remote access capability. So I kind of alluded to it earlier a little bit about role-based access, and you want to ensure that you have some level of RBAC, and you'll see this on your CISSP.
You'll see this in CISSP questions, because it's a typical term that's out there, along with other basic access requirements. You have RBAC, you have ABAC, you have various other ones that can be associated with this, but RBAC in this case is just role-based access. This is a security model that ties your permissions and access rights to a job role rather than an individual user, and so it simplifies the process, associates permissions with predefined roles, and it's a really good way to ensure that they're not tied to Joe Smith but tied to Joe Smith's role, and it does help enforce the principle of least privilege. If you're not familiar with least privilege, it just basically means you only have access to the things that you should have access to and no more. This is where that credential creep comes into play, where you go from one job to the next job, and if you don't clean up your credentials, you can have this credential creep where you have access to way more than you should. So therefore, RBAC is an important factor in any organization, and you should really truly define it well. The only downside with it (well, there are other downsides, but one of the main downsides that rolls with RBAC) is you have to be very, very clear on defining the roles and how they fit within your organizational structure. It is also important that you tie them to your security policies as well. So implementation is an important factor when you're defining these roles and helping get that set up. So RBAC is an important factor. It takes time and effort to make it and get it set up, but it is an important thing that you should consider doing. One example of RBAC would be if you have a financial analyst and you have a financial, I'm just saying, engineer, I don't know. At least, security is a better option.
You have a security engineer and you have a security analyst. As a security analyst, you may have a very specific role that differs from the engineer. The engineer typically has more hands-on direct access to these systems, so if you're an analyst, you're reading the data. If you're an engineer, you're working on the information that creates the data. You would have two separate roles, depending upon the permissions that they were allowed. Now, does that always happen? No. Do you need to be that granular? Maybe, maybe not. Maybe your security analyst and engineer are both the same role, but your security architect is a different level of permissions. You have to decide what is the best course of action for you and your company, and how granular you really truly want to get with that. Now, the benefit of having least privilege is that users only have access to their specific job functions, and it reduces unauthorized access and potential misuse. The important part of this, though, is you need to have a security policy stating this specifically: one, for the individual to know what their role is, and two, to define that for your organization, so they know what the expectation is around these specific roles. So you need, as a CISSP professional, to ensure that you have these roles defined. Now, you may not do the actual definitions, you will most likely work with someone who leads that, but you'll need to work with them on how to define these roles and then how to document this and ensure that it meets industry standards and best practices. So now, when you're dealing with account maintenance, one of the big things is regular password changes. Now, as we talked about at the beginning of this, the mother of all password breaches, or mother of all data breaches, has like 300 billion usernames and passwords, which means there's a lot of duplication because not everybody is on the internet.
A lot of people are, most people are, but not everybody, and so, with that being said, you need to have regular password changes where it is appropriate. Now, if you have an organization that has multi-factor, I've seen it where the organization's individual password never changes. It stays the same, and then you use multi-factor to allow you in. I mean, there's pros and cons with all of that. You're relying a lot on a multi-factor enablement, and if someone gets in the middle, a man-in-the-middle on that multi-factor, then game over. So it's important that you do password rotations on your accounts, especially since if you're having to gain access and you're living on multi-factor, you have a username, you have a password and then you have multi-factor, so those are three different factors that you have to have to gain access. If any one of those falls apart, and the username pretty much falls apart all the time, because everybody knows the usernames of everyone, then you're relying on a password. That is one leg of the three-legged stool, and I don't know if that's a good idea or not, but I would say password changes are an important part, especially if you do not have any multi-factor enabled within your organization. It's a proactive way to mitigate the risk of unauthorized access. You need to ensure that you have an education system set up to teach people strong password practices, raising awareness, to ensure that you have all of that in place, and you then should have a policy to ensure that the regular password changes are occurring, covering such things as password complexity, frequency of updates and so forth. Now, some people will say that the password should be rotated every 90 days, some say six months, some say yearly, some say never. So you have to determine, working with your folks, how much of a challenge your password policy is going to be.
This takes senior leadership buy-in, because if the senior leaders don't think that the password needs to be rotated and people don't need to be bugged, then you are going to be fighting an uphill battle. So it's important that you help define this within your role as a CISSP. What should the password rotation be? The standard is every 90 days. Again, it just depends upon the organization and what your risk tolerance is. I would say that in most cases, unless you have a really good password management program, changing the password every 90 days is marginal. Why do I say that? Because people will reuse passwords. They will go and say "monkey butts one, two, three, four," and then, when the 90 days comes up, they'll say "monkey butts one, two, three, four, five," and then "monkey butts one, two, three, four, five, six." They'll say something like that for their password. So unless you have a way to stop them from reusing parts of the password, you're going to run into that. And then the other piece you've got to deal with, as the overall example around this, is having some sort of password keeper product, something to do password management for them, because if you don't, they're going to keep it on an Excel spreadsheet sitting on their computer, or they'll have a sticky note. Ideally they have it on a spreadsheet. It won't be password protected on the spreadsheet. So if a hacker gets access to their account, well then he just has access to all their passwords. So you need to come up with a good plan to help them as well. Now, as you're monitoring account activity, it's important that you have tools in place to monitor these accounts. This would come down to logins, access patterns, detecting any sort of anomalies or suspicious behavior, and then you need to incorporate that within your incident response planning. Overall, it's your plan: what are you going to do with that? And that needs to be tested on a routine basis.
So it's important that you have all of these pieces enabled and operational before you... well, you won't have them before you get going, but you want to make sure you build this capability as time goes on. If you have a SIEM, a security information and event management tool, it would be good to have all of these set up in there so that it's looking for any sort of account credentials that might not be doing the right thing, and that is where your SIEM will come into play, and we'll talk about SIEMs later here in the podcast down the road. But the security information and event management tools are very important to help monitor account activity within your organization. Okay, so the last thing I want to talk about is periodic access reviews. You do want to, and we kind of alluded to this during the podcast, have some level of audit and assessment that is done on these accounts. You should do this on a very routine basis. Now, that routine basis may be once a year, maybe every six months. I would recommend that you do it at least every six months, or at a minimum of six months, and then do it all... right, what's the right word? Maximum of six months? I don't know. Six months is usually a good sweet spot, right? Six months works. About every year is positive, but a lot can happen in a year. A lot can happen in six months as well, but at least you're not waiting an entire year to look at all of these accounts. This would contribute to documented access reviews, generating reports and so forth. If you have this automated, it makes it really easy, and in most cases, account changes over a period of six months aren't substantial, depending upon the organization that you're in. If you're in a very large organization, you'll want automated tools to help you do this process, but I would set aside time during that period, about every six months, to look at the accounts that have changed within your organization. Now, you may not look at all the accounts.
Maybe you'll look and do an assessment of the service accounts that have occurred. You may look at all the administrative accounts that have occurred. You may take a subset of those during the course of the year as well. So just come up with a plan. Having a plan that you can deviate from is better than no plan at all. So that's what I would highly recommend when you're dealing with that. Now, there might be some compliance requirements that make you do this, based on regulations I had mentioned. CMMC is one of those. There's others out there, but they may require you to do some sort of audit and assessment of these accounts to ensure that you're meeting what they're wanting you to do. So again, quarterly is an important factor if you can do it, ideally six months would be the minimum, I would say, and then the maximum that you wait to do it would be one year. That kind of timeline has served me well. Now, what are the benefits of doing this? Well, it reduces your risk, obviously, from the accounts that potentially could be vulnerable and could be available to people to take advantage of. It does help you with the compliance piece of this. More and more compliance requirements are focused on accounts and ensuring that you have a good process in place. All of the frameworks that I deal with, your NIST, your ISO 27001, they all talk about account maintenance and account management, and this is an important factor in how you will ensure that you're taking care of your organization as best as you possibly can, and, as a security professional, it's an important part of your role. It also helps build credibility with your senior leaders that you are watching for any sort of issues that these accounts may have. I'll tell you, it's not the most sexy thing in the world, it is not the most fun thing in the world, but if it's done right it can dramatically reduce the risk to your organization.
This is one of the number one things that bad guys will leverage: accounts, because they're already known within your organization, they are not being watched, and they know that in many cases they have elevated credentials. So why would I go out and try to use a zero-day against a device that potentially could get me exposed or caught, when I can just use an account that is sitting dormant, that nobody is using, that has godlike rights? You'd be stupid to use anything other than that. So if you clean this up and you keep this clean, you now dramatically reduce the risk to your organization. So just something to kind of think about. All right, that is all I have for you today. Next, just keep in mind, Thursday will be CISSP Question Thursday, which will be going over all the questions that are kind of tied to this and dealing with account provisioning, and you can get all of this information at CISSP Cyber Training. It's CISSPCyberTraining.com. You can go there and get access to all of this. In this podcast we talked about account provisioning and maintenance mastery, all the different pieces that you're focusing on when provisioning and deprovisioning accounts within your organization. Go to, I'm putting a plug in again, go to CISSP Cyber Training. There's great content for you there. You can get access to me directly if you want, you can get access to the CISSP training that's available to you. If you are a small business and you need cybersecurity support, you can gain access to me there as well. The ultimate goal is to help you, one, pass the CISSP, but two, to provide you what you need to be able to be successful and protect your company in the event of a cybersecurity incident. All right, hope you guys have a wonderful day and we will catch you on the flip side. See you.
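The transcript above covers several account-maintenance checks in one pass: leavers whose accounts (and especially remote access) were never disabled, dormant accounts that still carry elevated rights, password age beyond the rotation window, and entitlements that have crept outside what the person's role grants. The following script is an added example, written for this page and not part of the podcast or the CISSP Cyber Training material, that runs exactly those checks over a constructed account export as one periodic access review. The role names, entitlement names, thresholds and the four sample accounts are all assumptions made for the example; a real review would read the same fields from a directory export and an HR feed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# RBAC model: each role maps to the entitlements it is allowed to carry.
# Role and entitlement names are assumptions made for this example.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "security_analyst": {"siem_read", "ticketing"},
    "security_engineer": {"siem_read", "siem_admin", "ticketing", "vpn"},
    "finance_analyst": {"erp_read", "ticketing"},
    "backup_service": {"backup_write"},
}
# Entitlements that make a dormant account especially dangerous.
PRIVILEGED: Set[str] = {"siem_admin", "domain_admin"}
# Entitlements that give a path into the network from outside.
REMOTE_ACCESS: Set[str] = {"vpn"}


@dataclass
class Account:
    username: str
    role: str
    enabled: bool               # directory state
    employed: bool              # HR feed: False once the person has left
    last_login: Optional[datetime]
    password_set: datetime
    entitlements: Set[str]


def review_accounts(accounts: List[Account], now: datetime,
                    dormant_days: int = 90,
                    password_max_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for one periodic access review."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        # Offboarding gaps: HR says the person is gone, directory says active.
        if not a.employed:
            if a.enabled:
                findings.append((a.username, "LEAVER_STILL_ENABLED"))
            if a.entitlements & REMOTE_ACCESS:
                findings.append((a.username, "LEAVER_HAS_REMOTE_ACCESS"))
            continue  # the remaining checks only apply to current staff
        if not a.enabled:
            continue
        # Dormant accounts: nobody uses them, so nobody would notice misuse.
        idle = (now - a.last_login).days if a.last_login else None
        if idle is None or idle > dormant_days:
            tag = "DORMANT_PRIVILEGED" if a.entitlements & PRIVILEGED else "DORMANT"
            findings.append((a.username, tag))
        # Password rotation policy.
        if (now - a.password_set).days > password_max_days:
            findings.append((a.username, "PASSWORD_OVER_POLICY"))
        # Least privilege: anything the role does not grant is credential creep.
        allowed = ROLE_ENTITLEMENTS.get(a.role, set())
        for extra in sorted(a.entitlements - allowed):
            findings.append((a.username, f"ENTITLEMENT_OUTSIDE_ROLE:{extra}"))
    return findings


def sample_accounts(now: datetime) -> List[Account]:
    """Constructed sample export for the example; not real data."""
    def days_ago(n: int) -> datetime:
        return now - timedelta(days=n)

    return [
        # Current analyst, active, in policy: should produce no findings.
        Account("asmith", "security_analyst", True, True,
                days_ago(3), days_ago(30), {"siem_read", "ticketing"}),
        # Engineer who left but was never deprovisioned, still has VPN.
        Account("bjones", "security_engineer", True, False,
                days_ago(40), days_ago(60), {"siem_admin", "vpn", "ticketing"}),
        # Service account: never logs in, stale password, domain admin it should not have.
        Account("svc_backup", "backup_service", True, True,
                None, days_ago(400), {"backup_write", "domain_admin"}),
        # Moved from security to finance and kept SIEM read access.
        Account("cdoe", "finance_analyst", True, True,
                days_ago(10), days_ago(20), {"erp_read", "ticketing", "siem_read"}),
    ]


def demo_findings() -> List[Tuple[str, str]]:
    """Run the review at a fixed date so results are reproducible."""
    now = datetime(2024, 2, 5)
    return review_accounts(sample_accounts(now), now)


if __name__ == "__main__":
    for user, finding in demo_findings():
        print(f"{user:12} {finding}")
```

Running it lists two findings for bjones (account enabled and VPN retained after leaving), three for svc_backup (dormant with a privileged entitlement, password older than the 90-day window, and domain_admin outside its role) and one for cdoe (siem_read carried over from a previous role); asmith produces none. The leaver checks deliberately run before and independently of the dormancy check, since a departed engineer who logged in last week is a more urgent problem than one who has been idle.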