A Wand For Each Wizard ft. Bryon Singh, RailWorks Corporation

By Steve Gold
Posted in Security
On September 27, 2023

One of the most famous wizards of all time, Harry Potter, learned that he was destined to attend Hogwarts School of Witchcraft and Wizardry on his 11th birthday. It was then that Harry acquired his first wand at Ollivanders shop in Diagon Alley.

From the moment he received his first wand, Harry had to learn how to wield its power. Similarly, in the digital landscape, providing every user with administrator privileges is like handing them a wand without proper training. Just as aspiring wizards are taught and guided by experienced mentors, trained administrators can effectively manage and maintain enterprise assets, ensuring that power is wielded responsibly.

Administrators, who hold elevated permissions for managing and configuring systems, should use dedicated administrator accounts exclusively for those tasks. On the other hand, general computing activities like internet browsing, email communication, and productivity software usage should occur within standard user accounts.

Administrator accounts are like keys to the kingdom. They have the capability to tweak system settings, access confidential data, and modify user rights. If mismanaged, these privileges can lead to unintentional disruptions, breaches, or malicious exploitation. At its heart, Safeguard 5.4 advocates for clear demarcation: regular activities (like reading emails or browsing) and admin-related tasks should not be mingled on a single account.

To effectively integrate CIS Safeguard 5.4, organizations should establish separate profiles exclusively for administrative tasks, ensuring that these aren't used for everyday activities. Admin privileges should be judiciously granted based on job requirements, with consistent oversight and periodic reviews of these accounts. Heightened security measures, such as integrating multifactor authentication (MFA) for these pivotal accounts, are crucial. Lastly, it's vital to equip individuals with these privileges with the necessary knowledge about their responsibilities, ensuring they are aware of potential risks and the importance of their role.
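The periodic review described above can be run as a repeatable check over an exported account inventory. The following Python is an added example, not code from the original post or from CIS; the privileged group names, the record fields, and the sample accounts are assumptions constructed for illustration.

```python
"""Review an account inventory against the practices described for CIS Safeguard 5.4."""
from dataclasses import dataclass

# Assumption: groups that confer administrator rights in this hypothetical environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}

@dataclass
class Account:
    name: str
    owner: str               # person the account belongs to
    groups: frozenset        # group memberships
    has_mailbox: bool        # account is mail-enabled
    web_proxy_hits_30d: int  # browsing requests attributed to the account
    mfa_enrolled: bool

def is_privileged(account):
    return bool(account.groups & PRIVILEGED_GROUPS)

def audit(accounts):
    """Return {account_name: [findings]} for privileged accounts needing attention."""
    by_owner = {}
    for a in accounts:
        by_owner.setdefault(a.owner, []).append(a)
    findings = {}
    for a in filter(is_privileged, accounts):
        issues = []
        if a.has_mailbox:
            issues.append("privileged account is mail-enabled")
        if a.web_proxy_hits_30d > 0:
            issues.append("privileged account used for web browsing")
        if all(is_privileged(o) for o in by_owner[a.owner]):
            issues.append("owner has no separate nonprivileged account")
        if not a.mfa_enrolled:
            issues.append("privileged account lacks MFA")
        if issues:
            findings[a.name] = issues
    return findings

# Constructed sample inventory (not real accounts).
SAMPLE = [
    Account("hpotter", "Harry", frozenset({"Domain Users"}), True, 412, True),
    Account("adm-hpotter", "Harry", frozenset({"Domain Admins"}), False, 0, True),
    Account("rweasley", "Ron", frozenset({"Domain Users", "Domain Admins"}), True, 230, False),
    Account("adm-hgranger", "Hermione", frozenset({"Administrators"}), False, 3, True),
    Account("hgranger", "Hermione", frozenset({"Domain Users"}), True, 95, True),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(f"{name}: " + "; ".join(issues))
```

Here `adm-hpotter` passes cleanly, while `rweasley` shows the pattern the Safeguard is meant to prevent: a single account that is both the daily-use identity and a domain administrator.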

Here’s a link to an Account and Credential Management Policy Template provided free of charge by the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/account-and-credential-management-policy-template-for-cis-controls-5-and-6

Here are some details on this specific Control/Safeguard. If you want more detail, DM me.

CIS Control 5 – Account Management

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

Implementation Group 1

CIS Safeguard 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts

Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, nonprivileged account.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.