This line from “The Fugitive” involves Dr. Richard Kimble (played by Harrison Ford), a vascular surgeon wrongly convicted of his wife's murder. After escaping custody, he sets out to prove his innocence while being pursued by Deputy U.S. Marshal Samuel Gerard (played by Tommy Lee Jones). In a face-to-face standoff, Kimble says, “I didn’t kill my wife.” Gerard responds, “I don’t care.” One of the best responses to that line, in my humble opinion. But that’s not what we’re here to talk about.
Later in the film, Kimble gets into a restricted hospital area with a forged access badge. The scene illustrates a classic weakness: single-factor authentication. The hospital relied solely on possession of a physical badge to grant entry, so anyone who could forge one, as Kimble did, was in.
Requiring at least two independent factors dramatically reduces the odds of an unauthorized person getting through. Kimble's forged badge covers only one factor, something you have. If the hospital had also required something you know (a unique PIN) or something you are (a fingerprint or other biometric), the forged badge alone would not have opened the door.
Granted, that would have ruined the movie for all of us, and possibly cost the life of the boy whose chest X-rays Kimble reviewed, but it is a security lesson nonetheless.
Among the many cybersecurity mandates out there, one that has drawn attention lately is CIS Safeguard 6.5. Its message is clear: Multi-Factor Authentication (MFA) is no longer a luxury but a necessity, especially for administrative access.
The safeguard requires MFA for every administrative account, wherever MFA is supported. Whether the assets are managed in-house or by a third party, the rule is the same: add authentication layers for anyone holding the keys to the kingdom.
Why This Matters
Administrative accounts are prime targets for attackers. Compromising one can hand over unrestricted access, and with single-factor authentication a stolen, reused, or guessed password is all it takes. Requiring MFA on these accounts means a password alone is no longer enough, which makes it a critical line of defense.
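To make the badge-plus-PIN idea and the Safeguard 6.5 requirement concrete, here is an added example of my own (it is not code from CIS, the film, or any product): a minimal RFC 6238 TOTP verifier, the “something you have” factor most admin consoles support, plus an authorization gate that refuses to grant administrative access on a password alone, whether the second factor is missing, wrong, not enrolled, or replayed. The secret is the RFC 6238 test secret so the codes can be checked against the RFC's published vectors; the account names and the `authorize` policy are assumptions for illustration.

```python
"""Added example: TOTP second factor with an admin-only enforcement gate."""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# RFC 6238 test secret ("12345678901234567890" in base32). A constructed value,
# used only so the output can be compared with the RFC's test vectors.
RFC_TEST_SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def match_totp(secret: bytes, code: str, at_time: int,
               step: int = 30, window: int = 1) -> Optional[int]:
    """Return the time-step counter the code matches (current step +/- window), else None."""
    counter = int(at_time) // step
    for c in range(max(0, counter - window), counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, len(code)), code):
            return c
    return None


@dataclass
class Account:
    """Hypothetical account record; totp_secret is None when MFA is not enrolled."""
    username: str
    is_admin: bool
    totp_secret: Optional[bytes] = None
    last_counter: int = -1  # last accepted time step, used to reject replayed codes


def authorize(account: Account, password_ok: bool,
              totp_code: Optional[str], at_time: int) -> str:
    """Single decision point. Admin accounts never get in on a password alone."""
    if not password_ok:
        return "denied: bad password"
    if account.is_admin and account.totp_secret is None:
        # Safeguard 6.5: an admin account that cannot present a second factor is not let in.
        return "denied: administrative account has no second factor enrolled"
    if account.totp_secret is None:
        return "granted"  # non-admin with no MFA: the badge-only case from the film
    if totp_code is None:
        return "denied: second factor required"
    counter = match_totp(account.totp_secret, totp_code, at_time)
    if counter is None:
        return "denied: invalid second factor"
    if counter <= account.last_counter:
        return "denied: second factor already used"  # a code seen once must not work twice
    account.last_counter = counter
    return "granted"


if __name__ == "__main__":
    kimble = Account("rkimble", is_admin=True, totp_secret=RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)          # "287082" per RFC 6238, T=59, SHA-1
    print(authorize(kimble, True, None, 59))  # password only: denied
    print(authorize(kimble, True, code, 59))  # password + valid code: granted
    print(authorize(kimble, True, code, 59))  # same code again: denied (replay)
```

Two design points worth noting. The policy decision lives in one function, so there is no second path that lets an administrator in with just a password, which is the real failure the hospital had. And the accepted counter is recorded per account, because a TOTP code that is valid for a 30-second window is still phishable; refusing to accept the same code twice removes the cheapest replay.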
For those in cybersecurity, staying compliant and strengthening defenses is an ongoing journey. Adopting practices like CIS Safeguard 6.5 not only hardens our own environments but also raises the bar for the industry. Embrace MFA for administrative access; it's a game changer.
Here’s a link to the Account and Credential Management Policy Template for CIS Controls 5 and 6 provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/account-and-credential-management-policy-template-for-cis-controls-5-and-6
Here’s some detail on this specific Control/Safeguard. If you want more detail, DM me.
CIS Control 6 – Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for users, administrators, and service accounts for enterprise assets and software.
Implementation Group 1
CIS Safeguard 6.5 - Require MFA for Administrative Access
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.