I Don't Care ft. Bryon Singh, RailWorks Corporation

By Steve Gold
Posted in Security
On November 07, 2023

This line comes from “The Fugitive” (1993). Dr. Richard Kimble (Harrison Ford), a vascular surgeon wrongly convicted of his wife's murder, escapes custody and sets out to prove his innocence while being pursued by Deputy U.S. Marshal Samuel Gerard (Tommy Lee Jones). In a face-to-face standoff, Kimble says, “I didn’t kill my wife.” Gerard responds, “I don’t care.” One of the best comebacks in film, in my humble opinion. But that’s not what we’re here to talk about.

Later in the film, Kimble walks into a restricted area of a hospital using a fake access badge he made himself. The scene illustrates a classic weakness: single-factor authentication. The hospital relied solely on a physical badge (something you have) to grant entry, so anyone who could produce a convincing copy of that one credential, as Kimble did, got in.

Requiring at least two factors changes the math. A forged badge (something you have) alone would not have gotten Kimble through the door if the hospital had also required a unique PIN (something you know) or a biometric (something you are). An intruder then has to compromise two independent credentials rather than one, which dramatically reduces the odds of unauthorized access.

Now, granted, this would’ve completely ruined the movie for all of us, and it might have cost that little boy his life, since Kimble saves him by re-reading his chest x-rays. But it is a security failure nonetheless.
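To make the badge-plus-second-factor point concrete, here is an added example that is not code from the original post, the film, or CIS. It models the hospital door as a small Python access check and uses a time-based one-time password (TOTP) authenticator in place of the PIN or biometric mentioned above. The badge registry and authenticator seeds are constructed demo data; the OTP arithmetic follows RFC 4226 (HOTP) and RFC 6238 (TOTP) with HMAC-SHA1, so it can be checked against the published test vector (seed "12345678901234567890", T=59 gives 287082).

```python
"""Two-factor door check: badge (something you have) plus a TOTP code from an enrolled device.

Added illustration, not code from the original post. Badge registry and seeds are
constructed demo data; the OTP routines follow RFC 4226 (HOTP) and RFC 6238 (TOTP).
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed data: who holds which badge, and the authenticator seed enrolled to it.
# In a real deployment these live in the access-control system / identity provider.
VALID_BADGES: Dict[str, str] = {"B-1001": "Dr. A. Nichols", "B-1002": "Nurse M. Reyes"}
TOTP_SEEDS: Dict[str, bytes] = {
    "B-1001": b"12345678901234567890",   # RFC 4226/6238 test-vector seed
    "B-1002": b"ANOTHER-DEMO-SEED-20",   # constructed 20-byte seed
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, at // step, digits)


def match_totp_step(secret: bytes, code: str, at: int,
                    step: int = 30, window: int = 1, digits: int = 6) -> Optional[int]:
    """Return the time step whose code matches (allowing +/- `window` steps of clock drift),
    or None. The comparison is constant-time so a partially correct code leaks no timing."""
    if len(code) != digits or not code.isascii():
        return None
    base = at // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + drift, digits), code):
            return base + drift
    return None


class DoorController:
    """Models the hospital door. single_factor() is what the film's hospital did;
    two_factor() is what requiring a second factor looks like."""

    def __init__(self, badges: Dict[str, str], seeds: Dict[str, bytes]) -> None:
        self.badges = badges
        self.seeds = seeds
        self.last_step: Dict[str, int] = {}   # per-badge last accepted TOTP step (replay protection)

    def single_factor(self, badge_id: str) -> bool:
        """Any badge that scans as valid opens the door. A forged or cloned badge is enough."""
        return badge_id in self.badges

    def two_factor(self, badge_id: str, code: str, at: Optional[int] = None) -> bool:
        """Badge must be valid AND the code must come from the authenticator enrolled to it.
        Each code is accepted once: the same step, or any older step, is rejected afterwards."""
        if badge_id not in self.badges or badge_id not in self.seeds:
            return False
        now = int(time.time()) if at is None else at
        matched = match_totp_step(self.seeds[badge_id], code, now)
        if matched is None or matched <= self.last_step.get(badge_id, -1):
            return False
        self.last_step[badge_id] = matched
        return True


def demo(at: int = 59) -> Tuple[bool, bool, bool, bool]:
    """Kimble's scenario: a forged copy of a legitimate badge, with and without a second factor."""
    door = DoorController(VALID_BADGES, TOTP_SEEDS)
    forged = "B-1001"                                         # forged badge that scans as a real one
    badge_only = door.single_factor(forged)                   # True: the badge alone opens the door
    badge_plus_guess = door.two_factor(forged, "000000", at)  # False: no access to the enrolled device
    real_code = totp(TOTP_SEEDS[forged], at)                  # what the legitimate holder's device shows
    badge_plus_code = door.two_factor(forged, real_code, at)  # True: both factors present
    replayed = door.two_factor(forged, real_code, at)         # False: a captured code cannot be reused
    return badge_only, badge_plus_guess, badge_plus_code, replayed


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

The forged badge passes `single_factor` exactly as it did in the film, but fails `two_factor` unless the intruder also holds the enrolled authenticator. Two details matter in practice: the code is compared with `hmac.compare_digest` rather than `==`, and an accepted code is recorded per badge so a code shoulder-surfed or captured in transit cannot be replayed within its validity window.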

As we navigate the intricate web of cybersecurity, certain requirements stand out for their relevance. One that has garnered attention lately is CIS Safeguard 6.5 from the CIS Critical Security Controls v8. Its message is crystal clear: Multi-Factor Authentication (MFA) is no longer a luxury, it's a necessity, especially for administrative access.

This safeguard requires MFA for every administrative access account wherever the asset supports it. Whether the assets are managed in-house or by a third party, the rule remains unchanged: double down on authentication layers for those who hold the keys to the kingdom.

Why This Matters

Administrative accounts are goldmines for malicious actors. A single compromised admin password, whether phished, reused, or guessed, can hand an attacker unrestricted access to systems and data. Requiring a second factor on these accounts means a stolen password alone is not enough, making MFA a critical line of defense.

Key Takeaway:

For those in the cybersecurity realm, staying compliant and bolstering defenses is an ongoing journey. By adopting practices like the one highlighted in CIS Safeguard 6.5, we not only fortify our own defenses but also help set the industry standard for a more secure digital future. Embrace MFA for administrative access; it's a game changer.

Here’s a link to the Account and Credential Management Policy Template for CIS Controls 5 and 6 provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/account-and-credential-management-policy-template-for-cis-controls-5-and-6

Here’s some detail on this specific Control/Safeguard. If you want more detail, DM me.

CIS Control 6 – Access Control Management

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for users, administrators, and service accounts for enterprise assets and software.

Implementation Group 1

CIS Safeguard 6.5 - Require MFA for Administrative Access

Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell and Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.