You Got Your Best Friend Back ft. Bryon Singh, RailWorks Corporation

By Steve Gold
On October 17, 2023

In Iron Man 2, Ivan Vanko hacks into Lt. Col. James 'Rhodey' Rhodes’ suit (a.k.a. War Machine, Iron Patriot) and programs it against Iron Man. Ivan locks out everyone from Stark Industries and from Hammer Industries, the company that paid him to build the Iron Man-competitive suits. Ivan Vanko ended up building drones instead of suits because “People make problems. Trust me. Drone better”.

This is a great example of an automated process to revoke access to an enterprise asset, a.k.a. War Machine. Even better, Lt. Col. James Rhodes' access to War Machine was revoked, not deleted, so Black Widow could re-enable it and there could be another happy ending to a Marvel movie.

Every organization I speak to is focused on ensuring the security of its data, resources, and assets. With threats of data breaches, cyberattacks, and insider threats, having a robust process for controlling and monitoring access to enterprise assets has never been more crucial.

Imagine an employee who has recently been terminated but still has access to company data, email, and other sensitive information. Or consider a team member whose role has changed, and their previous high-level access is no longer necessary for their position. In both cases, if the accounts remain active and unchanged, they become potential security loopholes.

Access control is a cornerstone of robust cybersecurity, which is why CIS Safeguard 6.2 calls for instituting an access revoking process and why it is a focal point for businesses and IT specialists alike. Below, we explore the noteworthy benefits and possible challenges associated with adopting CIS Safeguard 6.2.

Advantages of Instituting an Access Revoking Process

  1. Security Augmentation: The introduction of a systematic access revoking process notably strengthens security protocols. This structured approach promptly nullifies access privileges for individuals who no longer need them, thereby minimizing unauthorized access risks.
  2. Compliance Adherence: Establishing a formalized process for access revocation significantly aids organizations in aligning with pertinent international, federal, and state mandates related to data protection and privacy. This alignment not only fosters regulatory compliance but also mitigates potential legal and financial ramifications.
  3. Streamlined User Access Management: The implementation of a coherent access revocation process enables organizations to manage user access in a more streamlined and effective manner. This efficiency is indispensable, especially as organizations witness expansion in both their operations and user base.
  4. Facilitated Audit Trails: An explicit and well-documented access revoking mechanism simplifies the process of generating audit trails. The resultant transparency is crucial for conducting both internal reviews and external audits, serving as unequivocal evidence of meticulous access control management practices.

While adherence to best practices is imperative, it is equally important to acknowledge and anticipate the challenges, such as:

  1. Maintenance Burden: The access revoking process carries a continuous need for maintenance and updates. These perpetual obligations can exert pressure on IT teams, possibly requiring the allocation of additional resources to efficiently handle the workload.
  2. Potential User Disruptions: The implementation of rigorous access controls, while necessary, may inadvertently result in access delays or complications for authorized users. These disruptions can occasionally impede access to essential resources, potentially affecting the overall efficiency of operations.
  3. Adjustment Period: The introduction of new systems and protocols necessitates a period of acclimatization for both employees and IT personnel. During this adjustment phase, there's a possibility of encountering learning-related challenges and making errors, which is a normal part of the transition process.

Here’s a link to the Account and Credential Management Policy Template for CIS Controls 5 and 6 provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/account-and-credential-management-policy-template-for-cis-controls-5-and-6

Here are some details on this specific Control/Safeguard. If you want more detail, DM me.

CIS Control 6 – Access Control Management

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for users, administrators, and service accounts for enterprise assets and software.

Implementation Group 1

CIS Safeguard 6.2 - Establish an Access Revoking Process

Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
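A sketch of what the automated process in Safeguard 6.2 can look like, as an added example that is not part of the original post or of any CIS material. The event types, role map, user names, and entitlements are hypothetical; the point is that all three triggers (termination, role change, rights revocation) remove access while the account record and an audit entry are kept.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role-to-entitlement map; a real one comes from your IAM system.
ROLE_ENTITLEMENTS = {"pilot": {"suit-control", "telemetry"},
                     "analyst": {"telemetry"}}

@dataclass
class Account:
    user: str
    role: str
    entitlements: set = field(default_factory=set)
    enabled: bool = True

def apply_hr_event(directory, event, audit_log):
    """Revoke access for one HR event; accounts are disabled, never deleted."""
    acct = directory[event["user"]]
    kind = event["type"]
    if kind == "termination":
        revoked = set(acct.entitlements)
        acct.enabled = False
    elif kind == "role_change":
        # Unknown roles map to no entitlements, so the change fails closed.
        revoked = acct.entitlements - ROLE_ENTITLEMENTS.get(event["new_role"], set())
        acct.role = event["new_role"]
    elif kind == "rights_revocation":
        revoked = acct.entitlements & set(event["rights"])
    else:
        raise ValueError(f"unsupported HR event type: {kind}")
    acct.entitlements -= revoked
    audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                      "user": acct.user, "event": kind,
                      "revoked": sorted(revoked), "enabled": acct.enabled})

def enabled_after_termination(directory, events):
    """Detection check: terminated users whose account is still enabled."""
    gone = {e["user"] for e in events if e["type"] == "termination"}
    return sorted(u for u in gone if u in directory and directory[u].enabled)

def demo():
    # Constructed sample data, not taken from any real system.
    directory = {"jdoe": Account("jdoe", "pilot", {"suit-control", "telemetry"}),
                 "asmith": Account("asmith", "pilot", {"suit-control", "telemetry"})}
    events = [{"user": "jdoe", "type": "termination"},
              {"user": "asmith", "type": "role_change", "new_role": "analyst"}]
    audit_log, before = [], enabled_after_termination(directory, events)
    for event in events:
        apply_hr_event(directory, event, audit_log)
    return directory, audit_log, before, enabled_after_termination(directory, events)
```

Running `enabled_after_termination` on a schedule against the HR feed gives a simple check that the revoking process is actually being followed.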

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.