SANS Control 4—”Controlled Use of Administrative Privileges”
The Core Principle
This core principle can be summed up by the famous Reagan Cold War quote: trust but verify. Transcendent CISOs trust their people with privileged access, but are simultaneously very stringent about authenticating them.
This approach is akin to Postel’s Law, which was the core principle surrounding the implementation of TCP/IP:
Be liberal in what you accept, and conservative in what you send.
Postel’s Law
This control is so often misunderstood. It does not mean that you should be stingy about who gets administrative access, or that you need to religiously pare down your admin lists.
Role-based access, Least Privilege, etc. are all helpful concepts when applied to systems, but fail when they’re applied to humans.1Let’s talk a moment about trust, because it underpins this principle. Trust is the currency of security. Healthy organizations and teams are high trust. The more you can trust your people, the more “magic” they can do, and the more value they can create. As a CISO, you can leverage and build your systems around this trust, or you can spend your time figuring out ways to “never trust anything.” Spoiler: you won’t get very much done that way!
The core principle behind this control is really about trusting your people, but making hella sure your privileged accounts don’t get compromised.
Transcending the Control
There are some pretty easy checkbox items to tick off here, when it comes to making sure your privileged accounts don’t get compromised. Very few of them involve sexy tech or products (big surprise):
- Turn on multi-factor authentication everywhere, and wherever possible, require it, rather than enabling it. SMS no longer counts. 6-digit codes barely still count, but I understand the struggle here to move to FIDO U2F hardware. If you can’t get everyone on a hardware token, at least get your Engineers and Finance on there. It’s crazy how effective U2F is: Google rolled it out and not a single phishing attempt was successful at Google for 18 months (85,000+ employees). Think about that for a second.
- Lock down G Suite and O365 hard. Basically all business email accounts should be considered privileged and highly sensitive. Again, it’s not as sexy as rolling out osquery on your fleet or becoming a k8 security ninja, but someone on your security team needs to become an absolute pro at G Suite or O365 security. Learn all those weird settings and get familiar with the APIs they offer so you can automate your checks.
- When it comes to privileged access to infrastructure, the hardest part is figuring out where to start – there’s so much privileged access happening everywhere. My recommendation: start on the databases. It’s the biggest bang for your buck. No one cares if one of your random DMZ’ed web servers gets popped or that some people are still SSHing into everything with a password instead of a SSH key (the horror!). What your leadership will care about is the fact that the 6-character admin credentials for your practically fossilized MSSQL database from the early 1990s that has hundreds of thousands of social security numbers on it are still floating around various servers in plaintext.
The next article will talk about the fifth core principle: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers