The access review is the most underrated control in the Information Security Officer’s toolkit.
We hear so much about threat intelligence, vulnerability management, and fancy tools that monitor this and automate that, but I’d wager some of the best risk mitigation lies in holding every account to the least privilege it actually needs and acting on that in a timely manner.
Access to data is the holy grail of hackers. Whether they want it to commit fraud for financial gain, steal intellectual property or just cause damage to a system, access is that all important first step. It’s what the phishing emails are about, why password crackers were created, why we need multi-factor authentication on all of our accounts and why, way back before my time, the firewall was erected on network perimeters everywhere. One can see why this is the most listed control in a risk assessment.
In our governance program we recommend multiple access reviews for critical systems, such as the core, wire and ACH, network, remote access, firewall, etc. Yet when access reviews are mentioned, many people sulk like a child who was just asked to eat a green vegetable. I can understand it: any recurring task can be mundane, and, just like laundry or dishes, falling behind on it can be overwhelming. Additionally, many access reviews were never really set up correctly in the first place, and because of this the lists have recognizable names but everything else in the report can seem like gibberish.
Here are 5 steps to streamline your system access reviews:
- Find a report that works and stick to it. Ideally, you want names, user IDs, last login date, account status (e.g. locked, active), groups/permissions, whether the password is still the default or initial one, and last password change date for starters. Get it into Excel to streamline the review and analysis. When you find one that works, have it run automatically and sent to you as a reminder to review. Save the report setup: if you rely on others to run it for you, that saves lots of time and frustration trying to recreate it.
- Put the report from step one into Excel, filter on fields like last login, last password change and administrative privilege, and ask yourself if what you see makes sense. It is incredible the things you will find in this analysis and the adjustments that need to be made. These are potential problems you can get ahead of before they become an issue!
- Look over the account names for obvious individuals who are no longer working for the company. Pay extra attention to those belonging to third parties. Bonus: send the list to the relationship manager and have them call out any unnecessary accounts. Often, this communication breakdown leaves employees of third parties who roll off projects or leave the company altogether with accounts just lying out there…with remote access to your systems!
- Look at the permissions, sometimes managed in groups, and remove or question those that seem no longer required. Access creep is a timeless problem caused by not removing access when someone changes jobs, is no longer the backup, etc. If someone is away temporarily, such as on parental leave or between seasonal assignments, disable those accounts until they come back. If you don’t know what a permission or group does, ASK and document your findings. This will make these reviews go so much easier in the future.
- Set up a schedule and follow through. Plan ahead and do what works best for you. Do not set yourself up for failure by waiting until the auditors announce they are coming or trying to slam them into a busy period. If you’re someone who likes to work steadily on a schedule…do that. If you’re someone who likes to knock them all out at once…do that. Just create a defensible schedule, set it up and stick to it.
Don’t forget the most important step: follow through on the adjustments identified in the review. All of this was for naught unless you take action. Note those and follow up to make sure they were done in a timely manner.
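The filtering described in steps one through four can be scripted against the same export once the report format is fixed. The following is an added example, not code from the original post or from Bedel Security; the column names, the sample rows and the 90/180-day thresholds are all assumptions chosen for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export in the shape the article recommends (not real data).
SAMPLE_CSV = """user_id,name,status,groups,default_password,last_password_change,last_login
jdoe,Jane Doe,active,Tellers,no,2024-01-10,2024-03-01
bsmith,Bob Smith,active,Domain Admins;Wire Ops,no,2023-02-15,2024-02-28
vendor01,Acme Support,active,Remote Access,yes,2023-01-05,2023-06-30
tlee,Tom Lee,locked,Wire Ops,no,2024-01-20,2023-11-01
"""

STALE_LOGIN_DAYS = 90          # assumed threshold for "has not logged in recently"
ADMIN_PW_MAX_AGE_DAYS = 180    # assumed maximum password age for privileged accounts
ADMIN_GROUPS = {"Domain Admins", "Wire Ops"}  # assumed privileged groups for this sample


def review_accounts(csv_text, today):
    """Return {user_id: [finding, ...]} for every account that needs a second look."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        groups = {g for g in row["groups"].split(";") if g}
        privileged = bool(groups & ADMIN_GROUPS)
        login_age = (today - date.fromisoformat(row["last_login"])).days
        pw_age = (today - date.fromisoformat(row["last_password_change"])).days
        if row["default_password"].lower() == "yes":
            issues.append("default/initial password still set")
        if row["status"] == "active" and login_age > STALE_LOGIN_DAYS:
            issues.append(f"active but no login for {login_age} days")
        if privileged and pw_age > ADMIN_PW_MAX_AGE_DAYS:
            issues.append(f"privileged account, password {pw_age} days old")
        if row["status"] != "active" and groups:
            # Locked or disabled accounts should not keep their group memberships.
            issues.append("non-active account still holds groups: " + ", ".join(sorted(groups)))
        if issues:
            findings[row["user_id"]] = issues
    return findings


def sample_findings():
    """Run the review over the constructed export as of a fixed review date."""
    return review_accounts(SAMPLE_CSV, date(2024, 3, 4))


if __name__ == "__main__":
    for uid, issues in sample_findings().items():
        print(uid)
        for issue in issues:
            print("  -", issue)
```

Each finding maps back to an action from the list above: reset or disable, strip groups, or hand the name to the relationship manager for confirmation.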
If you need help with your reviews or scheduling your program tasks, we would love to help! Contact us at support@bedelsecurity.com!
Additional Resources:
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
5 Key Ransomware Controls
https://www.bedelsecurity.com/blog/5-key-ransomware-controls
Technologies to Consider During Cybersecurity Planning
https://www.bedelsecurity.com/blog/technologies-to-consider-during-cybersecurity-planning