Why Account Lifecycle Management is Important!

It is increasingly important that organisations start taking account lifecycle management more seriously.

Ask yourself these questions: Do any of your departed users still have access to your systems? One more time. Do you know, for sure, whether any of your departed users still have access to your systems?

My experience has taught me that most organisations have a fairly generic staff offboarding procedure, and that it is usually only loosely adhered to. It ensures that appropriate knowledge is transferred, collects company assets, and elicits feedback with an exit interview. The staff member leaves among a flurry of “we will miss you” and other well wishes and they are on their way.

What is the problem? Well, the two main motives for data breaches are financial and espionage. With the current pandemic, most organisations and individuals are feeling the financial pinch at the moment.

For a business, any impact to operations or cashflow can be devastating – possibly causing the business to collapse. For individuals, anyone with the right motivation and a decent skillset can take advantage of weak security practices.

What does this mean for businesses? Many things. My topic of choice today is ensuring healthy and secure processes are in place to remove access to networks and systems. This is something that organisations just aren’t very good at. Research by OneLogin from 2017 found that nearly half of ex-employees still had access to systems after departing!

Failing to handle the employee offboarding process properly can lead to serious information security risks. According to the 2020 Data Breach Investigations Report by Verizon, internal actors were involved in around 30% of breaches, up from 20% just five years earlier.

Also remember that it isn’t just the departed user you need to worry about. What if someone else knows the password? They now have a live account they can use, and potentially someone else to blame any wrongdoing on!

Organisations need to put some serious effort into this space to ensure the safety and security of the organisation and its stakeholders.


The mitigations for this risk fall into two categories: administrative controls and technical controls. Administrative controls are the security policies and procedures surrounding the user account lifecycle, while technical controls are the tools (hardware and software) implemented to manage it.

Administrative Controls

You need to make sure you have well defined user account management policies

  • How long is an account inactive before it is disabled?
  • How long after the user has left before the account is disabled?
  • How long are disabled accounts kept before being deleted?
  • What if the account cannot be deleted? How do you secure it?
  • How are temporary or contract staff accounts managed?
  • What about accounts for staff on leave?

All these, and many more, scenarios need to be considered when developing your account management policies.

Technical Controls

Wherever possible the account lifecycle management should be automated. This removes most of the human factor when it comes to making sure things are done in a timely manner. Of course, you need to have a good understanding of your user account types and how each of these are managed.

Understanding the account types should be made much simpler once you have defined your account management policies. This should allow you to configure (or create) the appropriate tools you need to get things automated.
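As an added illustration of what such automation has to decide (this is example code written for this edit, not a tool from the post), the following Python script evaluates a constructed directory extract against lifecycle rules that answer the policy questions listed above. The thresholds (90 days inactive, disable on the departure or contract end date, delete 180 days after disabling), the account kinds and the sample accounts are all assumptions for the example; in a real deployment the records would come from your directory or HR system and the actions would be applied there.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds. These values are assumptions chosen for the example;
# set them from your own account management policy.
INACTIVE_DISABLE_DAYS = 90     # no logon for this many days -> disable
DEPARTED_DISABLE_DAYS = 0      # disable on the departure / contract end date itself
DISABLED_DELETE_DAYS = 180     # delete this many days after disabling


@dataclass
class Account:
    name: str
    kind: str                              # "staff", "contractor" or "service"
    enabled: bool
    created: date
    last_logon: Optional[date] = None
    end_date: Optional[date] = None        # departure date, or contract end date
    on_leave: bool = False                 # extended leave flagged by HR
    disabled_on: Optional[date] = None


def evaluate(acct: Account, today: date) -> str:
    """Return the lifecycle action the policy requires for one account."""
    if not acct.enabled:
        if acct.disabled_on is None:
            # Cannot age a disabled account without knowing when it was disabled.
            return "review: disabled date unknown"
        if (today - acct.disabled_on).days >= DISABLED_DELETE_DAYS:
            # Service accounts often cannot simply be deleted, so secure them
            # instead: rotate the credentials and strip memberships and privileges.
            if acct.kind == "service":
                return "secure: rotate credentials, strip privileges"
            return "delete"
        return "retain disabled"

    # Departure or contract end wins over everything else: a departed user's
    # account that is still logging on is exactly the case to worry about.
    if acct.end_date is not None and (today - acct.end_date).days >= DEPARTED_DISABLE_DAYS:
        return "disable: departed or contract ended"

    if acct.on_leave:
        return "disable: on extended leave"

    # An account that has never logged on has been idle since it was created.
    last_seen = acct.last_logon or acct.created
    if (today - last_seen).days >= INACTIVE_DISABLE_DAYS:
        # Service accounts rarely log on interactively; flag rather than disable.
        if acct.kind == "service":
            return "review: inactive service account"
        return "disable: inactive"

    return "ok"


def triage(accounts: List[Account], today: date) -> Dict[str, str]:
    """Map each account name to the action the policy requires today."""
    return {a.name: evaluate(a, today) for a in accounts}


# Constructed sample directory extract for the example, not real data.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("alice", "staff", True, date(2022, 1, 10), last_logon=date(2024, 5, 30)),
    Account("bob", "staff", True, date(2022, 1, 10), last_logon=date(2024, 1, 1)),
    Account("carol", "staff", True, date(2021, 3, 1), last_logon=date(2024, 5, 31),
            end_date=date(2024, 5, 24)),
    Account("dave", "contractor", True, date(2024, 4, 1), last_logon=date(2024, 5, 31),
            end_date=date(2024, 7, 1)),
    Account("erin", "staff", True, date(2020, 8, 3), last_logon=date(2024, 5, 29),
            on_leave=True),
    Account("frank", "staff", False, date(2019, 2, 11), disabled_on=date(2023, 11, 1)),
    Account("grace", "staff", False, date(2019, 2, 11), disabled_on=date(2024, 4, 1)),
    Account("svc_backup", "service", True, date(2020, 1, 1)),
]

if __name__ == "__main__":
    for name, action in triage(ACCOUNTS, TODAY).items():
        print(f"{name:12} {action}")
```

Note the ordering: departure is checked before activity, so an account that is still logging on after its owner left (carol above) is disabled rather than treated as healthy, which is the “someone else knows the password” case. Service accounts are flagged for review rather than disabled automatically, because they rarely have an interactive logon to age, and a service account that cannot be deleted is secured by rotating its credentials and stripping its privileges instead.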

There are plenty of off-the-shelf tools available; a simple DuckDuckGo search will give you hundreds of results. Finding the right one for your environment and budget is crucial. You need to make sure it is flexible enough to support your requirements, and that it is well supported by the vendor. Speaking of the vendor, you also need to make sure that you are purchasing the tools from a reputable organisation. After all, you are putting a lot of trust into their service!

There are many different ways to approach this problem. I would suggest the adoption of a formalised Cybersecurity Framework. You need to find the framework that suits your organisation and your requirements.

There are many frameworks available, including:

  • NIST Cybersecurity Framework
  • ISO/IEC 27001 and ISO/IEC 27002
  • COBIT
  • SOC 2

What is the takeaway from this? Make sure you disable user accounts that are inactive, and disable the accounts of staff who have left the organisation or are on extended leave!

Managing a Data Breach: Insights from FinTechSec Solutions Inc.’s Experience

Introduction

In the digital age, data breaches are an inevitable reality. Understanding how to navigate these turbulent waters is essential for any organisation. This blog post offers a detailed case study of FinTechSec Solutions Inc., a hypothetical yet relatable fintech company, as they encounter and address a data breach. This guide aims to provide a thorough understanding of the processes and reasoning behind each step in the data breach response protocol.

Setting the Scene

FinTechSec Solutions Inc., a bustling fintech firm, faces an unforeseen challenge one Friday evening. Their IT team detects unusual network activities and multiple failed login attempts – classic symptoms of a potential data breach. Early recognition of these signs is crucial for prompt and effective action.

Immediate Response Actions

  1. Containment: The team acts swiftly to isolate affected servers, crucial to limit further unauthorised access and potential damage. Suspect accounts are frozen to halt the perpetrators’ activities.
  2. Assessment: An emergency IT meeting assesses the breach’s scope and impact. A third-party forensic team provides an unbiased analysis, identifying that customer financial records might be at risk.

Communications Protocol

  1. Internal Notification: Management is informed, and a crisis management team, including IT, legal, PR, and executives, ensures a coordinated response. Staff are briefed on maintaining confidentiality.
  2. External Communication: Customers and stakeholders are informed transparently yet concisely, adhering to legal obligations while explaining the incident, its potential impacts, and FinTechSec Solutions Inc.’s remedial actions.

Understanding Notifiable Data Breaches

Notifiable Data Breaches in Australia

Australia’s Notifiable Data Breaches (NDB) scheme requires organisations to notify affected individuals and the OAIC about eligible data breaches. An eligible data breach is one where unauthorised access to, disclosure of, or loss of personal information is likely to result in serious harm to one or more individuals, and the organisation has not been able to prevent that likely risk with remedial action. A suspected breach must be assessed promptly; the scheme allows at most 30 days for that assessment.

Data Breach Regulations in the USA, Canada, and Europe

  • United States: Varying state laws govern data breach notifications, lacking a federal equivalent to Australia’s NDB.
  • Canada: Under PIPEDA, breaches posing a real risk of significant harm necessitate notifying individuals and the Privacy Commissioner of Canada.
  • Europe: GDPR requires notification to the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, and affected individuals must be informed without undue delay where the breach is likely to result in a high risk to them.

Investigation and Analysis

The investigation reveals that the intruders gained their foothold through phishing emails and then exploited vulnerabilities in outdated software. System logs show the entry points and the intruders’ movements within the network.

Remediation Measures

Immediate actions include software patching, organisation-wide password resets (performed once the intruders’ access has been removed, so the new credentials are not captured in turn), and enhancing email filters and monitoring tools, reinforcing digital defences.

Recovery Plan

Operations resume in phases, starting with critical systems. New security verification layers are implemented for system access, coupled with ongoing monitoring for suspicious activities.

Lessons Learned and Future Prevention

The breach highlights the need for regular security audits, enhanced employee cybersecurity training, and the deployment of advanced threat detection systems, fostering a culture of security awareness.

Conclusion

FinTechSec Solutions Inc.’s fictional journey through a data breach offers valuable insights into breach management complexities. Preparation and understanding of each phase, from detection to recovery, are pivotal in developing robust strategies for handling data breaches effectively and strengthening resilience against future threats.


Example Cybersecurity Incident Response Plan (CIRP)

The below example is a framework that will get you started with a basic Cybersecurity Incident Response Plan (CIRP). While real plans can be much more complex, starting with something is better than nothing! I have used the Cyber Incident Response Plan guidance from the Australian Cyber Security Centre as a guide when putting this simple framework together.

Title: Cybersecurity Incident Response Plan (CIRP) for [Organisation Name]


Document Control
Document owner, version number, change history, distribution list, and approval records.

Purpose
Explain the purpose of the CIRP to prepare for, respond to, and recover from cybersecurity incidents.

Scope
Define the types of incidents covered by the plan (e.g., data breaches, malware attacks).

Plan Objectives
List the objectives such as minimising impact, restoring services quickly, and improving future defenses.

Incident Response Team Composition
Roles and responsibilities of team members including contact information.

Activation Criteria
Describe when the CIRP should be activated based on certain thresholds or indicators of compromise.

Incident Classification
Define categories or severity levels of incidents to prioritise response efforts accordingly.

Preparation Measures
Training: Outline regular training schedules for staff.
Tools & Resources: List tools required for detecting and responding to incidents.
Communication Channels: Establish secure communication protocols internally and externally.

Detection & Analysis
Alert System: Describe how alerts will be generated and monitored.
Initial Assessment: Provide steps on assessing validity and severity of an incident.
Documentation Process: Methods for documenting evidence from start to finish.

Containment Strategy
Short-term Containment: Immediate steps like isolating networks or devices.
System Backup: Procedures for backing up data as part of containment strategy.
Long-term Containment: Steps for more permanent solutions post initial containment.

Eradication Process
Identify Root Cause: Detail how to identify vulnerabilities or threats that caused the incident.
Removal & Cleanup: Steps to remove malware or unauthorised access points from systems.

Recovery Plans
Restoration Procedure: Guide on safely restoring services and operations.
Validation Checks: Ensuring all systems are clean before going back online.
Monitoring Post-Recovery: Intensive monitoring period after recovery actions are taken.

Post-Incident Activity
Debriefing Session: Conducting a meeting with all stakeholders involved in managing the incident.
Lessons Learned Report: Compiling insights gained during incident handling into a report.
Update CIRP Accordingly: Revising the response plan based on lessons learned.

Appendices
Appendix A: Contact Lists - Including internal teams, external agencies, law enforcement contacts if necessary
Appendix B: Incident Log Templates - For consistent documentation across all incidents
Appendix C: Checklists & Flowcharts - Visual aids that provide quick reference during an active response

The Essential Guide to Role-Based Access Control

Are you looking to improve the security and efficiency of your organisation’s access control system? Then you might want to consider implementing Role-Based Access Control (RBAC).

In this blog post, I will explain what RBAC is, how it works, and why it is an effective method for managing access rights. I will also discuss some of the challenges associated with implementing RBAC and provide tips for success.

What is Role-Based Access Control?

RBAC is a type of access control system that is based on the concept of roles. In an RBAC system, users are assigned to specific roles, and each role is associated with a set of permissions that determine what the user is allowed to do within the system. For example, a user who is assigned the role of “admin” might have permission to create, modify, and delete files, while a user who is assigned the role of “guest” might only have permission to view files.

How does Role-Based Access Control work?

RBAC systems typically use a hierarchical model to manage access rights. Roles are defined by the system administrator and can be arranged so that a senior role inherits the permissions of the roles beneath it. Each role is assigned the permissions that specify the actions users holding that role are allowed to perform. Users are then assigned to one or more roles, based on their job responsibilities and needs, and are never granted permissions directly.

When a user attempts to access a particular resource or perform a specific action within the system, the RBAC system looks up the user’s role assignments, collects the permissions of those roles (and of any roles they inherit from), and checks whether the requested action is among them. If it is, the system grants access; otherwise it denies access. The default is deny: a user with no roles gets nothing.
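To make the check concrete, here is a small RBAC policy engine in Python written for this edit (it is not code from the post or from any particular product). The role and permission names, the hierarchy and the users are constructed for the example; a real system would load them from a directory or policy store.

```python
from typing import Dict, Iterable, Set, Tuple

Permission = Tuple[str, str]   # (action, resource)


class Rbac:
    """Minimal RBAC policy: users -> roles -> permissions, with a role hierarchy."""

    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Permission]] = {}
        self.role_parents: Dict[str, Set[str]] = {}   # senior role -> roles it inherits
        self.user_roles: Dict[str, Set[str]] = {}     # permissions never attach to users

    def define_role(self, role: str, perms: Iterable[Permission],
                    inherits: Iterable[str] = ()) -> None:
        self.role_perms[role] = set(perms)
        self.role_parents[role] = set(inherits)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        """Removing the role removes every permission that came with it."""
        self.user_roles.get(user, set()).discard(role)

    def revoke_permission(self, role: str, action: str, resource: str) -> None:
        """Changing the role changes access for everyone who holds or inherits it."""
        self.role_perms.get(role, set()).discard((action, resource))

    def effective_roles(self, role: str) -> Set[str]:
        """The role plus everything it inherits, transitively; safe against cycles."""
        seen: Set[str] = set()
        stack = [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.role_parents.get(r, ()))
        return seen

    def permissions_for(self, user: str) -> Set[Permission]:
        perms: Set[Permission] = set()
        for role in self.user_roles.get(user, set()):
            for r in self.effective_roles(role):
                perms |= self.role_perms.get(r, set())
        return perms

    def is_allowed(self, user: str, action: str, resource: str) -> bool:
        """Default deny: allowed only if some role the user holds carries the permission."""
        return (action, resource) in self.permissions_for(user)


def build_sample_policy() -> Rbac:
    """Constructed example policy mirroring the admin/guest scenario in the text."""
    p = Rbac()
    p.define_role("guest", {("view", "files")})
    p.define_role("editor", {("create", "files"), ("modify", "files")}, inherits={"guest"})
    p.define_role("admin", {("delete", "files"), ("manage", "users")}, inherits={"editor"})
    p.assign("alice", "admin")
    p.assign("bob", "editor")
    p.assign("carol", "guest")
    p.user_roles["dave"] = set()   # account exists but holds no role
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    for user in ("alice", "bob", "carol", "dave"):
        for action, resource in (("view", "files"), ("modify", "files"), ("delete", "files")):
            verdict = "allow" if policy.is_allowed(user, action, resource) else "deny"
            print(f"{user:6} {action:7} {resource}: {verdict}")
```

Two things are worth noticing. The decision is default deny, so a user with no role (dave), or a user the policy has never heard of, gets nothing. And because permissions hang off roles, revoking the view permission from “guest” changes what every editor and admin can do as well, since they inherit it; that is the manageability RBAC buys you, and also why role definitions need careful review.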

What are the benefits of using Role-Based Access Control?

There are several benefits to using RBAC. One of the key advantages is that it makes access rights far easier to manage than assigning them to users one at a time. Because permissions are assigned to roles rather than to individual users, changing a role’s permissions updates every user in that role, and removing a user from a role removes everything that came with it, without having to edit individual user accounts.

Additionally, RBAC can help to improve security by reducing the risk of unauthorised access. Because users are only granted the permissions that are necessary for their roles, it is less likely that they will be able to access resources or perform actions that they are not supposed to. This can help to prevent accidental or malicious breaches of security.

RBAC can also make it easier to comply with regulatory requirements, such as data privacy laws, by providing a clear and consistent framework for managing access rights. And because RBAC systems are typically based on standardised protocols and models, they can be easily integrated into other security systems and tools.

How is Role-Based Access Control different from other types of access control systems?

RBAC is different from other access control systems in several key ways. One of the main differences is the way in which access rights are managed. In Discretionary Access Control (DAC) systems, access rights are assigned directly to individual users, and users are able to grant or revoke access rights to other users. In Mandatory Access Control (MAC) systems, access rights are determined by a set of security labels that are assigned to users and resources, and access is granted or denied based on the relationship between the labels.

Another key difference is the focus of the access control mechanism. In RBAC, the emphasis is on the roles that users are assigned to, and the permissions that are associated with those roles. In DAC and MAC systems, the focus is on the users and resources themselves, and the access rights are determined based on the specific identities of the users and resources involved.

What are some of the challenges with implementing RBAC?

There are some challenges associated with implementing Role-Based Access Control (RBAC). One of the main challenges is the need for careful planning and design of the RBAC system. Because RBAC relies on the concept of roles, it is important to carefully define and organise the roles in a way that makes sense for your organisation and its needs. This can require a significant amount of time and effort, especially in large and complex organisations.

Another challenge is the potential for role explosion, which occurs when there are too many roles defined in the system. This can make the RBAC system difficult to manage and maintain, and can also lead to conflicts and inconsistencies in the permissions that are assigned to different roles. To avoid role explosion, it is important to carefully review and consolidate the roles in your RBAC system on a regular basis.

In addition, implementing RBAC can require changes to existing processes and policies, and may require training and support for users who are not familiar with the system. This can be a challenge, especially in organisations that are resistant to change or have a large number of users.

Overall, while implementing RBAC can provide many benefits, it is important to carefully consider the potential challenges and plan accordingly to ensure a successful implementation.

Should I use Chocolatey or Winget?

I have been asked a few times now about the differences between Chocolatey and Winget. So, I thought I would lay out a few things that hopefully answer that question.


Firstly, Chocolatey and Winget are both package managers for Windows that can be used to install and manage software applications. Chocolatey and Winget use the command line to install and manage packages, and both allow users to install multiple apps at once using a list of package names.

Now, to talk about the differences between Chocolatey and Winget. Chocolatey has been around since 2011 and has a large community and ecosystem of packages and tools, so it has more packages available and more features and capabilities. Winget was released into preview in mid-2020 and had a 1.0 release in May 2021. It is designed to be more integrated with the Windows operating system and to provide a more user-friendly experience.

Both Chocolatey and Winget are open source.

In terms of performance and reliability, both Chocolatey and Winget are generally considered to be stable and reliable package managers. However, since Chocolatey has been around for longer and has a larger community, it may have more up-to-date packages and more support for troubleshooting issues.

Overall, the choice between Chocolatey and Winget will depend on your specific needs and preferences. If you prefer a more established and community-driven package manager with a larger ecosystem of tools and packages, then Chocolatey may be the better option for you. On the other hand, if you want a more integrated and user-friendly experience, then Winget may be a better choice.

What are the benefits of using a package manager?

  • Installing multiple applications at once: a package manager lets you install multiple applications in one go from a list of package names, making it easy to set up a new computer or to quickly install a group of applications that are commonly used together.
  • Automating the installation of applications: package managers can be used in scripts and automation tools, allowing you to automate the installation of applications on multiple computers. This is useful for deploying applications in a large organisation or for standardising the software environment on a group of computers.
  • Centralising the management of applications: a package manager lets you manage all of the installed applications from a central location, making it easy to keep track of which applications are installed on a computer and to update them when needed.

Overall, package managers for Windows like Chocolatey and Winget are useful tools for managing and installing software applications, and they are particularly useful for automating the installation of applications.

glenn@tcs:~$ whoami

Hello. Hallo. Bonjour. Guten Tag. Kónnichi wa. Olá. Jambo.

I’m Glenn. I am a proud father, husband and a geek at heart. I love tech and always want to keep learning. I have been in the tech industry for around 20 years now. I have learnt a lot of lessons along the way.

Despite the years behind me, I am not going to claim to be an expert. Far from it. There is always opportunity to learn more about any topic. Especially in tech.

Why am I creating this blog? Simple. To share my experiences and knowledge in tech. I have a special interest in cybersecurity. A lot of my career has been in designing secure infrastructure deployments and design and implementation of identity and access management systems.

I am not going to promise a consistent stream of posts. Most of the posts will be ramblings. Some posts *may* contain actual advice!

Anyway, feel free to reach out to me on Twitter @GlennMitchellAU and @TechCyberSec, find me on LinkedIn or send me an email from the contact form.

Bye for now!

Psst. My first post will be coming out soon – all about user account lifecycle management!