CCT 204: Need to Know, Least Privilege, Job Rotation and Other Options in Security Operations (Domain 7.4)
Dec 23, 2024
Unlock the secrets to a more secure digital environment as we dissect the potential impact of a TP-Link router ban in the U.S., spurred by security vulnerabilities and foreign influence concerns. How will this affect consumers, businesses, and ISPs reliant on these budget-friendly devices? Tune in to discover the broader implications of a shift towards U.S.-manufactured electronics and what it means for cybersecurity practices nationwide.
Explore the intricate balance of power and security through the principle of least privilege (POLP) and the need-to-know principle. We decode the strategies to implement POLP successfully, reducing attack surfaces while maintaining efficiency, and align these techniques with essential regulatory standards such as GDPR and HIPAA. Discover how the military's compartmentalization tactics can be mirrored in the corporate world to safeguard sensitive information.
Finally, we unravel the complexities of insider threats and privileged account management. From job rotations to mandatory vacations, learn how these innovative strategies can help mitigate fraudulent activities and insider risks. We emphasize the crucial role of Privileged Account Management systems in enhancing security, despite their setup complexities and costs, providing invaluable tools for IT professionals seeking to bolster their cybersecurity measures. Don't miss this comprehensive guide designed to fortify your cybersecurity defenses.
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.
Speaker 2:
Hey y'all, Sean Gerber, with CISSP Cyber Training, and hope you all are having an awesomely blessed day. Today we are on the short final for Christmas. Oh yeah, baby, if you like Christmas, you're almost there.
Speaker 2:
And then the new year, and then we're into 2025, and it's just incredible to believe that another year has gone by so stinking fast. It's just crazy. But they just keep on burning by and I keep getting younger and younger every year. Yes, that's what I tell myself, but unfortunately the mirror doesn't lie. But that's okay, because you know what. You aren't here to hear about my beauty secrets, because you're here to learn about CISSP. So that's what we are going to talk about today.
Speaker 2:
But before we do, right, we have our news article we kind of get into, and this one I actually anticipated coming a while back, and I'm kind of surprised that it's taken this long. We'll see how this plays out because, yeah, TP-Link is the article that we're going to be chatting about just a little bit today, and if you all have any sort of router within your home or any sort of networking gear, in many cases you probably have a TP-Link router, and that would also include aspects around some of the smart things like your light switches, little outlet plugs, you name it. All those kinds of things are tied to TP-Link, and a big reason why is because the Chinese have flooded the market with cheap electronics, especially as it relates to some of this Wi-Fi gear, and in the past these have been incorporated with some various hacking techniques that have occurred, and we've all known that at some point in time the Chinese government does probably have some level of influence on the Chinese manufacturers of these products. I know we can guarantee or say that for sure, but there's just some level of understanding that that might be the case in this situation. Now, does that mean that the US government isn't doing that to other companies as well? Very possible. Other countries, their products, it's very possible. So you know who knows how this all is playing out. But at the end of this the article is talking about that there might be a banning of TP-Link routers in the United States.
Speaker 2:
Now, one thing that I think for us individually, living in our homes, is one thing, but an interesting part is that they've had these various routers shipped out to various ISPs throughout the United States, or actually throughout the world, but at least in the United States there's over 300 ISPs, and two of the top five on ZDNet's best Wi-Fi routers list are TP-Links. I will say I've used them, I have had them in the past and you know what? They work really, really well. You plug them in and play them and you're in business. Obviously, with that, you have to decide what's the risk versus reward. If my home, you know what, if somebody hacked into my home, well, whatever, that isn't such a big deal because I really don't have anything for anybody really to pay much attention to. That being said, if it was my company, I don't know if I would have a TP-Link router, and that's just because of some of the issues that they have had in the past, and so that's just something that you need to consider. So, if you have a business and you utilize these TP-Link routers, it may be something that you're going to have to address here in the near future.
Speaker 2:
Now the article talks about: is the government going to come out and say you must rip and replace all of these TP-Link routers? The article basically, and I'm kind of going along the lines with that person, is the fact that no, you probably will not be doing a rip and replace. That being said, they will probably put mandates and some compliance aspects to this, where no future TP-Link routers can be purchased, and because of that, then you will have a more expensive version that you'll have to put within your network. And we all know this: when you put more expensive equipment within your network, somebody has to pay for it. And how does that work? Well, it affects your bottom line and then, therefore, it gets passed on to the customer potentially.
Speaker 2:
So it's an area that we knew was coming. I mean, I've seen it coming for years now, just because of the fact that there's been so much concern within the various governments about the electronics being sourced in-country. So the foundries, as it relates to the chips, as it relates to the equipment themselves, all be sourced within the country that they're coming from, and it allows some level of control over that. And you've also seen this here in the United States. There's lots of new chip manufacturers rolling into the United States creating indigenous chips, versus having them outsourced to places like Taiwan, Japan and Korea. Now, that still is going to continue, but they are outsourcing; some of that that's more critical within the United States will be kept here locally.
Speaker 2:
Living in Wichita, Kansas, there's actually two chip manufacturing facilities that are being built just down the road from us. Integra is one. I think there might be the same company under two different locations, but, that being said, this is an area that you're going to be dealing with. So, if you're in the cybersecurity space, get ready, because you may have some senior leaders coming to you and saying, what do I do with this TP-Link router? Now it says it's a hacking problem, and then you're going to have to work through this whole risk versus reward aspect and then come up with a compliance strategy on how you want to mitigate this risk long term.
Speaker 2:
Again, this is something that you're going to have to address and deal with. And I would, if you are thinking about it, and maybe if you are leading your organization through your inventory, which we talk about routinely on CISSP Cyber Training, the fact is: do you have a good inventory within your network? And if you have a good inventory, maybe now would be a good time to go check out and find out how many of these TP-Link systems you have and maybe, just maybe, get ahead of the bow wave a little bit on this, a little bit ahead of the curve, and maybe start planning for how you are going to replace these and, if they are in critical locations, how would you best do that? Because, again, you're going to have to deal with outage windows, you're going to deal with all kinds of nuances, especially if these systems are in critical positions. Now if the government comes out and says, no, we're not going to ban those, then you know what? Then it's up to you. Is it risk versus reward? Do you want to even just invest in some different equipment and then understand that at some point this probably will come back up again, or are you just going to ride it and see what happens?
Speaker 2:
Again, your margins are small and I know your IT budgets can be a bit of a challenge, so you need to really kind of weigh all that out, basically, what's going to happen with you and your company. So just a piece of information, food for thought. Use it as you see fit. Okay, so now let's get into what we're going to talk about today and the various aspects around 7.4. We're going to be applying foundational security operations concepts, part of the CISSP, and again, if you have an ISC2 book, I would highly recommend that you have one, also the study guides that go along with it, and this is taking it out of, I think it's chapter 16, if I'm not mistaken, but 7.4 is a big part of the current version of ISC2. Now I say that it's in chapter 16 today, but when a new version comes out, what you guys have all known, I get a lot of questions of going, do all my products meet the current 2024 guidelines? And they do. The one good thing about the recent changes, they've been very, very small, so I was able to make some very minor tweaks to it. But as of right now, as of writing or the making of this training session, it is around a podcast, I should say, it's dealing with Chapter 16 of 7.4. Okay, so again, 7.4, Applying Foundational Security Operations Concepts.
Speaker 2:
Okay, we are going to start off this wonderful adventure with the principle of least privilege. Now, I saw this out there as far as an acronym of POLP, POLP, POLP. Yeah, not pulp like the tree pulp, but POLP. I can't say it, but principle of least privilege. So, if you're dealing with any sort of security aspects, principle of least privilege is an important part of your security program and you really need to consider this as you go forward, and you are going to be mandated to, depending upon what your regulatory requirements may have. Now, the reason around this is that users and processes and systems, they're granted only the permissions necessary to perform their specific task. Again, only what they're supposed to do, nothing more, nothing less. That's the ultimate goal: to keep it very limited, and it restricts the access to minimize damage potentially from an unauthorized use or a breach.
Speaker 2:
Now, there's some benefits and challenges that are going to roll into this. Just like with anything else, there are pros and cons. Now, the benefit of this is it reduces the overall attack surface. This limits where people can exploit, and we talk about the guys living off the land, the bad guys and girls, and what they're doing; they try to get in and live off the land and they will then migrate throughout your organization. Well, this reduces the ability for them to do that, because if they have a privilege, with the principle of least privilege, then they're only allowed what kind of credentials they were able to steal, and if those credentials that they stole were limited, then they have limited what they can do within your organization. So it does limit the opportunities for exploitation. It does also minimize the insider threat. So, again, if you have an individual who is an insider risk problem that's decided to go rogue and is just going to be ornery, then what ends up happening is they try to gain access to different systems, but if you have principle of least privilege in place, it limits them to what they actually have access to.
Speaker 2:
Now this comes down to being a bit of a challenge, though. People with IT credentials typically have much more access to things, so you need to also watch them very closely with the principle of least privilege. Compliance: again, this aligns with various regulatory standards out there, GDPR, HIPAA, PCI DSS, and they keep coming. There's more regulatory requirements on the horizon, so just anticipate and plan for that. Now the challenges are: is it over-provisioning due to improper role assessment? What does that mean? Well, say you assessed Sean to have access to this, to whatever, to Y. But actually you gave Sean access to Y, but he really only needed access to A, so you gave him access to a whole plethora of different things because you weren't really true on his role assessment, and so therefore he has much more access than he should. So that's over-provisioning. Now, also, you've got to balance out the security with the operational efficiency.
Speaker 2:
One of the big areas you're going to run into is the more you tighten down these credentials for least privilege, the more you limit what people can do. It causes more drama with your service desk. It also causes more drama with the business leaders. It just brings drama. And you know what? I don't like drama. And so what do people do? A lot of people don't like drama, so what do they do? Open it up, baby, just let people have the access they need and don't worry about it. So again, it can cause some challenges there. And then also frequent role and permission updates as responsibilities change. I can't speak, but what it comes down to on that is that now your responsibilities change in your role and you should have more access. Well, there's a whole litany of things you have to go do to get the access you want, and then it causes more drama. So again, it can cause drama. We want to avoid drama, but we need a little bit of drama.
Speaker 2:
Implementation strategies: you should conduct role-based access control reviews. So RBAC, right? We talked about RBAC a couple of podcasts ago, but one of the things to consider around RBAC is the fact that you should understand what are the roles that people should have within your organization, and then you should look at those reviews and make sure those match up with what they're supposed to do. The other thing is to automate privilege provisioning. Now, this is an interesting part that you will have, and I would highly recommend it. There's lots of different companies out there that will do this. It can be very challenging to implement, but if you do it, then what ends up happening is, as people roll into new roles, move into new roles, they will automatically be provisioned with the right accounts and the right sort of access they're supposed to have.
Speaker 2:
This does take someone to manage it. It does take some complexity when you build it. However, when you do build it, it's going to make your life a whole lot easier. So the question is, when you decide to deploy this, understand the program that you set up is going to take a while to do, but once you do it, if you follow through with it, you'll be very, very happy with it. And then use tools for permission auditing and logging, right? So you always want to have the different tools out there so that you can log and audit everything that's happening within your organization. Okay, need to know.
Speaker 2:
So the need-to-know principle does restrict the information or the resources based on what the individuals need to be required, or actually what they have to do, to perform their job. So when I was in the military, you had a need to know certain criteria. So if you had a clearance that gave you top secret clearance, just because you had a top secret clearance doesn't necessarily mean you had the need to know that information. So it's one more level of compartmentalization around the data and it does help a lot. Now, is it always followed? No, but it is a really good principle to follow as much as you possibly can, and it emphasizes the limiting of the dissemination of sensitive or classified data. You'll see a lot of need to know within the US government, within the militaries. I suggest not just US, right? The Chinese, Russians, everybody pretty much has this need-to-know thought process, but you want to limit that to just the roles and justify the access.
Speaker 2:
Now some objectives to consider: it minimizes the risk for potential data breaches, incidents and so forth. And it does limit your overexposure. It doesn't overexpose you. It limits your overexposure of the data. Talking too fast gets you into trouble. Enhanced confidentiality: obviously, it protects your data to ensure it's only shared with those that are essential to the task, and then it helps you meet the regulatory requirements that we talked about earlier that continue to grow with the various aspects around it.
Speaker 2:
Now some implementation strategies around this would be information classification. To make this happen really well, you do need to have a good information classification or data classification strategy in place. Now this includes public, internal, confidential, top secret, secret, that kind of thing, right? So if you have something like that in place and ready to go and you follow it and you have the guidelines that are set up and you also have someone to help manage it, your need-to-know process will work very well, or has the potential to work very well. Now, it does apply restrictions based on the classification level, like I mentioned earlier, secret to top secret, but realistically, you need to have a good data classification strategy in place.
Speaker 2:
You also have to have access control mechanisms. We talked about RBAC, and then another one that we've mentioned here on the podcast is the attribute-based access controls, or ABAC, and these are where contextual factors such as location and time of access can be added to it. So this is another part that you can have. Again, if Sean has a need to know, but Sean's identity is logging in from Seoul, Korea and Sean lives in Wichita, Kansas, yeah, there's a problem, maybe. Maybe Sean's on a trip to Seoul, Korea, but if it's showing up in my daughter's hometown of Kampala, Uganda, yeah, probably not. Don't go there very often. So something to consider there. Now, some other areas you need to consider as far as the implementation strategies is granular access permissions. This assures that all access is assigned to the smallest possible scope. This includes micro-segmentation and it can restrict access within these various networks.
Speaker 2:
Another piece is data masking. I've done this multiple times with various tools, and the tools may have it inherent within them, or you may have to invest in another third-party tool to do the data masking for you. Now, it presents only the necessary portions of the data to the authorized users. One of the examples in the United States is social security numbers. It could be an identification number of some kind, and you know what? To me it shows my ID, but if it was my wife logging in, it would only show maybe the last four of my social security. So those are different pieces around data masking. It also goes into the zero trust principle, where it verifies access and requests dynamically to ensure no unnecessary privileges are allowed. Again, it works really well with need to know.
Speaker 2:
Now again we talked about benefits. Security posture is awesome. Enhanced focus: again, employees are not distracted by irrelevant information or the fun juicy facts like going from secret to top secret. I get to know all the details. Yeah, you keep that to a minimum. And the cool part on this is it does help. If you teach your people this, you have a good program, then you have your individuals becoming the watchers for you. I've had multiple times where I've been in a classified briefing and somebody just shows up and we're like, who are you? What are you doing here? Why do you have a need to know? And we would ask them and challenge them and then boot them out of the room, and that's the whole purpose, right? So just because Billy Bob has a clearance doesn't mean Billy Bob needs to come in and watch what's going on, because it's not relevant to them. And this is the part where you teach your people so that they learn that if somebody shows up that is not part of the overall organization, or not part of even that specific, in our case, mission, they're gone. Adios, muchacho or muchacha, whatever you want to choose. So that works really well. And then it also helps support audit and accountability. It limits access, ensures only authorized individuals are able to gain access to it, and they're responsible for the specific actions. So, again, need to know.
Speaker 2:
Now we're getting into separation of duties and responsibilities. Now, separation of duties: this is critical around dividing up tasks among multiple individuals to prevent conflicts of interest, right, and reduce fraud or errors. Now, when you're dealing with separation of duties, I've had this multiple times dealing with sending money. Money is a really good example of this, where you have individuals that have the ability to wire funds to a certain location, but what you want to have set up is the separation of duties so that, if Sean has the ability to say yes, send $1 million to Sean's bank account, then there has to be a second person to say, yeah, no, I don't think so, because that's not good, that doesn't help our company. So I've caught so many times, not me getting caught because I wasn't a fraudster, but caught people trying to defraud our company, in the fact that what they would do is they would send an email, basically it's called a business email compromise is what it is, and they act as our CEO, saying I want you to send money to X. And they send it to the right person who has control. And this right person goes, oh, okay, this is the CEO, this is out of the ordinary, but okay, sure, I'll send them a million dollars to X. And then the second person who is in that chain of command that deals with the overall separation of duties goes, ah, no, no, he did not say that. This is not him. Why are you doing that? So there's that second person, right?
Speaker 2:
It works really, really well when you're dealing with the finance side of the house. It also works really well within IT, and this is separating system administration from security monitoring. Again, you don't want the security monitoring folks to have access to all of the system administration, and I've seen this happen where, because of lack of people, they will do this, and I understand the reasoning, but if you're going to have the watchers of your network have full access within your network, then you need to have a level of oversight on that. There needs to be some level of overwatch. You need to have Sauron, the big eyeball, watching everything that's going on, because you never know; people can do stupid things or their accounts can do stupid things, and so it's important for you to keep tabs on that.
Speaker 2:
Now the implementation: you need to define the processes and identify the points of potential compromise. Again, understanding your processes is an important part of all of this. If you don't have your processes defined and written down, this will fall apart. So you need to make sure you have that done. You need to review and adjust your duties to reflect these changes, and then you need to use technology as much as you possibly can to help you deal with these, enforce these SOD policies. I've done that where they didn't have it in place. We helped them put in a good automation step, and it was as simple as emails, but it was a very specific email that went to a very specific person with big, red, flashy letters, and it forced them to go, oh wait, this isn't right. So, again, it's a really important part in your overall separation of duties, responsibilities, tasks. Two-person control. Okay, this is where you launch nuclear weapons to annihilate the other user?
Speaker 2:
Yeah, no, but it could happen that way. This is where you have two individuals who either approve or execute critical tasks. So what that basically means is like in the case of when I was in the military if you were going to drop a weapon in anger, I had the ability to do that on my own, but you had a certain level of sequences that you had to state before you did drop that weapon in anger, and so you would go. Am I clear to proceed? You are clear to proceed? Okay, we're clear in proceeding. We're engaging the target Target's engaged. We're flipping the switch. Flipping the switch you have people that are responding to you as you are doing these various tasks, and so therefore, they are consenting. They may not have their finger on the switch to push at the same time as you, which the nuclear codes do, but they are consenting by their verbal accountability. Now, if they didn't come back, you would question wait a minute, am I cleared to proceed? Am I cleared to proceed? If you decided, hey, I'm going to drop this thing in anger, no matter what anyway, well then, yeah, you could do that, but there's consequences for that as well. So again, that's.
Speaker 2:
The whole point is that you have to have an approve or execute the critical tasks. You need to have two people, at least two people, to agree. Then again, we talked about nuclear launch codes. Access to sensitive data, physical or logical systems may require dual authentication. So if you're going into, maybe, a data center and it's a restricted data center and you want to get into it, well, you have to take a buddy with you and your swim buddy comes in and you go in and your swim buddy lets you in. So now you also have dual authentication. Financial transactions we kind of talked about that as well a little bit earlier.
Speaker 2:
Again, it helps mitigate some of the insider risks by requiring multiple individuals to be involved. And you have to have multiple individuals colluding to really make things go sideways, and if they collude, what ends up happening is, if there's more people involved, there's a better chance people are going to get caught. So it works really well. But the downside is, yeah, it can slow operations down substantially. Right, if you're going, hey, can I flip this switch? Let me go check with Bob. Okay? Bob says maybe. Okay, what about Bill? Bill says yes. Okay, I'm going to go flip the switch. I can flip the switch now. Yes, you can flip the switch. That took like way too long, right? So if you have to do a lot of these flipping switches, it could really interfere and cause problems with your operations. And then it adds more people, right? If we've got to add another person to get approval, you now have to pay that person and put them on the payroll.
Speaker 2:
Job rotation. What is job rotation? That means I'm tired of my job, I'm quitting and moving on. Well, that's a job rotation, right. But this job rotation is one within a company where you decide, you know what, we're going to have Bill, who's been in charge of finance, now going to go work the loading dock, and the loading dock person is going to go work finance. You hope the loading dock guy understands finance because, yeah, that could really be bad for your company. But if not, let's say he does or she does, then you want them to go do that.
Speaker 2:
The ultimate goal of this is that your employees will periodically rotate through different roles in your organization. It reduces fraud, because what happens is it reduces that one person from having long-term control over a single process. That person's been with the company for 35 million years and they know everything about it, where all the dead bodies are, and they know how to move money around. And oh, by the way, they can move money around pretty quickly without anybody knowing. And guess what? Oh, Gina's up for a new promotion and she doesn't get it. And now Gina wants to retire, so she's just going to take a little bit of cash for her own well-being. Yes, that's when it happens. So you have employees that are then rotating in and they can see, well, hey, Gina's been funneling off some cash a little bit here and there to her birthday party and, by the way, it's now up to about $20 million in her birthday party. Wow, that's going to be a heck of a big birthday party, right? Nothing like Jeff Bezos, but it's going to be good.
Speaker 2:
So identify the potential insider threats through diverse oversight, and again, it comes down to understanding the different roles. Now, again, like we mentioned, the truck driver or the warehouse loader needs to have the same skills as the person in finance, and vice versa, because if you're just putting people in different roles, you're going to add a lot of drama, and we all hate drama within your company. You implement this through rotation schedules to ensure knowledge transfer. You avoid rotation during critical phases, obviously; if you're going to have a turnaround or if you're going to have a shutdown or anything like that, you don't do this. Use logs and monitoring to ensure that there's operational continuity. It stays good, right? You have operational contingency set up. Yeah, that's a big word. I can't say that one. All right.
Speaker 2:
Mandatory vacations. This is where you force people to leave and hopefully they come back, but you're telling them, oh, by the way, Bob, you never take any vacation. You are now taking two weeks, have a nice day. And the purpose of that is that others can handle their job in their absence and then, just like we did before with job rotation, they find out potential fraudulent activities, and, again, this is a big part. It also helps reduce burnout and improve employee well-being. Again, though, I say that this is something that's in the book. It talks about that, and I've heard people say that, but change is hard for people. People do not like change.
Speaker 2:
You need to make sure that if you are going to force job rotation and mandatory vacations on people, they know that coming in, because they will not be happy campers if you say, by the way, you're taking a two-week vacation, and they don't want to take a two-week vacation. Now the other problem with the vacation is that you sometimes will force them to take the vacations when you want them to take it, not when they want to take it. So that's an important part, that they need to know that coming in, that hey, I'm going to set up a two-week mandatory vacation and I'm not going to tell you about it. You're just going to say you've got to take it. So you better sweeten the pot a little bit if you're going to do that, because you're going to irritate some people by just saying, okay, I'm going to have you take it off January 15th through the 1st of February. Okay, what am I going to do then? Yeah, that would be a bad time. So you just want to make sure that you put these policies together in a way that is also beneficial to the employee. Otherwise you'll be rolling through employees, because when he or she comes back off a vacation, they won't come back because they're gone. So consider that. Okay, PAM, Privileged Account Management.
Speaker 2:
We've talked about PAMs through various parts of the CISSP, and what they are is they control and monitor access to privileged accounts. This is an aspect we talked about. CyberArk. There's some other ones, Identity One, I think, is another one, and what they do is they will monitor and record privileged user activities. They're super cool.
Speaker 2:
So if you want to go check out a password, you have to go through the PAM, check it out, and it'll do storage. It does all these things. It'll connect to your servers, it'll connect to your workstations. All of that, it's awesome. Problem, though, is it's quite expensive, very expensive, by the way, and it takes a lot of maintenance to get it set up and running. Once it's up and running, oh yeah, baby, it's like nectar from the gods, but before then it is painful, very painful, like just super bad painful. So you need to consider how you want to deploy this within your organization.
Speaker 2:
Now, the benefits are it reduces the risk of privilege escalation, right? So I can't just go in and steal something, steal a password, because if it's stored in the PAM vault, then now I got to go in and check it out, I got to then use it. Or if they rotate the passwords, the one password that I have doesn't work. Again, it's really, really good. It also records you. So if you go into your PAM and you start getting access to a password, it will record that you did that. So then if you say, I didn't do that, that was not me, and it goes, looky, looky, this is you. And then you go, oh no. So the point of it is it will monitor all that. It ensures compliance with regulatory requirements. Sometimes it gets called out as a mandatory requirement that you do have a PAM, and it does enhance the visibility into privileged account usage. So again, this works really well for IT folks.
Speaker 2:
I highly recommend a PAM within your organization. If, at a minimum, you only use it for, like, your domain admin type folks, the ones that have the ability to just nuke your company, put those in a PAM of some kind. It doesn't have to be the super Gucci, expensive kind. That would be nice, but I would at least use some level of a PAM solution to monitor and manage your passwords. So again, you got to balance the security with user convenience. That will be a challenge. So if you force all of your people to go use this, then you could get a lot of revolts. You have pitchforks and torches. But if you just use your IT folks, who are used to being able to manage their passwords in a much more secure manner, then that would be good for adoption.
Speaker 2:
If you want to roll it out to all of your company, start with your IT folks and then slowly, gradually, baby-crawling kind of steps to go get that done. And it does ensure legacy systems will integrate with the PAM. That's one thing you need to make sure of; they don't all do that very well. And so if you buy this whole, this beautiful PAM and you've got, like, circa 1990s equipment, you might've just spent a bunch of money for not much of anything. So you want to make sure that whatever you purchase will meet the equipment that you have. And again we go back to, yes, the inventory list, and how important it is.
Speaker 2:
Now the various PAM solutions there are. We have CyberArk, BeyondTrust, Thycotic, I have never heard of that one, and then HashiCorp Vault. I've heard of CyberArk, BeyondTrust and HashiCorp. I've worked with two of the three of those, so each of those will provide some level of PAM solution. Now, again, the Thycotic. That's really kind of a scary name, Thycotic. It's mostly for small to medium-sized organizations, so it depends on the size of your company. CyberArk works really well for an enterprise. Again, though, it is very expensive, I'm not joking, it's super expensive, and it's considered one of the critical applications on any security tool that you have, is CyberArk. It's got the DR strategy, where when you're dealing with disaster recovery, it's critical. So it's tier one kind of stuff. It features the evaluate and the PAM solution. It's credential management, password vaulting and rotation, session monitoring and recording, task automation, all kinds of different things it can do. So, again, PAMs are awesome, and if your name is Pam, you are awesome. So again, that's the PAM.
Speaker 2:
Service level agreements, SLAs. Okay, so if you've all dealt with SLAs, what are they? Well, they're just basically an agreement between a service provider and a customer defining expected performance standards. So these are the standards which you have to follow to meet their needs, right. So you have, for dealing with scope of services, that's clearly defined deliverables and exclusions. When you're dealing with an SLA, you may have metrics and you may have penalties and remediation aspects for these different things. So if I have an agreement with a company and I have an SLA with them, I'm giving them specific services and it's called out. If they want specific metrics, I have to provide them those metrics, and then they define that there's penalties if, for some reason, I don't meet my end of the bargain or they don't meet their end of the bargain. Then there's consequences for failing to meet the SLA. So an example of this would be AWS. Right, they guarantee 99.999999 times upgrade on their SLA. That being said, they've had some recent outages where they're not 9999, it's like 13 nines or something crazy stupid. They're down to like nine nines. So it isn't quite as good as what they had said, and so they have a breach in their SLA. So when they breach their SLA, somebody has to pay, and that's kind of how that plays out.
Speaker 2:
Managed service providers, MSSPs. They're committing to an incident response within a specific timeframe. So if an MSP says, I've got your back, you get pwned, I'm coming to bail you out, like Bruce Willis coming in there, I don't know, Die Hard, whatever, he's coming in right, guns a-blazin'. Well, they're committed to telling you that they will do it within X amount of time, within a day, within a couple hours, within whatever. If they don't meet that, then they are in breach of their SLA. And if they're in breach of their SLA, there's penalties that go along with breaching your SLA. Money, free services, all those kind of things, right, Ferraris, you name it. They have it all called out in their SLA. You get it. It becomes Christmas again, but then you're dealing with a breach and, yeah, that's no fun. So that's your SLA.
Speaker 2:
Another thing to consider around this when you're dealing with SLAs is data ownership. Who owns the data stored in these systems? This is a big factor. So, just because you work with a third party and they have your data, you need to really have defined in the SLA who actually owns it, who's responsible for it. Get that very clearly understood. If the legal wording does not match with what they've told you, make sure it does, because at the end of the day, once you sign that piece of paper, boom baby, you both are on the hook. Regulatory requirements: make sure to meet your different needs from GDPR, HIPAA and so forth.
Speaker 2:
Audit rights. Again, this is something I brought up a lot and I would bring up to these different companies, going, I want the right to be able to audit you. Now I could do one of three things. I could bring in a third-party auditor, I can have them do a self-assessment, so it's like an audit slash assessment, or three, I could do an assessment of them. But I wanted to build that into my SLAs, that we have the right to do that, especially as it relates to data that is critical to your organization. So if you have intellectual property, big thing, put it in there. Okay, big nugget, clanging a big old hammer right now on a bell, ding, ding, ding, ding. Yeah, doing that.
Speaker 2:
You want to make sure you have that in place if somebody else is storing your most important data. So some best practices: again, regularly review the SLA performance reports, align your SLA terms with business continuity and disaster recovery plans. Again, that comes back to your data knowledge. Where is your data stored? And then make sure you involve legal, technical and operational teams when you're doing this. I never go anywhere without my legal team. They don't like me. Well, I say I don't have them anymore. But I did. They didn't, they were, they were. They took a lot of back and forth drama to make this happen. You know we hate drama, but it took a lot of that back and forth to make this happen. So you just need to make sure you have a good lawyer on staff or you've got a third party that you can reach out to, outside counsel. It's an important part. Again, operational teams, they also need to be aligned, because you may sign something saying, oh yeah, this is what we're going to do, and the ops teams go, what the heck are you thinking, right? This isn't going to work. You need to make sure everybody's aligned.
Speaker 2:
Doing the drinking duck. We talk about the drinking duck. It's that little bird, you know, that drinks. You probably are all way too young for this, but the little bird that goes up and down, you know, hits his nose in the water and goes back up. That's what we call the drinking duck. Everybody needs to be nodding their head in the same direction, that they're in alignment with this.
Speaker 2:
Okay, that is all I have for today. I hope, I hope, I hope, I hope you all have a wonderful Merry Christmas. And the reason for the season is amazing, and I hope that you guys have a great new year. As we go into this next new year, 2025 is going to be amazing, I know. I know it is and we're excited about where the world is. Well, the world's kind of scary right now, but we're excited where it's going and I'm sure it's going to go to a great place. But anyway, I hope you all have a Merry Christmas. This podcast, there'll be one coming out on Thursday, but this will be the last podcast before Christmas. So have a wonderful day. I hope you're listening to this while you're drinking your eggnog.
Speaker 2:
Go to CISSP Cyber Training. Check out all the stuff I have there. Amazing stuff. I got to put a plug in for me. I almost forgot. Got to put a plug in: CISSP Cyber Training. Go there, lots of great stuff. Also, go to ReduceCyberRisk.com. Reduce Cyber Risk is my consulting spot. Again, that's just still being built up, but if you need cybersecurity consulting expertise, I got it for you. If I can't help you, I got a whole team of people that will be able to help and get you what you need. So again, go to CISSP Cyber Training and ReduceCyberRisk.com and check everything out and have a merry, merry Christmas. We'll talk to you all.
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!