Good Cyber Hygiene: Everyone is a Privileged User

Yesterday, ICIT published the first in a series of research reports as part of an identity management and cyber hygiene initiative, entitled “ICIT Analysis: Identity and Access Management Solutions: Automating Cybersecurity While Embedding Pervasive and Ubiquitous Cyber-Hygiene-by-Design.”


Wow, what a title. But worthy of the topic.

ICIT Sr. Fellow James Scott and Researcher Drew Spaniel did a thorough job identifying the various pitfalls of cybersecurity and of ensuring that everyone in the organization cares about cyber hygiene and is on top of their game. They offered several good ideas for meeting the needs of today’s environment, such as using a digital representation of the one and only identity a user has in order to limit the points of entry available to adversaries. Additionally, their point that ALL users must adhere to and practice cyber hygiene and best practices is one that seems to escape many organizations. The mind-set that only some of the organization’s users are “privileged users” leaves the organization partially protected and still vulnerable to regular users leaving the door open, or to partners and vendors exposing the “keys to the kingdom.”

Scott and Spaniel are spot on when they advocate automating cyber hygiene by automatically limiting access to resources based on each user’s role or responsibility. This ensures that insider-threat behavior or uninformed user activity outside that role is not possible, because the role itself prevents it. Coupled with the ability to review actual audits of user sessions, this helps the cyber team understand whether they need to pursue an investigation or send someone back to a cyber hygiene class. Either way, the breach does not happen and policy is automatically reinforced.

The five main takeaways of this paper are:

  1. Use digital access technologies that limit users to one and only one access point for reaching resources.
  2. Get rid of passwords and employ multi-factor authentication (MFA) everywhere.
  3. Define user roles that detail each person’s access and privileges in that role, and the time of day, week or month when that role is available.
  4. Audit user sessions on critical resources, at a minimum.
  5. Cover your entire risk surface by remembering that ALL users in an organization are privileged users, and grant each user least access based on their role to enforce good cyber hygiene and meet compliance requirements.
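To make takeaways 3 to 5 concrete, here is an added example (written for this post, not code from the ICIT report or its authors) of a default-deny access policy: every user, whether or not anyone labels them privileged, reaches a resource only through a role; each role carries a day-of-week and hour-of-day window; and every decision, allowed or denied, lands in an audit log the cyber team can review. The role names, users, resources and time windows are constructed for illustration.

```python
"""Added example: least-privilege, time-bounded roles with a session audit trail.
Roles, users, resources and schedules below are constructed, not from the report."""
from dataclasses import dataclass, field
from datetime import datetime

BUSINESS_DAYS = frozenset(range(0, 5))   # Monday (0) through Friday (4)
BUSINESS_HOURS = range(8, 18)            # 08:00 through 17:59


@dataclass(frozen=True)
class Role:
    name: str
    resources: frozenset                 # resources this role may reach
    days: frozenset = BUSINESS_DAYS      # weekdays when the role is active
    hours: range = BUSINESS_HOURS        # hours of day when the role is active

    def active_at(self, when: datetime) -> bool:
        return when.weekday() in self.days and when.hour in self.hours


@dataclass
class AccessPolicy:
    roles: dict                          # role name -> Role
    assignments: dict                    # user -> set of role names
    audit_log: list = field(default_factory=list)

    def decide(self, user: str, resource: str, when: datetime) -> str:
        # Default deny: nobody is trusted by virtue of being "a user"; access
        # exists only where an assigned role grants it AND the role is active now.
        granting = [
            name for name in self.assignments.get(user, frozenset())
            if resource in self.roles[name].resources
            and self.roles[name].active_at(when)
        ]
        decision = "ALLOW" if granting else "DENY"
        # Every decision is recorded so the cyber team can later tell an
        # investigation-worthy pattern from a user who needs a refresher.
        self.audit_log.append({
            "time": when.isoformat(timespec="minutes"),
            "user": user,
            "resource": resource,
            "decision": decision,
            "via": sorted(granting),
        })
        return decision

    def denied_events(self, resource: str) -> list:
        """Audit view: denied attempts against one critical resource."""
        return [e for e in self.audit_log
                if e["resource"] == resource and e["decision"] == "DENY"]


def build_demo_policy() -> AccessPolicy:
    roles = {
        "helpdesk": Role("helpdesk", frozenset({"ticketing"})),
        "dba": Role("dba", frozenset({"ticketing", "prod-db"})),
        # On-call role is deliberately available around the clock.
        "oncall-dba": Role("oncall-dba", frozenset({"prod-db"}),
                           days=frozenset(range(7)), hours=range(0, 24)),
    }
    assignments = {
        "alice": {"dba"},
        "bob": {"helpdesk"},
        "carol": {"helpdesk", "oncall-dba"},
    }
    return AccessPolicy(roles, assignments)


def run_demo():
    policy = build_demo_policy()
    weekday_noon = datetime(2016, 12, 14, 12, 0)   # a Wednesday
    sunday_night = datetime(2016, 12, 18, 23, 0)   # a Sunday
    results = [
        policy.decide("alice", "prod-db", weekday_noon),     # dba role active
        policy.decide("alice", "prod-db", sunday_night),     # dba role outside window
        policy.decide("bob", "prod-db", weekday_noon),       # helpdesk never grants prod-db
        policy.decide("carol", "prod-db", sunday_night),     # on-call role is 24x7
        policy.decide("mallory", "ticketing", weekday_noon),  # no role at all
    ]
    return results, policy


if __name__ == "__main__":
    decisions, pol = run_demo()
    for entry in pol.audit_log:
        print(entry)
    print("denied prod-db attempts:", len(pol.denied_events("prod-db")))
```

The point of the design is that "regular" and "privileged" users go through the same gate: a helpdesk user asking for the production database is denied by the absence of a role, a DBA asking outside business hours is denied by the role's schedule, and both denials are visible in the same audit view that reviewers use to decide between an investigation and a refresher class.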

Register for the 2017 ICIT Winter Summit here