The Center for Internet Security Controls, or CISControls for short, have become an industry standard that helps businesses and organizations of all sizes maintain a best-practice baseline of cybersecurity controls.
Safeguard 5.6 wraps up Account Management, and while it is only required for Implementation Groups 2 and 3, it is something you very likely already have in place. In fact, I would bet that you have it in place today.
Safeguards 5.1 and 5.5 cover the inventory side, where you need to know what you have to secure across users, admins, and service accounts. Safeguard 5.6 simply requires you to "Centralize Account Management" through a directory or identity service. Wait, that's it?
Yes, that's it. If you have an on-premises Microsoft Windows domain (Active Directory), Microsoft Azure AD (AAD, now Entra ID), or a Red Hat Linux domain such as Red Hat Identity Management (IdM), then you already have centralized account management. Really the only way you don't is if you are still running standalone workgroups with POP3 mail, and that is so 1990 of you.
As more companies migrate to cloud services, Identity and Access Management (IAM) becomes critical. Your account management should live where your base infrastructure is, on-premises or in the cloud. From there, tie in Single Sign-On (SSO) wherever you can and let your employees enjoy only having to remember one credential. The practical caveat: once one credential opens everything, that credential needs MFA, and the identity provider becomes your highest-value target, so protect and monitor it accordingly.
To recap Control 5: if you are running Entra ID or a local domain, then with a little housekeeping you can check off 5.1, 5.3, 5.4, and 5.6. 5.2 and 5.5 may require a little more work depending on your business, and 5.4 comes down to your willingness to split your administrative access from your standard account.
Safeguard 5.5 is similar to 5.1 in that it calls for an inventory of accounts, but 5.5 specifically requires an inventory of your service accounts. At minimum it must contain the department owner, review date, and purpose. You should also review service accounts on a recurring schedule, at least quarterly, to validate that all active accounts are authorized.
We covered in 5.1 that every account that can successfully log in should be inventoried, and 5.5 doesn't change that. It does, however, require different data: 5.1 has you store the person's name, username, start and stop dates, and department, while 5.5 requires the department owner, review date, and purpose of the service account. That difference is enough for it to be called out separately.
Safeguard 5.5 is also only required if you are seeking Implementation Group 2 or 3 status, but let's be honest, this is a requirement for everyone. You want to know everyone who has keys to your house, so why wouldn't you want an inventory of everyone with access to your data?
Active Directory counts as an inventory tool, since it maintains the records and you can add notes or custom attributes to cover the requirements here. Having SSO set up also helps, because it forces applications onto a single sign-on platform, so you know all of those systems are using your AD or AAD (Entra ID) tenant. The caveat is that AD only inventories what authenticates against it; service accounts created locally inside an application or SaaS tenant still have to be added to the list by hand.
You likely have most of this done already. Where most of us fall short is checking the sub-boxes, and it is great practice to start doing that today. So review your service accounts and document the department owner, today's date (as the last review date), and the purpose of each account.
Then check off 5.5, and you're well on your way to being IG2 compliant.
Safeguard 5.4 requires that you RESTRICT administrator privileges to dedicated administrator accounts. Yes! General computing activities such as web browsing, e-mail, the Microsoft Office suite, gaming, etc. should be done as a non-administrator.
One thing that is still common today is that IT people love the power, and they don't like having to log off and log back on as their YOURNAME_Admin account to get it. It slows us down, it makes me less productive, I can't do my job without the elevated rights.
Let's get real. You can't be secure if you are not taking the time to secure your own usage. Out of an 8-hour work day, you need to be elevated for maybe 30 minutes (on most days). Outside of that, it isn't needed.
Everyone who should have administrative-level rights, including domain admins, enterprise admins, global admins, and admin-level rights to your SaaS apps, needs two different credentials: one for daily work and one for administration.
I commonly see 'admin' appended to the username to designate the difference for the end user. Hackers know this as well, so ensuring MFA or long passwords is a must (remember 5.2).
This one isn't rocket science, but it is required for Implementation Groups 1, 2, and 3, so it is something we all have to improve on, and the biggest obstacle in our way is ourselves.
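To make 5.4 measurable rather than aspirational, here is an added example (my own, not code from the original post) that audits who actually holds admin rights in Active Directory and whether those are dedicated accounts. It assumes the RSAT ActiveDirectory module, read access to AD, and a naming convention where dedicated admin accounts end in `_admin`; that suffix, like the group list, is an assumption to adjust for your environment.

```powershell
# Added example, not from the original post. Assumptions: RSAT ActiveDirectory
# module, read access to AD, and the naming convention that dedicated admin
# accounts end in $AdminSuffix (hypothetical; adjust to your convention).
Import-Module ActiveDirectory

$AdminSuffix = '_admin'
$PrivGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Server Operators', 'Backup Operators'

$findings = foreach ($group in $PrivGroups) {
    # -Recursive expands nested groups; that is where "temporary" admin rights hide.
    # Enterprise/Schema Admins exist only in the forest root, hence SilentlyContinue.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties mail, LastLogonDate, PasswordLastSet
            $pwAge = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                Group       = $group
                Account     = $u.SamAccountName
                Dedicated   = $u.SamAccountName -like "*$AdminSuffix"
                HasMailbox  = [bool]$u.mail        # admin accounts should not receive e-mail
                Enabled     = $u.Enabled
                PasswordAge = $pwAge
                LastLogon   = $u.LastLogonDate
            }
        }
}

# 5.4 violations: a daily-driver account holding admin rights, or an admin
# account that can receive mail (and therefore phishing) like a normal user.
$violations = $findings | Where-Object { -not $_.Dedicated -or $_.HasMailbox }
$violations | Sort-Object Group, Account | Format-Table -AutoSize

# Stale protection: accounts AD once marked privileged (adminCount=1) keep the
# restrictive AdminSDHolder ACL and lose ACL inheritance even after removal
# from the group. List them so adminCount can be cleared once confirmed demoted.
$stillPrivileged = $findings.Account | Sort-Object -Unique
Get-ADUser -LDAPFilter '(adminCount=1)' |
    Where-Object { $_.SamAccountName -ne 'krbtgt' -and $_.SamAccountName -notin $stillPrivileged } |
    Select-Object SamAccountName, DistinguishedName
```

The first table is the one to argue about with your IT team: every row that is not a dedicated account is someone browsing the web with domain admin rights. The second list catches accounts that were demoted on paper but still carry the AdminSDHolder permissions, which is a common leftover that nobody inventories.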
Safeguard 5.3 requires the deletion or disabling of any dormant accounts after a period of 45 days of inactivity, where supported.
When a user leaves the company you should disable the account, reset its credentials, or remove it immediately. With some cloud services a user may be able to reset credentials through verification methods that you don't control, so disabling or removing the account should be the preferred practice.
In practice the accounts 5.3 catches are the ones set up for a vendor or a service that has since been decommissioned, where the account was forgotten in the process. So while 5.3 still applies if you are not removing standard user accounts, its intent is to ensure those other accounts are disabled or deleted in a timely manner.
Over the years I have seen "legacy" accounts maintained for access to files, a specific application, or e-mail.
When you decommission a user, their files should be migrated to the user replacing them or to their manager.
Users should not be logging in with other users' accounts to access an application. If you have issues getting the application working for another user account, contacting the application vendor's support team is your best next step.
Finally, I love using e-mail compliance backup tools like Barracuda's E-mail Archiver. I know all of the e-mail is retained and can give another user access to it there, so the user account and mailbox can go away. Even if a new e-mail comes in and can't be delivered, the archiver will still archive it.
There are products and processes readily available that eliminate any argument your users might have for why you can't "remove" access to another user's account.
Here I use the Liongard service, which monitors most services, including Entra ID and Active Directory, for unused or dormant accounts.
All you need here is a policy that outlines how you identify and handle dormant accounts, plus logs or an auditing tool that show you actually follow the policy if you ever need to prove it. The last thing you want is a dormant but still-active account used to breach your network.
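If you don't have a monitoring service, the 45-day check and the evidence for it are a short script. The following is an added example (mine, not from the original post) that finds enabled Active Directory accounts with no activity in 45 days, writes a CSV you can hand an auditor, and disables rather than deletes them. It assumes the RSAT ActiveDirectory module, rights to disable accounts, and a break-glass account name and report path that are placeholders to adjust.

```powershell
# Added example, not from the original post. Finds AD accounts idle for
# $DormantDays and disables them, writing a CSV as evidence that the
# dormant-account policy is actually followed. Assumptions: RSAT
# ActiveDirectory module, rights to disable accounts, and the break-glass
# name and report path below (hypothetical; adjust).
Import-Module ActiveDirectory

$DormantDays = 45
$Cutoff      = (Get-Date).AddDays(-$DormantDays)
$BreakGlass  = 'breakglass_admin'                   # never auto-disable these
$ReportPath  = "C:\Audit\dormant-$(Get-Date -Format yyyyMMdd).csv"

# LastLogonDate comes from lastLogonTimestamp, which replicates only every
# 9-14 days, so an account can look up to two weeks more idle than it is.
# Accounts that never logged on (the forgotten vendor account) have no
# LastLogonDate at all, so fall back to the creation date for those.
function Get-LastActivity($user) {
    if ($user.LastLogonDate) { $user.LastLogonDate } else { $user.whenCreated }
}

$dormant = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, whenCreated, PasswordLastSet, Description, Department |
    Where-Object { $_.SamAccountName -notin $BreakGlass -and (Get-LastActivity $_) -lt $Cutoff } |
    Select-Object SamAccountName, Name, Department, Description,
        LastLogonDate, whenCreated, PasswordLastSet,
        @{ n = 'DaysIdle'; e = { [int]((Get-Date) - (Get-LastActivity $_)).TotalDays } }

$dormant | Export-Csv -Path $ReportPath -NoTypeInformation

# Disable rather than delete so the account (and its SID/group memberships)
# can be restored if a business owner objects; record why in Description so
# the 5.1/5.5 inventory stays accurate. Delete after a second review cycle.
foreach ($u in $dormant) {
    Disable-ADAccount -Identity $u.SamAccountName
    Set-ADUser -Identity $u.SamAccountName -Description (
        'DISABLED {0}: dormant >{1} days (was: {2})' -f (Get-Date -Format 'yyyy-MM-dd'), $DormantDays, $u.Description)
}
'{0} dormant account(s) disabled; evidence written to {1}' -f @($dormant).Count, $ReportPath
```

Run it on the same schedule your policy names and keep the CSVs; together they are the proof an assessor asks for. For Entra ID the same check uses `Get-MgUser` with the `SignInActivity` property (which needs the AuditLog.Read.All permission and an Entra ID P1 license in the tenant), comparing `LastSignInDateTime` against the same cutoff.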
Safeguard 5.2 requires everyone to Use Unique Passwords. I know it's not rocket science, but many service providers out there are still using default passwords or password patterns for their clients.
Using the same password was standard policy and practice just a few years ago, but with password managers and documentation tools now the norm, there is no excuse for not using, at a minimum, a unique password for every account.
Safeguard 5.2 requires, at a minimum, an 8-character password for accounts that use MFA, or a 14-character password if MFA is not in use.
If it's an administrative-level account, then why you are not using MFA is a different question altogether.
So your domain administrative and service accounts, and even your Microsoft Entra ID accounts, are the easy ones to roll out here. Update the passwords and document them in a secure password manager so you can retrieve them when needed.
A good practice is to reset those passwords at least once a year if you are meeting the minimums above.
Local accounts get a little harder. I've promoted Microsoft LAPS, the Windows Local Administrator Password Solution, before; it automatically randomizes and rotates the local administrator credential on all those workstations. LAPS is supported on Windows 10 and newer, and Windows Server 2019 and newer. Ohhh, and it's FREE! Learn more about LAPS at https://lnkd.in/ebxGchxZ
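Here is how the 8/14-character rule and the LAPS rollout look in PowerShell, as an added example of my own rather than code from the original post. A fine-grained password policy enforces the 14-character minimum on the accounts that cannot use MFA, a quick audit shows what minimum actually applies, and the Windows LAPS cmdlets handle the local administrator passwords. It assumes the RSAT ActiveDirectory and LAPS modules, Domain Admin rights, and the group, OU, and computer names used below are placeholders.

```powershell
# Added example, not from the original post. Assumptions: RSAT ActiveDirectory
# and LAPS modules, Domain Admin (and, for the schema update, Schema Admin)
# rights, and the group/OU/computer names below (hypothetical; adjust).
Import-Module ActiveDirectory
Import-Module LAPS

# Accounts that cannot use MFA (service accounts, on-prem admin accounts)
# get a 14-character minimum. Keep the domain default >= 8 for MFA users.
$subjects = 'Service Accounts', 'Domain Admins'   # group names are assumptions
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'PSO-NoMFA-14char'")) {
    New-ADFineGrainedPasswordPolicy -Name 'PSO-NoMFA-14char' -Precedence 10 `
        -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MaxPasswordAge '365.00:00:00' `
        -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-NoMFA-14char' -Subjects $subjects
}

# Audit: what minimum actually applies? The default domain policy is the
# floor for everyone else, and a user's resultant PSO shows which one wins.
$default = Get-ADDefaultDomainPasswordPolicy
if ($default.MinPasswordLength -lt 8) {
    Write-Warning "Default domain policy allows $($default.MinPasswordLength)-character passwords (CIS 5.2 minimum is 8 with MFA)"
}
Get-ADUserResultantPasswordPolicy -Identity 'svc_backup' |
    Select-Object Name, MinPasswordLength, Precedence

# Windows LAPS: one-time schema/permission setup, then per-machine retrieval.
# The password is stored on the computer object and rotated on the schedule
# set by the LAPS policy (Group Policy or Intune), so every workstation gets
# a unique local admin credential you never have to document by hand.
Update-LapsADSchema                                                             # once per forest
Set-LapsADComputerSelfPermission -Identity 'OU=Workstations,DC=corp,DC=example' # lets computers write their own password
$laps = Get-LapsADPassword -Identity 'WS-001' -AsPlainText
"{0}\{1} expires {2}" -f 'WS-001', $laps.Account, $laps.ExpirationTimestamp
# After the password has been used (e.g. a support call), force rotation instead of reusing it:
Set-LapsADPasswordExpirationTime -Identity 'WS-001'
```

The point of the expiration reset at the end is that a LAPS password that has been read out loud to a technician is no longer a secret; expiring it makes the machine rotate it on its next policy cycle.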
"You can't protect what you don't know" - Scott Davis
That quote holds true as we explore Safeguard 5.1, which is establishing and maintaining an inventory of accounts. At minimum your inventory should contain the person's name, username, start and stop dates, and department. You need to validate that all active accounts are authorized on a recurring schedule, at minimum once a quarter, though more frequently may be needed depending on your adds, moves, and changes.
Safeguard 5.1 is required across all three Implementation Groups and really should be required for every organization.
Before you wonder how you will ever manage that, remember that Active Directory or Azure Active Directory (Entra ID) is already an inventory of your users, admins, and service accounts. Keeping it clean and updated is what we should be doing regardless, because you don't want former employees accessing data.
Where Active Directory falls short is local user and server accounts. I recommend Microsoft LAPS, the Windows Local Administrator Password Solution, a Windows feature that automatically manages and backs up the password of a local administrator account to your Entra ID (Azure Active Directory) or Active Directory. It can also manage and back up the Directory Services Restore Mode (DSRM) account password on your domain controllers, which an authorized administrator can retrieve. Note that LAPS manages only the one local administrator account you configure it for; any other local accounts on those machines still have to be enumerated and inventoried separately.
From an auditing perspective I also love ❤️ the Liongard service here, as it can audit user accounts on Microsoft Windows servers, workstations, and Active Directory, your Apple Mac computers, and Linux systems.
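Because 5.1 and 5.5 ask for the same kind of list with different columns, one script can produce both. This is an added example of my own, not code from the original post. It assumes the RSAT ActiveDirectory module and a few conventions that are placeholders for your own: service accounts live in a dedicated OU, the department owner is stored in the AD `manager` attribute, the purpose in `Description`, and the last review date in `extensionAttribute1` as yyyy-MM-dd.

```powershell
# Added example, not from the original post. Builds the 5.1 account inventory
# (name, username, start/stop dates, department) and the 5.5 service-account
# inventory (owner, review date, purpose) from AD and flags the gaps a
# quarterly review must close. Assumptions (hypothetical; adjust): service
# accounts live under $ServiceOU, owner = 'manager' attribute, purpose =
# Description, last review date = extensionAttribute1 as yyyy-MM-dd.
Import-Module ActiveDirectory

$ServiceOU  = 'OU=Service Accounts,DC=corp,DC=example'
$ReviewDays = 90          # "at least quarterly" in 5.1 and 5.5
$Today      = Get-Date
$Stamp      = $Today.ToString('yyyyMMdd')
$props      = 'DisplayName', 'Department', 'whenCreated', 'AccountExpirationDate',
              'Manager', 'Description', 'extensionAttribute1', 'servicePrincipalName'

# 5.1: every human account that can log on. Start = creation; Stop = the
# planned expiration (set it for contractors) or blank for permanent staff.
$users = Get-ADUser -Filter * -Properties $props |
    Where-Object { $_.DistinguishedName -notlike "*,$ServiceOU" -and $_.servicePrincipalName.Count -eq 0 } |
    Select-Object SamAccountName, DisplayName, Department, Enabled,
        @{ n = 'Start'; e = { $_.whenCreated.ToString('yyyy-MM-dd') } },
        @{ n = 'Stop';  e = { if ($_.AccountExpirationDate) { $_.AccountExpirationDate.ToString('yyyy-MM-dd') } } },
        @{ n = 'Gap';   e = { if (-not $_.Department) { 'missing department' } } }

# 5.5: service accounts need an owner, a purpose, and a review date that is
# not older than the review window.
$svc = Get-ADUser -Filter * -SearchBase $ServiceOU -Properties $props |
    Select-Object SamAccountName, DisplayName, Enabled,
        @{ n = 'Owner';      e = { if ($_.Manager) { (Get-ADUser -Identity $_.Manager).SamAccountName } } },
        @{ n = 'Purpose';    e = { $_.Description } },
        @{ n = 'LastReview'; e = { $_.extensionAttribute1 } },
        @{ n = 'Gap';        e = {
            $gaps = @()
            if (-not $_.Manager)     { $gaps += 'no owner' }
            if (-not $_.Description) { $gaps += 'no purpose' }
            $reviewed = [datetime]::MinValue
            if (-not [datetime]::TryParseExact([string]$_.extensionAttribute1, 'yyyy-MM-dd', $null, 'None', [ref]$reviewed)) {
                $gaps += 'no review date'
            } elseif (($Today - $reviewed).Days -gt $ReviewDays) {
                $gaps += "review overdue ($(($Today - $reviewed).Days) days)"
            }
            $gaps -join '; '
        } }

$users | Export-Csv -Path "C:\Audit\accounts-5.1-$Stamp.csv" -NoTypeInformation
$svc   | Export-Csv -Path "C:\Audit\service-accounts-5.5-$Stamp.csv" -NoTypeInformation

# The quarterly review is just working the Gap column down to zero.
'5.1: {0} user accounts ({1} with gaps); 5.5: {2} service accounts ({3} with gaps)' -f `
    @($users).Count, @($users | Where-Object Gap).Count,
    @($svc).Count,   @($svc   | Where-Object Gap).Count
```

Two things the script deliberately leaves out: group managed service accounts (`Get-ADServiceAccount`), which belong on the 5.5 list too but carry their own AD-managed password, and anything that authenticates outside AD (SaaS-local admin users, application service accounts), which is exactly the part of the inventory that has to be maintained by hand.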
Safeguard 4.12 wraps up our journey through Control 4, which covers secure configuration of enterprise assets and software. Safeguard 4.12 specifically calls for a separate enterprise workspace on mobile end-user devices.
This is where a virtual "work profile" is created on a mobile device that keeps the end user's personal apps separate from your work apps and data. While Apple's managed-app separation (delivered through MDM configuration profiles) and Android's Work Profile work out of the box, VMware's Workspace ONE is one of numerous Mobile Device Management (MDM) platforms that can help you check this box.
For the majority of businesses and organizations this is overkill unless you are working with lots of confidential or top-secret data. Even so, Safeguard 4.12 is only required if you are looking to achieve Implementation Group 3 status.
If you can check off 4.1 through 4.11 then you are in a very good state, even without meeting 4.12.
Safeguard 4.12 also maps to NIST SP 800-53 Revision 5 in AC-19(5) on full device or container-based encryption and SC-39 on process isolation. You can also find it in NIST SP 800-171 Revision 2 in 3.1.19, encrypting CUI on mobile devices and mobile computing platforms.
If you're in the CMMC conversation, look for it under Access Control (AC) at Level 2.
Today we explore CIS Control Safeguard 4.11, which, just like 4.10, is one everyone should consider applying but is only required in Implementation Groups 2 and 3. Safeguard 4.11 is the enforcement of remote wipe capability on portable end-user devices.
Yes, the ability to remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate, such as a lost or stolen device, or when an individual no longer supports the enterprise.
This isn't new; I remember at least as far back as Exchange Server 2010 that if e-mail was connected to the device we had the capability to remote wipe it. With Exchange ActiveSync v16.1 you have both Wipe Data and the Account Only Remote Wipe Device command, and the distinction is important. On a native iOS or Android mail client, Wipe Data wipes all data on the device, including photos, personal files, and so on. The Account Only Remote Wipe Device command wipes only the native mail app's Exchange ActiveSync mail, calendar, and account data.
And yes, Microsoft 365, Exchange Server, and even Google Workspace have functionality to remote wipe portable end-user devices. So if you're using one of those services, pull out your CIS checklist and mark 4.11 as compliant! One check before you do: the capability only counts for devices that are actually synced or enrolled so that a wipe command can reach them, so confirm your coverage rather than the feature.
Safeguard 4.10 is a no-brainer today, especially as more and more of us work remotely. 4.10 requires enforcement of automatic device lockout on portable end-user devices. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, the requirement is no more than 10 failed attempts.
If you're working with Apple configuration profiles (Apple Configurator or any MDM), the setting is maxFailedAttempts in the Passcode payload; in Microsoft Intune it's under Device Lock. Every Mobile Device Management (MDM) provider has this functionality.
If you're not striving for Implementation Group 2 or 3 compliance, simply documenting these requirements in your Mobile Device or Remote Work policy gets you started in the right direction.
This requirement is more than just requiring a password on a device when using Outlook, but that is a critical component you should have as well.
So why is this critical?
First, let's be honest: users are not the best at locking their computers when they step away (CIS Safeguard 4.3). I've seen unlocked and unaccompanied devices at conferences, hotels, airports, and everywhere in between. Whether the device is locked or unlocked, setting up device lockout limits the damage your users' habits can cause.
The goal here is to prevent brute-force login attempts on a device that has been stolen. Without automatic device lockout you're giving the thief an unlimited number of attempts to guess your password, which is probably just under the keyboard or inside the battery compartment (yes, I have found them there).
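Since 4.10 and 4.11 both ride on the same Exchange ActiveSync plumbing this post and the 4.11 post above describe, here is an added example (mine, not code from the original posts) that enforces the 10-attempt limit through an Exchange mobile device mailbox policy, checks that the policy really meets it, and then issues the account-only versus full remote wipe for a user's devices. It assumes an Exchange Online session opened with Connect-ExchangeOnline (the same cmdlets exist on Exchange Server 2013 and later), the built-in "Default" policy, and placeholder mailbox and notification addresses. Laptops, with their 20-attempt limit, are outside ActiveSync's reach and need an MDM such as Intune.

```powershell
# Added example, not from the original posts. Assumptions (hypothetical;
# adjust): an Exchange Online session via Connect-ExchangeOnline, the built-in
# 'Default' mobile device mailbox policy, and the addresses below.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# --- 4.10: device lockout -------------------------------------------------
# MaxDevicePasswordFailedAttempts accepts 4-16 or 'Unlimited'. After that
# many failures the device wipes itself. Blocking non-provisionable devices
# matters: a client that cannot enforce the policy must not sync at all.
Set-MobileDeviceMailboxPolicy -Identity 'Default' `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -AllowNonProvisionableDevices $false

function Test-LockoutPolicy([string]$Name = 'Default', [int]$Limit = 10) {
    $p = Get-MobileDeviceMailboxPolicy -Identity $Name
    $attempts = [string]$p.MaxDevicePasswordFailedAttempts   # 'Unlimited' or a number
    # -and short-circuits, so the [int] cast never sees 'Unlimited'
    $ok = $p.DevicePasswordEnabled -and $attempts -ne 'Unlimited' -and [int]$attempts -le $Limit
    [pscustomobject]@{ Policy = $Name; Attempts = $attempts; PasswordRequired = $p.DevicePasswordEnabled; MeetsCIS410 = $ok }
}
Test-LockoutPolicy | Format-List

# --- 4.11: remote wipe ----------------------------------------------------
# For an offboarded BYOD user, wipe only the Exchange account data; keep the
# full wipe (omit -AccountOnly) for a lost or stolen corporate device.
$Mailbox = 'jdoe@contoso.com'
foreach ($d in Get-MobileDevice -Mailbox $Mailbox) {
    $s = Get-MobileDeviceStatistics -Identity $d.Identity
    '{0} {1} ({2}) last synced {3}' -f $d.DeviceType, $d.DeviceModel, $d.DeviceOS, $s.LastSuccessSync
    Clear-MobileDevice -Identity $d.Identity -AccountOnly -NotificationEmailAddresses 'helpdesk@contoso.com'
}
# Evidence: the wipe is queued until the device next syncs; confirm it happened.
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceModel, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime, LastDeviceWipeRequestor
```

The wipe acknowledgement columns at the end are the part people forget: a wipe request against a phone that is already powered off and sitting in a drawer stays pending forever, which is why the sync coverage check matters before you mark 4.11 done.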