Time
9 hours 54 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Transcription

00:00
Hi, everyone. Welcome back to the course. So in the last video, we wrapped up our discussion on control number three, continuous vulnerability management. So again, we just mapped that to the NIST Cybersecurity Framework. We mapped the sub-controls
00:12
and in this video we're going to talk through control number four, which is controlled use of administrative privileges.
00:18
So we're gonna learn about CIS Control number four as well as we're gonna briefly talk about the sub-controls as well.
00:24
So control number four, as I mentioned, is controlled use of administrative privileges. So think of this as the way that an attacker sort of pivots throughout the network, right? So there's generally speaking two kind of main types of attacks where they perform this. So one might be an attack where
00:41
you've got, like, local admin or even full administrative privileges.
00:45
And then the attacker sends you a phishing email, you click a link in the email or something similar. It takes over your credentials, and then they can move laterally through the network.
00:55
The other option, or the other most common way they do it, is a privilege escalation. So they may be brute forcing your admin credentials. So really, this is all about how do we control that, so the attackers can't do those types of attacks as easily.
01:14
So talking through sub-control 4.1 here,
01:17
talking about maintaining an inventory of our admin accounts. And I've actually worked with organizations that they had no clue how many people were administrators. And I was actually shocked when I went into Active Directory and noticed that all sorts of people, like accountants and stuff like that, were actually given administrator access because the
01:34
individuals prior didn't know what they were doing, right? So
01:38
always make sure you maintain an inventory of who actually has that administrative access. The other thing I would mention is make sure that you segment out that access, right, and we'll kind of talk about that a little bit.
01:49
So this is primarily focused on groups two and three. However, if you are a smaller entity, so small business, small/medium enterprise, I would say that you also want to know who has administrative access to your accounts, and that's not just accounts like Active Directory or email accounts. I'm also talking about social media accounts, who can actually post
02:07
and people think it's your company posting, right? So
02:10
you need to think through all of those things that are applicable to your organization.
02:16
Sub-control 4.2.
02:19
This is actually a huge issue in the industry. People not changing default passwords, right? So leaving the default credentials in place. You'll see this all across the board, especially in the critical infrastructure space. So even like railroad systems
02:32
always change the default password. If you're familiar with Shodan, which is commonly called a lot of times the hacker search engine, you can go on shodan.io and you could take a look and see all sorts of devices out there across the world that still have default credentials in place. So Shodan is a good place to go look that stuff up. There's some other places you can go as well.
02:51
It is. Always make sure you're changing the default passwords.
02:53
You notice that this goes across all the groups, right? Every single type of entity should be changing default passwords.
03:02
Sub-control 4.3, making sure that we have dedicated administrative accounts, right? So don't just give me administrative access, and then I go use that to check my Facebook and everything else. Make sure it's a dedicated admin account and that I can only access it through doing various checks and balances.
03:19
So this is really applicable across groups one, two and three. Now, if you're a small business out there and you're saying, "Well, I don't want to create a bunch of accounts,"
03:27
the reality is you should, right? So I shouldn't use my personal Facebook and link that with my business one. I should create a separate account with my name that I can then link to my business account. So just take those steps there. Yes, they're kind of a pain in the you know what, but it's really just best practice to help you
03:45
mitigate some of these issues you may have if attackers decide to go after your small business.
03:51
Sub-control 4.4, using unique passwords. So what I mean by that is don't use the same password across all sorts of different things, right? So don't use the same password on your email, your Facebook, your business accounts, your banking accounts. So use unique passwords across the board and make sure that they're unique enough from each other that someone could not easily guess them.
04:10
So, as an example of what issues? A bad password for our example.
04:14
So don't have "password 1234", and then for your banking password have "password 12345", for your Facebook have "password 123456", right? Like, don't use things that are so easy and don't use similar ones across the board.
04:28
And I know this is listed in CIS Controls as groups two and three, but really a Group one entity needs to understand that as well.
04:36
Sub-control 4.5, setting multi-factor authentication for all administrative access, and really, you should be setting multi-factor authentication for everything across the board.
04:46
Sub-control 4.6, using dedicated workstations for all administrative tasks. And what I would also say here is
04:54
set specific machines, even as a small entity or even in your personal life. Right? So let's give an example there.
05:02
If we're gonna be doing banking on your home computer, for example, like a desktop or laptop, I would actually encourage you to get a secondary device that you then use for like all your social media and all that other stuff that you do with what I consider a little riskier behavior, right? So you should have a machine dedicated that you really harden quite a bit
05:21
that you only use
05:24
when it's time to go do banking or something like that. And then have another machine where you do like the common used type of stuff
05:31
Sub-control 4.7, limiting access to scripting tools. This is primarily gonna be focused on groups two and three because you've got dedicated IT or cybersecurity personnel.
05:43
Sub-control 4.8, logging and alerting any changes to membership for the admin group, right? So if we get some change to the local administrator group, for example, we want to get an alert about that. So we know to go take a look and see if it's actually a legitimate change
05:59
and even be doing this with primarily groups two and three. Usually your smaller business doesn't have these types of resources in place.
06:06
And then finally, sub-control 4.9, logging and alerting on unsuccessful admin account logins. Similar thing here, right? Groups two and three are primarily going to be having something in place to track this type of stuff.
06:18
Now, that being said, you could also set up alerts, if you're a small business owner out there, on your website, social media, etcetera, to
06:26
send you an alert if someone's trying to log into your website. But generally speaking, this is gonna be mostly in the Group two and three area.
06:34
So this video we just talked about CIS Control number four
06:39
again, for controlled use of admin privileges. Now, in the next video, we're gonna talk through control number five, which is the secure configuration for hardware and software on our mobile devices, laptops, workstations as well as our servers.

Up Next

CIS Top 20 Critical Security Controls

This course will provide students with an overview of the CIS Top 20 Critical Security Controls v7.1. Students in this course will learn each CIS control and why it is important to an organization.

Instructed By

Ken Underhill
Master Instructor at Cybrary