Chronicles of Cybersecurity Consulting - 1st in series - The Bleeding Password

[Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.

Author or the newsletter are not liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and or situation.

M. Yousuf Faisal


Hi Securing Things Community,

In this newsletter edition, I am starting Chronicles of Cybersecurity Consulting from the field (1st in series - more to come in future, so stay tuned), a slightly different write-up/style compared to previous editions (hope you’ll enjoy), plus my most viewed social media posts from May 2024 and my asks.

Special Message:

Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks! Note: remember to validate your email address to ensure that you don’t miss any future newsletter editions.

1. Chronicles of Cybersecurity Consulting

I’ve been working in the technology and cybersecurity industry for more than two decades, and while doing consulting/advisory and performing reviews, assessments, gap analyses or audits, I have had some fun and interesting moments. I’ll be sharing some of them as part of the Chronicles of Cybersecurity Consulting.

Here’s one below and stay tuned for more in future posts.

Chronicle # 1 - The “Bleeding Password” for All Crown Jewels!

I was engaged by a global financial institution’s regional HQ as part of their APAC-wide cybersecurity review. As part of the review process, I interviewed an administrator who was managing 3x100+ systems running databases and who had the highest level of admin/database (DB) privileges.

Initial interaction suggested that I needed to simplify my asks, as the exercise was restricted to a paper, interview and console-based review only. So, before the interview, I started drawing out a simple mapping table on the whiteboard, focused on the top 5 critical assets (crown jewels), to map out and understand the admin’s current practices. For each of the top 5 assets, I identified the basic inventory, network architecture/zone, access controls, hardening, etc.

As we progressed, there were some fun and not-so-fun discoveries, and the CISO’s (project owner, accompanying me) jaw-dropping moment.

The fun bit - here are a couple of questions and answers:

Me: You manage lots of critical assets; what’s your approach to securing them?

Admin: “we have a network firewall and DBs are not accessible from internet” and it’s…


Me: For privileged access & DBs, how do you generate strong passwords?

Admin: “I generate long and random passwords”.

Me: My follow-up question: how?

Admin: “I randomly type on the keyboard to generate long & complex passwords”.


Yes, there were similar hand gestures as above - 😆 - no kidding.

On further inquiry, there came the jaw-dropping moment for the CISO (btw, did I mention that the CISO confidently told me before the interview that he already knew all the gaps, but would see what I’d discover? It turned out to be somewhat of a shocker for him):


To our surprise, he was using that (not so) randomly generated password for 3x100+ DBs - YES! - the same single password for so many critical database systems. The master password was saved on his machine in multiple text-based files (scripts and batch processes for those hundreds of databases) in clear text.


From previous reviews (internal/external), it had been recommended to secure that master password and to use TrueCrypt to encrypt the folder where all such scripts (with the clear-text password) were stored on the sys/DB admin machine.

The problem was that the TrueCrypt-encrypted folder remained in a mounted state, as he had to continually perform some manual tasks and run stored procedures during the day. Also, it didn’t solve the problem of that password crossing the network in clear text - I bet their network team knew the password, as they had been using Wireshark and other tools to diagnose network issues. But hey, they were part of the same IT team. I was given assurances 😁 as well.
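The two findings above (a clear-text password embedded in many scripts, and that one password shared across hundreds of systems) are exactly what an admin or reviewer can check for before anyone else does. Below is an added example, not code from the newsletter or the engagement, of a small audit that scans script and config text for embedded credentials and reports which files share the same secret. The file contents are constructed samples, the regex patterns are assumptions about common credential syntax, and secrets are reported only as a truncated hash so the report itself never echoes the password.

```python
import hashlib
import re

# Constructed sample files (not from the engagement): a batch file, a shell
# script and a config file that all embed the same clear-text password, plus
# one file with a different secret and one with none.
SAMPLE_FILES = {
    "nightly_backup.bat": 'sqlcmd -S DBSRV01 -U sa -P "Qwe!rty12345" -Q "BACKUP DATABASE app"',
    "run_proc.sh": "export PGPASSWORD='Qwe!rty12345'\npsql -h dbsrv02 -U admin -c 'CALL nightly()'",
    "app.config": 'connectionString="Server=dbsrv03;User Id=admin;Password=Qwe!rty12345;"',
    "readme.txt": "Run the batch job after 22:00. No credentials in this file.",
    "other.sh": "export PGPASSWORD='Different-Secret-9!'",
}

# Assumed patterns that commonly carry a clear-text secret in scripts and
# configs: key=value password assignments, libpq's PGPASSWORD, and sqlcmd's -P.
CRED_PATTERNS = [
    re.compile(r"(?i)\bpassword\s*=\s*['\"]?([^'\";\s]+)"),
    re.compile(r"(?i)\bPGPASSWORD\s*=\s*['\"]?([^'\";\s]+)"),
    re.compile(r"(?:^|\s)-P\s*['\"]?([^'\"\s]+)"),
]


def find_secrets(text):
    """Return the distinct secret values embedded in one file's text."""
    found = []
    for pattern in CRED_PATTERNS:
        for match in pattern.finditer(text):
            if match.group(1) not in found:
                found.append(match.group(1))
    return found


def fingerprint(secret):
    """Hash the secret so the report can group by value without printing it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def reuse_report(files):
    """Map each secret fingerprint to the list of files it appears in."""
    by_fingerprint = {}
    for name, text in files.items():
        for secret in find_secrets(text):
            by_fingerprint.setdefault(fingerprint(secret), []).append(name)
    return by_fingerprint


def shared_secrets(files):
    """Fingerprints found in more than one file: the 'one password everywhere' smell."""
    return {fp: names for fp, names in reuse_report(files).items() if len(names) > 1}


if __name__ == "__main__":
    for fp, names in reuse_report(SAMPLE_FILES).items():
        flag = "SHARED" if len(names) > 1 else "unique"
        print(f"{fp}  {flag:6}  {', '.join(names)}")
```

Run against a real scripts folder by reading each file into the dictionary in place of `SAMPLE_FILES`; a single fingerprint listed against hundreds of files is the "bleeding password" in numbers, and every file listed is a place the credential has to be removed from when it is rotated.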


Some immediate recommendations for people in the room where necessary…


This had been the case for ages, and now there were suspicions that the DBs and network had lately been seeing random abnormal loads outside of peak times. This suggested that it needed immediate action and further investigation. My recommendation was to assume a compromised state and take certain short- and long-term remediation actions with suggested controls.


  • People = Add skilled resource(s), initiate a Security Awareness Program and more technical security training for IT folks.

  • Processes = Privileged Access Management, configuration hardening standards and other related processes.

  • Technology = local password manager, PAM, DAM (database activity monitoring), EDR solutions, all sending logs to a central SIEM.
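The first technical step behind the "local password manager / PAM" bullet is replacing the single keyboard-mashed password with a distinct, genuinely random credential per system, so that one leaked script no longer unlocks all 3x100+ databases. The following is an added example (not the newsletter’s or the engagement’s code) that draws each credential from the operating system’s CSPRNG via Python’s `secrets` module, enforces a minimum length and character-class coverage, verifies that no two systems received the same value, and reports the resulting entropy. The system list and the symbol set are constructed assumptions.

```python
import math
import secrets
import string

# Constructed inventory (not the engagement's): each system gets its own credential.
SYSTEMS = ["dbsrv01", "dbsrv02", "dbsrv03", "dbsrv04"]

# Character classes every credential must draw from. The symbol set omits
# quotes, backslashes and semicolons so a value can be pasted into a shell,
# .bat file or connection string without breaking it (an assumption about
# where the admin's scripts will consume it).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_~"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random string of this length over the alphabet."""
    return length * math.log2(alphabet_size)


def has_all_classes(password):
    """True when lower, upper, digit and symbol characters are all present."""
    return all(any(ch in cls for ch in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def generate_password(length=24):
    """Draw from secrets.choice (OS CSPRNG); reject candidates missing a class.

    Rejection sampling keeps the accepted values uniform over the set of
    strings that satisfy the class rule, unlike fixing up a candidate by hand.
    """
    if length < 16:
        raise ValueError("length below 16 leaves too little margin for a privileged account")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def issue_credentials(systems, length=24):
    """Return one distinct credential per system; fail loudly on any collision."""
    creds = {}
    for system in systems:
        password = generate_password(length)
        if password in creds.values():
            raise RuntimeError("duplicate credential generated; refusing to continue")
        creds[system] = password
    return creds


if __name__ == "__main__":
    issued = issue_credentials(SYSTEMS)
    print(f"issued {len(issued)} distinct credentials, "
          f"~{entropy_bits(24):.0f} bits of entropy each")
    # In practice each value goes straight into the password manager / PAM
    # vault entry for its system, never into a script or a text file.
    for system, password in issued.items():
        print(f"{system}: {password}")
```

Compare the reported figure (24 characters over a 76-symbol alphabet is roughly 150 bits) with a keyboard mash, whose characters cluster on home-row keys and repeat; the latter cannot be measured and should not be trusted. The value of this approach is less the strength of any one credential than the fact that rotating or revoking one system’s secret no longer touches the other 299.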

Admin’s response: “All works fine now. Why & who the heck is going to hack us? And all that you are recommending is complicated - it will not work for us.”


After a bit of back and forth, a few remediation recommendations were accepted and a few were parked as progressive future improvements.


How would you help the DB/system admin? What best practices in terms of people, process and technology controls were missing? What would you recommend in addition, as short- and medium-to-long-term remediations, and why? Comment below.

2. My Recent Most Viewed Posts:

In case you’ve missed them, here are my most viewed recent social posts.


👉 Do share, comment and add your experience and insights, as this may help someone gain some clarity and make the right choices in their career decisions and/or progression. Our world needs more cybersecurity professionals.

👉 I hope to make a difference & help at least 100 people in 2024 (ideally 1K or more; I am not making a bold claim of a million or something) to give back to the community.

Whenever you are ready, I can help you/your organization with IT & OT cybersecurity advisory/consulting services, training and solutions - reach out at info[at]securingthings[dot]com.

3. My Asks

Do provide your valuable input to help me decide on a few things:

  • Do the course/topic ideas above resonate with you?

  • Which one would you prefer? (Or, if you are an expert, do they align with market needs?)

  • Course/certification name suggestions, per the above list.

  • Or would you rather prefer mini courses on similar topics?

    Do register, validate your email, and request a login link to submit the poll, to be able to enter for a chance to win a course giveaway.

I invite the #SecuringThings community to share their feedback and wish list for the year on:

  • any industry-specific pain points & potential resolutions of keen interest?

  • what did you like about this and/or previous editions?

  • what could be improved?

  • what would you like to see in future editions?

Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer digital future. Thank you for your trust and continued support.

Thanks for reading - until next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

M. Yousuf Faisal.

Follow: #securingthings on LinkedIn | @securingthings on X/Twitter & YouTube.
