EPISODE 96
SDP 1: Least Privilege

About this episode

In this episode, we unpack the first of the Security Design Principles, Least Privilege.

If you have never heard of it before, Least Privilege is the act of giving a person the most minimal amount of privilege for them to be able to do their job.

Our Hosts take the time in this short episode to discuss the ups and downs of Least Privilege and why it’s not utilized as widely as it should be.

Then they go over how Least Privilege should be implemented at home and at work and how much it affects your personal and professional Cyber Hygiene.

In the end, Jason discusses how Least Privilege can affect Software Development and the importance of setting different accesses and permissions for different users to improve your security posture.

What you’ll learn

  • What is a CRMAP?
  • What is Least Privilege?
  • What are the costs of using Least Privilege?
  • How does Least Privilege affect you as a user?
  • How can software utilize Least Privilege?

Episode Transcript


Kip Boyle:
Hey everybody, welcome. This is Your Cyber Path. I’m Kip Boyle, and I’m here with Jason Dion, who’s doing his last-minute little systems checks there. Thank you, Jason. I really appreciate it. Previously, we mentioned that there are 10 security design principles that were published in 1975, if you can believe it, in a paper by two authors, Saltzer and Schroeder. And we’re going to start a series where we’re going to unpack each one of them, and today we’re going to start with least privilege.

But before we do that, Jason and I are working on something pretty cool, and I want to take a couple of moments and talk with Jason about that because we want to share this with you. We think it’s pretty cool. We’ve already shared this idea and we’ve actually put it in motion, and we’re getting a lot of great feedback. So it’s a new thing, it’s a new certification program, and we’ve actually gone so far as to create a new company to be the pivot point for all this effort. We call it Akylade, with an unusual spelling because, as nobody will be surprised, it turns out that domain names are in short supply.

Jason Dion:
It’s not even just a domain name issue to be honest, Kip, it’s actually a legal and copyright issue.

Kip Boyle:
That too.

Jason Dion:
If you ever look at the last 10 years, everybody had this something-ify, Shopify, or like an -ific. And so, they do all these things to have a weird spelling or an I-F-Y or I-F-I-C at the end because that way, it becomes a unique new name that can be copyrighted and trademarked. And that was one of the concerns when we started doing this. If we did something like, I’m sure people have seen out there, like Acclaim, well, you can’t copyright the word acclaim because everybody has a claim and an interest in an English word. And so, that’s one of the reasons why we went with the unique spelling. So it’s Akylade, which is A-K-Y-L-A-D-E.com. And in this new company Akylade, we are focused on providing certifications for people in a very hands-on, technical, specific way. The first two certifications are actually coming out in May and June of 2023, and they are the Certified Cyber Resilience Foundations and the Certified Cyber Resilience Practitioner, or the CCRF and the CCRP.

Kip Boyle:
It’ll all be like honey dripping from our tongues eventually. Don’t worry. 

Jason Dion:
Yes. Well, I always struggle because I have so many different certifications I teach and some that end with the word essentials, some…

Kip Boyle:
I know. I remember we had that whole conversation about which should it be fundamentals, should it be whatever, there’s all these different choices, but anyway, we’ll get it.

Jason Dion:
Yes. So it is the fundamentals and the practitioner level exams, and the way this works is that the fundamentals are foundational level. It’s going to be a knowledge test. So it’s your typical A, B, C, D type questions, pretty direct. So if I asked you something about the NIST Cybersecurity Framework, I said, which of the five functions does this thing? You’d be able to tell me which of those five functions. And if you can read and study from the NIST Cybersecurity Framework publication or from Fire Doesn’t Innovate, which is Kip’s book, it covers it pretty well. We have a course on the NIST Cybersecurity Framework at Dion Training that we’ve done previously. Any of those will get you through that exam with no problem. And as long as you know how to use the cybersecurity framework, you’re going to do well on that.

The second one is what I’m really excited about, which is the practitioner level, and that’s where it really gets different. One of the biggest complaints I’ve heard about from people with the NIST Cybersecurity Framework, and I know we’ve talked about this in the podcast before, because we had a whole episode dedicated to the cybersecurity framework last year, is that it’s a framework. And a lot of people struggle with that because frameworks are very high level and they have all these best practices of what you should do, but that doesn’t always necessarily translate into what do you do on the job. And Kip’s company, Cyber Risk Opportunities has been working heavily with the cybersecurity framework for at least 5 to 10 years, and they’ve developed a thing called the CR-MAP process. Kip, do you want to talk a little bit about CR-MAP and how that works? As I catch you with the coffee in your mouth.

Kip Boyle:
Oh, I should have heard you wind up your pitch, that was my problem. So a CR-MAP, that’s an acronym. It stands for a Cyber Risk Management Action Plan. And we created this whole idea of a CR-MAP because we were working with chief financial officers at mid-size companies. So these are companies that are concerned about cyber risk, but they don’t have a chief information security officer. They’re not big enough to have that person in a leadership role. They’re often not even big enough to have a dedicated cybersecurity analyst. So they don’t know what to do. Well, they’re very concerned about cyber risk and they’re taking more of a top-down approach rather than a bottom-up approach. So I would characterize a bottom-up approach as saying, “Hey, I’m going to go get the CIS Top 20 and I’m just going to implement that stuff.”

So it’s very low level down in the weeds. But these CFOs that we were working with, they wanted to do something that was top down. They wanted to do something that was more recognizing cyber as a material business risk, and they wanted to include people in process and technology and management. So those were their requirements. Well, we built this to their specification and we based it on this cybersecurity framework because we just felt that, that was a good matchup for what these customers were looking for. They were concerned about cyber resilience, not just risk management, but that they would be resilient in the face of cyber attacks and so forth. So anyway, so we created this thing called the Cyber Risk Management Action Plan. We based it on this CSF, and we’ve been delivering these things now for, as you said, between 5 and 10 years, I’d say somewhere around the 7-year mark.

And I’m not just saying we’ve done this for fun, people have paid us. This is a real business to business service that we perform for lots of people. I can’t give you my customer list, but if I did, you would recognize some of the names on there are very high profile, very well known names around the world. And so, we’ve made some adjustments as we went along. We’ve got to the point now where we are highly confident that this is a great way to make the new cybersecurity framework come alive because boy, we’ve sure heard a lot of people struggling with it like you said. So we’re going to bake this into the certification. It’s already in a book that I published. It’s already in a LinkedIn learning course that I’ve published. It’s already in the Udemy course that we’ve published. So this is a very seasoned approach and we think it makes a great basis for doing our practitioner certification.

Jason Dion:
And that really becomes the difference between the fundamentals or foundation level and the practitioner level: when you get to the practitioner level, we are going to be testing you on your ability to make decisions like a cybersecurity consultant would using the CR-MAP process. So you’re going to learn this whole process, which is a really easy-to-use process that you can put into place in your own cybersecurity consulting business. And like Kip said, this is something that his company’s been using for years. And now we’re working on making this into an open-source framework so people can use it, understand it, and use it in their own businesses. And that’s really where the value of this comes in. And the other thing that we’re doing is we’re working a lot with HR managers because Kip and I are previous HR folks and hiring managers, and we know that when it comes to certifications, if HR is not asking for it, you probably don’t care as somebody who’s going to be spending their own money on it.

And so, we want to make sure that this is something that gets into the common vernacular, that people are asking for this, because I’ve heard a lot when I talk to other CIOs, CEOs, COOs, that, “Hey, I have no way to test if somebody knows this in this cybersecurity framework stuff because there is no certification for it yet.” And so, that was why we started there with Akylade as the first thing we’re doing. The next one we’re going to be looking at is the Risk Management Framework, which again, focuses more on government contractors, and then we are looking at doing things in the generic risk management world and then into the ITSM or IT service management world. And so, that’s kind of the roadmap as we’re developing this, right? But the first two that are coming out are right now coming out in May and June of 2023, and that is the CCRF and CCRP, which is that fundamental foundational level and practitioner level for cyber resiliency, which is all tied back to the NIST Cybersecurity Framework.

So all that being said, we’re really excited about it. It’s been an incredibly interesting process as we’ve gone through to build out this certification company. And another thing I would tell you is one of the things that is in Derek’s, my, and Kip’s hearts is we don’t like that a lot of certification companies have been a for-profit business and they kind of take advantage of that and take advantage of their learners. I’ve seen a lot of companies that have gone from very inexpensive to very expensive over the years. For instance, when I took my first CEH, it was like $300. Nowadays, I think it’s $1,000 to $1,200, and it’s only been about 10 years since then. Nothing should go up four times as much in 10 years, that just is crazy to me. I teach things like ITIL, and they’ve gone from $150 or $175 up to almost $700 for a foundational level certification.

And to me, I don’t think that’s fair to students who are trying to break into the industry because now it becomes cost prohibitive. And Kip and I have been working for years to try to lower the bar and get people past those hiring gates. We didn’t want to become another hiring gate by saying, okay, you have to get the certification now, and by the way, it’s $1,000. Well, the prices that we’re looking at, we’re talking $100 to $200 depending on if you’re at the foundational or the practitioner level. So it’s very affordable, very reasonable, and everybody can get into this. And unfortunately, we do have to charge for it because we have to write the questions, we have to pay the experts, too, who wrote the exams and created the domains and the objectives and the key task areas and all that kind of stuff.

And going through that process of bringing in 50 experts from around the world takes time, takes money. And so, our goal is to do this as a very low margin to no margin business to be able to help as many people as possible get into this world and learn valuable skills and not just be a paper certificate person. We want you to actually be able to go out and do the job. And so, that’s why we put the CR-MAP process with the practitioner in place. So we’re excited about it. We think you are going to be too. And if you want to learn more, you can go check out akylade.com to learn more about the new certification brand and which certifications are currently available and which ones are coming soon. And we’ll keep that updated there as well and keep you guys informed on the podcast. So that’s kind of my intro on Akylade.

Kip Boyle:
That’s great. Thanks, Jason. And I just want to give a quick shout out to the subscribers to my Inflection Point. Now, for those of you who listen to this podcast, I write a mentor note to subscribers, goes out every other week. Well, what you may or may not know is that I have a completely different email list and I write a completely separate note that goes out every other week, and it’s called Inflection Point. And it’s meant for people who are already practicing cybersecurity and they’re well-established in their careers, and that’s who that’s meant for.

Well, I put out a call for help on that list for people to come and help write questions for the first certification exam. And my goodness, we got a tremendous response and we had allocated two weeks to write the questions and we were done in eight days. I mean, people just came and crushed it. And I want to just thank them for that. So let’s get on with the content of the show here. We are here to talk about the first of what will ultimately be a series of 10 episodes on something called the Security Design Principles that were first published by Saltzer and Schroeder. Today, we’re going to talk about least privilege. And Jason, you teach this all the time. All right, as a concept, what is least privilege to you?

Jason Dion:
Yeah, so least privilege, it’s one of those things that I love the definition because it’s so much just tied to the name. The concept of least privilege is giving somebody the minimal things they need to do their job. So for example, if I was going to say, “Kip, I want to come work at Dion Training as an instructor.” I’m going to have to give you access to our share drive. I’m going to have to give you access to email, but I don’t necessarily have to give you access to every file on my share drive. Instead, I would just give you access to the instructor folder and keep you out of my financial folder. Or in the case of Akylade, we were writing a bunch of exams. And so, one of the things we have to do is once somebody submits a question, they should never be able to see that question again, and they shouldn’t be able to export it from the system either, because we don’t want those questions making their way onto the open internet because that invalidates the quality of the exam.

And so we put permissions in place so that there are very few people, in fact, there’s only two people who can look at the entire question bank. And those two people can only look at it if they’re together and they both log in because we have a dual control aspect to this as well. But the idea is with least privilege, you could submit things but you couldn’t read those. Or you could read somebody else’s question, but you couldn’t read everybody else’s questions, only the ones assigned to you. And so, when I think about least privilege, it’s always about giving somebody just enough to do what they need to do and no more. And the biggest flaw to least privilege I always see is people just go, “Oh, here’s an admin account,” or “Here’s the permissions the last guy had.” And you just took over Kip’s job, everything Kip had we gave to you.

Well, that works great for probably 80%, but there’s probably things you were doing that I’m not doing. For instance, if we tried to mimic every instructor at Dion Training after Jason, they would have way too many permissions because Jason is also the CEO and is dealing with financials and hiring and firing and HR stuff and all the other stuff in the company. So I have access to everything, but an instructor only needs instructor stuff.

Kip Boyle:
Exactly.

Jason Dion:
And so, that’s the long answer to a short question, but when we talk about least privilege, it’s the least amount of something to do your job.

Kip Boyle:
Absolutely. And we see least privilege all over the place, not just in computers. So I don’t know if anybody’s ever experienced having a valet key. Well, I drove a lot of cars over my life. I actually don’t even own a car right now, which is a crazy new experience for me. Ever since I was 15 and a half years old, 16 years old, I owned a car. But listen, I don’t know how often this comes around these days, but used to be that when you bought a car, you got a separate key, what’s called the valet key. And all it could do was it could let somebody park your car, that’s it. So it wouldn’t let you open up a trunk. It wouldn’t let you… Let’s see, what else could it do? It does, maybe the gas cap was behind a key or something like that.

And so, the valet key had a reduced set of privileges or capabilities. And so, if I was going to go to a restaurant and let somebody park my car, if I handed them the valet key, then I know anything in the glove box, anything in the trunk, they can’t get to it because it’s locked and that key doesn’t open it. But I have a master key and that master key opens up everything. And same thing with a building, so we’ve got cards that let us into rooms we need to be in, and there’s somebody out there, a locksmith, building manager or something, and they have a key and they can go anywhere that they want. And we don’t want to give everybody master keys. Anyway, even in the real world, we still see least privilege.

Jason Dion:
Yeah, I think it’s interesting you brought up the valet key because on a lot of the newer cars, because they have computers in them, they actually take this a step further. So you’ve been in my car before, Kip. I have a Tesla, I drive a Tesla Model Y, and it has a valet mode. And so if I’m dropping off my car to a valet, I can hit the button and it’ll actually lock the car down so the car can’t go faster than, I think it’s 25 miles an hour. They can go around the parking lot, but they can’t go on a joyride. It locks down things like the trunk and the glove box, so they can’t access it. It locks down my history of my navigation so they can’t go, “Oh, what’s your home address? So I can go there.”

Kip Boyle:
Wow.

Jason Dion:
Because my car has my garage door opener already built into it. And so, if they just took my car to my house, it’ll open my garage. They could steal everything from my house.

Kip Boyle:
That’s perfect.

Jason Dion:
They’ve locked all this stuff down with this valet mode. And so, it’s an electronic mechanism of the old key that you used to have for the valet key.

Kip Boyle:
That’s perfect.

Jason Dion:
There’s a lot of new cars that do that kind of stuff too. So it gives that same idea of least privilege. What does a valet need to do? They need to drive slowly and go to a parking spot. They don’t need to go 50 miles an hour down the highway. And so, this prevents that type of capability too.

Kip Boyle:
Somebody must have watched Ferris Bueller’s Day Off over at the Tesla factory. Do you remember?

Jason Dion:
Yes.

Kip Boyle:
The scene where they parked the Ferrari in a garage and these two guys take it on a joyride. And that’s just not possible with valet mode on a Tesla, is it?

Jason Dion:
Nope. Exactly. They can go as fast as they want up to 25 miles an hour.

Kip Boyle:
A slow speed cop chase, that’d be kind of funny. Well, so let’s take a moment and explore, if least privilege is such a cool thing, then why doesn’t everybody do it? And I think the answer to that is because it can be a hassle. It’s going to cost you a little bit more to figure out what exactly does Kip need and not need. It’s way faster and easier just to say, “Hey, Kip’s a new guy, let’s just give him an account that’s the same as Jason.” Because we know Jason can get to everything that Kip needs to get to. And we just sort of rationalize in our head, oh, Kip’s a good guy. He won’t go and look in the HR files. He won’t go look at the financial forecast, he’ll stay in his lane and everything will be great.

Jason Dion:
I don’t feel skip for that. Nope, not going to happen.

Kip Boyle:
So I actually worked in an insurance company. I was the chief information security officer there for seven years. One of the things that I found out as I was learning how we did business is that there was such a customer service orientation that everybody who had a business justification to be in the core processing system, which is to say the computer that ran all the policies, if you were able to get in there at all, you had access to everything. And that even included like glass shops where you had technicians who weren’t even employees of our company, but they could get into our database and see everything. And I remember asking the director of customer service, I’m like, “This really is making me tweak here.” I’m like, “I’m getting tweaky just sitting here thinking about it. Why do you do this?”

And they said, “Well, we know it’s a little bit of a risk, but we want to make sure that if any customer ever walks up to anybody that represents our company, if they want help, we want to make sure they can get it. We never want them to have the experience of, I’m sorry, sir, I’m sorry, ma’am, I can’t help you because I just worked on glass claims and you’re asking me a question about something that doesn’t have anything to do with glass. I’m sorry, here’s the phone number.” And they just never wanted anybody to experience that kind of friction. It was just built into the business model. And ultimately, I had to be okay with that. I had to realize that, that was just the way that this company did business. They knew it was risky, but they were going to accept that risk because they knew over the years of experience that the upside was that people loved them and people wouldn’t take advantage of them.

And there was more revenue to be earned by having that approach than there was losses to absorb by having that approach. So even though least privilege is a great idea, in no way are we suggesting that it’s the only way you should do things, that you can’t do things any other way, that there’s never a good reason to do it. If you’re going to work in cybersecurity, you’ve got to be savvy enough to see multiple shades of gray. If you walk around with one bit of color, everything’s black or it’s white, I don’t think you’re going to do really well.

Jason Dion:
This is one of the things I always go into in my security courses, and I just put out a new course called Security Essentials recently, and we talked about this in there too, but it’s operations versus security. And always this challenge where the more security you add, most of the time you get less or lower operations. So as you said, if I say, “Hey, you can only look at glass claims, you can’t look at body damage claims,” more security. But that means now I have to have two people, one that can do body claims and one that can do glass claims, and that’s worse for my customer experience. And so, it’s lower operations. Conversely, there’s a lot of other things we can do where we say, “Okay, we’re going to give more operations by not using least privilege, but now we have much lower security.” And so, there’s this change that happens and it is a seesaw effect where a lot of times they are inversely proportional to each other. There are some things that do work for both, but in most cases they don’t. And we just see this tension between security and operations.

And I could tell you, having been an IT and security guy for 20, 25 years, when I was working in a very operational environment, the operators hated it because they were like, “Wait, you want to take away our ability to do this, this, and this?” I’m like, “Yeah, because those things are really dangerous.” And there’s some things we had to figure out. What were the workarounds and what would we allow you to do that made sense for operations and come to a compromise? And like Kip said, if you’re just black and white, it’s all security or all operations. You’re never going to find a place that works for your company. And so, you have to figure out where on that sliding scale can you bend on security to get more operations? And where can you give us some operations to get better security and where that trade off has to happen?

Kip Boyle:
What I’d loved about least privilege in that context, that scenario that I told you about, was that it gave me a vocabulary. It allowed me to even have the conversation about, “Hey, shouldn’t these people have least privilege.” “Well, what’s that mumbo jumbo, Kip?” “Oh, well, let me tell you what least privilege means. So let me tell you why it’s a good thing.” And then they said, “Oh, okay, now we understand what you’re saying. Okay, well, here’s why we don’t do it that way.” So we were able to have a very productive conversation, and there’s some tension, but I would call it a healthy tension rather than a destructive tension because you can have either one.

You can have tension where you’re fighting and you’re ruining your working relationships with people, or you can have a healthy tension where you come together and you sort of challenge each other, but you’re on the same team. So we’re working on the same problem here. We’re just taking different perspectives to it. And I have found that I get a lot more respect from the operations people when I approach these issues with curiosity and an ability to actually talk about them using ordinary business language. That’s another great thing about these security design principles.

Jason Dion:
Yeah, definitely. And the other thing that I think about when I think about least privilege is how does this affect us as daily users? So if you’re sitting at home and you’re using your own personal laptop or your own personal desktop, how are you logging in each day? Are you logging in as an administrator or a root user, or are you logging in as Jason? And I can tell you on my system, I have two accounts. I have Jason and jason.admin or something like that. And so on a daily basis, I’m logging in as Jason, but if I need to install a program, configure a printer or something like that, then I’ll switch over to the admin account or run as admin and then do those functions. And by doing that, I’m still implementing least privilege.

I see a lot of people where they just create one account and it’s an admin account, and that’s all they do, and they use it completely. But the problem with that is if you click on malware, well, you just installed it as an admin. If you fall for a phishing scam or a keylogger, now they’re getting your admin password and they take over your entire machine. Whereas if you’re doing a least privilege and you’re using a Jason regular user account, in that case, we can just go into our admin account and delete that old account block in admin block. So I’m always a big fan of use a regular user account and then elevate when you need to and operate as much as you can at the user level and only go to admin when you need admin rights.

And this is the thing I’ve seen in industry and in my organizations that have always just, it’s one of the biggest things I yell at my technicians about, and I’m not a big yeller, but it’s one of the things I’m always like, “Hey guys, you really need to do this.” Because they’ll have an admin account, a regular account, and they’ll go and use their domain admin to log into their workstation to go edit a Word document or go online. I’m like, “No, don’t do that. Go use your regular account and then elevate when we need to do admin permissions.”

Kip Boyle:
Yeah, exactly. So this whole idea of least privilege is not just something you do at work, it’s something that’s going to keep you safe at home. And if you have significant others or kids or anybody in your family, a roommate, whatever, and they’re using a computer, you really need to help them with this because I don’t think you probably want to scrub viruses off computers at night after you come home from work. So keep them in a good place and help them realize that this idea of least privilege is actually a very personal thing, is actually going to help them stay clean on their computer. I talk about cyber hygiene all the time, about having good cyber hygiene and what it means and how you want to keep those digital cooties off your computer.

And so, Jason, thank you for bringing that up because I think that is a wonderful example of having good cyber hygiene and just as much as doing things to protect yourselves, washing hands right after you’ve used the restroom or whatever. And it’s not just for you, but it’s for other people too. You want to keep other people from getting germs and getting sick. Anyway, so that’s least privilege, and I don’t think I have anything else I want to say about it right now, but what do you think? Anything else?

Jason Dion:
Yeah. There’s one other area I want to talk about real quick with least privilege. And a lot of the examples we gave were talking about a user doing something, right? Logging in as a local user versus an admin, giving somebody a valet key versus a regular key, that kind of stuff. But it’s not just users, it’s programs too. So we do a lot of software development for internal systems here at Dion Training. And one of the things that we impress upon our developers all the time is that your functions should only do a minimal amount of things with the least permission. So what I mean by that is we talked about CRUD functions, which are our create, read, update, and delete functions into a database. If I am giving a student access to my exam database system, they should only be able to read things. They should not be able to write or update or delete things.

But if I give it to one of my authors, then they can create things and they can update things, but they can’t delete things. And then if I give it to somebody who’s an instructor, they can do everything. And so, it depends on the person’s permission and the system and its function, so if it’s in a testing mode, there is no updating or deleting or creating, there’s only reading. If you are in an editor mode, then you’re doing those editing functions. And so, those programs can operate differently based on the functions you’re doing. And so, it’s not necessarily tied just to your role as an instructor, student, person, whatever, but it’s also the function of what you’re trying to accomplish. And so, keep those things in mind because allowing those predefined operations with reading and writing or updating and deleting, all those things are important. And you have to know who can do it and at what point.

For instance, we go to my website, diontraining.com or yourcyberpath.com, you as a listener of this podcast, can read from that site, but you can’t edit it, you can’t modify it, you can’t delete it. Now if Kip and I log in, we can go there and change anything we want because we have access to the front page and we can change it from Your Cyber Path to Your Cyber Path 2 if we wanted to, but you can’t as a reader. And so, that’s a different level of permission as well. And keeping those things in mind as you’re working with these permissions is really important too.

Kip Boyle:
Yeah, thank you for mentioning that. I just realized as you were talking, I’m like, oh yeah, we didn’t talk about that. And there’s one thing in particular that I now realize I do need to share before we wrap up this episode, which is I’ve been doing a lot of work helping companies get cyber insurance lately. And the applications to get a cyber insurance policy are getting longer and stranger and more crazy as time goes on. But one of the things that has come up recently is this idea of service accounts in Windows Active Directory and the fact that the insurance companies are saying, “Hey, we don’t want any service accounts in the domain admin group at all, not even one.”

And so, they’re telling people, you either need to get rid of that because those accounts are over-permissioned, or we’re not going to write a policy for you, or we’re going to double your premium. And I’m not kidding, I worked with a company recently where they had about a dozen service accounts in their domain admin group, and the insurance company said, “If you leave them in, we’re going to charge you $800,000 for this policy. If you take them out, we’ll only charge you $400,000 for this policy.” And the IT people were like, “Okay, we’ll take them out.”

Jason Dion:
And that just goes to show you that, as penetration testers or cybersecurity analysts, we need to be aware of those service accounts because as a pen tester, we’re going to take advantage of them. It’s one of the most common ways to get in. And as an analyst, we need to go, oh, I want to get rid of those. Boy, I want to highly monitor those because I know attackers are going for this.

Kip Boyle:
And that’s exactly what the insurance companies figured out. They looked at all the things for the past few years. I know, because I called the underwriter up and I said, “Why are you hassling them over service accounts in the domain admin group?” And he said, “Because that’s how almost every ransomware is deployed, is through the exploitation of a privileged account, and they’re almost always these service accounts that nobody knows anything’s going on with.” So it ended up being a really material thing and hey, least privilege to the rescue.

Jason Dion:
Yep, exactly. So with that being said, I want to thank everybody again for listening to another episode of Your Cyber Path. Join us again next time. As we’ve been saying, we’ve been going through the series. We’re doing an episode of the Software Development Principles, and then we are going back to a regular episode, so next week will be a regular episode. Then we’ll come back to lesson number two in this series the next time we do that. That being said, I do recommend you go over to yourcyberpath.com. From there, you can check out show notes for every episode. This one is episode 96, so if you go to yourcyberpath.com/96, you’ll see links to everything we talked about today as well as some show notes and a quick summary of the episode.

In addition to that, on the front page of Your Cyber Path, you can sign up for Kip’s Mentor Notes. This will allow you to get an email from Kip at least twice a month with great information about all sorts of things around the cyber industry, whether that’s about hiring, firing, negotiations, resumes, interviews, etc., or about some kind of cool topic like Google Bard that just came out or ChatGPT or how AI is taking over and how that’s going to affect you as a cybersecurity analyst. All those kinds of things are things we talk about in the Mentor Notes, so you can sign up for those at yourcyberpath.com. Other than that, I want to thank you again for being here, and we’ll see you next time.

Kip Boyle:
See you next time everybody.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
