Thursday, July 23, 2020

Question Zero - Who can reset the CISO's password?


Today, I'm going to ask possibly the most simple and fundamental question one could possibly ask in all of cyber security.

Who can reset the CISO's password today?

From the Fortune 100 to every government agency in every country in the world, and at 85% of organizations worldwide that operate on Active Directory today, this is the #1 question that investors, customers and employees should be asking.

Here's why - Today cyber security undoubtedly plays a paramount role in corporate and national security, and even though organizations are collectively spending billions of dollars on cyber security, the truth is that most organizations still don't even have answers to the simplest and most fundamental of cyber security questions, and remain vastly vulnerable.

Just think - If $ Billion organizations don't even know who can reset the password of their CISO, how could they possibly know who can reset the passwords of the accounts of thousands of their employees, contractors and privileged users?

Oh, and if you don't know just how powerful a password reset is, just look at what happened in the massive Twitter breach.

You may get this response - "We don't worry about password resets because we have multi-factor authentication (MFA)."

No problem. Just ask - "Wonderful, do you know who can disable the use of MFA on your Active Directory account(s)?"
After all, where MFA is enforced by requiring a smart card, all it takes is clearing one bit on the user account (the "Smart card is required for interactive logon" flag in userAccountControl), after which authentication falls back to being password based.

I ain't kidding you - Today, most CISOs most likely will NOT be able to tell you EXACTLY who can reset their passwords, or disable the use of multi-factor authentication on their accounts, or for that matter, on any of their internal user accounts, or for that matter exactly who can create, delete and manage domain accounts, computers, groups etc. in their organization.

Let me repeat that - Today, the CISOs of most organizations in the world cannot answer this question with exactness.

Here's proof - Let alone their production foundational Active Directory deployments, here is a simple lab Active Directory deployment of a fictional organization with 1,000 accounts, 100 IT personnel, an executive team, and a CISO account.

All you have to do is ask them whether their IT teams even possess the capability to correctly determine and tell you exactly how many users can reset the password of the CISO in this lab Active Directory. If they can, great, insist that they determine it and tell you; but if they can't, be very concerned, because now you too know just how little these organizations know.
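As an added example (not the post's or Paramount Defenses' own code), here is how one would start answering that question for a given account in PowerShell. It walks the ACEs on the account's object for the "Reset Password" extended right and for write access to userAccountControl (the attribute whose smart-card-required bit was referred to above), and expands group trustees to their nested members. The account name ciso is an assumption. It is deliberately only an explicit-ACE enumeration; turning its output into an exact answer still requires effective-permissions analysis (Deny precedence, object ownership, the implicit rights of built-in operator groups, AdminSDHolder), which is precisely the gap the post is about.

```powershell
# Added example, not Paramount Defenses' or the post's own code.
# Lists every ACE on one user object that grants "Reset Password" or write
# access to userAccountControl, and expands group trustees to their members.
# Assumes RSAT's ActiveDirectory module and read access to the object's
# security descriptor. This is an explicit-ACE walk, not a full effective-
# permissions computation: it does not weigh Deny ACEs against Allows, and it
# ignores object ownership, the implicit rights of built-in operator groups,
# AdminSDHolder overwrites, and MFA enforced outside AD (e.g. a cloud MFA agent).
#Requires -Modules ActiveDirectory

function Get-AccountTakeoverGrantors {
    param(
        [Parameter(Mandatory)][string]$SamAccountName   # assumed account name, e.g. 'ciso'
    )

    $rootDse = Get-ADRootDSE
    $target  = Get-ADUser -Identity $SamAccountName
    $schema  = $rootDse.schemaNamingContext

    # Resolve the GUIDs at run time from this forest's own schema and extended
    # rights rather than hard-coding them.
    $resetRight = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid
    # userAccountControl carries the "Smart card is required for interactive logon"
    # flag (0x40000); clearing it is the "flip of a bit" that drops smart-card MFA.
    $uacAttr    = [guid](Get-ADObject -SearchBase $schema `
                    -LDAPFilter '(lDAPDisplayName=userAccountControl)' -Properties schemaIDGUID).schemaIDGUID
    $userClass  = [guid](Get-ADObject -SearchBase $schema `
                    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
    $any        = [guid]::Empty   # ObjectType of the empty GUID means "all rights / all properties"

    $GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $WriteProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $InheritOnly   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $acl = Get-Acl -Path "AD:\$($target.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        # Inherit-only ACEs sit on the object purely to propagate to children.
        if ($ace.PropagationFlags -band $InheritOnly) { continue }
        # An inherited ACE scoped to another object class does not apply to a user object.
        if ($ace.InheritedObjectType -ne $any -and $ace.InheritedObjectType -ne $userClass) { continue }

        $rights = $ace.ActiveDirectoryRights
        $full   = $rights.HasFlag($GenericAll)
        $reset  = $full -or ($rights.HasFlag($ExtendedRight) -and ($ace.ObjectType -eq $any -or $ace.ObjectType -eq $resetRight))
        $uac    = $full -or ($rights.HasFlag($WriteProperty) -and ($ace.ObjectType -eq $any -or $ace.ObjectType -eq $uacAttr))
        if (-not ($reset -or $uac)) { continue }

        # Expand a group trustee to its (nested) members; anything that is not a
        # group in AD (a user, SELF, Everyone, ...) is reported under its own name.
        $members = @($ace.IdentityReference.Value)
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $grp = Get-ADGroup -Identity $sid -ErrorAction Stop
            $members = @(Get-ADGroupMember -Identity $grp -Recursive | ForEach-Object SamAccountName)
        } catch { }

        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Access    = $ace.AccessControlType   # Allow or Deny: a Deny must be weighed against every Allow
            ResetPwd  = $reset
            WriteUAC  = $uac
            Inherited = $ace.IsInherited
            Members   = ($members | Sort-Object -Unique) -join ', '
        }
    }
}

# Usage:
# Get-AccountTakeoverGrantors -SamAccountName 'ciso' | Format-Table -AutoSize
```

Two things to watch in the output: a trustee that appears only through an inherited ACE was granted the right somewhere above the account in the OU tree, which is where a surprising grantor usually comes from; and an ACE on "SELF" or "Authenticated Users" with WriteUAC set is a finding on its own, since it lets every account in the domain clear the smart-card requirement on this one.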

Finally, ask yourself - would you invest in or trust an organization whose CISO cannot even answer such a basic question?

We're all in this together.

Best wishes,

Chairman and CEO,
Paramount Defenses

[Also a customer of and an investor in some of the world's largest financial institutions,
cloud computing companies, cyber security companies, airlines and other companies.]

PS: If you want to know the answer to that question, feel free to ask. i.e. feel free to first follow and then DM me on Twitter.

PS2: If you don't think exactness matters, ask yourself this - would you board a plane if I told you that the metal detector at the security checkpoint was not entirely accurate, so there's a good chance that someone onboard may have an explosive?

© 2006 - 2024 Paramount Defenses.
All Rights Reserved.