AWS enforces 100% MFA | The 'security theatre' - presenting security metrics
#191 - All AWS root users now have MFA enabled | What cybersecurity presents to the board and what it should!
100% of AWS root users now have to use MFA
A lesson for the chasers of the latest AI-enabled, new-fangled security tool. First, get your basics right.
AWS has now enforced MFA on 100% of its root users. Mind you, root users only.
Something about this piece of news hit hard. My little brain did not register it when I read about Snowflake last year (the 2024 breach of Snowflake customer accounts that did not have MFA enabled). This post by The Register made it register big time (bad pun unintended).
While the post is meant to shower accolades on AWS, what registered for me was -
“Wait… what? Wait… what? They had not yet enforced MFA? Wait… what?”
But I was judging too soon.
The Center for Internet Security (CIS) has published its list of top 18 controls (updated from the top 20) for more than a decade. The first two controls are Inventory and Control of Enterprise Assets, and Inventory and Control of Software Assets.
Most large enterprises fail to achieve 100% of this. If you can achieve it, you could get by with a limited set of security tools.
Enterprise security is achieved by laboriously implementing the basic controls, even when you know that your environment is constantly changing and the goalpost keeps shifting.
The day we celebrate the engineer who achieved 100% up-to-date patching as much as we celebrate the red teamer who could find that one unpatched system, we will have achieved cybersecurity Nirvana.
Take Action:
Cybersecurity Professionals 🕵🏼♀️ - Go back to basics and first principles. Whenever you get enamored by the latest shiny AI enabled tool, ask if it helps with the basics.
Cybersecurity Consultants and auditors 👤 - It's a tough job not suggesting new controls every time you assess or consult an organization, but stick to the basics. See what can help achieve all the basic requirements.
And finally, hats off to AWS for enforcing MFA - at least for all root users.
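If "root MFA enforced" is the basic you want to verify for yourself rather than take on trust, the IAM credential report is where to look. The following is an added example, not code from the newsletter or from AWS: a small Python check that reads a credential report (the real source is `aws iam get-credential-report`, which returns the CSV base64-encoded in its Content field), confirms the root row shows MFA active, and lists console users who still lack MFA. The report text below is constructed sample data in the credential-report column layout; the account number and user names are made up.

```python
"""Check an IAM credential report for the MFA basics.

Added example, not from the newsletter. The CSV in SAMPLE_REPORT is
constructed to look like the output of
  aws iam get-credential-report --query Content --output text | base64 --decode
No AWS call is made here; pass a saved report as argv[1] to check a real one.
"""
import csv
import io
import sys

ROOT_USER = "<root_account>"  # literal user name IAM uses for the root row

# Constructed sample: root with MFA, alice with MFA, bob without, and an
# access-key-only service user (account id and names are fictitious).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2025-01-10T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-05T12:00:00+00:00,true,2025-01-09T08:00:00+00:00,2024-12-01T00:00:00+00:00,2025-03-01T00:00:00+00:00,true,true,2024-11-15T00:00:00+00:00,2025-01-08T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-20T12:00:00+00:00,true,2025-01-05T08:00:00+00:00,2024-06-20T00:00:00+00:00,2024-09-18T00:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2023-01-01T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-10-01T00:00:00+00:00,2025-01-09T00:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_credential_report(text):
    """Parse credential-report CSV text into one dict per identity, keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def is_console_user(row):
    """Root always has a console password (the report says 'not_supported'
    for password_enabled on the root row); IAM users only if password_enabled is true."""
    return row["user"] == ROOT_USER or row["password_enabled"] == "true"


def root_mfa_enabled(rows):
    """True only if the root row is present and reports mfa_active=true.
    A report with no root row is treated as a failed check, not a pass."""
    for row in rows:
        if row["user"] == ROOT_USER:
            return row["mfa_active"] == "true"
    return False


def console_users_without_mfa(rows):
    """Identities that can log in to the console but have no MFA device, root included."""
    return sorted(r["user"] for r in rows
                  if is_console_user(r) and r["mfa_active"] != "true")


def summarize(rows):
    """Counts a board could actually act on, rather than a bare 'MFA coverage' number.
    Access-key-only users are listed separately: MFA does not apply to them the
    same way, and they are the place where leaked keys bite."""
    console = [r for r in rows if is_console_user(r)]
    key_only = sorted(r["user"] for r in rows
                      if not is_console_user(r)
                      and (r["access_key_1_active"] == "true"
                           or r["access_key_2_active"] == "true"))
    return {
        "root_mfa": root_mfa_enabled(rows),
        "console_users": len(console),
        "console_users_with_mfa": sum(1 for r in console if r["mfa_active"] == "true"),
        "console_users_without_mfa": console_users_without_mfa(rows),
        "access_key_only_users": key_only,
    }


if __name__ == "__main__":
    # Use a saved report if given, otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    summary = summarize(parse_credential_report(text))
    for key, value in summary.items():
        print(f"{key}: {value}")
    # Non-zero exit so the check can gate a pipeline or a nightly job.
    failed = not summary["root_mfa"] or summary["console_users_without_mfa"]
    sys.exit(1 if failed else 0)
```

Run against the sample the script reports root MFA on, two of three console identities covered, `bob` as the one to chase, and `svc-deploy` as an access-key-only identity to review separately. The point of `summarize` over a single percentage is the same one the second half of this issue makes: name who is exposed and why, not just how close the number is to 100.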
What cybersecurity presents vs. what is the ‘on ground’ situation
Multiple factors lead to cybersecurity presenting a rather upbeat view of their organization.
In keeping with the theme of this issue, we continue sticking with the basics.
This post talks about the ‘security theatre’ - a show put up by cybersecurity to comfort the board that all is well in the cybersecurity world. A must read for all CISOs.
Gary Brickhouse (CISO of GuidePoint Security) says -
“There's a big difference between being compliant and being secure. When compliance becomes the end goal, that's when security theater thrives."
I have been through enough security theaters for this to ring true. It seems like cybersecurity (willingly or otherwise) presents a rosier-than-thou picture to the world.
Stick to the basics. Focus on the grunt work.
Take Action:
Cybersecurity Professionals 🕵🏼♀️ - Read this post. It’s about going back to the basics again. Present to the board the risks you are mitigating, how they are being mitigated, and what can still go wrong. Do not showcase a metric just because it shows a high level of compliance ("100% of users underwent security training" is a common metric that showcases compliance over effectiveness).
Also, remember - compliance and security go hand in hand, but the day you start focusing more on compliance is the day you start losing your grip on security
Amen to that