Ask for this first, when you join as a CISO
As a CISO, ensure that you ask for this one thing as soon as you join an organisation. It will increase your chances of securing the organisation.
No, it is not a bigger team, a corner office, or that new tool promising to remove all your infosec worries.
Get read-only access on all network devices in the company (switches, routers, firewall, etc.).
Not for yourself, but for your team.
Do I hear a ‘why’? Glad you asked.
The network is the nerve centre of a company. Access to the networking devices (switches, routers, network firewalls) will help the security team understand, among other things:
- Segmentation (how is the network divided? Do we have a DMZ? Is it empty? Are all servers in one part of the network, or sprinkled across town? etc.)
- VPN configurations (is the VPN configuration the same across all firewalls? Are there any users who are present on all firewalls? Do all VPN users have MAC binding, MFA, and integration with NAC? Are any VPN users exempted? etc.)
- Access control (TACACS, RADIUS, local accounts, password policies or the lack thereof, etc.)
- Traffic flow (allowed/denied): which part of the network can talk to every other part? Which part of the network is isolated?
- Network pathways associated with critical assets
- End of sale, end of service, etc.
The access will also help you answer some crucial questions:
- Has any new asset been added to the network?
- What are the network pathways open to your critical assets?
- Which ports are allowed on your critical assets?
- Is 2FA configured for the VPN?
- Is one user ID duplicated on multiple firewalls, and with the same configuration (e.g., 2FA)? etc.
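As an added illustration (not part of the post, and not any vendor's tooling), here is how a security team might turn read-only exports from several firewalls into the answers above: user IDs duplicated across firewalls with differing 2FA settings, VPN accounts exempt from MFA, and the ports and source ranges open to a critical asset. The export layout, firewall names, users and addresses are all constructed, normalised sample data; the loader that produces them from real devices is assumed and not shown.

```python
# Added example (not from the post): turn read-only firewall exports into the
# answers the post asks for. The export layout is a constructed, normalised
# structure, not any vendor's syntax; adapt the loader to your own devices.
from collections import defaultdict
from ipaddress import ip_address, ip_network

FIREWALLS = {  # constructed sample data, one entry per firewall
    "fw-hq": {"vpn_users": [{"name": "alice", "mfa": True}, {"name": "svc-backup", "mfa": False}],
              "rules": [{"src": "10.50.0.0/16", "dst": "10.10.1.5/32", "ports": [443], "action": "allow"},
                        {"src": "0.0.0.0/0", "dst": "10.10.1.5/32", "ports": [22], "action": "allow"}]},
    "fw-branch": {"vpn_users": [{"name": "alice", "mfa": False}, {"name": "bob", "mfa": True}],
                  "rules": [{"src": "192.168.5.0/24", "dst": "10.10.1.5/32", "ports": [3389], "action": "allow"},
                            {"src": "192.168.5.0/24", "dst": "10.10.1.5/32", "ports": [445], "action": "deny"}]},
}
CRITICAL_ASSETS = {"erp-db": "10.10.1.5"}  # constructed: asset name -> address


def duplicated_vpn_users(firewalls):
    """User IDs present on more than one firewall, with each firewall's MFA flag.
    Differing flags for one ID are the 'same ID, different configuration' case."""
    seen = defaultdict(dict)
    for fw, cfg in firewalls.items():
        for user in cfg["vpn_users"]:
            seen[user["name"]][fw] = user["mfa"]
    return {u: fws for u, fws in seen.items() if len(fws) > 1}


def vpn_users_without_mfa(firewalls):
    """(firewall, user) pairs where the VPN account is exempt from MFA."""
    return sorted((fw, u["name"]) for fw, cfg in firewalls.items()
                  for u in cfg["vpn_users"] if not u["mfa"])


def ports_open_to_assets(firewalls, assets):
    """Per critical asset: allowed ports and the source ranges that may reach them,
    across every firewall. Only 'allow' rules create a pathway; deny rules are skipped."""
    exposure = defaultdict(lambda: defaultdict(set))
    for cfg in firewalls.values():
        for rule in cfg["rules"]:
            if rule["action"] != "allow":
                continue
            dst = ip_network(rule["dst"])
            for name, addr in assets.items():
                if ip_address(addr) in dst:
                    for port in rule["ports"]:
                        exposure[name][port].add(rule["src"])
    return {a: {p: sorted(s) for p, s in ports.items()} for a, ports in exposure.items()}
```

With the sample data, the report shows "alice" defined on both firewalls with MFA on one and not the other, and port 22 on the ERP database reachable from any source, which is exactly the kind of finding a reader of the exports should be looking for.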
As a CISO, you must ask for this access.
Use all your goodwill, charm, and pull to get this access. It will pay good dividends.
However, a tool is only as good as the person wielding it. You will get administrators for the tool, but you will need someone who can identify security risks while going through the data the tool provides.
At the intersection of pentest, auditing, risk management and career advice. Musings based on real experiences, not theory. All infosec, mashed up.
Follow the Risky Context channel on WhatsApp (if WhatsApp is your thing. Your number is not shared with others when you connect to my channel): https://whatsapp.com/channel/0029VaDqrFU8aKvQohD5nq0r