SMB Cybersecurity Series: Making and Standardizing Unique IDs

What’s in a Name?

In a previous blog, I touched on the importance of Cyber Hygiene for small and medium size businesses (SMB), and I’ve been writing a number of blogs on this theme. Now, I’d like to delve deeper into making unique IDs for your employees, systems, and processes.

Be Able to Identify your Users!

Being able to identify properties associated with the user will help you understand what and how big the risks are. I would suggest you come up with a convention for user names that indicates some of the following:

  • User First Name and Last Name,
  • If the account is for a service, make sure the service is identifiable in the name,
  • If the user is a third party, make sure you indicate this – use a code like ‘con’, or ‘vdr’ to indicate contractor or vendors,
  • The business unit to which the user is assigned,
  • A code for location if you have multiple offices, it will help identify a user in each office, and
  • A code for nationality, if you are working with contractors, or citizens of other nations, it may not be desirable, against regulations, or illegal to transfer certain data to them – add a country code to the mix.

You may want to include more of these fields in your user IDs if the access with which it is associated is of higher risk.

Machines are People Too!

It’s not just your human users that need access to your systems. In many cases, machines also have interactions with one another. Just like humans, it’s important you can identify your systems or their processes by their ID.  Typically, you will have known systems or processes that exercise the same accesses over and over again, but in the few cases when a process kicks off, and no one knows what it is or what it’s doing, things can get kind of scary. Developing standardized user IDs for your systems and their processes can alleviate fear, uncertainty, and doubt when reviewing access logs or receiving access alerts. In many cases, you will not be able to rename processes or reconfigure the method and ID under which they execute, however, in cases where you can, I suggest you follow the following guidelines when creating IDs:

  • Make your processes IDs meaningful, machine names should be as understandable as human names,
  • Make sure you include the function of the process in the ID so you know what it’s doing in your ecosystem,
  • Give it a location, boundaries may be logical particularly in the world of virtualization and cloud, and
  • Make sure you can also tell what type of thing it is (i.e software, virtual machine, database).

Even for instances where you can’t label a machine or process, it is probably a good idea to track this information in a separate table. In dynamic environments, where machines and services may be ephemeral, spinning up and down and living for only the time it takes to do their job, it is advisable to maintain familiarity with the logically assigned naming conventions of the services and hosts. It can be tough to ensure that machines and services follow a naming convention when spinning up.

Standardize it All!

Make sure you standardize as best you can where each segment of data goes in a user ID. For instance, a user ID standard of Firstname.Lastname.BusinessUnit.OfficeLoactions may look something like Jill.Smith.Infosec.DesMoines.

In many directory services, user IDs are truncated, in which case you may consider coming up with 2 digit codes to make IDs shorter like Jill.Smith.IS.DM.

In general, I like to follow these guidelines when setting up an ID standard:

  • Try not to use special characters,
  • Try not to use products or vendor names in your naming conventions, as some products and vendors can change,
  • Have requirements for uniqueness, and add a field or convention so you can identify similar functions, services, machines, or names from one another, and
  • If you make a change in your standard, make a complete change to all IDs. Be consistent!

I strongly believe that having accounts that you can identify makes life easier, particularly in the event of an incident. Following some of these guidelines should put you in a good position to identify threats easier, identify what your users are up to, and help streamline system engineering and design efforts.

In future blogs, I will elaborate on how to secure the accounts that go along with these IDs so stay tuned.

 

KEVIN FORD

CISO OF CYBERGRX

 

 

Leave a Reply