Segments for Protection

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 715889

    Comments posted to this topic are about the item Segments for Protection

  • Robert Sterbal

    SSChampion

    Points: 10967

    For logins I'd like to see tools for the users to see if their account has been logged in recently and the locations of their logins.

    412-977-3526 call/text

  • Eric M Russell

    SSC Guru

    Points: 125020

    If your organization uses Azure Active Directory, then maybe it's visible to you somewhere in the portal. For personal Microsoft Live accounts, there is a Recent Activity feature where you can see device ID / location / datetime from where your login was used. These two types of account use the same platform but I think work differently, at least by default. Maybe ask your system administrator.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Robert Sterbal

    SSChampion

    Points: 10967

    My concern is more for the hundreds of accounts I rarely log into but have been created so I can access a feature or a benefit of an account.

    I'd also like to have read only credentials that I could use to access my accounts when I don't need to do transactions, i.e. look up a credit card balance or charge.

    412-977-3526 call/text

  • Eric M Russell

    SSC Guru

    Points: 125020

    In most places where I've worked, to access some of the more important production database servers, even as a sysadmin, it is required to login to an MFA-protected VPN and then RDP into a gateway server or VM. I never considered it an inconvenience. But it's good not only for security, it's also good from a disaster recovery perspective, because if I lose or forget my laptop, I can always login via VPN to the secure production gateway from any PC and have all the tools and connectivity required to get essential tasks done.

    Our work laptops, the surface area where all of our web browsing, email, and development occurs: we should consider these things as untrusted thin clients.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Robert Sterbal

    SSChampion

    Points: 10967

    MFA = Multi Factor Authentication?

    412-977-3526 call/text

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 715889

    MFA - Multi factor.

    Having read only access is good, but having a read only account is hard. Then I have doubled my attack area, as well as increased the demand on software developers to ensure features are checking for read access. I don't know that we'll get existing software enhanced unless a system is of high enough use that we worry about scale out. In that case, having a read intent specified in every action makes sense.

    That doesn't help security, as we often can still have access for read/write. In the case where accounts get compromised, having a second account, with perhaps a related password or the one compromised, means we still have issues. The bigger point is that most of the time we allow too much direct access to systems.

  • Robert Sterbal

    SSChampion

    Points: 10967

    It would also be nice if they could tell me when I create an account how long it will remain active.

    Should I be able to force a renewal annually?

    412-977-3526 call/text

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 715889

    Robert Sterbal wrote:

    It would also be nice if they could tell me when I create an account how long it will remain active. Should I be able to force a renewal annually?

    That is interesting. An expiration date. Really, what I'd like is a lock if some account isn't used in a long time. Let's say 200 days. If there is a login, then renew the account automatically. If it's in use, I wouldn't want any expiration.

    If it expires, just lock it. Never remove it.
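
The lock-on-inactivity policy sketched in the post above, written out as an added example (editor's code, not posted by any participant in this thread): accounts unused for 200 days are locked in place, a successful login before the deadline renews the clock, and nothing is ever deleted. The 200-day figure comes from the post; the account records are constructed sample data, and the `unlock` path (an administrator reinstating a locked account) is an assumption the post does not spell out.

```python
"""Dormant-account sweep: lock logins unused for N days, renew on login, never delete."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Threshold taken from the post: 200 days without a login locks the account.
DORMANCY_LIMIT = timedelta(days=200)


@dataclass
class Account:
    name: str
    created: datetime
    last_login: Optional[datetime] = None  # None: never logged in since creation
    locked: bool = False


def last_activity(acct: Account) -> datetime:
    """An account that has never logged in is measured from its creation date,
    so a 'created once to claim a benefit' login still ages out."""
    return acct.last_login or acct.created


def is_dormant(acct: Account, now: datetime, limit: timedelta = DORMANCY_LIMIT) -> bool:
    return now - last_activity(acct) > limit


def record_login(acct: Account, when: datetime) -> bool:
    """A successful login renews the account automatically.
    A locked account refuses the login instead of silently renewing."""
    if acct.locked:
        return False
    acct.last_login = when
    return True


def unlock(acct: Account, when: datetime) -> None:
    """Administrative reinstatement (assumed, not described in the post):
    clear the lock and restart the dormancy clock from now."""
    acct.locked = False
    acct.last_login = when


def sweep(accounts: List[Account], now: datetime,
          limit: timedelta = DORMANCY_LIMIT) -> List[str]:
    """Lock every dormant, not-yet-locked account in place and report which ones.
    Nothing is deleted: the principal, its audit trail and any ownership
    links survive, and the lock is reversible."""
    locked_now = []
    for acct in accounts:
        if not acct.locked and is_dormant(acct, now, limit):
            acct.locked = True
            locked_now.append(acct.name)
    return locked_now


def demo() -> dict:
    """Run the policy over constructed sample accounts and return the outcomes."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    accounts = [
        Account("active", created=now - timedelta(days=900), last_login=now - timedelta(days=3)),
        Account("dormant", created=now - timedelta(days=900), last_login=now - timedelta(days=250)),
        Account("never_used", created=now - timedelta(days=365)),
        Account("new", created=now - timedelta(days=10)),
        Account("renewed", created=now - timedelta(days=900), last_login=now - timedelta(days=199)),
    ]
    by_name = {a.name: a for a in accounts}

    # A login just before the sweep renews "renewed" and keeps it open.
    record_login(by_name["renewed"], now)
    locked = sweep(accounts, now)

    # Once locked, the account refuses login rather than being removed.
    login_after_lock = record_login(by_name["dormant"], now)

    return {
        "locked": locked,
        "login_after_lock": login_after_lock,
        "count": len(accounts),  # unchanged: the sweep locks, it never deletes
        "locked_flags": {a.name: a.locked for a in accounts},
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the sweep result for the sample data: the 250-day-idle account and the never-used one are locked, the recently used, newly created and just-renewed accounts are left alone, and the account count before and after the sweep is the same.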

  • Robert Sterbal-482516

    SSCrazy

    Points: 2785

    I have over 250 logins I track.

    I posted the list of sites here: https://sterbalssundrystudies.miraheze.org/wiki/Logins_I_track (the list was considered spam as part of my comment)

  • Eric M Russell

    SSC Guru

    Points: 125020

    It's probably not a good idea to post a list of all the websites where you have a login.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell

    SSC Guru

    Points: 125020

    Robert Sterbal wrote:

    It would also be nice if they could tell me when I create an account how long it will remain active. Should I be able to force a renewal annually?

    If a website leverages a 3rd party login provider like Microsoft or Google, then you get multi-factor authentication, centralized ID management, login history, etc. Maybe that's what you're asking for.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
