[cabf_netsec] Netsec Digest, Vol 33, Issue 5

Tim Crawford tcrawford at bdo.com
Fri Apr 17 12:25:04 MST 2020

I agree with your assessment. I think the very last point is important, and the reason I wanted to focus on "disable access" rather than "disable account".

I see a variety of situations where a critical element to access is removed and accounts and their privileged association are removed later. This is most frequent in offline environments, where physical access to the environment is removed upon termination of a trusted role and accounts are removed quarterly or annually.

-----Original Message-----
From: Netsec <netsec-bounces at cabforum.org> On Behalf Of netsec-request at cabforum.org
Sent: Thursday, April 16, 2020 2:00 PM
To: netsec at cabforum.org
Subject: Netsec Digest, Vol 33, Issue 5


Today's Topics:

   1. Accounts, Access and Credentials (Neil Dunbar)


Message: 1
Date: Thu, 16 Apr 2020 18:08:03 +0100
From: Neil Dunbar <ndunbar at trustcorsystems.com>
To: CABF Network Security List <netsec at cabforum.org>
Subject: [cabf_netsec] Accounts, Access and Credentials
Message-ID: <0c6242ec-e6ae-e3bc-e264-6d49a7e619cd at trustcorsystems.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"


So here's my (current) thinking on the ballot regarding system accounts/user accounts.

It seems that many operations have a centralised list of accounts which represents the maximum _potential_ set of different access identifiers to any given system (example: an enterprise-wide LDAP service, and each system is configured to use sssd as its system account database provider). What this means is that I, as a system administrator, could

getent passwd

and get a long list of alice, bob, charlie, dave ... Of whom only bob is actually supposed to be using the system. Now, most of those users will be assigned to groups, or roles, or some sort of privilege assignment.
It's that association of account -> privilege which defines the ability to use the system, not the existence of an account name per se.

So, when I hear the terms "account" and "credential", I tend to think of usernames and passwords, which are not /necessarily/ the things that I might want to see controlled. It's the association of privileges that I want to see demonstrably controlled.

So, when we talk about "deactivating" the account, it seems to me that what we want is for the privilege association between the account name and the host to be broken; we remove the username from the group "sensitive_host_users", or we take them out of "two_factor" roles (meaning that their credentials might still work, but are insufficient to access the sensitive host, etc.).

But I wonder if this is what others on the group are thinking?

Looking forward to talking this through,
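
[Added example, not part of the original messages: a sketch of the check the thread describes, separating the accounts a host can resolve from the accounts that actually hold the privilege association. The UIDs/GIDs, the "staff" group, the choice of departed users and all function names are constructed assumptions; the sample data stands in for real getent output.]

```shell
#!/bin/sh
# Constructed sample data in `getent passwd` / `getent group` format.
# On a real host: PASSWD=$(getent passwd); GROUP=$(getent group)
PASSWD='alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
charlie:x:1003:1003::/home/charlie:/bin/bash
dave:x:1004:2000::/home/dave:/bin/bash'
GROUP='sensitive_host_users:x:2000:bob,charlie
two_factor:x:2001:bob
staff:x:100:alice,bob,charlie,dave'

# Every account name the host can resolve (the "maximum potential set").
visible_accounts() {
    printf '%s\n' "$PASSWD" | cut -d: -f1
}

# members_of GROUP: accounts holding the privilege association, either via
# the group's member list or via a primary GID in passwd equal to its GID.
members_of() {
    { printf '%s\n' "$GROUP"; echo '--'; printf '%s\n' "$PASSWD"; } |
    awk -F: -v g="$1" '
        $0 == "--" { in_passwd = 1; next }
        !in_passwd && $1 == g {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }
        in_passwd && gid != "" && $4 == gid { print $1 }
    ' | sort -u
}

# still_privileged GROUP USER...: of the users whose access was meant to be
# disabled, print those that still hold the association.
still_privileged() {
    grp=$1; shift
    members=$(members_of "$grp")
    for u in "$@"; do
        printf '%s\n' "$members" | grep -Fxq -- "$u" && printf '%s\n' "$u"
    done
    return 0
}

echo "resolvable accounts: $(visible_accounts | tr '\n' ' ')"
echo "hold sensitive_host_users: $(members_of sensitive_host_users | tr '\n' ' ')"
echo "departed but still privileged: $(still_privileged sensitive_host_users alice charlie dave | tr '\n' ' ')"
```

[In the sample data dave is absent from the group's member list but still holds the association through his primary GID, which a check of the member list alone would miss.]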

