Cybersecurity Foundations – Access Control
OR Knock, Knock. Who’s There?
Access Control is more than permissions. Once you have completed a Risk Assessment and understand your Intellectual Property and its value, you must protect it. Like everything in business, proper Access Control begins with a written policy that explains who, what, when, where, how, and why individuals, contractors, or devices need certain levels of access. Here are the best practices required to keep your Intellectual Property secure.
Who? – Bob in Accounting needs access to sensitive financial data, but Terry in HR doesn’t. Creating groups based on job function (role-based access control) is the basic way to ensure only the necessary users can reach a given set of data. But not every asset, system, or file maps cleanly onto a department. Dave, for instance, needs financial information, but only for his own department. A complete, written matrix of who may do what to which resource ensures that only the necessary permissions are granted, regardless of the access control model you choose, and it is the document every new access request gets checked against.
What? – The Risk Assessment is the place to start in understanding which data, systems, and processes require access controls. Far too often, companies look only at digital files and computers, assign groups and users, and assume it’s all good. But what about the human resources, the people who carry the institutional knowledge? Protecting IT is great, but people need protection too, because an attacker who can’t get past your permissions will simply ask someone for the data. Recurring cybersecurity training reminds employees, contractors, and vendors that your information must be protected at all times and gives them the tools to recognize and refuse social engineering attempts.
When? – Working from home doesn’t always follow office hours. Still, not everyone needs access to files before 8 AM or after 5 PM. Attackers favor nights, weekends, and holidays, when fewer people are watching. Time-based permissions shrink the window in which a threat actor can reach data, and they stop a compromised account from being used when its owner is not expected to be online. Monitoring access during non-business hours is an excellent way to identify breach attempts, because at 3 AM almost every login deserves a second look.
The Three A’s – Who, What, and When are the primary aspects of Access Control, and the three A’s of Authentication, Authorization, and Accounting are the mechanism that enforces them: the user is validated, access is granted or refused, and every attempt is logged. Authentication confirms the user is who they say they are. Authorization confirms that the authenticated user holds the rights for the specific resource and action requested. Accounting logs the attempts, both failed and granted, so there is a record to investigate later.
Where? – The security monitoring system asks if you tried to log into your email from Malaysia while you are sitting in Atlanta. Nearly all Cloud-based systems can geolocate the source IP address of a login attempt, and many can geofence users who, in the normal course of their day, never leave a certain area. If attempts come in from Maine and you’re in Arizona, many systems can automatically block the attempt. IP geolocation is approximate (VPNs, mobile carriers, and cloud egress points all blur it), so pair a geofence with impossible-travel detection, which flags two logins on the same account from places too far apart to reach in the time between them, rather than relying on a country match alone.
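The Who, What, When, Where, and three-A’s sections above all describe one decision pipeline. The following is an added example, not code from the original article, that puts them together in Python: a permission matrix (role grants plus Dave’s per-user exception), a time window, a country geofence, PBKDF2 password verification with a constant-time compare, and an accounting log of every attempt. The users, passwords, resource names, and the 8-to-5 default window are constructed for the demo; a real deployment would take the matrix and windows from the written policy.

```python
import fnmatch
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, time as dtime

ITERATIONS = 100_000  # PBKDF2 work factor; raise it in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier with PBKDF2-HMAC-SHA256 (salt stored per user)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    salt: bytes
    pw_hash: bytes
    countries: frozenset                          # Where: the user's normal countries
    hours: tuple = (dtime(8, 0), dtime(17, 0))    # When: window in which access is expected


# Who/What: role grants (the group approach) plus per-user grants (the matrix
# entries groups cannot express). Resource names are matched as glob patterns.
ROLE_MATRIX = {
    "accounting": {"finance/*": {"read", "write"}},
    "hr":         {"hr/*": {"read", "write"}},
}
USER_MATRIX = {
    # Dave runs engineering: he may read his own department's figures and nothing else.
    "dave": {"finance/engineering": {"read"}},
}


def permitted(user: User, resource: str, action: str) -> bool:
    """Authorization: the union of the user's role grants and explicit user grants."""
    grants = [ROLE_MATRIX.get(r, {}) for r in user.roles] + [USER_MATRIX.get(user.name, {})]
    return any(action in actions
               for grant in grants
               for pattern, actions in grant.items()
               if fnmatch.fnmatchcase(resource, pattern))


class AccessControl:
    DUMMY_SALT = os.urandom(16)   # unknown-user path costs the same as a real check

    def __init__(self, users):
        self.users = {u.name: u for u in users}
        self.log = []             # Accounting: every attempt, granted or denied

    def request(self, name, password, resource, action, country, when: datetime) -> bool:
        user = self.users.get(name)
        # Authentication: derive the key and compare in constant time.
        candidate = hash_password(password, user.salt if user else self.DUMMY_SALT)
        if user is None or not hmac.compare_digest(candidate, user.pw_hash):
            return self._decide(name, resource, action, country, when, "denied: authentication failed")
        # When: outside the user's window even a valid login is refused.
        start, end = user.hours
        if not (start <= when.time() <= end):
            return self._decide(name, resource, action, country, when, "denied: outside permitted hours")
        # Where: geofence on the country the request came from.
        if country not in user.countries:
            return self._decide(name, resource, action, country, when, "denied: outside geofence")
        # Authorization against the permission matrix.
        if not permitted(user, resource, action):
            return self._decide(name, resource, action, country, when, "denied: not authorized")
        return self._decide(name, resource, action, country, when, "granted")

    def _decide(self, name, resource, action, country, when, outcome) -> bool:
        self.log.append({"user": name, "resource": resource, "action": action,
                         "country": country, "time": when.isoformat(), "outcome": outcome})
        return outcome == "granted"


def at(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamp on an arbitrary weekday, for the demo."""
    return datetime(2024, 3, 5, hour, minute)


def build_demo() -> AccessControl:
    """Constructed user directory with throwaway passwords (not real credentials)."""
    def make(name, roles, password, countries):
        salt = os.urandom(16)
        return User(name, frozenset(roles), salt, hash_password(password, salt), frozenset(countries))
    return AccessControl([
        make("bob",   {"accounting"}, "correct horse",    {"US"}),
        make("terry", {"hr"},         "battery staple",   {"US"}),
        make("dave",  set(),          "engineering-lead", {"US"}),
    ])


if __name__ == "__main__":
    ac = build_demo()
    print(ac.request("bob", "correct horse", "finance/ledger", "read", "US", at(12)))      # True
    print(ac.request("terry", "battery staple", "finance/ledger", "read", "US", at(12)))   # False: HR
    print(ac.request("dave", "engineering-lead", "finance/sales", "read", "US", at(12)))   # False: wrong dept
    print(ac.request("bob", "correct horse", "finance/ledger", "read", "US", at(2)))       # False: 2 AM
    print(ac.request("bob", "correct horse", "finance/ledger", "read", "MY", at(12)))      # False: geofence
    for event in ac.log:
        print(event)
```

Note the order of the checks: a bad password is refused before the time, place, or permission is even considered, and every outcome, including the denials, lands in the log with the same fields, which is what makes the after-hours review in the When section possible.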
Multi-Factor Authentication (MFA) – Requiring a second factor defeats most attacks that rely on a stolen, guessed, or reused password. Even if your password is “password,” MFA demands another proof of identity before the login succeeds (that is a safety net, not an excuse for a weak password). The second factor most commonly comes from an authentication app on your mobile device, from a one-time code sent by email or text, or from a phone call to a predefined number. App-generated codes and hardware keys are stronger than codes sent by SMS or email, which can be intercepted or phished. Every major Cloud provider and most on-premises authentication systems support MFA. If you haven’t enabled it, DO IT NOW! Or wait until you finish the article.
How? – How you implement Access Control is determined by the value of your Intellectual Property (from your Risk Assessment) and the systems already in use. Yes, you can deploy network access control, a centralized authentication server (802.1X, for example) that keeps unauthorized devices off the network even when they are physically plugged in. You can implement biometrics and advanced key cards. You can require a person to recognize you before access is granted. But all of these involve costs, and you can’t spend $10 Million to protect $1 Million in assets. Use the controls natively available in your operating systems and Cloud applications first; most of what this article describes (groups, permissions, time and location rules, MFA, logging) is already built in. Then reach out to a vendor-neutral consultant or two for recommendations. Don’t do nothing. Doing nothing is negligence, and the legal system treats it that way in the event of a breach.
Why? – I never think I need to answer this one until some middle manager comments that protection is cost prohibitive or a drag on productivity. If you have the letters “IT” in your title and you say something like that, please leave. Go become a real estate agent or sell used cars. In this day and age, if your data and other Intellectual Property are no longer confidential, your business may well cease to exist. Even a company that carves figurines from soap will suffer if private information such as soap composition, carving techniques, vendors, suppliers, and customers is made public. If nothing else, you lose the trust that took years or decades to build.
Always Watching – Monitor everything! Failed attempts. Successful attempts. Who, what, when, where, and how. See what I did there? And why? Because you will never know you have a problem if you don’t monitor. Yes, you will have millions of events, but that is what a Security Information and Event Management (SIEM) system is for: it collects the logs in one place, correlates them, and raises the handful that matter. Yes, it is worth it, especially if it prevents a single breach, and it is only worth it if someone actually reviews what it raises. You simply can’t rely on endpoint security and firewalls. You MUST remain vigilant!
Know Thyself – Beyond simple heuristic and signature-based scanning, you must understand your network through baselining. Baselining means monitoring systems and users long enough to learn what normal activity and average usage look like: which hosts each account uses, at what hours, and how much data moves. Once normal is known, abnormalities stand out, like a database server transferring terabytes after midnight or the custodian logging into the CEO’s computer. Sounds obvious, but most companies have no clue what is normal in their networks, and without a baseline those two events are just more lines in a log.
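To make the Always Watching and Know Thyself sections concrete, here is an added example, not code from the original article, of the simplest possible baseline-and-detect loop in Python. It reads a constructed set of login and transfer records (the format and every user, host, and byte count are made up for the demo), learns per account which hosts it uses, at which hours, and how much it normally transfers, and then reports every later event that breaks that pattern: the database service moving terabytes at half past midnight, the custodian’s account on the CEO’s workstation, and an account nobody saw during the baseline period.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample logs in a simplified format (not from any real system):
#   <timestamp> <event> user=<name> host=<name> [bytes=<count>]
BASELINE_LOG = """\
2024-03-01T08:55:10 login user=alice host=ws-alice
2024-03-01T17:40:03 transfer user=dbsvc host=db01 bytes=410000000
2024-03-01T19:02:44 login user=pat host=ws-lobby
2024-03-04T09:01:27 login user=alice host=ws-alice
2024-03-04T17:41:12 transfer user=dbsvc host=db01 bytes=398000000
2024-03-04T19:05:30 login user=pat host=ws-lobby
2024-03-05T08:58:02 login user=alice host=ws-alice
2024-03-05T17:39:55 transfer user=dbsvc host=db01 bytes=425000000
2024-03-05T18:59:17 login user=pat host=ws-lobby
"""

CHECK_LOG = """\
2024-03-08T09:15:00 login user=alice host=ws-alice
2024-03-08T00:30:00 transfer user=dbsvc host=db01 bytes=2100000000000
2024-03-08T19:10:00 login user=pat host=ws-ceo
2024-03-08T02:12:41 login user=svc-backup host=fs01
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<event>login|transfer) user=(?P<user>\S+) "
                  r"host=(?P<host>\S+)(?: bytes=(?P<bytes>\d+))?$")


def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in text.strip().splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        e = m.groupdict()
        e["hour"] = int(e["ts"][11:13])                 # hour of day from the ISO timestamp
        e["bytes"] = int(e["bytes"]) if e["bytes"] else 0
        yield e


def build_baseline(text):
    """Per user: hours of day seen, hosts used, and the size of each transfer."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set(), "bytes": []})
    for e in parse(text):
        b = base[e["user"]]
        b["hours"].add(e["hour"])
        b["hosts"].add(e["host"])
        if e["event"] == "transfer":
            b["bytes"].append(e["bytes"])
    return dict(base)


def detect(baseline, text, volume_factor=5, hour_tolerance=1):
    """Return (timestamp, user, reasons) for every event that departs from the baseline."""
    alerts = []
    for e in parse(text):
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("account never seen during the baseline period")
        else:
            if not any(abs(e["hour"] - h) <= hour_tolerance for h in b["hours"]):
                reasons.append(f"activity at {e['hour']:02d}:xx is outside this user's usual hours")
            if e["host"] not in b["hosts"]:
                reasons.append(f"first activity on host {e['host']}")
            if e["event"] == "transfer":
                if not b["bytes"]:
                    reasons.append("this user has never transferred data before")
                elif e["bytes"] > volume_factor * statistics.median(b["bytes"]):
                    reasons.append(f"transfer of {e['bytes']:,} bytes exceeds "
                                   f"{volume_factor}x the usual volume")
        if reasons:
            alerts.append((e["ts"], e["user"], reasons))
    return alerts


def run_demo():
    """Baseline on the first week, then check the later day's events."""
    return detect(build_baseline(BASELINE_LOG), CHECK_LOG)


if __name__ == "__main__":
    for ts, user, reasons in run_demo():
        print(ts, user)
        for r in reasons:
            print("   -", r)
```

The thresholds here (a one-hour tolerance, five times the median transfer) are deliberately simple and tuned for a few days of constructed data; with real logs you baseline over weeks, weight weekdays and weekends separately, and feed the alerts into the SIEM rather than printing them. The point is that none of the three flagged events trips a signature: each is ordinary on its own and only stands out against what that account normally does.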
Bonus Round – Everyone has a firewall that blocks inbound traffic from the outside. But one of the most common intrusion paths today is the drive-by download, which an inbound-only firewall does nothing about. When you point your browser where it doesn’t belong, you might get something you didn’t expect. Drive-by downloads install automatically through unpatched or poorly configured web browsers and plugins and can deliver malware, ransomware, or remote access for a threat actor. Any website not used for a legitimate business purpose or explicitly whitelisted should be blocked, and management gets no exemption; executives are the most attractive targets. Geo-blocking, that is, blocking traffic to and from countries you do no business with, is also highly recommended. Finally, outbound uploads should be capped and rate-limited, so a compromised host cannot quickly push your data outside the company and a large transfer is slow enough for monitoring to catch it.
Access Control starts and ends with understanding your network. Policy gives every control a written reason and is what shows the company acted with due care if a breach is ever examined. Software and firewalls can only protect you so far. You can lock down every single file and asset on your system, but if you aren’t properly and continuously monitoring, you’ll never know you are under attack or that you’ve lost data until the ransomware note locks your computers.