Securing your access – not just passwords

When most of us think of secure access, we think of a password or a PIN, a passphrase, or even a set of numbers and letters. We use these to log on to our computer or phone, email, online banking and even cloud storage. But are these methods of accessing systems that contain our sensitive information actually secure? Enterprises now use more services that are directly connected to the Internet, to enable collaboration, to make remote working easier, or to benefit from shared services. Authentication then becomes the first line of defence: it is the gate that both a legitimate user and a would-be attacker must pass to gain access to a service.

In cybersecurity access control, the first step is Identification: stating who you are, for example by entering your name or username. These identifiers usually don’t change. To prove you are who you say you are, an access control system will then ask you to provide some form of Authentication (the password, PIN, passphrase, etc.). Identification and Authentication are always used together as a single two-step process, as neither part alone is useful in securing access. Authentication, however, can come in three different forms. These are defined as:

  • Something you know (a password, PIN or passphrase)
  • Something you have (a smart card, a time-based one-time password generator or SMS)
    • SMS is no longer considered secure, as text messages are vulnerable to interception
  • Something you are (a fingerprint, a facial scan or another biometric method)

You have probably heard by now that using at least two of these methods is recommended. This is known as two-factor authentication, or 2FA. We use it particularly for systems that can be accessed online, or that contain sensitive data such as banking or health information. This ‘double checking’ protects you when the ‘something you know’ has been compromised. Passwords can be stolen in a number of ways, including shoulder surfing (someone observing you type it in over your shoulder), social engineering (using social media to gather data for guessing a password, e.g. date of birth, wife’s name, etc.) or other methods of password cracking, so it is recommended to use at least two of the above authentication forms. Let’s be honest: as long as passwords are used for authentication, there will always be a chance that users and administrators will choose machine-guessable passwords and be susceptible to social engineering.

You can learn how to implement 2FA (in most cases at no cost) for common online systems by following these step-by-step instructions for many of the popular platforms – TURN-IT-ON

Once a user has passed the Identification and Authentication process successfully, this does not automatically allow uncontrolled access to a system. The user must then be authorised. Authorisation is the process by which the user is granted access according to the privileges defined in Group Policy, an Access Control List or another security policy. It is possible for a user to be logged on to a network (having passed Identification and Authentication) yet have no access to files or printing, as in the case of guest access. To assign access for authorisation we apply the Principle of Least Privilege: the concept and practice of restricting users’ access rights to the items required to complete their defined job, task or role. This principle also applies to applications, devices and systems, each of which should only have the permissions required for its authorised activity. This keeps the exposed risk to a minimum, because elevated access is granted only to the senior and responsible users who need it.
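To make the identification, authentication and authorisation chain described above concrete, here is an added Python example (not code from the original post) that looks up a username, checks a password hash plus a time-based one-time password (RFC 6238, the ‘something you have’), and then consults an Access Control List built on least privilege, including a guest role that is authenticated but has no file or printer rights. The user store, secrets, roles and ACL entries are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Optional

def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a stolen user store does not give up 'something you know'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: identity -> credential material and role. The TOTP secret
# is shared only with the user's authenticator app ("something you have").
USERS = {
    "alice": {"salt": b"salt-a", "pw": _hash_password("correct horse", b"salt-a"),
              "totp_secret": b"12345678901234567890", "role": "finance"},
    "guest": {"salt": b"salt-g", "pw": _hash_password("welcome", b"salt-g"),
              "totp_secret": b"GUESTGUESTGUESTGUEST", "role": "guest"},
}

# Access Control List applying least privilege: each role holds only the rights its
# job needs. The guest role is authenticated but gets no file or printer access.
ACL = {
    "finance": {"payroll.xlsx": {"read", "write"}, "printer": {"print"}},
    "guest": {},
}

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the 30-second time counter."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def authenticate(username: str, password: str, otp: Optional[str], now: float) -> bool:
    """Identification (username lookup) then both factors; any failure denies."""
    user = USERS.get(username)
    if user is None:
        return False
    # compare_digest runs in constant time, so timing does not leak how much matched.
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw"]):
        return False
    return otp is not None and hmac.compare_digest(totp(user["totp_secret"], now), otp)

def authorise(username: str, resource: str, action: str) -> bool:
    """Authorisation after a successful login: consult the ACL, deny by default."""
    role = USERS[username]["role"]
    return action in ACL.get(role, {}).get(resource, set())
```

The secret `12345678901234567890` is the RFC 4226/6238 test-vector key, so the code produced at time 59 can be checked against the published value 287082.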

Percentage of breaches per threat actor category within insider and privilege misuse:
  • Partners: 3%
  • Collusion: 8%
  • External Attacks: 11%
  • Privileged Insiders: 77%

Privileged Insiders 77% !? – Hackers will look for accounts with privileged access. Once obtained, these provide express access to critical systems and potentially to sensitive data. With these credentials, a hacker essentially becomes an “insider”, as they are perceived to be part of your organisation. I won’t go into further detail here, but one robust method of containing privileged access is to implement an enterprise password management platform such as Thycotic, so that passwords are encrypted and rotated automatically, and access is logged.

In life, we are accountable for all of our actions in some way. In the cybersecurity world, it is no different: you can only maintain security if subjects are held accountable. This process of Accountability is preceded by Auditing, the process by which a subject’s actions are logged and recorded. System activity needs to be logged and monitored so that logs and events can be analysed, or used for forensic purposes in the event of a breach. With millions of these log entries created every day, it is good security practice to review and correlate them regularly using a centralised service. To enable real-time analysis of these events, a security information and event management (SIEM) product should be implemented. The SIEM correlates events in real time to give the analyst actionable alerts, categorises them by severity, and enriches them with up-to-date threat intelligence. The SIEM underpins Accountability, and the evidence captured here can provide authorities with proof that you have taken reasonable steps to protect your data.
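As an added example (not from the original post), the following Python sketches the kind of correlation a SIEM performs over audit logs: it reads constructed authentication events, tracks failed logins per account and source within a time window, and raises severity-rated alerts, treating a success that follows a run of failures as the more serious case. The log format, threshold and window are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs), one per line.
SAMPLE_LOG = """\
2020-07-14T09:00:01Z auth user=bob src=203.0.113.7 result=FAIL
2020-07-14T09:00:03Z auth user=bob src=203.0.113.7 result=FAIL
2020-07-14T09:00:05Z auth user=bob src=203.0.113.7 result=FAIL
2020-07-14T09:00:07Z auth user=bob src=203.0.113.7 result=FAIL
2020-07-14T09:00:09Z auth user=bob src=203.0.113.7 result=FAIL
2020-07-14T09:00:12Z auth user=bob src=203.0.113.7 result=OK
2020-07-14T09:05:00Z auth user=alice src=198.51.100.20 result=OK
2020-07-14T09:06:00Z auth user=carol src=192.0.2.9 result=FAIL
2020-07-14T09:40:00Z auth user=carol src=192.0.2.9 result=FAIL
"""

FAIL_THRESHOLD = 5              # assumed tuning values for the rule
WINDOW = timedelta(minutes=10)

def parse(line: str) -> dict:
    """Split 'timestamp source key=value ...' into a dict with a datetime 'ts'."""
    ts, _source, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def correlate(log_text: str) -> list:
    """Correlate login events per (user, source). A run of FAIL_THRESHOLD failures
    inside WINDOW is MEDIUM; a success right after such a run is HIGH, since the
    guessing may have worked and the account now needs investigation."""
    failures = defaultdict(list)        # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        key = (ev["user"], ev["src"])
        recent = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
            failures[key] = recent
            if len(recent) == FAIL_THRESHOLD:
                alerts.append({"severity": "MEDIUM", "user": ev["user"], "src": ev["src"],
                               "reason": f"{FAIL_THRESHOLD} failed logins within {WINDOW}"})
        else:
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"severity": "HIGH", "user": ev["user"], "src": ev["src"],
                               "reason": "successful login after a run of failures"})
            failures[key] = []          # a success closes the failure run
    return alerts
```

Carol’s two failures fall outside the window of each other and so never reach the threshold, which is the point of correlating on time as well as count.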

The goal of a good security policy is to avoid a breach and to ensure that good practices are in place across the organisation. Evidence of such practices is now even more important with the Notifiable Data Breaches scheme in place, which means your organisation needs to be legally defensible. Your security platform must have strong multi-factor authentication, the authorisation techniques discussed above, solid auditing systems, and appropriate security staff or a managed security service provider managing your environment. In addition, you must be able to show that you have complied with applicable privacy laws and that any breach notifications are made to the OAIC (Office of the Australian Information Commissioner).

For many organisations, fulfilling these requirements on their own can become overwhelming and expensive. Fortunately, cybersecurity professionals can assist with advice on creating your security policy and, in the event of a cyber attack, offer remediation techniques. It is important that any hardware or software solution implemented in an organisation is secure by design, not as an afterthought.

Author: Adam Basedow, Cybersecurity Architect – Vectra

Date: 14th July 2020