
Security Think Tank: Access control is key to protecting against cyber attacks

In the modern business environment, what are the most common access control mistakes and how can these best be corrected?

Risks of cyber attack abound in a modern business environment, whether from speculative scammers or targeted malicious strikes.

With data forming an increasingly important part of business and personal life, and the uses for such data growing as ever more sophisticated analytical tools develop, organisations that previously might have considered themselves a relatively low-level target are now receiving unwanted attention from people wanting to cause havoc in their network or steal information.

But if there is no access available to these threat actors, then the risk of damage or theft is significantly reduced.

Recognising the importance of access control and management is a key step in protecting an organisation, and can be looked at, and acted upon, in a number of areas:

Social engineering of user accounts

Social engineering of end-user accounts is a process whereby people obtain user account information and passwords of individuals in a firm. This can happen in both physical and virtual environments.

For instance, we all know how loose lips at a bar can reveal too much information, but now the proliferation of Twitter, LinkedIn, Facebook and other social media has opened up a new world to those who socially engineer.

They can quickly identify unique information and use it to access systems. Education is required to communicate effective social etiquette and hygiene to employees, so that information is not shared inappropriately, alongside investment in tools to monitor these environments.

Employee exit account deletion

Every administrator knows they must remove employee accounts when they are no longer needed. In an age of distributed administration, some organisations will still have manual processes in place that can lead to tasks like this slipping through cracks in the system.

The easiest way to resolve this is automated processes to delete accounts once an employee’s status changes in the HR system. This is even more critical for admin accounts, which should have extensive logging and auditing by default.
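As an added illustration of the kind of automated leaver process described above (example code, not from the article or from ISACA or Forrester): a Python reconciliation that reads a constructed HR export and directory snapshot, queues leaver accounts for disabling once their end date has passed, flags accounts with no HR owner for human review rather than deleting them, and writes an audit line for every decision that touches an admin account. The roster, directory and account names are all assumed.

```python
# Constructed HR export (hypothetical): status as the HR system reports it.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob":   {"status": "left", "end_date": "2024-01-31"},
    "carol": {"status": "active"},
}

# Constructed directory snapshot (hypothetical). Secondary admin accounts name
# their human owner; service accounts have no human owner at all.
DIRECTORY = {
    "alice":      {"enabled": True, "admin": False},
    "bob":        {"enabled": True, "admin": False},
    "bob-adm":    {"enabled": True, "admin": True, "owner": "bob"},
    "carol":      {"enabled": True, "admin": False},
    "svc-backup": {"enabled": True, "admin": True, "owner": None},
}


class Reconciliation:
    def __init__(self):
        self.to_disable = []  # leaver accounts: safe to act on automatically
        self.to_review = []   # no HR owner: needs a human decision, never auto-deleted
        self.audit = []       # every decision about an admin account is logged


def reconcile(roster, directory, today):
    """Compare enabled directory accounts with the HR roster as of `today` (ISO date)."""
    result = Reconciliation()
    for name, attrs in directory.items():
        if not attrs["enabled"]:
            continue
        owner = attrs.get("owner", name)  # primary accounts own themselves
        person = roster.get(owner) if owner else None
        if person is None:
            result.to_review.append(name)
            result.audit.append(f"{today} review {name}: no HR owner (admin={attrs['admin']})")
            continue
        # ISO-8601 dates compare correctly as strings, so no date parsing is needed.
        left = person["status"] != "active" and person.get("end_date", today) <= today
        if left:
            result.to_disable.append(name)
            result.audit.append(f"{today} disable {name}: owner {owner} left (admin={attrs['admin']})")
        elif attrs["admin"]:
            result.audit.append(f"{today} keep {name}: admin account, owner {owner} still active")
    return result


if __name__ == "__main__":
    for line in reconcile(HR_ROSTER, DIRECTORY, "2024-02-01").audit:
        print(line)
```

Running the same reconciliation on a schedule, with the HR export as the only source of truth for who is still employed, is what turns the manual leaver task into the automated one the article recommends.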

Third-party access to internal systems

In this era of outsourcing and complex supplier relationships, access to systems from remote organisations that form part of the supply chain is now a given. Access through these accounts must be closely managed to ensure only appropriate resources are reached. Monitoring should be implemented, with automated alerts if use exceeds expectations.

Relevant certifications (ISO 27001, ISO 27018, PCI DSS, and so on) of internal systems for third parties should be leveraged, with consideration given to techniques such as software-defined networks to segment supplier access.

Single level of access for all users

Information and its use are critical, but with the flood of data, not all of it can continue to be treated as equal. Any attempt to put strict controls on all information often distracts attention from the data that is more sensitive in nature and demands more care.

Today, a single level of access for all users is no longer good enough. Organisations should implement a data classification scheme with role-based access control that links the requirements for information access to the employee's role.

Also, firms should leverage multi-factor authentication for any questionable access requests, with these limits set and automatically engaged using intelligent access management solutions.

Access anywhere, any time

The transition to mobility has led to an explosion in devices, or endpoints, that can access data. There is minimal value in banning the use of such devices, so organisations must establish, and ensure conformance to, a company policy on portable machines (mobiles, laptops, and so on). The investment should be in tools and processes to ensure that if a loss or breach does happen, access through that endpoint can be shut down quickly and effectively and the device wiped of any organisational data.

Shadow IT

Many enterprises possess the skills and abilities for IT-powered business services to be developed and maintained within business units. Some people call this shadow IT. The prevalence of shadow IT will probably continue, and it can take many forms, ranging from a purchased SaaS application to a complete solution built in the cloud.

Rather than work against these developments, effective security services should be available to support the organisation’s requirements to protect sensitive information and access, in line with enterprise standards.

Rob Stroud is a past international president of ISACA and principal analyst at Forrester Research.