Assets and Access Part II:
Cybersecurity managers spend a lot of time thinking about when, and how, to deny or allow entry to certain systems or resources, from digital access points or physical entryways like IT systems, cloud services, elevators, and even doors. Access control is an essential element of security.
Solid security requires control over access to information that matters; the cybersecurity manager who doesn’t take control is not considering what matters and to whom. Anyone who does not have the need to know should not be allowed to have access. Anyone who does need to know should. That’s only logical, but it’s common to find companies with such strict access control that it prohibits the right users from gaining access, or such lax controls that the risk of data breaches and leaks is increased.
Access control is a way to divide the risk of unauthorised access and data breaches. What people don’t know will limit what they are capable of doing. Keep your passwords secret from hackers, and you won’t be hacked. Keep your business plans secret from the competition, and you have a better chance of winning.
Controlling access to information is a complex topic with multiple technologies available. It’s necessary to include some good practices and principles in the high-level policy that sets the management tone for controlling access to information. The highest level of requirements could be phased out like below:
“Access to company information is given to people who need that information at their work, but not to others. This is the need-to-know principle. When the need-to-know ceases to exist, access to information will be removed. Managers in charge will inform IT department to permit the access to information based on their assessment of need-to-know.”
Obviously, there’s a ton of details that could go into more detailed policies for each important system that the company uses.
Here’s a horror story from real life. Most organisations require some sort of ID, access card, or badge to be used in their facilities. Many companies require that employees identify themselves with a lanyard and ID badge that must be worn at all times.
We’ve worked with some quite unbelievable access control scenarios. In one instance, a school was requiring that all of the parents, teachers, maids, and custodians who drop off or pick up their kids wear a lanyard and a photo ID that identifies their face, name, and which child they can bring or take out. Nobody without that lanyard should have been able to access the premises and take the kids. The IDs were supposed to be used to control access to the school area and provide a means to check who has authority to take a certain kid along with them. Nice idea, in theory, but practice turned out to be different.
One of their problems was that the school had more than one entry point, usually manned by staff who were supposed to—but in practice didn’t always—check the parent’s IDs and lanyards.
Every morning and afternoon, the staff came to the gates and greeted parents. They tried to remind the parents to wear a lanyard, but the parents often forgot them at home. The exception was handled by showing the parents to the school office to apply for a day pass. This of course meant that the person could just say, “Sorry I forgot,” at the gate and be guided to enter the premises. Automatic bypass of access control! At the start of a semester, the staff at the gate was strict about it. Staff asked to see the access lanyards and advised parents to wear them because they’re reminded to. But the lanyards were small, and it was hard to see a tiny picture of a face to verify that the person actually matched the ID card, let alone check which parent was matched with a certain kid when they took the kids out. In fact, while exiting the premises with a child, there was no outbound check at all!
As the semester progressed, and a few weeks passed, the staff barely glanced at the IDs; they were only registering a colourful lanyard. At the same time, they could not cover every entrance and exit on the premises. Parents soon learned that they didn’t need to wear the lanyard or access cards anymore because they could either take a route where there was no staff or just rely on them recognising them by looks. In truth, a parent can just smile and walk past them and say, “Sorry, I forgot my badge. Bit of a hurry,” and nobody cared. That’s called social engineering access. Show a friendly face, get people used to it, and then enjoy the freedom of access.
Access security lapsed completely once inside the school’s perimeter, where the teachers and other staff seldom wore identification. The badges were just for people trying to access. Once they got inside, there was no way to distinguish between internal staff and parents. Nobody could check to see if they were allowed to remain inside because there are too many people wearing lanyards and too many not wearing them. At best, the ID plan gave a false sense of security.
The school example illustrates a host of different security problems: overly complex and failing access control scheme, multiple points of entry, lax attitude toward enforcement, lack of formality and training, and no real enforceability. Too often, it’s the same with IT security policies.
Access control needs to involve user management, making sure that only authorised users are created and that specific users get access to certain resources and not others. To do that, the cybersecurity manager has to know who the users and user groups are and what resources are appropriate for them to access. The cybersecurity manager also needs to know what systems have to be controlled. Only then can they decide what kind of controls to implement. Those are the basic building blocks of access control. Without them, it’s impossible to do access control well. Systems that allow centralised control like Microsoft Active Directory are essential in building the access control scheme.
People usually think about access control in terms of horizontal access—how many systems an employee gets access to. The cybersecurity manager should also consider vertical access and depth of access. Is the user a normal user or an administrator? The more privileged access a person has, the greater their power, and the more likely they are to be a target for cyber criminals, whose goal is to gain broad access rights to internal systems. Do they mention in their LinkedIn profile that they are working for your company as IT administrator? Guess who hackers would prefer as a target?
Most user management today is done with usernames and passwords, and it’s clearly inadequate. If we look at the breaches and cyber exposure happening in the world right now, we can see why that many of them involve insecure access control processes.
In fact, passwords still pose the biggest threat related to unauthorised access to information, even with all of the security technology available. People use passwords that are too short and too simple. They use the same password for everything inside and outside of company, and keep the same one for a long time. Recent studies say that half of people use the same password everywhere.
It’s not hard to see why people don’t use a different password for everything and change it regularly. One individual we met had 300 plus accounts across various internet services. That means 300-plus usernames and passwords. Managing that is, of course, a huge problem. This isn’t just a company problem or an individual problem; it’s a planetwide problem.
Some companies have offered an apparent solution to password management woes, like using a Google, Facebook, or LinkedIn authentication to log in with a click of a button. Users with many accounts appreciate this because they can just use the same passwords for their company and private services whenever they use the internet. This is very convenient for the users but also places a lot of trust on these authentication services and centralises the risk of compromise. If one of these big ones gets hacked, a lot of other systems and information will be at risk. LinkedIn was hacked, and all usernames and passwords were stolen a few years back. Everyone should know, right? But few people know that many of these stolen passwords still work today.
Unfortunately, when people use their work-related email and password—their user account at work—they inadvertently identify where they work, information about the organisation, and what services that might apply to. Even if those passwords are encrypted or hashed (in tech language, it means they are protected) in third-party services, once a hacker cracks the passwords (defeats the password protection), he potentially gets access to everything, including the user’s work servers that share the same password.
Login credentials are valuable—they’re a sort of currency that can be traded in the underworld economy. Some hackers actually trade login credentials for money or sell access rights to certain companies or types of business systems. Servers and workstations might trade access for some other service. On the dark web, access to a corporate system or to certain servers in a big company can go for fifty-five US dollars.
Companies have tried to create more effective ways to authenticate people—to identify them and make sure they are who they’ve claimed to be when they log in to a system. A company might link the password to another factor, like an SMS message sent to the user’s phone with a PIN to enter at login. Banks use physical number tokens that generate PINS for you based on time and secret keys. A web bank might issue hardware tokens, or PIN tokens, for its users. A commercial business might be using a Virtual Private Network (VPN) for its users, and VPN software for every user who is working for them. Then they could use a password, username, and digital certificate to authenticate the connection and its users.
Layering on additional factors of authentication is usually quite effective; it increases the difficulty of breaching that system. Having said that, there are some instances that the additional complexity of authentication didn’t actually improve security much. Most people are aware of SMS authentication, or the One Time Password (OTP) solution, for instance. With OTP, whenever a user logs into their web bank, they’re required to answer with a PIN number that’s sent to their cell phone in addition to their username and password. A hacker using another phone to try to access the account, even if he knows the username and password, can’t log in without first getting an SMS, reading the number, and using that to log in.
Additional authentication steps like SMS tokens add complexity to the authentication process, and remember, complexity is the worst enemy of security. Even multifactor authentication like SMS tokens aren’t foolproof. Anybody working in the company that provides the cell phone connection could intercept the user’s SMS. Or, if manual processes aren’t strict, a hacker could portray himself as someone else, then manage to open up a clone SIM that receives the same SMS messages. Ironically, that supposedly super secure multifactor authentication scheme that combines SMS token with a good password could be compromised by the same feature that’s meant to protect the user. How many little shops are working for your mobile service provider and are able to issue cloned SIM cards or change the ownership of the mobile connection? Try enforcing an access control policy on them!
Complexity rarely makes security better. That’s not to say that adding a second factor of authentication is a bad thing. It’s good, but there are limitations. There are a lot of different ways to authenticate people. The lesson here is that the more secure the system needs to be—like a bank, for example—the more security is needed in authentication.
Anyone who has a lot of passwords and usernames—say, more than ten—should get a password management tool. They are usually referred to as “password wallets.” There are several available that can run on a laptop and sync with a mobile phone. For a few dollars a year, all of a person’s passwords can be securely stored in one wallet, so they just have to remember one master password for the wallet. Then it helps them log in and authenticate to different solutions, and stores them securely. Having a password wallet makes life easier for users.
At the same time, we have to remind users that wallets also pose a risk, especially online wallets. Passwords are stored in an encrypted file, and in some solutions, that file is sent to a central repository on the internet. If that application or an individual’s computer is hacked, all of those passwords may be compromised in one place. Still, online wallets are an effective solution for people who have a lot of passwords and companies that have a lot of users, even though it has a single point of failure. Anyone choosing an online wallet should choose one that’s been thoroughly tested—by more than one person or one company. It needs to be more than just a convenient solution. It needs to be a secure one.
We couldn’t begin to cover all of the options for access control today. There’s a multitude of authentication and access control technologies, services, and solutions that go under this topic, and all of them would solve bits and pieces of the whole problem. No single solution will cover all of the access control needs of the organisation. This is because no single service can be compatible and integrate with all the various services out there. The cybersecurity manager’s job is to gain understanding of which access control technologies are a good fit for his business and to help IT to design a scheme that is flexible, has good coverage, and is able to secure the business well enough.
Avoiding Security Theatre
For staff to use passwords effectively, they will need to understand what matters in password management. There’s a lot of conflicting information out there. Many government and corporate guidelines, for instance, say that a password has to be eight characters long. It has to contain a mix of letters, numbers, uppercase and lower case, and a special character, and it has to be changed every thirty to ninety days. However, research and practical experience has shown that there’s one property above others that makes passwords strong: the length. Some argue that the complexity of the character set is also significant, but it’s not as effective as sheer length. A long password is a strong password. Researching this subject will reveal a lot of academic papers and calculations pointing to different directions. But hackers think different, they are only interested in defeating the password protection in any means necessary. From attackers’ perspective, only that outcome matters. Not the computational difficulty!