Keeping Excess Out of Access

[ This article was originally published here ]

SSCP_Blog8_Newsletter_Banner_230x150How Much Access is Too Much?

Many security practitioners grapple with the problem of their colleagues demanding too much access to network resources. Sometimes, it is not just people who request excessive access, it could be an application that needs more access than necessary to function, or it could be a process that is demanding too much access. In some cases, an entire system or network can be the access challenge. Whatever the case may be, there are many methods at the fingertips of the security practitioner to control access in a way that enables a business to function without the risk of oversharing.

The Risks of Excessive Access

Unbridled access has been cited in many security incidents. From the Target breach of 2013, up to the more recent breach of Singapore’s SingHealth system, weak or unmonitored access mechanisms had a primary influence on the commission of these crimes. In the Target incident, proper network segmentation would have slowed, if not entirely prevented the attack. In the SingHealth breach, “bad system management” was responsible for the event, resulting in access to an unsecured administrator account.

These incidents are not on the decline, and as their frequency rises, so do the costs in both administrative overhead, and real cash. In one report from 2017, it was estimated that ransomware costs would increase globally by billions of dollars each year. Not only would the global costs rise, but the cost per incident was also showing an increase from $294 US, to $1,077 US, over a two-year period. For a long time, ransomware was simply a costly inconvenience, resulting in tampered data, not stolen data. However, with the emergence of new strains of ransomware that exfiltrate data prior to encrypting it, access control for accounts becomes increasingly important.

Fortunately, there are various methods available to secure access to systems, including authentication methods, as well as controlling the information presented to a subject upon successful login.

The Early Models

Access controls are not a new concept. Many years ago, in the early days of computing, some clever folks developed security models and architectures to address some of the access questions that arose in military environments. A soldier in the field did not need to see the plans of the general, and the Bell-Lapadula model prevented such an event from occurring by limiting a person’s ability to see information at a higher level. The Bell-Lapadula Model focuses on confidentiality, whereas another model, the Biba model, focuses on data integrity. Other models followed along the security spectrum, expanding upon these earlier concepts. While

all of the older models may be regarded by some as ancient history, they are so significant in the principles of access controls that they still exist as testable material on at least two respected security certification exams.

Models Meet Real-World Practice

In modern operating systems, these old models come to life, flowing in an almost intuitive way. Anyone security practitioner who has ever altered the permissions on a directory or file in a Windows operating system has had experience with understanding how to grant, and limit, access on a network. The intuitive nature of setting permissions should not be minimized. As described in an old administrator’s guide, the setting to “replace all child object permission entries with inheritable permission entries from this object” is nothing short of “the dragon’s breath.” Thoughtless application of an access control can have severe, and sometimes embarrassing consequences. A worst case scenario would put an organization’s data at risk. Setting access permissions is best accomplished in the hands of trained security practitioners.

Remembering the Basics

Some of the most notable breaches were the result of a failure to adhere to basic security hygiene. One of the most fundamental doctrines of security is the observance of defense in depth. In hacker parlance, getting an administrator’s credentials is equivalent to gaining the “keys to the kingdom.” However, if a defense in depth approach is used, a successful login by a high-level account should trigger one, if not multiple alerts.

Some of the responsibilities of a security practitioner would include not only include the recommendation of security products, but also the oversight of the security alerting systems.  A well-trained security practitioner has first-hand knowledge and experience with these products and the measures to best implement them.

First, Protect the Data

In the field of bioethics, the phrase primum non nocere is a fundamental principle, which means “first, do no harm.” In security, the phrase “first, protect the data” should carry the same significance. Encryption is the method most often employed for both data at rest, as well as data in transit. While encryption and cryptography are full disciplines on their own, the implementation of encryption for critical data has become part of the standard toolkit of all trained security practitioners. Encryption is so fundamental to proper data protection, that every security certification exam contains questions relating to cryptography concepts and encryption methods. Its importance cannot be understated.

Through the use of established encryption protocols, stolen data is illegible, and useless to an attacker. This protects an organization against data loss through unauthenticated attacks, such as the Bluekeep vulnerability of 2019. However, once a person is successfully authenticated into a system, encryption no longer matters because the access rights grant that person the necessary decryption mechanism to see everything in plaintext. This is why encryption is only part of the overall security formula.

Methods to protect high-level accounts

Monitoring is an excellent protective mechanism, however, it is reactive, and that is only part of a solid security solution. In order to fully protect accounts with elevated privileges, other mechanisms should be in place to thwart unauthorized access. For example, at a minimum, an administrator account should be used only for administrative tasks. An administrator should not be allowed to check e-mail while logged in under administrative credentials. The account should have the strictest password policy in an organization.

Another method that should be an absolute necessity for administrative accounts is the use of one, if not two methods of multifactor authentication. Dual multifactor could include a hardware token as well as a one-time password generator.

In extreme cases, the addition of a split-knowledge setup would be the most secure method. Split-knowledge would be accomplished on an account whereby one person knows only half of a password, and another person knows the other half. This would protect a system from a single person who may “go rogue”. (Of course, this would require at least two accounts set up using four different individuals, which would ensure that the loss of any one person would not put the account in jeopardy of a permanent administrator lockout, as was the case in 2008 when a disgruntled employee attempted to hold a city agency’s data hostage. Understandably, split-knowledge is a mechanism that could only be used in an organization with a very mature security practice, and a robust security team.)

Non-elevated accounts can also benefit from the use of multifactor authentication as well as strong password policies. The security practitioner is responsible for championing all the ways to protect the data of the organization, and identity management is also part of that responsibility.

Implementing and enforcing strong authentication policies can be a challenge for a security practitioner. It is one that does not need highly technical computer skills. Policy acceptance is best accomplished through the relationships that are built with other teams in an organization. The job of a security practitioner is not only one of monitors, consoles, and configurations. It is also a job requiring confidence to execute exceptional “soft” skills of team-building and trust.

To learn more about network access controls and protecting data, read our white paper, How You Can Become a Cybersecurity Hero.

Hw SSCP Certification Helps

The Common Body of Knowledge for a person seeking to earn the Systems Security Certified Practitioner (SSCP) credential from (ISC)2 focuses heavily on the access control mechanisms available to a security practitioner. The study materials dig deeper than mere talk, offering ways for a candidate to try out many of the concepts that would be put to use in a professional setting.

There is no better way to showcase your technical skills and security knowledge than by achieving the SSCP credential. Whether you are an experienced security professional or just starting out into the fascinating world of cybersecurity, the (ISC)2 SSCP credential is ideal to enhance your ability to implement, monitor and administer security procedures and controls that ensure your organization’s confidentiality, integrity and availability.