Cyber Essentials Certification - User & Admin Accounts
Attackers often gain access to systems through weak account management practices. Cyber Essentials addresses this by requiring organisations to have strong practices in place so that user credentials cannot easily be compromised.
This is edited content from Sarb Sembhi and co-host Nick Ioannou; it is also available as video and podcast.
Introduction
Research shows that, of breaches related to identity and access:
- 66% resulted from phishing;
- 32% involved stolen credentials;
- 27% came about through inadequately managed privileges.
The accounts used to access resources are a very important part of an organisation’s security arsenal, and in this next section of our series on Cyber Essentials Certification we are looking at User and Administrator accounts.
Impact of not Managing Accounts Effectively
Let’s start by looking at some of the things which are included in managing accounts:
- what a user can do,
- what an account can do,
- where a user can log in from,
- what they can view and what they can change,
- which applications can be used to access resources or assets,
- when a user or account can be used to access or process information, etc.
This list can be extended much further, but this is a good starting point. If different accounts control access to viewing and processing data and assets, it is in the organisation’s interest to protect and manage these.
Where users and accounts are not managed effectively, the organisation may be exposing itself to incidents such as the following:
- A user account can be used to install ransomware or other malware.
- A user account can be used for a data breach.
- A user may be able to view data they are not entitled to (e.g. executive salaries).
- A user may be able to view more data than they should be able to (e.g. sensitive client data).
- A user may be able to adjust or delete data records they shouldn’t have access to.
- A user may be able to erase the logs which record and identify wrongdoing.
Again, we could extend this list, but it does illustrate the sort of things that can go wrong that Cyber Essentials is attempting to help reduce.
There are many examples of ransomware and malware in the news, so let’s instead look at some examples of user accounts being used internally for activity they should not have been, including:
- In 2020 Shopify had a data breach in which two members of the Shopify Support Team abused their access rights by obtaining records of customer transactions. The data contained customers’ personally identifiable information. This sort of breach would result in a data protection fine in many countries.
- In 2020, Twitter engineers were the target of an attack which resulted in their credentials being stolen and used to access the Twitter administrator tool. This was then used to post scam messages to over 130 popular profiles, and the attackers obtained $180K from Twitter users before the breach was dealt with.
- In 2020 Tesla reported that it had thwarted an attempt by ransomware criminals to bribe an employee to install malware. The employee instead reported the approach and worked with the FBI to investigate it. Tesla had previously been the victim of a similar sabotage in 2018.
These examples all involve large multinational corporations, because those are the incidents that make the news. Similar attacks on smaller organisations happen but rarely make the news, as they do not usually affect large numbers of people. However, such incidents in small organisations often end with the organisation folding or severely limiting its operations.
This is one of the worst-case scenarios that managing user accounts is aimed at preventing.
What Organisations get wrong with Accounts
The many impacts of getting user accounts and access wrong, mentioned earlier, will differ from one organisation to another. However, the underlying reasons for things going wrong include the following:
- Users are provided access to data, assets or resources which are not relevant or appropriate to their role.
- When a user changes role or leaves, their access to resources they no longer need is not removed.
- Administrator accounts are used to access data, assets or resources that should only be accessed as ordinary users.
- Access to key data, assets or resources is not logged, so that when something goes wrong there is no information to figure out what actually went wrong and why.
- Too much trust is placed in employees with higher-level access, which exposes them to blackmail or bribery to sabotage their organisation.
- There is a lack of proper password policy management.
- Two-factor or multi-factor authentication is not implemented for important access.
- Restrictions based on device, browser, days and times of the week, and other criteria are not used.
- There is a lack of understanding of, and separation between, viewing access and altering or deleting access, leaving high-level account users able to amend or delete the evidence of wrongdoing.
- A lack of a proper, effective management process for managing access for all users.
- A lack of regular reviews of access rights.
- A lack of standards which enforce good practices: for example, where coders develop applications, they may hard-code administrator passwords.
- A lack of management of partner and supplier access to data, assets and resources.
- A lack of policies and processes to keep managing users simple and efficient. The right policy and process will take time to implement, but once in place they will reduce the overall time and resources needed to maintain access.
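One way to turn several items in the list above into a routine, repeatable access review is shown below. This is an added example and is not part of the original article or of the Cyber Essentials scheme itself: a Python script that checks a constructed set of account records for leavers whose access is still active, entitlements outside the holder’s role, missing MFA, administrator accounts in day-to-day use, non-administrator accounts that can alter logs, and overdue reviews. The role names, entitlement names, thresholds (20 interactive logins a month for an admin account, a 90-day review period) and all account data are constructed assumptions for the demonstration.

```python
"""Access-review checks over a constructed set of account records.

Added example, not from the Virtually Informed article or Cyber Essentials.
Every role, entitlement, threshold and account below is constructed for the
demonstration; a real review would read these from the directory, HR feed
and authentication logs.
"""
from dataclasses import dataclass
from datetime import date

# Constructed role-to-entitlement baseline: what each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "support": {"crm.read", "tickets.write"},
    "finance": {"ledger.read", "ledger.write", "payroll.read"},
    "sysadmin": {"crm.read", "tickets.write", "ledger.read", "ledger.write",
                 "payroll.read", "servers.admin", "logs.admin"},
}

# Entitlements that let the holder alter or erase the audit trail.
LOG_TAMPER = {"logs.admin"}
REVIEW_PERIOD_DAYS = 90          # assumed review cadence
ADMIN_LOGIN_THRESHOLD = 20       # assumed: more than this in 30 days looks like daily use
TODAY = date(2024, 6, 30)        # fixed so results are reproducible


@dataclass
class Account:
    username: str
    role: str
    entitlements: set
    mfa_enabled: bool
    is_admin: bool
    active: bool          # account can still log in
    employed: bool        # False once HR records the person as a leaver
    last_review: date
    logins_last_30d: int  # interactive logins; admin accounts should be rare


def review_account(acct, today=TODAY):
    """Return a list of finding codes for one account; an empty list means clean."""
    findings = []
    # Leaver whose account was never disabled.
    if acct.active and not acct.employed:
        findings.append("LEAVER_STILL_ACTIVE")
    # Entitlements the role does not justify (least privilege).
    excess = acct.entitlements - ROLE_ENTITLEMENTS.get(acct.role, set())
    if excess:
        findings.append("EXCESS_ENTITLEMENTS:" + ",".join(sorted(excess)))
    # Active account with no second factor.
    if acct.active and not acct.mfa_enabled:
        findings.append("NO_MFA")
    # Administrator account being used for ordinary daily work.
    if acct.is_admin and acct.logins_last_30d > ADMIN_LOGIN_THRESHOLD:
        findings.append("ADMIN_ACCOUNT_DAILY_USE")
    # Ordinary user able to amend or delete the logs.
    if acct.entitlements & LOG_TAMPER and not acct.is_admin:
        findings.append("NON_ADMIN_CAN_ALTER_LOGS")
    # Rights not re-confirmed within the review period.
    if (today - acct.last_review).days > REVIEW_PERIOD_DAYS:
        findings.append("REVIEW_OVERDUE")
    return findings


def run_review(accounts, today=TODAY):
    """Map each username to its findings."""
    return {a.username: review_account(a, today) for a in accounts}


# Constructed sample directory extract.
SAMPLE_ACCOUNTS = [
    Account("alice", "support", {"crm.read", "tickets.write"},
            True, False, True, True, date(2024, 5, 31), 40),
    Account("bob", "support", {"crm.read", "tickets.write", "payroll.read"},
            True, False, True, True, date(2024, 5, 31), 25),
    Account("carol", "finance", {"ledger.read", "ledger.write", "payroll.read"},
            False, False, True, False, date(2024, 3, 1), 0),
    Account("dave-admin", "sysadmin", set(ROLE_ENTITLEMENTS["sysadmin"]),
            True, True, True, True, date(2024, 6, 20), 60),
    Account("erin", "finance", {"ledger.read", "logs.admin"},
            True, False, True, True, date(2024, 6, 25), 15),
]

if __name__ == "__main__":
    for user, findings in run_review(SAMPLE_ACCOUNTS).items():
        print(f"{user:<12} {'OK' if not findings else '; '.join(findings)}")
```

Each finding code maps to one item in the list above, so the output doubles as the evidence a reviewer signs off at each review cycle; an account with no findings is simply re-confirmed, and anything else goes back to the line manager or to whoever owns the affected resource.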
Being able to select solutions that meet your security requirements and reduce your attack surface is one of the most important benefits of understanding that attack surface.