To all vendors, contractors and IT staff... this basic #cybersecurity stuff applies to ALL of us. The recent #Powerschool mayhem is a reminder of the damage a compromised contractor IT user/device can do. IT users' (and IT contractors') accounts and devices often have exceptional rights and access across your organization (or multiple organizations), and could do great harm if compromised. If the device is compromised, even MFA may not be enough to stop the potential harm. PLEASE:

a) IT folks and contractors need to stop browsing the web, playing games, and reading email using an account that has local administrator rights on those support devices.

b) Make SURE any device you authorize for VPN access has appropriate controls on it; for example, it should be impossible to disable the antivirus/XDR controls, even with admin rights (we call that tamper protection). Consider prohibiting personal-use devices for VPN support activities.

c) Make sure IT and contractor support devices are set up on an aggressive patching schedule. Patch within 14 days, for both operating system and applications. If you are a developer, make sure the update hash matches the download, and PLEASE don't randomly search the web for a missing driver.

d) Stop reusing credentials across clients, AND stop reusing administrator passwords on systems and machines. If one ring can rule them all, and the ring gets stolen, it's game over.

e) Minimize access to least privilege for all roles. I suspect a LOT of attacker intel can be gathered from your helpdesk ticketing system. Does EVERYONE need rights to ALL the tickets? Do developers need access to ALL the databases or just a few? Do they need admin rights on ALL the servers, or just run-as admin rights for certain tools? Yes, it's more work, but the consequences of NOT limiting access have gotten a lot worse.

I have a template signature document I have vendors and contractors sign when they request our zero-trust VPN. I will be modifying that template to include these explicit callouts (and probably a few more).
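Point c) above asks developers to confirm that an update's published hash matches what they actually downloaded. The block below is an added example, written for this page and not code from the post or from any vendor's tooling. It hashes the file in chunks (so large installers do not have to fit in memory), reads the expected digest from a checksum file in the `sha256sum` "digest  filename" format, and compares with a constant-time comparison. The file name `driver-1.2.3.exe`, its contents and the checksum line are constructed for the example; in practice the checksum must come from a trusted channel (a signed release or the vendor's own HTTPS page), not from the same mirror as the binary, or the check proves nothing.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text):
    """Parse sha256sum-style lines ('digest  name' or 'digest *name')
    into {name: lowercase digest}. Blank lines and '#' comments are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line; ignore rather than guess
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(path, checksum_text):
    """Return (ok, reason). Refuses files that have no published digest."""
    name = os.path.basename(path)
    expected = parse_checksum_file(checksum_text)
    if name not in expected:
        return False, "no published checksum for %s" % name
    actual = sha256_file(path)
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(actual, expected[name]):
        return False, "SHA-256 mismatch: expected %s, got %s" % (expected[name], actual)
    return True, "ok"


def demo():
    """Constructed scenario: a good download, then the same file with one
    appended byte. Returns (ok_before_tamper, ok_after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        installer = os.path.join(d, "driver-1.2.3.exe")  # hypothetical name
        with open(installer, "wb") as f:
            f.write(b"constructed sample installer bytes")
        # Simulate the vendor's published checksum file for this release.
        checksums = "%s  driver-1.2.3.exe\n" % sha256_file(installer)
        ok_before, _ = verify_download(installer, checksums)
        with open(installer, "ab") as f:
            f.write(b"\x00")  # tamper with the download
        ok_after, reason = verify_download(installer, checksums)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

The same check is what `sha256sum -c driver-1.2.3.exe.sha256` does on Linux and `Get-FileHash` feeds on Windows; the point of writing it out is the two failure modes that are easy to skip when checking by eye: a file with no published digest at all, and a comparison that stops at the first differing character.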
How to Prevent Broken Access Control Issues
Summary
Preventing broken access control issues is essential for safeguarding sensitive information by ensuring that users only have access to the resources necessary for their roles. This involves implementing strict access rules and continuously monitoring permissions to minimize risks.
- Restrict access permissions: Assign specific access rights using the principle of least privilege, ensuring that individuals only have access to the information and tools required for their tasks.
- Conduct regular audits: Review user permissions frequently to identify and address unnecessary or outdated access, particularly after changes in roles or employee departures.
- Use automated solutions: Implement tools for automated provisioning, de-provisioning, and monitoring to streamline access control and reduce the risk of unauthorized access.
Having control over what people can do and their access to your network, data and emails is key to protecting your business from attacks. It helps to ensure only the right people have access to sensitive information. So how can your business manage these email controls effectively? Here are 4 steps:

1. Assigning roles: Each member of your organization should have a specific role that defines their access level. For instance, an HR manager might need access to personnel files, while a sales rep might only need access to client communication.

2. Granting access based on needs: The principle of least privilege (PoLP) is a computer security concept in which a user is given the minimum levels of access necessary to complete their job functions. This means you only grant access to information that employees need to do their jobs. It’s like giving someone a key to a specific room rather than the master key to the entire building.

3. Regular audits: Conduct regular audits of who has access to what. This helps you keep track of any changes in roles or job functions that might require a change in access levels.

4. Revoking access: When an employee leaves the company or changes roles, it’s crucial to revoke their access rights. This prevents unauthorized access and potential data breaches. It’s like taking back the key when someone moves out of the house.

Managing network and email access and permissions is not a one-time task but an ongoing process. You have to strike the right balance between accessibility for employees and the protection of sensitive data. Your data + your action = your safety.
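The four steps above (assign roles, grant by need, audit, revoke) can be carried through as one small model, which also covers the entitlement creep and ghost accounts that access reviews exist to catch. The block below is an added example written for this page, not code from the post; the role catalogue, permission strings and user names are invented for illustration. It shows a deny-by-default permission check, a role change that replaces the old role's access rather than adding to it, offboarding that clears every grant, and an audit that flags direct grants no current role justifies and disabled accounts that still hold access.

```python
from dataclasses import dataclass, field

# Hypothetical role catalogue for the example: each role maps to the minimum
# set of permissions that job needs (principle of least privilege).
ROLE_PERMISSIONS = {
    "hr_manager": {"personnel_files:read", "personnel_files:write"},
    "sales_rep": {"client_comms:read", "client_comms:write"},
    "helpdesk": {"tickets:read", "tickets:update"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # One-off grants outside any role. They are what access reviews hunt for.
    direct_grants: set = field(default_factory=set)
    active: bool = True


class AccessDirectory:
    def __init__(self):
        self.users = {}
        self.log = []  # append-only trail of every change, for the audit

    def add_user(self, name, *roles):
        self.users[name] = User(name, set(roles))
        self.log.append(("onboard", name, sorted(roles)))

    def grant(self, name, permission):
        self.users[name].direct_grants.add(permission)
        self.log.append(("grant", name, permission))

    def change_role(self, name, new_role):
        # A role change replaces the old role; access must not accumulate.
        user = self.users[name]
        self.log.append(("role_change", name, (sorted(user.roles), new_role)))
        user.roles = {new_role}

    def offboard(self, name):
        # Leaving the company: disable the account and take every key back.
        user = self.users[name]
        user.active = False
        user.roles.clear()
        user.direct_grants.clear()
        self.log.append(("offboard", name, None))

    def role_permissions(self, user):
        perms = set()
        for role in user.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def effective_permissions(self, name):
        user = self.users[name]
        if not user.active:
            return set()
        return self.role_permissions(user) | user.direct_grants

    def is_allowed(self, name, permission):
        # Deny by default: unknown or disabled users get nothing.
        user = self.users.get(name)
        return user is not None and permission in self.effective_permissions(name)

    def audit(self):
        """Findings an access review should act on, in directory order."""
        findings = []
        for user in self.users.values():
            for perm in sorted(user.direct_grants - self.role_permissions(user)):
                findings.append((user.name, "direct grant outside role", perm))
            if not user.active and (user.roles or user.direct_grants):
                findings.append((user.name, "disabled user still holds access", None))
        return findings


def demo():
    """Constructed scenario walking through the four steps."""
    d = AccessDirectory()
    d.add_user("alice", "hr_manager")
    d.add_user("bob", "sales_rep")
    d.add_user("carol", "helpdesk")
    d.add_user("dave", "sales_rep")
    # Carol got HR read access "temporarily" for a project: entitlement creep.
    d.grant("carol", "personnel_files:read")
    before = d.audit()
    # Bob moves from sales to the helpdesk; his sales access goes away.
    d.change_role("bob", "helpdesk")
    # Alice leaves; full offboarding.
    d.offboard("alice")
    # Dave's login was disabled, but nobody ran offboard(): a ghost account.
    d.users["dave"].active = False
    return {
        "alice_after_offboard": d.is_allowed("alice", "personnel_files:read"),
        "bob_old_role": d.is_allowed("bob", "client_comms:read"),
        "bob_new_role": d.is_allowed("bob", "tickets:read"),
        "dave_disabled": d.is_allowed("dave", "client_comms:read"),
        "findings_before": before,
        "findings_after": d.audit(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design choices are worth carrying into a real directory: permissions derive from roles, so the audit can compute what a user should have and diff it against what they do have; and `change_role` assigns rather than appends, since the common failure is a user who has moved through three teams and still holds all three teams' access.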
How Access Governance manages user access and permissions within IT systems ⬇️

➡ Policy-Based Identity Lifecycle Management handles user identities and their associated access and permissions to your organization's IT systems based on predefined policies and rules. It involves the entire lifecycle of your user's identity, from onboarding to changes in roles or responsibilities and, finally, offboarding.

➡ Policy-Based Access Control is a key component of access governance, allowing your organization to assign permissions based on your organization's access policies. This prevents entitlement creep by ensuring users access only the resources necessary for their job.

➡ Organizations with complex enterprise systems require Identity Life Cycle Management solutions to control access for onboarding employees, contractors, and third parties. Any change to work assignments or departures from the organization requires immediate updates to security privileges in compliance with access policies to ensure your users only have access to what they need while removing access they don't need.

➡ Periodic access reviews are conducted based on policy-defined schedules. These reviews involve managers and data owners validating that users still require their assigned access. Any deviations or discrepancies can trigger actions based on your established policies. This process helps identify and rectify any instances of entitlement creep or ghost accounts.

➡ Automated provisioning and de-provisioning of user accounts simplify user access management, reducing the risk of ghost accounts lingering after employees depart.

➡ Periodic access certification campaigns involve managers and data owners verifying that users have appropriate access. This process helps prevent unauthorized access and ensures accountability.

➡ Access governance tools often include audit trails and monitoring capabilities that allow your organization to track and investigate suspicious activity, such as unwanted guests trying to access systems.

#riskandcompliance #accesscontrols #accessgovernance #cybersecurity