March 6, 2019
In the mid-1850s, at the Palace of Khorsabad in Iraq, archaeologists found a simple lock and key system which dated back to 4000 B.C.E. The lock used pins of different lengths to secure the door, and the owner would then use a key which pushed the pins of the lock, allowing entry. In this way, you could protect valuables without constant monitoring. From our earliest beginnings, humans have been trying to protect valuables from theft and destruction. In our modern age, as data itself became valuable, and then became digitized, the methods for guarding these valuables have changed, but the concepts have stayed the same.
The most basic and necessary rule in information security is called the “principle of least privilege,” which requires that each user have access to only the data and resources which are necessary to complete his or her job duties. In other words, don’t give a master key to a person who only needs access to one room. In information technology (IT), this principle is one aspect of the concept of “access control.” Access control is a physical or logical constraint placed on an entry point to data, prohibiting or deterring accessibility, like that of a lock and key. Some examples of physical access controls are dead man doors, video cameras, alarm systems, and electronic doors. Examples of logical access controls include password policies, time-of-day restrictions, two-factor authentication, and user permissions to a database.
At the University of Kentucky (UK), linkblue accounts are created for every employee, student, and external learner (persons affiliated with UK who may need some access to University systems). Once this account is created, it can be used to control access by setting up groups, database roles and account authentication for an application, with privileges broadening as the employee is assigned new tasks. As UK Internal Audit conducts IT audits at the University, it is common to come across deficits in these access controls, specifically logical access control in user account management.
When employees leave the University or transfer jobs within the University, they likely would no longer need the access they had in their old position, but access may not be properly modified when they leave, which can lead to privilege misuse. In the 2018 Verizon Data Breach Investigations Report, it was found that 12 percent of breaches involved privilege misuse.1 For example, an employee may use their access to review personnel or patient information which is out of the scope of their job.
When a user leaves the University, their account should be disabled. If they change jobs within the University, management should review their access and make the necessary changes. Additionally, it is important to note that access to some systems, including cloud services or local applications, may be managed with a local account, not the linkblue account. Local accounts should have a local password policy, or criterion, in place to make sure they meet complexity standards so that hackers cannot guess passwords. The 2017 Verizon Data Breach Investigations Report stated that data breaches involving stolen or weak passwords accounted for approximately 80 percent of the hacking-related violations.2 Local accounts need to be manually modified or disabled when a user changes jobs or leaves the University.
Another best practice for access control is to prohibit or restrict the use of shared accounts. Shared accounts preclude the identification of a specific user, which reduces the usefulness of logins. If you can’t track what a user is doing, there is more potential for misuse. Automatic de-provisioning, disabling application guest and default accounts, and monitoring administrative account activity are other access control strategies that should be employed.
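The account-management checks described above can be run as a periodic review. The following is an added example, not part of the original article or of any University system: it reconciles one application's local accounts against an HR roster and reports accounts to disable or review. The CSV column names, the sample rows and the list of built-in account names are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample data: an HR roster and one application's local-account export.
HR_ROSTER = """employee_id,status,department
e1001,active,Nursing
e1002,terminated,Payroll
e1003,active,Registrar
"""

LOCAL_ACCOUNTS = """account,owner_id,enabled,granted_in_department
asmith,e1001,true,Nursing
bjones,e1002,true,Payroll
clee,e1003,true,Admissions
guest,,true,
frontdesk,,true,
dkim,e1002,false,Payroll
"""

# Assumed names for guest/default accounts shipped with an application.
BUILTIN_NAMES = {"guest", "admin", "administrator", "default"}


def review_accounts(roster_csv, accounts_csv):
    """Return (account, finding) pairs for enabled accounts that need action."""
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing to do
        name, owner = acct["account"], acct["owner_id"].strip()
        if name.lower() in BUILTIN_NAMES:
            findings.append((name, "guest/default account enabled: disable"))
        elif not owner:
            findings.append((name, "shared account, no named owner: restrict or retire"))
        elif owner not in roster:
            findings.append((name, "owner not in HR roster: disable"))
        elif roster[owner]["status"] == "terminated":
            findings.append((name, "owner has left: disable"))
        elif roster[owner]["department"] != acct["granted_in_department"]:
            findings.append((name, "owner changed jobs: management review of access"))
    return findings


if __name__ == "__main__":
    for account, finding in review_accounts(HR_ROSTER, LOCAL_ACCOUNTS):
        print(f"{account}: {finding}")
```

Because local accounts are not tied to the central directory account, a review like this has to be run against each application's own account export.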
Policy and Procedure
One of the most effective ways to manage access control is through effective governance. Policies and procedures should be established and approved by management to ensure the implementation of adequate access controls, and practices should be monitored to make sure employees follow the policies and procedures. An access control policy and procedure should clearly outline the rules for access authorization, establishment, modification, and termination. It should describe de-provisioning steps during staff terminations and contain specifics relating to standard and high-risk terminations. It should include access criteria such as separation of duties and the use of regular, guest and shared accounts, and document the resources to which staff can be assigned and the various access levels permitted. Once management approves the policy and procedures, they should then be communicated to the users, so they understand the importance of gaining access to only what they need to complete their job.
User account management is an essential aspect of logical access control. IT professionals across campus should be diligent in their efforts to manage users’ access through established best practices and effective policies, thus ensuring a more secure IT and University environment.
For more information about cybersecurity, or to schedule an IT consultation review in your unit, please contact UKIA at 859.257.3126.
If you would like to receive news and information about current risks, fraud concerns and more, please subscribe to UKIA’s listserv by sending an e-mail to LISTSERV@lsv.uky.edu with the following text in the message body: subscribe INTERNALAUDIT-L.
Photo by: Yuri Samoilov
1 2018 Data Breach Investigations Report. enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf.
2 2017 Data Breach Investigations Report. www.knowbe4.com/hubfs/rp_DBIR_2017_Report_execsummary_en_xg.pdf.