
CyberSec 101: The Importance of Access Controls

Access Controls

We all know what is meant by access control; it is pretty easy to figure out. There are all kinds of access controls in our daily lives. A great example is going to the movies: access to the theater is restricted unless you have a ticket.

The formal definition: in information security, access control is the selective restriction of access to a place or to a resource that contains data. Guidance on it is published by the National Institute of Standards and Technology (NIST) in its standards and special publications. Access controls prevent unauthorized individuals or machines from reaching information they are not supposed to see. In cyber security vernacular, access control boils down to (drum roll) “Who can get to what?”

Key TAKEAWAYS about Access Control
  • Permission to access a resource is called authorization. Locks and login credentials are two everyday examples of access control mechanisms.
  • Assigning the least amount of access necessary for users to accomplish their task is known as the Principle of Least Privilege. Its close cousin, need to know, goes one step further: even when your role permits a kind of access, you only get the specific information you need for the task at hand.
  • Authorization and access control work hand in hand, and the Principle of Least Privilege is the guiding light.
  • Understanding access control means understanding the underlying principles of access control systems and how to implement, manage and secure them, including internetwork trust architectures, identity management and the various access control frameworks.

Types of Access Controls

Administrative Access Controls

These controls consist mostly of the organization’s policies. For access control, you need a policy, written in your organization’s own language, that states who may access what and how that access is granted, reviewed and revoked.

Good cyber security policies are the foundation of a good cyber security program. Policies must be approved and signed off by executive management to be effective. Without written, approved and enforced cyber security policy, chaos will soon ensue.

Technical Access Controls

Technical (also called logical) access controls are the mechanisms in hardware and software that actually enforce the policy: logins and multi-factor authentication, access control lists and role-based permissions, and the logs that record who reached what. They are the “how you do things” in practice, and they are how we comply with our current cyber security policies. The documents that describe them, such as directives, guides, operating procedures, run books and more, should also be written and approved, both for continuity and to demonstrate compliance. How in depth should they be? My answer would be: as in depth as required. Once again apply the principle of least, but apply it to many things; in other words, just enough to get the job done.
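To make “who can get to what?” concrete, here is an added example (not code from the original post) of a technical access control: a small role-based authorization check that denies by default, grants only what each role needs (the Principle of Least Privilege from the takeaways above), and then applies a separate need-to-know test for sensitive records. The roles, permission table, users, patient identifiers and resource kinds are all constructed for illustration and are not from any real system.

```python
"""Role-based access control with default deny and a need-to-know check.

Added example, not code from the original post. The roles, permission
matrix, users and resources below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Least privilege: each role carries only the (action, resource kind) pairs
# its job requires. Anything absent from this table is denied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "nurse": frozenset({("read", "patient_record")}),
    "physician": frozenset({("read", "patient_record"), ("write", "patient_record")}),
    "billing": frozenset({("read", "invoice"), ("write", "invoice")}),
}

# Resource kinds that additionally require need-to-know: a user may only touch
# records for patients explicitly assigned to them (assumed data model).
NEED_TO_KNOW_KINDS = frozenset({"patient_record"})


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    assigned_patients: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Resource:
    kind: str       # e.g. "patient_record"
    owner_id: str   # e.g. the patient identifier the record belongs to


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Access log: a detective control that sits beside the preventive check.
AUDIT_LOG: List[str] = []


def authorize(user: User, action: str, resource: Resource) -> Decision:
    """Answer "who can get to what?" for one request.

    Order of checks: default deny, then role grant (least privilege), then
    need-to-know for sensitive kinds. Every decision is logged either way.
    """
    decision = Decision(False, f"no role of {user.name} grants {action} on {resource.kind}")
    for role in sorted(user.roles):
        # Unknown roles map to an empty grant set, so they fall through to deny.
        if (action, resource.kind) in ROLE_PERMISSIONS.get(role, frozenset()):
            decision = Decision(True, f"role '{role}' grants {action} on {resource.kind}")
            break

    if decision.allowed and resource.kind in NEED_TO_KNOW_KINDS:
        if resource.owner_id not in user.assigned_patients:
            decision = Decision(
                False,
                f"{user.name} has the right role but no need to know for {resource.owner_id}")

    AUDIT_LOG.append(
        f"{'ALLOW' if decision.allowed else 'DENY'} user={user.name} action={action} "
        f"resource={resource.kind}:{resource.owner_id} reason={decision.reason}")
    return decision


def demo() -> List[bool]:
    """Run constructed requests and return the allow/deny outcomes in order."""
    nurse = User("nora", frozenset({"nurse"}), frozenset({"P-100"}))
    doc = User("dana", frozenset({"physician"}), frozenset({"P-100"}))
    clerk = User("bill", frozenset({"billing"}))
    visitor = User("ivy", frozenset({"visitor"}))  # role not in the table

    rec = Resource("patient_record", "P-100")
    other_rec = Resource("patient_record", "P-200")
    invoice = Resource("invoice", "INV-7")

    requests = [
        (nurse, "read", rec),        # allowed: nurse reads an assigned patient
        (nurse, "write", rec),       # denied: nurse role has no write
        (doc, "write", rec),         # allowed: physician writes assigned patient
        (doc, "read", other_rec),    # denied: right role, no need to know
        (clerk, "read", rec),        # denied: billing cannot see clinical data
        (clerk, "write", invoice),   # allowed: billing manages invoices
        (visitor, "read", invoice),  # denied: unknown role hits default deny
    ]
    return [authorize(u, a, r).allowed for u, a, r in requests]


if __name__ == "__main__":
    print(demo())
    print("\n".join(AUDIT_LOG))
```

Two design points worth noticing: the decision starts as a denial and is only flipped to allow by an explicit grant, so a typo in a role name or a missing table entry fails closed rather than open; and the need-to-know test is applied after the role check, which is why the physician in the demo keeps the write permission her role grants yet still cannot read a patient she is not assigned to.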

My belief is that Cyber Security is a balancing act that is full of nuances and compromises for all. Written Rules provide continuity and assurance to the users and management that Cyber Security Requirements are justified and approved.

Physical Access Controls

Safeguarding access is often accomplished through physical means. Physical access controls include ID and badge scanners, biometric devices, security guards, mantraps, fences, video cameras and access logs, among many more.

This area is usually well covered if you are a bank or other financial institution. If you are a healthcare organization, physical security is much more difficult. To put it another way: “When was the last time you saw a barbed-wire fence around a hospital?” Never, right? Hospitals are public places, so healthcare often does not have these access controls available. Because of this, hospitals and healthcare organizations need to become more creative with physical controls, or strengthen their administrative and technical access controls to compensate.

Where can I find more information?

NIST’s guidance on access control is spread across a few key standards and publications, which are widely used to secure and properly manage information systems. The main ones that apply to access control are:

  1. NIST Special Publication (SP) 800-53, Revision 5:
    • This is the core catalog of security and privacy controls for information systems and organizations, used by federal agencies and widely adopted elsewhere. Its Access Control (AC) family covers account management, access enforcement, least privilege and separation of duties, alongside the authentication and authorization controls that support them.
  2. NIST Special Publication (SP) 800-63, Revision 3:
    • This publication covers digital identity: how to proof a person’s identity and how to authenticate users securely. It defines levels of assurance for identity proofing, authentication and federation, which are the inputs an access control decision relies on.
  3. Federal Information Processing Standard (FIPS) 200:
    • FIPS 200 sets minimum security requirements for federal information systems, including access control. It works in conjunction with SP 800-53 to ensure systems meet baseline security requirements.
  4. NIST Special Publication (SP) 800-171:
    • This publication provides requirements for protecting controlled unclassified information (CUI) in non-federal systems and organizations. Its access control requirements ensure that only authorized individuals and processes reach CUI.

Conclusion

There are three types of access controls: administrative, technical and physical. Administrative refers to policy. Technical refers to the mechanisms (and the procedures around them) that enforce policy in systems, and physical is everything outside of the Matrix. Policies must adhere to the Principle of Least Privilege. Written security policies must be approved by executives. Written rules provide continuity and assurance to users and management that cyber security requirements are justified and approved.

Find out more at https://topgallant-partners.com/cyber-security/access-controls/
