Analecta Cyber Company Blog: Who are Your Users? Personnel and Asset Authentication to Reduce Cyber Risk

2019-05-07

Who are Your Users? Personnel and Asset Authentication to Reduce Cyber Risk

Each and every user and asset in your organization needs to be treated as a unique identity in order to manage organizational risk appropriately. Employees perform different roles and may have differing levels of access based on those roles. Authentication establishes which identity is making a request; the access control that follows it is what limits employees to the data and devices required to perform their jobs.

Authentic identification, AKA authentication...


The concept of authentication and access control is so core to cybersecurity that the NIST Cybersecurity Framework dedicates an entire category to the topic (Identity Management, Authentication and Access Control, PR.AC). NIST defines authentication as “verifying the identity of a user, process, or device, often as a prerequisite to allowing access to a system’s resources.”

Know your risks


Cybersecurity measures aim to help your organization reduce the risk of attack or compromise. If your organization implements the Principle of Least Privilege (PoLP), users are permitted access to assets only as their job role requires. Authentication is the first step: it establishes who the user is, so that the right level of access can be granted. The strength of authentication required may differ based on individuals’ security and privacy risks or any other organizationally defined risks.

Consider this example scenario: a medium-sized manufacturing business employs individuals across four major categories: shop staff, office staff, executive staff and the IT department. Each group should have different permissions based on the type of work they do.
  1. Shop staff may carry the least risk; they may use inventory systems on closed networks, or something similar that would require physical access to compromise. 
  2. Office staff may carry more risk, since they access financial data, human resources data, and other information that attackers may be able to steal and sell.
  3. Executive staff may have access to data pertaining to strategic business decisions, but they probably do not need access to the inventory systems or certain HR data. 
  4. IT professionals can reach ALL of the organization’s data, but should do so only on a need-to-know basis. Using appropriate authentication will keep your employees from accessing the data they should not access while ensuring they have full access to the data they need to perform their jobs. 
Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to a system’s resources. - NIST CSF

A way forward


From a cybersecurity standpoint, there are a multitude of best practices to secure your company assets, network and data. Here are a few of the controls regarding authentication and access that should be put in place:
  • Enforce a limit of consecutive invalid logon attempts by a user during a specified time period. 
  • Automatically lock the account/node for a specified time period or lock the account/node until released by an administrator when the maximum number of unsuccessful attempts is exceeded. 
  • Purge or wipe information from company mobile devices after a specified number of consecutive, unsuccessful device logon attempts. 
  • Upon successful logon, notify the user of the date and time of their last logon, so an unexpected prior logon can be spotted and reported. 
  • Initiate a session lock after a specified time period of inactivity or upon receiving a request from a user; and retain the session lock until the user reestablishes access using identification and authentication procedures. 
  • Have employees log out of their systems at the end of the work day. Session locks are not an acceptable substitute for logging out of information systems. 
  • Consider forcing a session termination based on conditions set by your organization’s security personnel. 
  • Document the exact conditions and security rationale where a user would be given access without pre-established identification or authentication. Obviously, it is preferable to have individuals authenticate, but there may be unique situations where that would not be possible. 
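The lockout, last-logon notice and session-lock controls above hinge on details that are easy to get wrong: "consecutive" means a success resets the count, "within a specified time period" means stale failures expire, a locked account must reject even a correct password, and a locked session is only reopened by authenticating again. The following model of those rules is an added example written for this post, not Analecta's code or any product's implementation; parameter names and the use of PBKDF2 from the standard library (a real deployment would use a dedicated slow hash such as argon2id) are assumptions, and timestamps are passed in by the caller so the policy can be exercised without a clock.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest; an assumption for this example, chosen because it
    ships with the standard library. Production systems should use argon2id/scrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    name: str
    salt: bytes
    password_hash: bytes
    failed_attempts: List[float] = field(default_factory=list)  # times of consecutive failures
    locked_until: Optional[float] = None          # None: not locked; inf: until admin release
    last_logon: Optional[float] = None            # reported to the user on the next logon
    session_last_activity: Optional[float] = None  # None: no session (logged out)

    @classmethod
    def create(cls, name: str, password: str) -> "Account":
        salt = os.urandom(16)
        return cls(name, salt, hash_password(password, salt))


class LogonPolicy:
    """Hypothetical policy object; the parameter names are assumptions for this example."""

    def __init__(self, max_attempts: int = 5, attempt_window: float = 900.0,
                 lockout_duration: float = 900.0, lock_until_admin_release: bool = False,
                 inactivity_limit: float = 600.0):
        self.max_attempts = max_attempts
        self.attempt_window = attempt_window          # seconds in which failures accumulate
        self.lockout_duration = lockout_duration      # seconds an automatic lock lasts
        self.lock_until_admin_release = lock_until_admin_release
        self.inactivity_limit = inactivity_limit      # seconds before the session locks

    def is_locked(self, acct: Account, now: float) -> bool:
        return acct.locked_until is not None and now < acct.locked_until

    def attempt_logon(self, acct: Account, password: str, now: float) -> Tuple[str, Optional[float]]:
        """Return (status, previous_logon_time); status is 'ok', 'bad_password' or 'locked'.
        A locked account rejects even the correct password, so the lock cannot be used
        by an attacker to confirm a guess."""
        if self.is_locked(acct, now):
            return "locked", None
        candidate = hash_password(password, acct.salt)
        if not hmac.compare_digest(candidate, acct.password_hash):
            # Only failures inside the window count; a success clears the list,
            # which is what makes the counted failures "consecutive".
            acct.failed_attempts = [t for t in acct.failed_attempts if now - t < self.attempt_window]
            acct.failed_attempts.append(now)
            if len(acct.failed_attempts) >= self.max_attempts:
                acct.failed_attempts = []
                acct.locked_until = (float("inf") if self.lock_until_admin_release
                                     else now + self.lockout_duration)
                return "locked", None
            return "bad_password", None
        acct.failed_attempts = []
        acct.locked_until = None
        previous = acct.last_logon
        acct.last_logon = now
        acct.session_last_activity = now
        return "ok", previous

    def admin_release(self, acct: Account) -> None:
        """Administrator clears a lock that would otherwise never expire."""
        acct.locked_until = None
        acct.failed_attempts = []

    def session_status(self, acct: Account, now: float) -> str:
        """'none' after logout, 'locked' once the inactivity limit is reached, else 'active'."""
        if acct.session_last_activity is None:
            return "none"
        if now - acct.session_last_activity >= self.inactivity_limit:
            return "locked"
        return "active"

    def record_activity(self, acct: Account, now: float) -> bool:
        """Extend an active session. Returns False when the session is locked or absent:
        a locked session is re-established only through attempt_logon()."""
        if self.session_status(acct, now) != "active":
            return False
        acct.session_last_activity = now
        return True

    def logout(self, acct: Account) -> None:
        acct.session_last_activity = None


if __name__ == "__main__":
    # Constructed walk-through: three bad guesses lock the account for 900 s.
    policy = LogonPolicy(max_attempts=3)
    acct = Account.create("alice", "correct horse")
    for t in (0.0, 10.0, 20.0, 30.0, 920.0):
        print(t, policy.attempt_logon(acct, "wrong" if t < 30 else "correct horse", t))
```

The `previous` value returned on a successful logon is what the "notify the user of their last logon" control displays; returning it from the same call that performs authentication keeps the notice from being skipped. The `lock_until_admin_release` flag switches between the two lockout options listed above, and the failure list is pruned by the attempt window before counting, so a slow guessing campaign spread across windows does not trip the lock but a burst does.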

Further information


NIST has a series of publications dedicated to managing digital identities and applying appropriate authentication. Explore these publications for more information and additional guidance.

Analecta Cyber brings decades of expertise implementing secure information systems based on the NIST Cybersecurity Framework guidelines. Reach out to us to learn about a robust, more complete cybersecurity program for your company. Contact us at info@analecta-llc.com or visit our Cybersecurity website.

Analecta Cyber is a Maryland-based cybersecurity firm providing cyber risk assessments for small and medium sized businesses. Analecta is a trusted partner to help companies achieve their cybersecurity objectives. 
