What is this theme about?
This theme covers the cyber security principles that can be applied to help protect against unauthorised access to your organisation’s data and services.
Staff should have just enough access to do their job
In order to carry out your organisation’s day-to-day business on your IT systems, your staff will need to have user accounts. An important security principle is that they have just enough access to carry out their duties, but no more. The more access a compromised user account has, the wider and more impactful a resulting data breach will be.
Administrator or admin accounts are used by people in charge of the settings and controls of the computer or IT system. These accounts have extra permissions to access files, install software and manage other user accounts. Protecting and controlling access to administrator accounts is very important for preventing unauthorised access and system changes.
No shared accounts
Individual members of staff will each need their own unique account with a user name and a password (more about passwords below). Staff must not share accounts.
Disable unused accounts
Accounts that have not been used for a period of 30 days are considered ‘dormant’ and should be removed from devices and services.
Account separation
This leads on to the second principle of using separate accounts for different tasks. Everyone should use standard user accounts for day-to-day activities, such as reading and writing emails, creating documents and browsing the internet. The administrator account should only be used when a task absolutely has to be done that a standard user account is prohibited from doing. During normal use it is always best to log in to a regular user account: if your account is compromised while working in this mode, the attacker will have far less access to the company systems and the breach will be more contained. For example, if the user accidentally opens a malicious attachment or clicks on a link, the malware will have the same privileges as the account they are logged in as, and a standard user account does not have the privilege to download and install new software.
It is important that your organisation understands the user and administrator accounts that are in use within your organisation. Having an inventory of accounts will help to keep track of when accounts are no longer used or required. It is important that this inventory is regularly reviewed, at least every 6 months.
IASME can provide an administrator privilege tracker template that can be adapted for most organisations.
Password Management
Your organisation must have a password policy in place with guidance about password creation and what to do in the event of a suspected password compromise.
All passwords should be set to a minimum of 12 characters and be hard to guess.
Avoid ‘guessable’ information such as pet and children’s names, favourite football teams, home address and date of birth which can sometimes be discovered from the internet or social media posts.
As the usage of cloud services has increased in recent years, it is important to protect your user and admin accounts with multi-factor authentication (MFA).
You may want to consider allowing your staff to use password management applications, which will help them to generate and store hard-to-guess passwords.
It is also recommended that additional protections are put in place to reduce the risk of password guessing or misuse. These could include:
- Throttling of attempts, where the user has to wait longer between each failed attempt to log in.
- Limiting the number of attempts to 10 failed logins, after which the account locks.
- Blocking commonly used passwords (such as password123, QWERTY, etc.) and not allowing the user to reuse their last 5 passwords.
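As an added example that is not part of this guidance or any IASME tool, the Python sketch below shows what the password controls above look like when enforced in an account store: a 12-character minimum, a blocklist of common passwords, no reuse of the last 5 passwords, a throttle that doubles the wait after each failed login, and a lock after 10 failures. The blocklist entries, the one-second starting delay and the `Account` class are assumptions made for the example.

```python
import hashlib
import secrets

# Constructed blocklist standing in for a real common-password list; the page cites
# "password123" and "QWERTY" as the kind of entries it should hold.
COMMON_PASSWORDS = {"password123", "qwerty", "password1234", "qwerty123456"}
MIN_LENGTH = 12           # page: minimum of 12 characters
HISTORY_DEPTH = 5         # page: no reuse of the last 5 passwords
MAX_FAILED_ATTEMPTS = 10  # page: lock the account after 10 failed logins
BASE_DELAY = 1.0          # assumption: first throttle delay in seconds, doubling per failure

def _digest(password: str, salt: str) -> str:
    # Salted PBKDF2 so the password history stores no reusable plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()

class Account:
    def __init__(self, password: str):
        self.salt = secrets.token_hex(8)
        self.history = []        # digests of past passwords, newest last
        self.failed_attempts, self.locked = 0, False
        self.next_allowed = 0.0  # clock value before which login attempts are refused
        ok, reason = self.set_password(password)
        if not ok:
            raise ValueError(reason)

    def set_password(self, new_password: str):
        if len(new_password) < MIN_LENGTH:
            return False, "too short"
        if new_password.lower() in COMMON_PASSWORDS:
            return False, "commonly used password"
        digest = _digest(new_password, self.salt)
        if digest in self.history[-HISTORY_DEPTH:]:  # the current one counts as one of the 5
            return False, "reuses a recent password"
        self.history.append(digest)
        return True, "ok"

    def login(self, password: str, now: float):
        # `now` is the caller's clock (e.g. time.monotonic()), passed in so throttling is testable.
        if self.locked:
            return False, "account locked"
        if now < self.next_allowed:
            return False, "throttled"
        if secrets.compare_digest(_digest(password, self.salt), self.history[-1]):
            self.failed_attempts = 0
            return True, "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            return False, "account locked"
        self.next_allowed = now + BASE_DELAY * 2 ** (self.failed_attempts - 1)  # wait longer each time
        return False, "wrong password"
```

A real deployment would persist the history and lock state and unlock only through the organisation's documented reset process, which is what the password policy in the text is for.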
It is recommended that you take these steps:
- You must have a record of all accounts that are used for carrying out day-to-day business activities.
- You must have a record of all accounts that have administrator privileges.
- Ensure that people only have access to your data if they need it.
- All users must have a unique username and password to access your devices and services.
- You must have a clear process for granting individuals access to your organisation’s data and services.
- Restrict the provision of administrator privileges to dedicated accounts. Accounts with administrator privileges must be used for administrator tasks only.
- Disable dormant accounts and delete accounts that are not needed.
- Account access, including administrator access, must be reviewed at least annually.
- It is important to be aware of and track all the accounts used to access your organisation’s information. Review the administrator accounts at least every six months.
- In addition to username and password, multi-factor authentication must be used where available.
- It is also recommended that additional protections are put in place to reduce the risk of password guessing or misuse, such as throttling attempts, locking accounts after failed logins and blocking certain passwords.