CISA Cyber Essentials Toolkits: Your Surroundings

The fourth entry in CISA’s series of Cyber Essentials Toolkits explores the importance of making sure only the right people have access to your “digital surroundings”. Do you have the necessary access controls in place?

As a part of their Cyber Essentials resource, CISA has rolled out an additional six Cyber Essentials Toolkits. The fourth explores best practices for tracking and authorizing who is allowed in your “digital surroundings”, also known as access control.

CISA Cyber Essentials Toolkits: Your Surroundings

Why Is Access Control Important?

Are you sure that only authorized people have access to your business premises?

It’s a legitimate concern. If you’re relying on nothing more than passwords to keep your data secure, then you’re leaving a lot at risk.

That’s why so many businesses have started securing their IT systems with more advanced access control technologies — do you know what they are?

CISA explores the necessary levels of access control in Chapter 4 of the Cyber Essentials Toolkits.

CISA’s Essential Actions For Access Control

  • Determine Who Has Access To Your Network: This is the basis of access control — to start, you need to figure out who has access to your network. Take an inventory of your users, their access rights, and confirm that no one has more advanced access than is necessary.
  • Implement MFA: When you log in to an account that has MFA enabled, in addition to entering your password, you must either enter in an added generated code, or authorize login with a “push” request to a secondary device.  In the event your password is compromised, your account can remain secure as the cybercriminal is unable to authenticate the secondary requirement. There is a range of options for generating the MFA codes:
    • Receiving a text message
    • Using a dedicated authenticator application
    • Possessing a physical device on which you must push a button to verify that you are the authorized user of that account
  • Limit Admin And Advanced Access As Needed: The fact is that misuse of privilege is often one of the most common ways for cybercriminals to penetrate a network. Either by tricking a user with administrative privileges to download and run malware, or by elevating privileges on a compromised non-admin account, hackers regularly make use of this highly common unsafe business practice.

Eliminating this vulnerability can be achieved in three ways:

  • Limiting administrative privileges to those who actually require it: The fact is that the common business user should not require administrative privileges to do their job — whether that’s for installing software, printing, using common programs, etc.
  • Protecting administrative accounts: Once you’ve limited privileges to only a few members of the organization, make sure their accounts have the right protections in place — complex, long passwords, MFA, alerts for unsuccessful log-ins, and make sure to limit administrative actions to devices that are air-gapped from unnecessary aspects of your network.
  • Track And Control User Changes: This is one of the more basic controls on the list, but no less important. It can’t really be automated or outsourced to any technological aids — it’s just about doing the work.

You need to have a carefully implemented process to track the lifecycle of accounts on your network:

  • Follow a careful system for how accounts are created for new members, how their security is maintained and verified through their life, and how they are removed when no longer needed.
    • Implement secure configuration settings (complex passwords, MFA, etc.) for all accounts.
    • Implement controls for login and use, such as lockouts for too many unsuccessful logins, unsuccessful login alerts, and automatic log-off after a period of inactivity
  • Maintain A Strict Password Policy: Weak passwords are a common vulnerability exploited by cybercriminals. That’s why it’s so common that passwords are required to include uppercase letters, lowercase letters, numbers, and special characters. However, recent guidance from NIST advises that password length is much more beneficial than complexity. Consider using a passphrase, which is when you combine multiple words into one long string of characters, instead of a password. The extra length of a passphrase makes it harder to crack.

Kraft Technology Group Will Help You Defend Your Digital “Surroundings”

Implementing one or two of these standards may seem simple, but all five of them? That may be a little difficult for you to handle, and that’s OK.

Kraft Technology Group will help.

Talk to our team to make sure your systems are secure and in line with CISA’s Cyber Essentials Toolkits.