
Building an Advanced Cybersecurity Plan: Identification and Authentication

The definition and management of the credentials used to access the resources within a company's network requires its own set of rules within an access control strategy. Here are some important security elements to consider with usernames and passwords.
Aug 08, 2022

Access control, a comprehensive set of rules and requirements regulating which persons and systems have authority to access resources within a company's network and computer systems, is critical to all advanced cybersecurity implementations. Once established, many of the components implemented to support access control will remain relatively static for reasonable periods of time. However, one key element is dynamic and requires its own set of rules within an access control strategy. That is the definition and management of the credentials used to identify and authenticate persons and systems attempting to access resources within a company's network.

Generally, network security credentials consist of usernames and passwords, but they may also include other identifying factors such as the identity (IP address, MAC address, etc.) of the device being used to access the network. There is also a variety of alternative technologies that can be used to identify a user. These include key fobs that generate unique passwords periodically, personal ID systems similar to facility access cards, a security dongle that must be connected to a computer's port, biometric ID systems, etc.

Once assigned, usernames tend to remain unchanged and allow a designated user to access network resources from any number of devices. Usernames must be unique within a network architecture. If a username is to be changed, the user's identity and the system resources that user may access should be re-validated as though the user were new to the network.

Methods should be implemented to monitor how frequently each user accesses the network. Rules should be established defining when a username is considered abandoned or retired. Such usernames, and all other components of the associated credentials, should be disabled for future network access.

It is common practice to allow temporary network/computer systems access for temporary workers, company guests, and maintenance/service providers. Companies tend to deploy a couple of different strategies for providing credentials on a temporary basis. It is not uncommon to provide a "guest network" that allows a guest to connect to the network with very limited capabilities – typically restricted to internet access. There are security vulnerabilities associated with a "guest network." Once a guest has access inside the network, it is conceivable that this access could be misused as an entry point to tunnel deeper into the company's infrastructure – you have unlocked the door through the outer layer of your security architecture. While it is more cumbersome to implement, the better alternative is to provide each guest with a unique set of credentials that can be independently validated and monitored for activity on the network. All temporary credentials should be automatically disabled after a specified period of time.
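
The two lifecycle rules above (retire usernames that go unused, and auto-disable temporary credentials after their period) can be applied from a login log and an account inventory. The following is an added example, not code from the article; the 90-day abandonment threshold, the 14-day never-used grace period, the log line format and the accounts are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
DORMANT_AFTER = timedelta(days=90)     # assumed policy: no successful login for 90 days = abandoned
NEVER_USED_GRACE = timedelta(days=14)  # assumed: created but never used within 14 days = disable

@dataclass
class Account:
    username: str
    created: datetime
    expires: datetime = None   # set only for temporary (guest/contractor/vendor) credentials

def last_logins(log_lines):
    """Username -> latest successful login; constructed log format '<iso-ts> user=<name> result=ok|fail'."""
    latest = {}
    for line in log_lines:
        ts, user_field, result = line.split()
        if result != "result=ok":
            continue                      # failed attempts are not use of the credential
        user = user_field[len("user="):]
        when = datetime.fromisoformat(ts)
        if user not in latest or when > latest[user]:
            latest[user] = when
    return latest

def credentials_to_disable(accounts, log_lines, now):
    """Return {username: reason} for every credential the policy says to disable now."""
    latest = last_logins(log_lines)
    result = {}
    for acct in accounts:
        seen = latest.get(acct.username)
        if acct.expires is not None and now >= acct.expires:
            result[acct.username] = "temporary credential expired"
        elif seen is not None and now - seen > DORMANT_AFTER:
            result[acct.username] = f"abandoned: no successful login for {(now - seen).days} days"
        elif seen is None and now - acct.created > NEVER_USED_GRACE:
            result[acct.username] = "never used"
    return result
NOW = datetime(2022, 8, 8, 9, 0, 0)   # constructed sample data follows
ACCOUNTS = [
    Account("jdoe", datetime(2021, 1, 4)),
    Account("rlee", datetime(2021, 1, 4)),
    Account("guest-vendor7", datetime(2022, 7, 25), expires=datetime(2022, 8, 1)),
    Account("svc-backup", datetime(2022, 7, 1)),
]
LOG = [
    "2022-08-07T17:42:10 user=jdoe result=ok",
    "2022-04-30T08:15:00 user=rlee result=ok",
    "2022-08-06T11:00:00 user=rlee result=fail",
    "2022-07-26T10:00:00 user=guest-vendor7 result=ok",
]
```

Run against the sample data, `credentials_to_disable(ACCOUNTS, LOG, NOW)` flags the expired guest, the dormant user and the never-used service account while leaving the active user alone.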

Some standard practices that should be implemented when managing credentials include:

  • Passwords should be required to be updated periodically – monthly, quarterly, etc.

  • Updated passwords should meet minimum criteria for length and format. For example, a minimum of N characters, a mixture of upper- and lowercase characters, no strings of characters in common with usernames, no repetitive characters, and at least one symbol.

  • When passwords are reset, minimum requirements should be defined for the amount of change required from previous passwords – no single character changes, no reuse of older passwords, etc.

  • Enforce security standards to protect passwords – do not store in a file or email, disallow all written copies of passwords, etc.
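
The format and reset rules in the list above can be enforced at the point where a password is set. The following is an added example, not code from the article; it assumes N = 12 characters, a minimum of 3 changed character positions, a 5-entry history, and treats any 4-character run of the username as "common with usernames". History entries are kept as salted PBKDF2 digests rather than plaintext, in line with the rule against storing passwords in files.

```python
import hashlib
import hmac
import re
import secrets

MIN_LENGTH = 12     # the article's "N characters"; 12 is an assumed value
MIN_CHANGE = 3      # assumed: at least 3 character positions must differ from the old password
HISTORY_SIZE = 5    # assumed: the last 5 passwords may not be reused

def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the history never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password: str, history: list) -> None:
    """Append a (salt, digest) pair for a password that has just been set."""
    salt = secrets.token_bytes(16)
    history.append((salt, _digest(password, salt)))

def check_format(password: str, username: str) -> list:
    """Return the format rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lowercase letters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one symbol")
    if re.search(r"(.)\1\1", password):
        problems.append("contains a run of three or more identical characters")
    # "common with usernames": any 4-character run of the username, case-insensitively
    lowered, user = password.lower(), username.lower()
    if any(user[i:i + 4] in lowered for i in range(len(user) - 3)):
        problems.append("shares a substring with the username")
    return problems

def check_reset(new: str, previous: str, history: list) -> list:
    """Reset rules: enough change from the old password, no reuse of recent ones."""
    problems = []
    # Positions that differ plus any change in length; rejects "single character changes"
    changed = sum(a != b for a, b in zip(new, previous)) + abs(len(new) - len(previous))
    if changed < MIN_CHANGE:
        problems.append(f"fewer than {MIN_CHANGE} characters changed")
    if any(hmac.compare_digest(_digest(new, salt), d) for salt, d in history[-HISTORY_SIZE:]):
        problems.append("reuses a previous password")
    return problems
```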

Both network credentials and the authorization to access specific network resources with those credentials should be categorized by how frequently each user exercises them. A company should have a standard means of identifying and monitoring the activities of all users on a network. That standard means should be sufficient for users who regularly use specific network resources. However, there are cases where a user accesses the network only infrequently, or a frequent user only occasionally needs a specific resource within the network. From a security perspective, it is better to add an extra layer of authentication for these cases. Multifactor authentication is typically a two-step process to verify that the user requesting access is really the authorized user. In multifactor authentication, a user attempting to log on to the network or to a specific resource within it is sent a message (typically an email or text) containing the additional information required to complete the log-in (commonly a unique code that must be entered). The concept is that if a user has access to more than one resource belonging to the authorized user, then they are more than likely the authorized user.
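
The server side of the emailed or texted code step described above needs more than "generate a code and compare": the code should be random, short-lived, single-use, and limited in guesses, and only its hash should be stored. The following is an added example, not code from the article; the five-minute validity, the three-attempt limit and the six-digit format are assumptions, and delivery of the code to the user is left to the caller.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 300   # assumed: a delivered code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed: three wrong guesses invalidate the code

class SecondFactor:
    """Server side of the emailed/texted code step. The plaintext code goes to the
    delivery channel only; the server keeps its hash, expiry and attempt counter."""

    def __init__(self):
        self._pending = {}   # username -> [code_hash, expires_at, attempts_left]

    def issue(self, username: str, now: float) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"          # six digits from the CSPRNG
        code_hash = hashlib.sha256(code.encode()).digest()
        self._pending[username] = [code_hash, now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code   # the caller sends this to the user's registered email/phone

    def verify(self, username: str, submitted: str, now: float) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False                             # nothing issued, or already consumed
        code_hash, expires_at, attempts_left = entry
        if now >= expires_at or attempts_left <= 0:
            del self._pending[username]              # expired or exhausted: must re-issue
            return False
        ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), code_hash)
        if ok:
            del self._pending[username]              # single use: a replayed code fails
        else:
            entry[2] -= 1                            # count the wrong guess
        return ok
```

Timestamps are plain epoch seconds so the class can be driven by a clock of the caller's choosing; issuing a new code for the same user replaces any pending one.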

One of the more common security failures comes from the fact that companies frequently do not change the default credentials for devices connected to a network – usually something like username=USER and password=PASSWORD. This can occur with any device connected to the network but is most common in devices with no direct user interface – printers, cameras, security sensors, monitoring equipment, and many types of production equipment. Each of these represents a security vulnerability. All default credentials should be changed to a secure set of credentials upon installation.

It is important that a company expands the definition of users beyond the traditional human user to include software systems both inside and outside of the company. When software systems interact with each other, the exchange of information should be viewed as though the software system were another user interacting with a company resource. The same rules and definitions for creating, managing, and authenticating user credentials should be applied to these software systems. These interfaces between systems are the second-most common area for network security breaches, right behind human error. Actors penetrate one system and then use the interfaces between systems to penetrate deeper into a company's network infrastructure.

Properly managing and protecting network credentials is a key element in all advanced cybersecurity implementations. The area within a network where these credentials are stored should have the highest level of security that is possible to implement – this information represents all of the keys needed for an intruder to access all of your business's most critical resources. Additionally, access to this information should be restricted to as few individuals as possible.

For more details on concepts addressing network credentials and authentication, you may want to reference Section 3.5 Identification and Authentication of NIST standard SP 800-171.


For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.

Part 1: Engagement and Reinforcement

Part 2: Interaction Mapping

Part 3: Access Control

Part 4: Electronic Media Protection

Part 5: Identification and Authentication

Part 6: Activity Logging, Auditing, and Traceability

Part 7: Network Resource Configuration Management

Author
John Turner
Director of Technology for FA Consulting & Technology (FAC&T) and member of the MTConnect Institute.