Access control, a comprehensive set of rules and requirements regulating which persons and systems have authority to access resources within a company's network and computer systems, is critical to all advanced cybersecurity implementations. Once established, many of the components implemented to support access control will remain relatively static for reasonable periods of time. However, one key element is dynamic and requires its own set of rules within an access control strategy. That is the definition and management of the credentials used to identify and authenticate persons and systems attempting to access resources within a company's network.
Generally, network security credentials include usernames and passwords, but they may also include other identifying factors such as the identity (IP address, MAC address, etc.) of any device being used to access the network. There are also a variety of alternative technologies that can be used to identify a user. These include key fobs that generate unique passwords periodically, personal ID systems similar to facility access cards, a security dongle that must be connected to a computer's port, biometric ID systems, etc.
Once assigned, usernames tend to remain unchanged and allow a designated user to access network resources from any number of devices. Usernames must be unique within a network architecture. Additionally, if a username is to be changed, the validation of the user and the system resources that the user can access should be verified as though the user is a new user within the network system.
Methods should be implemented to monitor how frequently each user accesses a network. Rules should be established defining when a username is considered abandoned or retired. Such usernames and all other components of the associated credentials should be disabled for future network access.
It is common practice to allow temporary network/computer systems access for temporary workers, company guests, and maintenance/service providers. Companies tend to deploy a couple of different strategies for providing credentials on a temporary basis. It is not uncommon to provide a "guest network" that allows a guest to connect to the network with very limited capabilities – typically restricted to internet access. There are security vulnerabilities associated with a "guest network." Once a guest has access inside the network, it is conceivable that this access could be misused as an entry point to tunnel deeper into the company's infrastructure – you have unlocked the door through the outer layer of your security architecture. While it is more cumbersome to implement, a better alternative is to provide each guest with a unique set of credentials that can be independently validated and monitored for activity on the network. All temporary credentials should be automatically disabled after a specified period of time.
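The rules above (unique usernames, retiring abandoned usernames, and automatically disabling temporary credentials) can be run as a periodic review. This is an added example, not code from the article; the `Credential` record, its field names, and the 90-day inactivity period are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy value; the article leaves the actual period to each company.
ABANDONED_AFTER = timedelta(days=90)

@dataclass
class Credential:                        # hypothetical directory record
    username: str
    last_login: Optional[datetime]       # None = never used
    created: datetime
    expires: Optional[datetime] = None   # set only for temporary/guest credentials
    enabled: bool = True

def review(creds, now):
    """Return {username: reason} for every enabled credential that should be disabled."""
    seen, to_disable = set(), {}
    for c in creds:
        key = c.username.lower()
        if key in seen:                  # usernames must be unique
            raise ValueError(f"duplicate username: {c.username}")
        seen.add(key)
        if not c.enabled:
            continue
        if c.expires is not None and now >= c.expires:
            to_disable[c.username] = "temporary credential expired"
        elif (c.last_login or c.created) + ABANDONED_AFTER <= now:
            to_disable[c.username] = "abandoned (no recent login)"
    return to_disable

# Constructed sample data for illustration.
NOW = datetime(2024, 6, 1)
SAMPLE = [
    Credential("alice", datetime(2024, 5, 30), datetime(2022, 1, 10)),
    Credential("bob", datetime(2024, 1, 15), datetime(2021, 3, 1)),
    Credential("guest-0412", datetime(2024, 5, 31), datetime(2024, 5, 28),
               expires=datetime(2024, 5, 31, 18, 0)),
    Credential("svc-hvac", None, datetime(2024, 5, 1), expires=datetime(2024, 7, 1)),
    Credential("carol", datetime(2023, 1, 1), datetime(2020, 1, 1), enabled=False),
]

if __name__ == "__main__":
    for name, reason in review(SAMPLE, NOW).items():
        print(f"disable {name}: {reason}")
```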
Some standard practices that should be implemented when managing credentials include:
Passwords should be required to be updated periodically – monthly, quarterly, etc.
Updated passwords should meet minimum criteria for length and format. For example, a minimum of N characters, a mixture of upper- and lowercase characters, no strings of characters in common with usernames, no repetitive characters, and the inclusion of symbols.
When passwords are reset, minimum requirements should be defined for the amount of change required from previous passwords – no single character changes, no reuse of older passwords, etc.
Enforce security standards to protect passwords – do not store in a file or email, disallow all written copies of passwords, etc.
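A password-change check that applies the format and amount-of-change rules listed above, shown as an added example rather than code from the article. The thresholds (12 characters for "N", an edit distance of 4, a 4-character overlap with the username, three identical characters in a row) and the PBKDF2 history format are assumptions.

```python
import hashlib, hmac, os, re

MIN_LENGTH = 12          # assumed value for the article's "N characters"
MIN_EDIT_DISTANCE = 4    # assumed: rejects single-character changes
PBKDF2_ROUNDS = 200_000  # assumed work factor for the stored history

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits from a to b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_new_password(username, current, new, history):
    """Return the violated rules (empty list = accepted).
    current: the present password, typed by the user as part of the change.
    history: (salt, digest) pairs of older passwords; no plaintext is kept."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[a-z]", new) and re.search(r"[A-Z]", new)):
        problems.append("needs upper- and lowercase")
    if not re.search(r"[^A-Za-z0-9]", new):
        problems.append("needs a symbol")
    if re.search(r"(.)\1\1", new):           # same character three times in a row
        problems.append("repeated characters")
    user, low = username.lower(), new.lower()
    if any(user[i:i + 4] in low for i in range(len(user) - 3)):  # 4-char overlap
        problems.append("shares a string with the username")
    if edit_distance(current, new) < MIN_EDIT_DISTANCE:
        problems.append("too similar to current password")
    if any(hmac.compare_digest(hash_password(new, s)[1], d) for s, d in history):
        problems.append("reuses an older password")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    old = [hash_password("Winter#Harbor19")]
    print(check_new_password("jsmith", "Maple!Canyon42", "Maple!Canyon43", old))
```

The similarity check only needs the current password, which the user enters during the change, so older passwords can stay stored as salted hashes.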
Both network credentials and authorization to access specific network resources using those credentials should be categorized based on how frequently each user utilizes those credentials and authorizations. A company should have a standard means of identifying and monitoring the activities of all users on a network. This standard means should be sufficient to monitor the activities of users who commonly use specific network resources. However, there are cases where a user may infrequently access the network, or a frequent user may only infrequently need to access specific resources within the network. From a security perspective, it is better to add an extra layer of authentication to address these cases. Multifactor authentication is typically a two-step process to verify that the user requesting access is really the authorized user. In multifactor authentication, a user attempting to log on to the network or in to a specific resource within the network is sent a message (typically either an email or text) that provides additional information required to complete their log-in attempt (commonly a unique code that needs to be entered). The concept is that if a user has access to more than one resource of the authorized user, then they are more than likely the authorized user.
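The server side of the second step described above, where a unique code is sent to the user and must be entered to complete the log-in, as an added example that is not part of the original article. The class name, the 5-minute lifetime, and the 3-attempt limit are assumptions, and delivery of the code by email or text is left out.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # assumed: a code is valid for 5 minutes
MAX_ATTEMPTS = 3    # assumed: guesses allowed per issued code

class StepUpChallenges:
    """Issues and verifies one-time log-in codes (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # username -> [code digest, expiry, attempts left]

    def issue(self, username):
        code = f"{secrets.randbelow(10**6):06d}"           # 6 random digits
        digest = hashlib.sha256(code.encode()).digest()    # store only a digest
        self._pending[username] = [digest, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code   # hand to the email/text channel; never write it to logs

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expiry, _ = entry
        if self._clock() > expiry:
            del self._pending[username]                    # expired codes are dropped
            return False
        entry[2] -= 1
        given = hashlib.sha256(submitted.encode()).digest()
        ok = hmac.compare_digest(digest, given)            # constant-time comparison
        if ok or entry[2] <= 0:
            del self._pending[username]   # single use; discard after too many guesses
        return ok

if __name__ == "__main__":
    challenges = StepUpChallenges()
    sent = challenges.issue("alice")           # constructed username
    print(challenges.verify("alice", sent))    # True
    print(challenges.verify("alice", sent))    # False: the code was already used
```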
One of the more common security failures comes from the fact that companies frequently do not change default credentials for devices connected to a network – usually something like username=USER and password=PASSWORD. This occurs for any device connected to the network but is most commonly found in devices with no direct user interface – printers, cameras, security sensors, monitoring equipment, and many types of production equipment. Each of these represents a security vulnerability. All default credentials should be changed to a secure set of credentials upon installation.
It is important that a company expands the definition of users beyond the traditional human user to include software systems both inside and outside of the company. When software systems interact with each other, the exchange of information should be viewed as though the software system is another user interacting with a company resource. The same rules and definitions for creating, managing, and authenticating user credentials should be applied to these software systems. These interfaces between systems are the second-most common areas for network security breaches, right behind human error. Actors penetrate one system and then use the interfaces between systems to penetrate deeper into a company's network infrastructure.
Properly managing and protecting network credentials is a key element in all advanced cybersecurity implementations. The area within a network where these credentials are stored should have the highest level of security that is possible to implement – this information represents all of the keys needed for an intruder to access all of your business's most critical resources. Additionally, access to this information should be restricted to as few individuals as possible.
For more details on concepts addressing network credentials and authentication, you may want to reference Section 3.5 Identification and Authentication of NIST standard SP 800-171.
For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.
Part 1: Engagement and Reinforcement
Part 2: Interaction Mapping
Part 3: Access Control
Part 4: Electronic Media Protection
Part 5: Identification and Authentication
Part 6: Activity Logging, Auditing, and Traceability
Part 7: Network Resource Configuration Management
Part 8: Communications, Network, and Database Security
Part 9: Personnel and Infrastructure Security
Part 10: Maintenance and Incident Response