The Cost of Inadequate Controls

Why Access Control is important

 With the company growing and expanding, LOTR will start to look interesting to cybercriminals. Because of LOTR’s lack of security and its proper use of access controls, it may very well fall victim to a data breach resulting in massive downtime, loss of revenue, and hurting the company’s image. The purpose of access control is to help keep LOTR safe and secure, and cutting the IT budget is not the way of doing it. Looking at cybercrime reports on other companies on average, shows that a company may suffers as many as one hundred and thirty breaches per year; the report indicated a 27.4 percent increase from 2009 – 2016 (Security, 2017).  Think about what can happen without proper access control, not even thinking about outside attacks but inside attack by employees. Employees would have access to secure data, for example our payroll and client information all because we lack the foresight to implement the proper access management in places to prevent such security breaches (Wiech, 2015). Below is shown the costs breakdown of the annual cost of cybercrime and how it affects business.

Figure 1

To help breakdown the effectiveness of proper technologies to help protect the business below is a graph that shows the value in terms of cost savings to the business.

Figure 2

The importance of access control is so vital for a business in this growing age of technology LOTR needs to stay with the times and prevent such breaches with proper security in placement. There is no reason to wait for a major breach to happen and then react to it when we can take the time before hand and implement proper access control security which will in turn help protect our business. The best strategies for access control is to know what type of controls should the LOTR utilize. There are three types of access control that can be implemented. First, Discretionary Access Control (DAC) which is a type of access control that holds the business owner responsible for deciding which people are allowed in a specific location, physically or digitally (Davis, 2018). A good example and guide for our team for DAC is provided at https://fas.org/irp/nsa/rainbow/tg003.htm. Second, Mandatory Access Control (MAC) is a way to limit access to sensitive information and authorization of the user to that information. This is done by labeling the information into classification and assigning the user a label to grant them access to the only things that are in that classification (IBM, 2014).  At https://www.cs.cornell.edu/fbs/publications/chptr.MAC.pdf is a good reference and provides information about MAC and how it can be set up. The third, is Role-Based Access Control (RBAC) this type of control restricts network access based on a person’s role within LOTR. I believe this would be the best method for our LOTR; it can limit access with several methods that would benefit our teams. With the ability to limit access by authority, responsibility, and job competency, we can limit assigned tasks with only the ability to view, create, or modify a file (Zhang, 2019). Implementing this is not something that will happen overnight, planning and setting up proper policy and roles will require some time before implementing this feature to be sure all areas are covered.  To further familiarize yourselves on RBAC and provide a guideline on how we could use it, please go to this provide link https://digitalguardian.com/blog/what-role-based-access-control-rbac-examples-benefits-and-more.

Critical Areas for Access Control

 Currently, our network is comprised of six servers and eight computers plus switches and routers. From the current layout, all employees have access to all servers and their shared drives. This is a major security concern from my standpoint as anyone could access sensitive information that is stored on a drive and modify or take it. After reviewing the LOTR network diagrams and building layout, it is certain that there are three critical areas that need to be addressed.

Identity management

 With no roles or permissions set up currently everyone has administrator rights which will be corrected with RBAC. When implemented, everyone will have assigned roles and permissions. This can be a many-to-many relationship where users can belong to many groups with various privileges outlined for each group (SearchSecurity, 2007). This allows the user only to have access to what they are authorized and provide more control access to sensitive data.

Physical Security

Currently, the building is only using locks on doors for its protection, and there is no one to stop anyone from entering secured areas. It is recommended that the server have an electronic lock that requires a smartcard to enter and will log all entries. A Mantrap door, which is a set of interlocking doors, could be placed in the main office that would benefit our company to help protect against internal security. Another feature that we do not have is a proper CCTV system in place to monitor the floors and sever rooms.

BYODs

 With the current plan, we have employees bringing in their laptops and electronic devices connecting to the network and performing work. Currently, there isn’t any policy to securely connect to the network. Also, their should be requirements that must be met before connecting to the network. To be given the correct permissions and roles, we need to have in place policies to make sure external devices meet security standards before they are connected. Personal devices will be limited to certain location and may not enter in secure areas that are defined in the security policy.

Database Security Specialist

 The latest budget shows IT being cut by 30%, which will only hurt our department ability to secure our network. With this type of reduction in the budget, we will not be able to afford procurement for new equipment nor the ability to hire the needed database security specialist. Our databases are the backbone of the LOTR; they are not just something that stores data; its transactions, customers and employee info, financial data for both LOTR and its customers (Vonnegut, 2016). IT is important to have someone who is trained in this area and not just a database administrator who doesn’t know the complexity of database security. There are attacks such as SQL injections where a user can take advantage of vulnerabilities in frontend web applications that will send unauthorized database queries which could get access to the database (Schulman, 2006). Malware attacks are common among databases, and without someone who is a properly trained specialist, we are at risk. Other vulnerabilities and threats can be excessive privileges, privilege abuse, unauthorized privilege elevation, platform vulnerabilities, weak audit, denial of service, and weak authentication (Schulman, 2006). These are all internal and external threats that can be reduced if possible, by incorporating a dedicated database security specialist that is trained to maintain and has a wiliness to stay current with new threats and attack trends.

Implementation of RBAC 

 The implementation will be difficult at first, but when up and running our business model will benefit from it immediately. We need to define the resources and services that we will provide to all users and assign their roles. First, everyone on the team will need to understand what RBAC is and understand some of the basic concepts to familiarize with it. Second, go over the security policy to make sure it’s updated and should detail the potential threats to our systems. Third, reviewing all employees and determining what roles and privileges they will need per their level of trust and responsibilities (Oracle, 2010). Once the implementation is completed, it will be up to the administrators to maintain and keep the system clean. No user should have privileges outside their role on a permanent basis and regular auditing and monitoring should be performed on critical resources (Petters, 2018).

Denied NAC Router

The denied NAC router was requested to improve our security and help manage our network. A network access control (NAC) is used as layers of security to protect our network as a line of defense. The NAC would provide assessments of the computers on the network and enable or disable access while enforcing a security policy based on the state of the computer (Davis, 2019). With technology growing and employees or third parties bring in their own devices and connect to the network bringing with them security risks that could affect the entire network. NAC will deny network access to noncompliant devices and place them in a quarantined area or restrict their access; this helps protect the network from unwanted malware or viruses (Davis,2019).

Creating/Removing Accounts

With RBAC, it is important to maintain good records of all users and what roles they require as well as updating or deleting records. In this quick review, we will be using Periscope Data, which we will be using with RBAC. Within the UI, admins will be able to view an overview of all permissions and from here create or delete user accounts. Only the admin will have access to setting up new users and picking which role and privileges they will have access to. Deleting a user can be done on the same tab by selecting the user and viewing the permissions associated with them; once deleted, a user loses all access to our network (Periscope Data, 2012).

Vendors First-hand Experience using NAC routers

• Forescout Technologies Inc. is a leading provider of automated security control solutions for Fortune 1000 enterprises and government organizations that are a leading NAC vendor. The company was founded in 2000, the CEO is Michael DeCesare, and with their NAC they offer a physical or virtual appliance that is managed in a central console and can handle up to 1 million devices (Shapland, 2017).  Forescout allows organizations to accelerate productivity and connectivity and access network resources anywhere without compromising security.  Here are just a few of the various businesses that have used and recommend their products and services: Aflac, BlueCross BlueShield, Symantec, and many others. To date, there has been more than 1,300 secure enterprises and military installations that have chosen to utilize their NAC and other technologies they have to offer (Forescout, 2012).
• Extreme Networks Inc. has been pushing the boundaries in networking technologies since 1996 and has worked with Universities, NFL, and Lowes’s with their networking needs (Extreme, 1996). The current CEO is Ed Meyercord, and the company offers products for networks that can work in a heterogeneous environment. They claim their product will offer greater control of quarantined devices and can be deployed as a physical or virtual appliance. With Extreme Networks focusing on NAC products dealing with BYOD and Internet of Things (IoT). (Shapland, 2017).
• Auconet Inc. is another company providing products best suited to heterogeneous network environments and can enforce authentication via Layer-2 MAC and 802.1x. The company was founded in 1998 by its founder and current CEO Frank Winter. They also manage IoT, BYOD, and help control data acquisition-based networks, which makes them stand out from their competitors (Shapland, 2017). Supporting companies such as DHL, Airbus Group, and BASF have gone with Auconet Inc. technologies for their network needs.

References

• Davis, S. (2018, October 25). 3 Types of Access Control: Which is Right for Your Building? Retrieved August 1, 2019, from https://www.tedsystems.com/3-types-access-control-which-right-building/
• Davis, S. (2019, March 13). Why Your Business Needs Network Access Control. Retrieved August 2, 2019, from https://www.tedsystems.com/why-your-business-needs-network-access-control/
• Extreme. (1996). Extreme Networks to Acquire Aerohive Networks. Retrieved August 2, 2019, from https://www.extremenetworks.com/
• Forescout. (2012). Forescout Proves NAC Superiority Over Other Leading Vendors in Independent Test. Retrieved August 2, 2019, from https://www.forescout.com/company/news/press-releases/forescout-proves-nac-superiority-over-other-leading-vendors/
• IBM. (2014, October 24). Mandatory access control (MAC). Retrieved August 1, 2019, from https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2.icha700/icha700_Mandatory_access_control__MAC_.htm
• Oracle. (2010). How to Plan Your RBAC Implementation. Retrieved August 2, 2019, from https://docs.oracle.com/cd/E19120-01/open.solaris/819-3321/rbactask-16/index.html
• Periscope Data. (2012). Managing User Permissions – RBAC. Retrieved August 2, 2019, from https://doc.periscopedata.com/article/managing-user-permissions-rbac#AddingUserstoRoles
• Periscope Data. (2012). Managing User Permissions – RBAC. Retrieved August 2, 2019, from https://doc.periscopedata.com/article/managing-user-permissions-rbac#AddingUserstoRoles
• Petters, J. (2018, May 31). Role Based Access Control (RBAC). Retrieved August 2, 2019, from https://www.varonis.com/blog/role-based-access-control/
• Schulman, A. (2006, December 7). Top 10 database attacks. Retrieved August 2, 2019, from https://www.bcs.org/content-hub/top-10-database-attacks/
• SearchSecurity. (2007, May 1). Role-Based Access Control – Information Security Magazine. Retrieved August 1, 2019, from https://searchsecurity.techtarget.com/magazineContent/Role-based-access-controls
• Security. (2017, September 25). Cyber Crime Costs $11.7 Million Per Business Annually. Retrieved August 1, 2019, from https://www.securitymagazine.com/articles/88338-cyber-crime-costs-117-million-per-business-annually
• Shapland, R. (2017, December 15). An in-depth look at NAC vendors and what they can offer you. Retrieved August 2, 2019, from https://searchsecurity.techtarget.com/feature/An-in-depth-look-at-NAC-vendors-and-what-they-can-offer-you
• Vonnegut, S. (2016, June 24). The Importance of Database Security and Integrity. Retrieved August 2, 2019, from https://www.checkmarx.com/2016/06/24/20160624the-importance-of-database-security-and-integrity/
• Wiech, D. (2015, August 11). The Consequences of Neglecting Access Management. Retrieved August 1, 2019, from https://www.securitymagazine.com/articles/86566-the-consequences-of-neglecting-access-management
• Zhang, E. (2019, July 15). What is Role-Based Access Control (RBAC)? Examples, Benefits, and More. Retrieved August 1, 2019, from https://digitalguardian.com/blog/what-role-based-access-control-rbac-examples-benefits-and-more