© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2021
J. Seaman, Protective Security, https://doi.org/10.1007/978-1-4842-6908-4_13

13. Strict Access Restrictions

Jim Seaman, Castleford, UK

Today, therefore, a commander must ensure that his troops always know what they are being asked to do, and how that fits into the larger plan. I have always insisted that before a battle the essentials of the plan are known right through the chain of command, and finally down to the rank and file. The troops must know how a commander is going to fight the battle and what they are to play in it; this must be explained to them by word of mouth, for that counts far more than the written word.

And then when the battle has been won, and the troops see that the battle has gone as the commander said it would be, their confidence in the high command will be very great.

This confidence is beyond price.

Military commentator and correspondent, from Thoughts on War, 1944

Figure 13-1. Captain Liddell Hart

Introduction

Captain Liddell Hart’s words have never been truer than when looking to create strict access restrictions for a business’ digital solutions. Every time a login screen is made available to the wider audience, it is like sending troops into war, with the Internet representing the battlefield.

Consequently, it is essential that everyone knows the importance of strict access control and how secure access credential management practices assist a digital business to fight their battles.

As Hart noted, this cannot be achieved by the written word alone (policies); it needs to be effectively communicated to all those who are granted access, those who authorize the access, and the personnel responsible for the secure management of the access system.
  • Secure access management is a team effort.

Background

NIST provides several definitions for access control; here is just a small selection of them:

The process of granting or denying specific requests to:
  1. obtain and use information and related information processing services; and
  2. enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).

NIST SP800-12 Rev. 1 (An Introduction to Information Security)

The process of permitting or restricting access to applications at a granular level, such as per-user, per-group, and per-resources.

NIST SP800-113 (Guide to SSL VPNs)

The process of granting access to information technology (IT) system resources only to authorized users, programs, processes, or other systems.

NIST SP800-47 (Security Guide for Interconnecting Information Technology Systems)

How access to the cryptographic devices or applications are to be authorized, controlled, and validated to request, generate, handle, distribute, store, use and/or destroy keying material. Any use of authenticators, such as passwords, personal identification numbers (PINs) and hardware tokens, should be included. For example, in PKI cryptographic applications, role and identity-based authentication and authorization, and the use of any tokens should be described.

NIST SP 800-57, Part 2 (Recommendation for Key Management)

Alternatively, Techopedia defines access control as being

A way of limiting access to a system or to physical or virtual resources. In computing, access control is a process by which users are granted access and certain privileges to systems, resources, or information.

In access control systems, users must present credentials before they can be granted access. In physical systems, these credentials may come in many forms, but credentials that can't be transferred provide the most security.

All these definitions state the requirement for limiting and managing access to systems, applications, buildings, rooms, and so on to only authorized personnel.

However, as simplistic as this may appear, secure access management continues to be highly problematic for today’s digital business and, as a result, is increasingly being leveraged by criminals as a successful attack vector.

Why is this? Simply put, it is because it relies on a securely configured and managed backend operation (e.g., Active Directory and User Access Management) and consumer/user secure password management.

Let’s face it; secure access management can prove exceedingly difficult to manage and may become an inconvenience for the consumer/user. This then impacts their experience and the convenience and usability of the digital interfaces, and the concessions made to address this often leave those interfaces increasingly vulnerable and favored as a potential attack vector.

The greater the number of digital applications that rely on sensitive information, the greater the appeal for today’s criminals. Additionally, the greater the number of digital interfaces and web/cloud-based applications, the more difficult it becomes for the consumer/user to commit the access credentials to memory.

It has become increasingly difficult for consumers and end users to commit their strong access credentials to memory (e.g., passwords, PINs, answers to security questions, etc.), and, as a result, they are either reusing the same “strong password” across multiple logins, are creating sequential passwords (e.g., P@ssword1, P@ssword2, Password3, etc.), or are using easy-to-remember passwords.

NIST’s SP800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management) provides the following guidance regarding passwords:
  • Length

    The minimum password length that should be required depends to a large extent on the threat model being addressed. Online attacks where the attacker attempts to log in by guessing the password can be mitigated by limiting the rate of login attempts permitted.

    For example:
    • Payment Card Industry Data Security Standard (PCI DSS): minimum of seven characters

  • Complexity

    Composition rules are commonly used to increase the difficulty of guessing user-chosen passwords. Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules.

    Consequently, the difficulties faced by the consumers/end users in maintaining secure password management make these an extremely rewarding attack vector for today’s criminals.

    A mix of characters:
    1. Lowercase
    2. Uppercase
    3. Numbers
    4. Symbols (special characters)
Table 13-1 demonstrates the differences between chosen passwords.

Table 13-1. Password Comparisons

Easy passwords are easily cracked (as depicted in Figure 13-2).

Figure 13-2. My1Login password strength test

  • With reused strong passwords, once one password is compromised, all other applications using the same password are compromised.

    Note.

    By using haveibeenpwned, you can check if one of your online accounts has been compromised (as depicted in Figure 13-3).

Figure 13-3. Have I Been Pwned website

Defending from the Enemy at Your Gates

Imagine your corporate environment as being like a deployed operating base (much like Camp Bastion, as depicted in Figure 13-4).

Figure 13-4. Camp Bastion location

Your business is sited within a hostile environment, with the enemy encamped within the boundaries of your business and indistinguishable from the friendlies (as depicted in Figure 13-5).

Figure 13-5. Enemy at the gates?

Your organization still needs to remain operational, requiring assets to move in and out of the badlands, while preventing the enemy from gaining unauthorized access to your environment and valuable assets.

Consequently, ensuring strict access restrictions are enabled and maintained becomes an essential part of an effective Protective Security strategy, which requires robust Backend and Frontend Operations.

Securing Backend Operations

I’m going to avoid differentiating between logical and physical access control management, as the principles are the same:
  • The effective utilization of access control systems to prevent unauthorized access to business assets while allowing the managed access of approved individuals, who have a legitimate business need to access these business assets

This requires an effective “gate keeper” process (Backend Operations) to manage and monitor the access control system while ensuring that the “keys” (passwords, proximity cards, etc.) and additional authentication requirements (e.g., multifactor authentication (MFA)) are only established for authorized individuals (Frontend Operations).

Effective Backend Operations need to be formalized through documented policies and procedures, with all responsible personnel knowing how these policies apply to their role.

The objective of the Backend Operations is to strictly restrict access to sensitive business assets, to monitor its effectiveness, and to respond to any ABNORMAL activities.

Account Management

Account types are identified and selected based upon legitimate support of business missions/functions. Account managers are assigned to establish the conditions for group and role membership, including the specifics for authorized users, and to ensure that all access requires formal approval.

The account managers are responsible for the creation, enablement, modification, disablement, and removal of the live accounts and for actively monitoring the use of the accounts (being proactive rather than reactive).

Department managers will work with the account managers to ensure that accounts are disabled when no longer needed (e.g., termination/transfer), and access is granted based on strict need to know/access criteria.

Only access to these assets will be enabled using a valid authorization (e.g., unique ID, assigned password/PIN/biometrics, proximity access card, etc.) and for the intended use, based upon defined business missions/functions.

An audit trail should be established that ensures that access can be assigned to an individual, and the use of privileged user accounts should be strictly limited to specific business missions/functions.
  • Avoid the unnecessary use of privileged accounts for duties that can be achieved through standard access. Access should be based upon the principle of “least privilege.”
    • If it is convenient for the employer, it can prove convenient to the opportunist attacker.

Logical and physical access should strictly enforce access restrictions based upon approved authorizations.

All access for employees, customers, suppliers, and so on should be robustly monitored to quickly identify potential malicious activities, for example:
  • Unsuccessful access attempts/logins
    • End user difficulties or something more sinister, for example:
      • An attempted brute-force attack

  • System use/misuse
    • Using a fire extinguisher to prop open a physical access control barrier

    • Logins outside a user’s normal times or from an unexpected location.
      • Are the actions deemed acceptable or expected?

      • Are the actions unusual for that end user’s role?

  • Remote access
    • Is this usual for this end user?
      • Location

      • Time

      • Duration

  • Wireless access
    • Is this an authorized device accessing via wireless?

  • Mobile devices
    • Is this an authorized mobile device?

  • Use of external information systems
    • Are the activities what you would expect of this end user?

All end users should receive an appropriate level of training (appropriate to their roles) to ensure that they understand the importance they play (as key custodians) in safeguarding their access, what is expected of them, and how they should report any suspicious activities or potential loss/compromise of their access credentials (keys).

Whether this is an automated logical access control system (e.g., Active Directory) or physical electronic automated access control system (EAACS), it is essential that the logs are subjected to periodic sampling reviews to help in the proactive identification of potential ABNORMAL activities, compromised access credentials, or misuse of end user privileges.

The logs should clearly identify individual access attempts, so that in the event of a compromise or breach, the root cause or culprit can be easily identified. Consequently, your access control (physical and logical) system logs should work in harmony with any closed-circuit television (CCTV) monitoring and time synchronization technologies (e.g., the times recorded for physical access, logical access, and CCTV are consistent across all monitoring systems).
  • How easily and quickly could you identify unusual physical access activity or malicious attempts to circumvent the physical access controls?

  • Do you proactively monitor the access logs for both your physical and logical access control systems?

  • Are you solely reliant on the logical and access control systems to enforce access restrictions?

  • Do you appreciate the value that the access control (physical and logical) system logs provide to your organization in helping to identify the ABNORMAL?

  • How frequently do you carry out audits of your access control (physical and logical) system logs?
    • Periodic sampling?

    • After the event/incident audit trails?
      • Who might have done what and when?
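As an added example (not code from the book), the monitoring list above and the periodic log sampling described after it, applied to a small constructed set of login records: the script flags a brute-force run of failed logins, successful logins outside normal hours, and a login from a country the user has never logged in from. The log format, the sample lines, the per-user location baseline and the 08:00 to 18:00 working window are all assumptions made for this example.

```python
"""Periodic review of access-log samples for the ABNORMAL patterns listed
above: brute-force runs of failed logins, logins outside a user's normal
hours, and logins from an unexpected location. Example code added for this
chapter; the log format, sample lines and baselines are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). One event per line:
# <UTC timestamp> <user> <success|failure> <source IP> <country code>
SAMPLE_LOG = """\
2021-03-01T09:02:11Z alice success 10.0.1.5 GB
2021-03-01T09:03:40Z bob success 10.0.1.9 GB
2021-03-01T11:15:02Z alice success 10.0.1.5 GB
2021-03-01T23:41:07Z bob success 203.0.113.7 RU
2021-03-02T02:10:00Z carol failure 198.51.100.2 US
2021-03-02T02:10:03Z carol failure 198.51.100.2 US
2021-03-02T02:10:06Z carol failure 198.51.100.2 US
2021-03-02T02:10:09Z carol failure 198.51.100.2 US
2021-03-02T02:10:12Z carol failure 198.51.100.2 US
2021-03-02T02:10:15Z carol failure 198.51.100.2 US
2021-03-02T02:10:18Z carol success 198.51.100.2 US
2021-03-02T08:30:00Z dave failure 10.0.1.20 GB
2021-03-02T08:30:20Z dave success 10.0.1.20 GB
"""

# Where each user normally logs in from (constructed baseline; in practice
# derived from the account managers' records or from historical logs).
KNOWN_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"US"}, "dave": {"GB"}}
BUSINESS_HOURS = (8, 18)   # logins from 08:00 up to 17:59 UTC count as normal


def parse(log_text):
    """Turn the raw lines into event dicts with real datetimes."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, country = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result, "ip": ip, "country": country})
    return events


def brute_force_candidates(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logins inside any sliding
    `window`; the value is the largest run seen. A single mistyped password
    (dave) stays below the threshold."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["user"]].append(e["time"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            run = end - start + 1
            if run >= threshold:
                flagged[user] = max(flagged.get(user, 0), run)
    return flagged


def off_hours_logins(events, hours=BUSINESS_HOURS):
    """Successful logins outside the normal working window."""
    return [(e["user"], e["time"].isoformat())
            for e in events
            if e["result"] == "success" and not (hours[0] <= e["time"].hour < hours[1])]


def unexpected_locations(events, baseline=KNOWN_COUNTRIES):
    """Successful logins from a country not in the user's baseline."""
    return [(e["user"], e["country"], e["time"].isoformat())
            for e in events
            if e["result"] == "success" and e["country"] not in baseline.get(e["user"], set())]


def review(log_text):
    """Run every check over one log sample and return the findings."""
    events = parse(log_text)
    return {
        "brute_force": brute_force_candidates(events),
        "off_hours": off_hours_logins(events),
        "unexpected_location": unexpected_locations(events),
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(f"{check}: {findings}")
```

Run stand-alone, it reports carol's six failures inside the ten-minute window, bob's and carol's out-of-hours logins, and bob's login from RU. The thresholds are the kind of parameters the account managers would tune from the organization's own baseline, and the same checks apply to EAACS door logs with a door identifier in place of the source IP.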

Frontend Operations

Working in harmony with the Backend Operations, any individual who is deemed to be approved for authorized access owns a shared responsibility to ensure that the “keys to the gate” remain protected and that they respect the fact that they are a target for criminals.

Consequently, it is essential that secure keys (authentication protocols) are generated and used as per the organization’s access control policies and procedures. This is what I call “Frontend Operations” (as depicted in Figure 13-6), for example:
  • Access credential management

  • End user account management

  • End user device management

  • End user acceptable use

  • Eavesdropping management

Figure 13-6. Frontend Operations

Today’s criminals have recognized that most organizations have trust in their employees and as a result may pay less attention to monitoring their “trusted assets.” Consequently, these “trusted assets” are regarded as opportunist attack vectors that the criminals can use to evade or undermine a business’ defensive efforts.

The criminals have identified that human behavior provides them a unique opportunity to exploit poor habits, for example:
  • Enticing an employee to click a malicious link or download some harmful software

  • Providing unauthorized access to sensitive data through careless habits, for example:
    • Having a sensitive conversation in a public place
      • Overhearing

    • Accessing sensitive data on a mobile device in a public place
      • Overseeing

  • Being careless with or struggling to maintain their secure and robust keys, which allow them authorized access to the valued business assets

  • Accessing sensitive areas via insecure network environments

  • Being unaware of the dangers of publishing far too much personal or sensitive data on social media websites, which (much like pieces of a jigsaw puzzle) are collected up and pieced together by the criminals

  • Being overtrusting of and helpful to people, resulting in them bypassing the access control measures to allow unauthorized access
    • Let’s face it; it is not in most people’s nature to challenge others or to be untrusting of others.
      • This is exactly why criminals’ use of social engineering has proven so successful for them and is regarded as the weak link in the business security chain (Chapter 2: Social Engineering Penetration Testing).

Indeed, having robust and strong Frontend Operations to ensure strict access restrictions has become as important as having effective Backend Operations and clearly requires the three-pillar approach (as depicted in Figure 13-7) to be applied across the Backend and Frontend perspectives.

Figure 13-7. DNV-GL 3 pillars

It is no longer appropriate just to expect the Frontend Operations to run efficiently and effectively without some investment of time and resources to identify the specific risks to the Frontend and to provide proportionate mitigation controls to reduce these risks to within acceptable tolerances and to act as a complement to the Backend Operations.

As an example, if you were to engage with your sales team or senior management, you may discover that they have a business requirement to carry out work while traveling on public transport and, as a result, have an increased risk of being overlooked. However, for a relatively small investment, this risk could be reduced through some security awareness training and the procurement of privacy screen filters (as depicted in Figure 13-8) that can be used with their mobile devices.

Figure 13-8. Privacy protection screens

Additionally, another area of difficulty for the Frontend Operations is the management of their access credentials, and this is often not helped by some organizations’ insistence on enforcing rigorous access credential management requirements, for example:
  • Password must meet strong criteria:
    • Lengthy string
      • 15 characters or more

    • Must include a combination of
      • Uppercase characters

      • Lowercase characters

      • Numbers

      • Symbols (special characters)

    • Must be changed frequently:
      • Every 30 calendar days (20 working days)

    • Must not be a previously used password.
      • Not the same as the one used in the past four passwords.

    • Passwords must not be written down.

    • Passwords must not be commonly cracked passwords (as depicted in Figure 13-9).

Figure 13-9. Commonly cracked passwords

Consequently, while the end user is struggling to remember and manage this and all the other access credentials (typically more than 40), they end up doing the following:
  • Establishing password chains by creating memorable corresponding strings

  • Reusing the same “strong” passwords across multiple logins

  • Creating convenient passwords that are easy to compromise

As a business, you need to allow the Frontend Operations to interact with the “badlands,” and this gives criminals the opportunity to use these interfaces as a “mule” to help deliver malicious payloads or as a conduit to gain unauthorized access to the inner sanctums.

Why wouldn’t you consider the benefits of reducing these risks through such things as
  • Adjusting the access credential requirements (as per the NIST guidance) or providing the Frontend Operations with supporting technical solutions (e.g., password managers)

  • Providing additional protective measures

  • Providing suitable levels of training to help them to be a more effective contribution to Frontend Operations
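The rigid composition-and-rotation rules listed above, beside a screening policy in the spirit of the NIST SP800-63B guidance quoted earlier in the chapter: a modest minimum length backed by rate-limited login attempts, and rejection of commonly cracked, context-specific or run-based passwords instead of composition rules. This is example code added here, not the book's or NIST's; the blocklist, the thresholds and the sample passwords are constructed for illustration.

```python
"""Two password policies side by side: the composition-and-rotation rules
listed above, and a screening policy in the spirit of the NIST SP800-63B
guidance quoted earlier (minimum length, a blocklist of commonly cracked
passwords, no context words or character runs, rate-limited login attempts
instead of composition rules). Example code added for this chapter; the
blocklist and thresholds are constructed samples, not NIST's or the book's."""
import re
import string

# Constructed sample blocklist. A real deployment screens against a large
# corpus of breached and commonly cracked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome",
                    "iloveyou", "admin", "football", "monkey", "dragon"}

# Substitutions users predictably make to dress up a base word.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def legacy_policy(pw):
    """The rigid rules: 15+ characters with all four character classes.
    Returns the list of violations (an empty list means accepted)."""
    problems = []
    if len(pw) < 15:
        problems.append("shorter than 15 characters")
    classes = {"uppercase": str.isupper, "lowercase": str.islower,
               "digit": str.isdigit, "symbol": lambda c: c in string.punctuation}
    for name, test in classes.items():
        if not any(test(c) for c in pw):
            problems.append(f"missing {name}")
    return problems


def normalize(pw):
    """Fold case, trailing digits/symbols and leet substitutions so that a
    chain such as P@ssword1, P@ssword2, Password3 all reduce to 'password'."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stripped.translate(LEET)


def has_run(pw, length=4):
    """True if `pw` contains `length` repeated (aaaa) or sequential (1234,
    abcd, dcba) characters, one of the patterns SP800-63B says to reject."""
    for i in range(len(pw) - length + 1):
        chunk = pw[i:i + length].lower()
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def screening_policy(pw, username, service="ABC Company"):
    """Screening policy: 8 to 64 characters, long passphrases welcome, no
    composition rules and no scheduled expiry; reject blocklisted,
    context-specific or run-based choices. Returns the list of violations."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 64:
        problems.append("longer than 64 characters")
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    low = pw.lower()
    for word in (username.lower(), *service.lower().split()):
        if len(word) >= 3 and word in low:
            problems.append(f"contains context word '{word}'")
    if has_run(pw):
        problems.append("contains repeated or sequential characters")
    return problems


class LoginThrottle:
    """Per-account rate limit on failed logins: the online-guessing control
    that lets the minimum length stay modest. Thresholds are illustrative."""

    def __init__(self, max_failures=10, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout = lockout_seconds
        self.failures = {}          # account -> timestamps of recent failures

    def allowed(self, account, now):
        recent = [t for t in self.failures.get(account, []) if now - t < self.lockout]
        self.failures[account] = recent
        return len(recent) < self.max_failures

    def record_failure(self, account, now):
        self.failures.setdefault(account, []).append(now)


if __name__ == "__main__":
    for candidate in ("P@ssword1", "Winter2021!Winter", "alice1234",
                      "correct horse battery staple"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"screening={screening_policy(candidate, 'alice')}")
```

Run stand-alone, the demo shows the tension the chapter describes: P@ssword1 fails the legacy policy only on length, and its chain siblings P@ssword2 and Password3 reduce to the same blocklisted base word under the screening check, while a long passphrase that the legacy rules reject on three counts passes the screening policy.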

Two/Multifactor/Strong Customer Authentication

Another enhancement to Frontend Operations is the use of an additional layer of access protection, where the user is required to use an additional method to authenticate themselves:
  1. Something you know (e.g., password, PIN, etc.)

  2. Something you have (e.g., token, smart card, etc.)

  3. Something you are (e.g., fingerprint, retinal scan, etc.)

By employing two or more of these requirements to achieve two-factor authentication (2FA), multifactor authentication (MFA), or strong customer authentication (SCA), you are providing an additional barrier to the opportunist criminals. Rather than just needing to compromise the passwords, they need to compromise the other authentication elements.

A username and password compromised via a phishing email will not, on their own, allow unauthorized access to the accounts.
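The three-factor list above with the first two factors implemented: a password check (something you know) combined with a time-based one-time code from an authenticator (something you have), as RFC 6238 TOTP specifies it on top of RFC 4226 HOTP. This is example code added for this chapter, not from the book; the account record, demo password and salt are constructed, and the seed is the RFC 6238 test key so the codes can be checked against the RFC's published vectors. The demo plays out the scenario in the text: a phished password without the current code, or a captured code without the password, is refused, and an already-used code is rejected as a replay.

```python
"""Two-factor login: something you know (password) plus something you have
(a TOTP authenticator, RFC 6238 over RFC 4226 HOTP). Example code added for
this chapter, not from the book; the account record, demo password and salt
are constructed, and the TOTP seed is the RFC 6238 test key."""
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the current 30-second step."""
    return hotp(key, unix_time // step, digits)


class Account:
    """One user record holding both factors: a salted password hash and the
    TOTP seed shared with the user's authenticator app or token."""

    def __init__(self, username, password, totp_seed_b32, salt):
        self.username = username
        self.salt = salt
        self.pw_hash = self._hash(password, salt)
        self.totp_key = base64.b32decode(totp_seed_b32)
        self.last_step = -1      # highest time step whose code was accepted

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)

    def matching_step(self, code, unix_time, step=30, window=1):
        """Return the time step whose code matches, allowing `window` steps
        either side for clock drift, or None. Steps at or below the last
        accepted one are never matched, so a code captured in transit cannot
        be replayed."""
        current = unix_time // step
        for c in range(current - window, current + window + 1):
            if c > self.last_step and hmac.compare_digest(hotp(self.totp_key, c), code):
                return c
        return None


def login(account, password, code, unix_time):
    """Both factors are always evaluated; the one-time code is consumed only
    when the whole login succeeds. A phished password with no valid code, or
    a valid code with no password, is refused without saying which failed."""
    pw_ok = account.check_password(password)
    step = account.matching_step(code, unix_time)
    if pw_ok and step is not None:
        account.last_step = step
        return True
    return False


# Constructed demo values (not real credentials). The seed is the base32
# form of the RFC 6238 test key "12345678901234567890".
DEMO_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SALT = b"constructed-demo-salt"


def demo():
    """Walk through the scenarios from the text with a fixed clock."""
    acct = Account("alice", "correct horse battery staple", DEMO_SEED, DEMO_SALT)
    now = 1111111109                       # one of the RFC 6238 reference times
    good_code = totp(acct.totp_key, now)
    return {
        "rfc_vector": totp(acct.totp_key, 59, digits=8),      # expected 94287082
        "both_factors": login(acct, "correct horse battery staple", good_code, now),
        "replayed_code": login(acct, "correct horse battery staple", good_code, now),
        "phished_password_only": login(acct, "correct horse battery staple", "000000", now + 60),
        "code_without_password": login(acct, "guessed", totp(acct.totp_key, now + 60), now + 60),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The one-step drift window is what lets a user whose phone clock is a few seconds off still log in; the `last_step` watermark is the cheap protection against a code being relayed by a phishing page within the same 30-second step.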

Note.

Despite several social media platforms offering this enhanced authentication model (not enabled by default, as depicted in Figure 13-10), many users/consumers regard the additional hassle of further authentication requirements as an inconvenience and do not take up this option.

Figure 13-10. LinkedIn two-step verification setting

However, it is important to remember that this is a case of balancing this inconvenience with the risks/threats. If you value the data that resides within, you should promote the value and benefits multilayered access controls bring.
  • If it is easy and convenient for the user, it is likely to be easy and convenient for the opportunist attacker.

Military Comparison

Having served 22 years in military service, in the RAF Police, I have been directly involved in, or supervised, the enforcement of strict access restrictions and especially (prior to the UK Government’s Options for Change) the control of access to several RAF establishments:
  • RAF Brize Norton

  • RAF Marham

  • RAF Leeming

  • RAF Oakhanger

  • RAF Aldergrove, Northern Ireland

  • RAF Linton On Ouse

  • RAFO Thumrait, Oman

Whether this was controlling the access at the main gate of the establishment or an internal access gate or an aircraft apron, the principles were the same. Ensure that the individual could be identified (RAF Form 1250/MOD 90 identity card) and was authorized to access the environment (e.g., access control list, “PIT” tag exchange, etc.).

If I had a pound (£) for every time I had used the phrase:

Sir, please do not confuse your rank, with my authority!

I would have been an extraordinarily rich man.

Consequently, I have endless tales demonstrating the value of effective access restrictions, ranging from some of the incidents that occurred in Camp Bastion (potential suicide bomber, local national caught in the perimeter fence line, etc.), as mentioned in my book about Payment Card Security (PCI DSS: An Integrated Data Security Standard Guide).

However, rather than focus on retelling the same accounts, I will focus on my first role as a Counter Intelligence operative, where I not only had oversight responsibilities for the main access/egress but also had responsibility for maintaining the internal strict access restrictions.

This was enabled using various security graded buildings, rooms, and containers. Where there was a need to retain hardcopy media, containing sensitive data assets, these needed to be retained securely but made accessible to those who had a legitimate need to access the data.

To enable this, I had the responsibility for managing and maintaining a large estate of mark 4 manifoil combination locks (MCL; as depicted in Figures 13-11 and 13-12) and their containers.

Figure 13-11. Mark 4 MCL

Figure 13-12. MCL use

As the custodian for this estate of MCL, I had the responsibility for carrying out servicing and maintenance of the locks and ensuring that the combinations were periodically changed and an effective recovery process (in case of authorized users forgetting the combination) was established.

Now, much like some of your growing number of applications and systems, to which you need to commit to memory a unique access code or password, some of these containers may only have needed to have been accessed on exceedingly rare occasions.

To access the contents of these secure cabinets, authorized users needed to enter a unique combination (## – ## – ## and opening digits ##, e.g., 21 – 32 – 43 – 75). However, you didn’t want to make these combinations too easy to guess, but they needed to be committed to memory.

Consequently, based around the Battle Code concept (aka BATCO, as depicted in Figure 13-13), I would place a grid (as depicted in Figure 13-14) on the wall adjacent to the locks, which they could use as a prompt to help them remember the combination code.

Figure 13-13. BATCO grid

Figure 13-14. MCL grid

These security containers were only to be used for the storage of sensitive data, and using the containers for any other purpose (segregation of use), such as the secure storage of the Squadron Team Bar funds, was prohibited.

Access to these security containers was strictly restricted, based upon an access control list, provided by the unit security officer (USyO)/branch security officer (BSyO). Other than the scheduled combination changes, the combinations would also be immediately changed when someone had their access revoked (e.g., change of role, termination, etc.) or if compromise was suspected.

Using the same principle, you can make it easier to create and remember secure authentication data, without having to write the passwords down.

For example, by applying a memorable pattern or reference, you can easily create and remember secure passwords (as depicted in Figure 13-15).
Figure 13-15. Grid-lock application

In preparation for these duties, we had this included within the 10-week residential Counter Intelligence training course, which also included the stripping down and reassembling of these complex locks. However, this was the phase of the training I had missed out on because of the sudden death of my father. Fortunately, the instructor gave up some of his time over the weekend to deliver one-to-one mentoring to enable me to answer the exam essay question on how to operate the MCL and the practical evaluation of being faced with a stripped-down lock, which needed to be reassembled (as depicted in Figure 13-16).

Figure 13-16. MCL maintenance

I have learned many lessons from the management of the MCL property estate, which can be seen to be directly applicable for the enhancement of strict access restriction requirements, used to help safeguard valued business assets.

Building BRIDGES

To help demonstrate the value of strict access restrictions, I will now convey this using the BRIDGES acronym for a specific business area of operation.

Business Context

ABC Company has a sales team which is deemed an essential component of their profitability. A primary role of the sales team, as you can well imagine, involves the extensive interaction with customers and their personal details.

Consequently, the organization wants to ensure that the sales team remains safe, secure, and trustworthy, which requires the assurance that this part of the business has a reduced risk for the compromise of the customers’ personal data.

Risk and Resilience

The sales team has proven particularly good at customer relations, but their security culture had not, previously, been regarded as a risk. However, following a review of the sales operations, there were several issues observed regarding their Frontend Operations. This, in turn, could significantly undermine the efforts of the Backend Operations.

For example, they were seen to have a very relaxed attitude to the access controls around their Frontend IT assets:
  • For convenience, they would share access credentials into the network-connected business IT systems.

  • Often, the business IT systems would be left “unlocked” while unsupervised but in the presence of a customer (stranger).

  • They would frequently leave customers alone, for periods of time, with uncontrolled access to the payment card reader devices and business IT systems.
    • Allowing an opportunist stranger to place a clandestine hardware keylogger (as depicted in Figure 13-17) between the keyboard and the business IT system (capturing every keystroke) to allow the circumvention of any access restriction controls

Figure 13-17. Hardware keylogger

Identify and Isolate

The business needs to ensure that all the sales teams receive security awareness training regarding the requirements for restricting access to the payment card devices and business IT systems and the risks that they are presenting by not strictly restricting the access to authorized personnel.

The payment card devices and business IT systems should be isolated and stored away when not required. This can easily be achieved by relocating the business IT systems into an out-of-sight location, for example, under the sales desk (as depicted in Figure 13-18).

Figure 13-18. Under-desk IT workstation rack

Detect Anomalies

Having established the strict access restriction controls, it would then be a requirement for the Backend Operations and the sales managers to carry out monitoring for any ABNORMAL activities or contraventions to these mitigation controls.

Govern Processes

Established roles and responsibilities should be developed, which include the strict access restriction requirements. These should be periodically communicated to the sales team members through security awareness training, policies, and procedures.

Where a member of the sales team fails to adhere to the corporate rules, this should be investigated and the offending individual’s mens rea or understanding of the rules investigated.

Where there is no evidence of malicious, deliberate, or criminal intent, the individual should receive refresher training. However, disciplinary action should always be a consideration where such evidence is discovered.

Evaluate Security Controls

Independent periodic reviews should be established to ensure that all these mitigation access restriction controls remain effective, ensuring that the perceived risks to the sales team operations remain within the business’ risk appetite levels.

Survive to Operate

Many successful business leaders appreciate the value of making the most of the good times while preparing for when bad things happen and the business may be impacted (e.g., the COVID-19 pandemic).

Forward-thinking leaders will accept this and will embrace the need to plan contingencies for when such events occur. This is no different with the restriction of access; things will not always go smoothly with the Backend and Frontend Operations, and these gear cogs will get out of sync or become misaligned.

Being prepared for such events can be the game changer for minimizing the impact on the business. In the event of a compromise of an email or end user account, what damage could occur?
  • Could unauthorized access lead to further account compromises?

  • Could a compromised account allow an attacker to move laterally across the network?

  • Could an attacker use a compromised account to provide them with further credibility to launch further attacks that cause greater damage?

  • What contingency plans do you have in place to limit this damage?

  • How quickly could you identify and respond to a compromised end user account or an unauthorized escalation of user privileges?

Reality Bites

There are many accounts spanning throughout historic events that have clearly demonstrated how poor access control practices have undermined the strongest of defenses.

Take, for instance, the fall of the city of Constantinople,34 which had been described as an impenetrable fortress. Despite a formidable array of physical defensive layers, after many failed attempted sieges and hundreds of years, the city was eventually compromised, as the attackers exploited the weakest points – the access/egress gates!

One of the most recent and notable incidents, relating to a compromise of the Frontend Operations, can be seen in the cyber-attack on The North Face.35 The organization’s web-based operations36 had been compromised after the attacker used compromised customer credentials from other data breaches against The North Face customer logins (aka credential stuffing37).

Where customers had reused the same access credentials (Frontend Operations) across multiple accounts, the attackers had been able to use these to compromise their North Face logins. Therefore, The North Face’s Backend Operations had to instigate their “Survive to Operate” activities and reset all their customer logins.38

I have a personal account of an incident which could have been avoided, had the business listened to my concerns. I had only recently started with an organization that had just moved to Microsoft’s cloud-based Office 365.

I was surprised to discover that they were allowing end user access to their accounts from any device, anywhere in the world, with reliance placed solely on the unique user ID (e.g., no conditional access, multifactor authentication (MFA), etc.). However, when I voiced my concerns to the IT Operations Director and the chief information officer, I was basically “shot down in flames,” being informed in no uncertain terms that this was not regarded as a risk, that it was a matter of business convenience, and that criminals would not be interested in attacking a business-to-business (B2B) organization like theirs.

Clearly, they had not considered the risks, nor the additional mitigation costs needed for a secure transition to Office 365. Nor did they want to face the embarrassment of going back to the board members for approval of the additional costs needed to mitigate the extra risks that they had overlooked or omitted from their initial business case for moving the business onto Office 365.

You can probably guess what happened next; this process became convenient for the opportunist criminals!

Seven months later, three employees received a malicious email from one of the B2B customers. The email requested the urgent review of an attached document, accessed via a link. Once the link was clicked, an Office 365 login page (as depicted in Figure 13-19)39 was presented, and the end user would enter their Office 365 credentials.
Figure 13-19. Office 365 login web page

The email had originated from a compromised email account belonging to a business customer, and the link to the Office 365 login page was malicious. Of the three recipients, two ignored the email, while the third forwarded the malicious email to one of their junior assistants (who happened to have been one of the two who had originally ignored the email) and told them to
  • “Deal with it, as I’m too busy!”

Well, the junior assistant then clicked the link, entered their access credentials into the malicious Office 365 web page, and clicked the sign-in button. However, they were then greeted with an error page, so they just discounted it and carried on with their day.

Exactly 30 days later, less than 5 minutes after logging out of their Office 365 account, an unknown and unauthorized individual logged in to the account (IP address originating from Nigeria) and, using the considerable information available in the business email account, spent around 1 hour sending out more malicious Office 365 emails.

After around 1 hour, they logged out and another attacker logged in, this time from an IP address originating in London, United Kingdom. This activity went on for around 4 hours that evening (with the attackers even responding to any emails received within this time), until they had sent out over 500 malicious emails.

As soon as this incident had been discovered, the response was to immediately identify any of the business’ employees who could have received this email and to lock their accounts, requiring password resets. However, the distribution list for these malicious emails had not been limited to just the business’ employees, and so an email had to be sent out to all those external recipients to ensure that they were made aware of the issue.

With this incident being regarded as a “near miss” for the organization, the business decision was made to upgrade the end user accounts so that conditional access40 could be enabled.

Consequently, all access was then limited to registered devices, preventing unauthorized access in the event that an end user has their access credentials compromised. Additionally, once implemented, the users would be presented with a company-branded login web page (as depicted in Figure 13-20).
Figure 13-20. Bespoke Office 365 login web page

However, this did not turn out to be the end of it. It took a considerable length of time to upgrade all the accounts; Office 365 had been set up to employ single sign-on between the different Microsoft business applications, and some of the board members found changing their account passwords, or not being able to reuse the same “secure password,” a great inconvenience.

Approximately 1 week before the conditional access was ready to be implemented (several months later), a payment clerk received several communications, across a few different mediums, purporting to be from three of the board members.

These communications were stressing that there was an urgent invoice, for around $50,000, that needed to be paid immediately. However, in one of the communications, the unknown attackers had made the mistake of addressing the recipient by their surname, when they were on first-name terms. This had made the payment clerk suspicious, resulting in him making a telephone call to the alleged originator of the communication.

Of course, once again, the criminals were using compromised accounts to try to obtain a fraudulent payment. On discovery, the payment clerk contacted me immediately to raise the alarm.

Having responded to and contained the incident, the ensuing investigation revealed that none of the board members could recall receiving the initial email that had compromised their accounts, and the access logs did not go back far enough to identify when this compromise may have occurred.

However, it is probably safe to assume that these senior management exceptions to the access restriction rules had allowed the attackers to gain a clandestine, persistent presence in their accounts.

The attackers even identified that my role was a threat and took the opportunity to create a rule in the senior management’s email accounts, so that any emails they received from me would be moved directly into the trash.
  • Another avoidable “near miss!”
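The two ABNORMAL behaviors in this incident, a sign-in from a different country minutes after the legitimate session and an inbox rule that buries the security lead's emails, are both visible in sign-in and mailbox-audit records if Backend Operations look for them. The script below is an added example (not the author's or Microsoft's code) that runs this detection over constructed sample events; the user addresses, the security mailbox name, the folder names, and the 120-minute window are assumptions.

```python
"""Added example: detect the two ABNORMAL signs seen in the incident,
a sign-in from another country shortly after a legitimate session and
an inbox rule that silently buries mail from the security role."""
from datetime import datetime, timedelta

# Constructed sign-in records (not real logs); times are UTC, ISO-8601.
SIGNINS = [
    {"user": "assistant@example.com", "time": "2020-06-01T17:55:00", "country": "GB"},
    {"user": "assistant@example.com", "time": "2020-06-01T17:59:00", "country": "NG"},
    {"user": "assistant@example.com", "time": "2020-06-01T19:02:00", "country": "GB"},
    {"user": "clerk@example.com", "time": "2020-06-01T09:00:00", "country": "GB"},
]

# Constructed mailbox-audit records for newly created inbox rules.
RULES = [
    {"user": "director@example.com", "name": "cleanup",
     "sender": "security@example.com", "folder": "Deleted Items"},
    {"user": "director@example.com", "name": "news",
     "sender": "news@vendor.example", "folder": "Reading"},
]

SECURITY_SENDERS = {"security@example.com"}      # assumed security role mailbox
HIDING_FOLDERS = {"Deleted Items", "Junk Email"}  # folders the owner rarely reads


def country_change_alerts(events, window_minutes=120):
    """Return (user, earlier_country, later_country, minutes_apart) for each
    pair of consecutive sign-ins by one user from different countries within the window."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            gap = (datetime.fromisoformat(cur["time"])
                   - datetime.fromisoformat(prev["time"])) / timedelta(minutes=1)
            if prev["country"] != cur["country"] and gap <= window_minutes:
                alerts.append((user, prev["country"], cur["country"], gap))
    return alerts


def hidden_security_mail_alerts(rules):
    """Return (user, rule_name) for inbox rules that divert mail from the
    security role into a folder the owner is unlikely to read."""
    return [(r["user"], r["name"]) for r in rules
            if r["sender"] in SECURITY_SENDERS and r["folder"] in HIDING_FOLDERS]


if __name__ == "__main__":
    for alert in country_change_alerts(SIGNINS) + hidden_security_mail_alerts(RULES):
        print("ALERT:", alert)
```

On the sample data this raises two country-change alerts for the assistant (GB to NG four minutes after the legitimate session, then NG to GB an hour later) and one inbox-rule alert for the director; the clerk's single sign-in raises nothing.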

Key Takeaways

  • Strict access control is an essential component of a defense-in-depth41 model.

  • An effective access control program should be regarded as an integration between Backend and Frontend Operations.

  • Backend and Frontend Operations are complementary to each other and should work in harmony with each other.

  • Restrictions of access should be based on strict role or business requirements.

  • Access control should include a degree of inconvenience.

  • Your access control program should implement the principle of least privilege.

  • Privileged access should only be used for specific requirements.
    • Where job functions can be achieved through a standard level of access, these accounts should be used.

  • Backend Operations should be able to proactively detect ABNORMAL activities.

  • Frontend Operations are a highly effective additional layer of defense. However, they need to understand what is acceptable and how they should report any difficulties or signs of ABNORMAL activities on their account.

  • End users should be educated on the risks and receive mentoring on ways to improve the management of their account access credentials.

  • Any changes to the access control measures should be risk assessed.

  • Business leaders should consider the benefits of implementing measures to assist with the secure management of the Frontend Operations.
