Access control and administrative privilege management
Protecting user accounts and preventing misuse of privileged accounts is essential for any cyber-secure system or network. According to the 2014 Verizon Data Breach Investigations Report (DBIR), 88% of insider-threat incidents involved privilege abuse.
User accounts, particularly those with special access privileges (e.g. administrative accounts), should be assigned only to authorised individuals, managed effectively, and granted only the minimum level of access to applications, computers and networks that the role requires.
The term ‘privilege creep’ has gained currency as this problem has grown; it refers to the gradual accumulation of access privileges when users are promoted or change roles without their old privileges being reviewed and removed.
Are you at risk? The following practices should be avoided:
- Lack of a user account management system or privilege management process.
- Network and system administrator user accounts being used for non-administrator activities.
- Unauthorised user accounts having special access to applications, computers and networks.
- Lack of a documented process for user access permissions.
- Failure to enforce unique usernames and a strong password policy.
- Failure to change passwords on a regular basis.
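Privilege creep, as described above, is easiest to catch with a periodic review that compares what each account actually holds against the baseline its current role allows. The following script is an added example for this page, not any product's or vendor's code; the role names, privilege names and accounts are constructed, and in practice the baseline and the live account list would be exported from the organisation's directory or IAM system.

```python
"""Privilege-creep review: compare each account's current privileges against
the baseline its role allows and report the excess.
Added illustration; all role, privilege and account data below is constructed."""
from dataclasses import dataclass, field

# Constructed role baseline: the privileges each role is permitted to hold.
ROLE_BASELINE = {
    "helpdesk": {"reset_user_password", "read_tickets"},
    "sysadmin": {"reset_user_password", "read_tickets", "local_admin", "domain_admin"},
    "finance": {"read_ledger", "approve_payment"},
}


@dataclass
class Account:
    username: str
    role: str                      # the role the account holds today
    privileges: set = field(default_factory=set)  # what it actually has


def excess_privileges(account):
    """Return (sorted) privileges the account holds beyond its role's baseline.
    A role missing from the baseline has no entitlement, so everything is excess."""
    allowed = ROLE_BASELINE.get(account.role, set())
    return sorted(account.privileges - allowed)


def review(accounts):
    """Return {username: [excess privileges]} for every account showing creep."""
    findings = {}
    for acct in accounts:
        extra = excess_privileges(acct)
        if extra:
            findings[acct.username] = extra
    return findings


# Constructed sample: 'alice' moved from sysadmin to finance but kept admin rights;
# 'carol' is in a role nobody documented, so nothing she holds is authorised.
SAMPLE_ACCOUNTS = [
    Account("alice", "finance", {"read_ledger", "approve_payment",
                                 "domain_admin", "local_admin"}),
    Account("bob", "helpdesk", {"reset_user_password", "read_tickets"}),
    Account("carol", "contractor", {"read_tickets"}),
]

if __name__ == "__main__":
    for user, extra in review(SAMPLE_ACCOUNTS).items():
        print(f"{user}: remove {', '.join(extra)}")
```

Running it lists alice's leftover `domain_admin` and `local_admin` and flags carol's undocumented role; bob, whose privileges match his role, produces no finding. Treating an unknown role as having no entitlement is deliberate: an account whose role is not in the documented baseline is exactly the gap the "documented process for user access permissions" practice is meant to close.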
Gawker Media was hacked in December 2010, compromising the email addresses and passwords of about 1.3 million commenters on its popular blogs and resulting in the theft of the source code for Gawker's custom-built content management system. A group calling itself Gnosis claimed responsibility for the attack, saying it had been launched because of Gawker's “outright arrogance” toward the hacker community. According to sources, the main problem was that Gawker stored passwords in a format that was very easy for hackers to read. Some users had used the same passwords for email and Twitter, and within hours hackers had hijacked those accounts and begun using them to send spam.
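The Gawker lesson is that a leaked credential store should not give an attacker the passwords themselves. The following added example (not Gawker's code, and not a description of how Gawker actually stored passwords) contrasts the anti-pattern of an unsalted fast hash with per-user salted, iterated key derivation using only the Python standard library; the iteration count is an assumption to be tuned to current guidance and hardware.

```python
"""Password storage: unsalted fast hash (anti-pattern) beside a salted,
iterated KDF with constant-time verification.
Added illustration with constructed values; not the code of any real site."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: tune to current guidance and your hardware


def weak_store(password):
    """Anti-pattern: unsalted MD5. Equal passwords give equal digests and the
    digest can be checked against precomputed tables, so a leaked store
    exposes the passwords almost immediately. Shown only to contrast."""
    return hashlib.md5(password.encode()).hexdigest()


def store(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt$hash' with a fresh random salt.
    The salt makes equal passwords produce different records, and the
    iteration count makes each guess against the store expensive."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify(password, stored):
    """Recompute the derivation from the stored parameters and compare in
    constant time; a malformed or unknown record never verifies."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iters = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed sample password; two users choosing the same one.
    print("weak:", weak_store("correct horse"), weak_store("correct horse"))
    record = store("correct horse")
    print("kdf: ", record)
    print("login ok:", verify("correct horse", record),
          "wrong:", verify("wrong horse", record))
```

With the weak function, two users who chose the same password share one digest, so cracking one cracks both and the leaked table is the attack surface. With `store`, the same password yields a different record each time, and `verify` reads the parameters back from the record, which also lets an operator raise the iteration count later and re-derive on the user's next successful login.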
Solutions for Cyber Essentials certification
IT Governance offers three unique solutions that will enable you to achieve certification to either Cyber Essentials or Cyber Essentials Plus cost-effectively and easily.