For non-technical decision-makers within the public safety ranks, user authentication (practices and policies that touch on access to various computer systems) may not seem like a particularly exciting or important topic to learn. But consider how much damage a disgruntled ex-employee or “hacktivist” could do if they gained access to a supervisor’s email, scheduling systems, and other digital tools. What if the illicit access went unnoticed for a day or longer? What steps can an agency take to curb this kind of unauthorized access? The answer underscores just how serious a problem something as “simple” as usernames, passwords, and related policies and technologies can be.
Why specify non-technical in the previous paragraph? These are the decision-makers who are often called upon to make critical technological decisions. This is true across the spectrum of private, public, and nonprofit organizations. Somewhere along the chain, most technical personnel will eventually report to someone without deep understanding of technical topics, regardless of the agency’s budget or investment level in IT. People, not computers, are the average organization’s first line of defense when it comes to digital security issues, per Harvard Business Review. Managers who have an understanding of solid authentication practices and can pass them along to subordinates are less likely to expose their organizations to cyberattacks and other problems.
Therefore, the following authentication tips, tricks, and best practices are presented with the non-technical manager/decision-maker in mind. They offer an overview of authentication and how it can affect teams in the law enforcement, emergency medical, and firefighting industries — and beyond.
Consider for a moment all the user accounts that may have access to various corners of your agency’s digital systems. Beyond the usual slate of employees and managers, outside entities often have some measure of access. Product vendors and other third-party partners, users of shared databases, and members of the public (such as citizens who must log in to pay fines and fees, for instance) are just a few examples of these accounts, and they all ultimately represent some kind of risk. Users themselves do not have to be hostile to do significant damage to an agency’s network and operations, and the issues can strike hard and fast when they arise.
A number of recent high-profile hacking incidents illustrate how these issues can occur. Key to the discussion is the idea of leapfrogging, or using information gained from one form of illicit access to move up to the intended target. In the private sector, attackers breached systems related to megastore Target’s internet-connected HVAC systems, a foothold that ultimately helped them find intelligence on some 40 million consumer credit and debit cards. Readers may recall similar attacks befalling Home Depot around the same timeframe. In the public sector, meanwhile, attackers were able to exploit a flaw attributed to a third-party vendor to gain access to data on millions of federal government background checks, most tied to job applicants, via the Office of Personnel Management (OPM).
There is a highly worrisome and discouraging aspect common to all these attacks: the organizations in question had very little direct control over the negative outcome that befell them. The attacks also highlight the diversity of information hackers may be after when they attempt to gain illicit access to a computer system. For the retailers, the goal was payment data. For the OPM, it was deep information on job applicants, including data the average employee file may not contain.
Of course, the proliferation of ransomware attacks against public agencies makes the financial motivations of hackers clear to anyone who scans the headlines. Agencies with roles carrying political implications, meanwhile, may face even greater risks. Law enforcement is perhaps the most visible of these. To some groups, including domestic “hacktivists” and malicious foreign actors, simply disrupting operations can be the ultimate goal of a breach, which is all the more reason to pay close attention to access controls over which the agency can exert direct influence.
For many agencies concerned about authentication, the question is not the why so much as the how. What can an agency with a limited technical budget do to ensure the people logging into accounts are truly the ones authorized to use them?
Sadly, the answer leans more towards mitigation of risk than full elimination. Presuming a sufficient level of motivation and resources, attackers with financial or political motivations (or some other agenda) will find holes through which they can sneak. Fortunately, the majority of organizations will never find themselves specifically targeted by such actors. “Fishing trips,” in which attackers essentially browse through networks in search of weak spots, are a much more likely scenario.
For the latter category, policy and technological measures can be of equal value. While dedicated technical personnel will likely be needed to implement many such changes, none are especially demanding or expensive, provided they’re done within a normal network architecture with the usual features.
As with many technical measures, the concerned agency’s first and best measure starts with solid policy and clear communication. Personnel ranging from management to street-level primary employees to janitorial staff should all be made aware of the following points:
These rules should make clear, in no uncertain terms, the expectation that digital systems will not be compromised by careless employee behavior, and the discipline personnel can face for their disregard – up to and including termination. Policies should also take into account emerging access-related tools in the public sector, such as two-factor authentication, and delineate who must have the additional security measures placed on their accounts.
Ideally, this information will be passed down in a training environment. This is especially important in settings where major changes have been made to access policy.
Another key feature of solid user authentication strategy comes down to information gathering. Does your agency know precisely who can access what? Have systems been reviewed recently for flaws or mistakes that may give user accounts a greater level of access or privilege than intended?
As TechTarget puts it, determining who needs access to what systems, and who may currently have unnecessarily broad access, is “as challenging as it gets.” Agencies with the budget in place may even wish to call in the help of a third-party audit service, which can be useful in gaining an objective view of current practices and the risks they impose. Pay close attention to longstanding employees. As the TechTarget piece notes, their accounts are most likely to suffer from “access creep,” having accumulated credentials to various systems for one-off tasks and other functions over time. This can make them a choice target in the event of a digital attacker “fishing” in the network architecture.
The presence of inactive accounts with privileged access should come up as a part of an access audit, but the threat they pose makes them worthy of special attention. When an employee is terminated, transferred, or otherwise sees a status change that should result in a loss of access to the network, it is imperative that the access is actually removed. As Info Security Magazine says, the alternative is akin to going on vacation and leaving the house unlocked.
The high-level solution here is twofold. First, accounts belonging to former employees should be double-checked for unwarranted access, a search that can date back years if the agency has never undergone such an audit before. Next, policy and practice related to future terminations and removals should be given a thorough review. Ideally, the process will largely be automated, so a supervisor’s action to mark an account inactive will automatically cancel its ability to access various tools and systems. Agencies employing popular identity and access management (IAM) solutions such as Active Directory can further ensure safety by implementing measures that alert stakeholders when inactive accounts show unexpected activity, including simply logging in.
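The three checks described in the access-audit and inactive-account passages above, as an added example that is not part of the original article: it runs over a constructed account inventory and simplified Windows security logon events (4624 for a successful logon, 4625 for a failure, with status 0xC0000072 meaning the account is disabled) and flags access creep, dormant privileged accounts, and activity on accounts belonging to separated employees. The group names, thresholds, account records and event format are assumptions, not anything from the article.

```python
from datetime import datetime, timedelta
# Constructed sample inventory (not real agency data):
# account -> HR status, directory enabled flag, group memberships, last logon
INVENTORY = {
    "jdoe":    {"hr": "active", "enabled": True, "groups": {"Dispatch", "CAD-Users"},
                "last_logon": datetime(2020, 3, 10)},
    "rsmith":  {"hr": "active", "enabled": True,
                "groups": {"Dispatch", "CAD-Users", "RMS-Admins", "Evidence-Admins",
                           "Finance", "HR-Readers"},
                "last_logon": datetime(2020, 3, 10)},
    "tlee":    {"hr": "active", "enabled": True, "groups": {"RMS-Admins"},
                "last_logon": datetime(2019, 10, 1)},
    "mgarcia": {"hr": "separated", "enabled": True, "groups": {"CAD-Users"},
                "last_logon": datetime(2020, 3, 10)},
    "bkhan":   {"hr": "separated", "enabled": False, "groups": {"Dispatch"},
                "last_logon": datetime(2019, 6, 1)},
}
PRIVILEGED = {"RMS-Admins", "Evidence-Admins", "Domain Admins"}  # assumed admin groups
NOW = datetime(2020, 3, 11)  # assumed audit date

# Constructed, simplified Windows security events: (time, event id, account, status)
# 4624 = successful logon, 4625 = failed logon, status 0xC0000072 = account disabled
EVENTS = [
    ("2020-03-10T08:01:00", 4624, "jdoe", "0x0"),
    ("2020-03-10T02:13:00", 4624, "mgarcia", "0x0"),
    ("2020-03-10T02:15:00", 4625, "bkhan", "0xC0000072"),
]

def access_creep(inventory, max_groups=4):
    """Accounts whose group memberships exceed the agency's threshold (access creep)."""
    return sorted(a for a, r in inventory.items() if len(r["groups"]) > max_groups)

def dormant_privileged(inventory, now=NOW, days=90):
    """Privileged accounts with no logon in the last `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted(a for a, r in inventory.items()
                  if r["groups"] & PRIVILEGED and r["last_logon"] < cutoff)

def inactive_account_activity(inventory, events):
    """Alerts for logon activity on accounts that should no longer have access."""
    alerts = []
    for _ts, event_id, account, status in events:
        rec = inventory.get(account)
        if rec is None or rec["hr"] != "separated":
            continue  # only separated employees are of interest here
        if event_id == 4624 and rec["enabled"]:
            alerts.append((account, "separated employee still enabled and logged on"))
        elif event_id == 4625 and status == "0xC0000072":
            alerts.append((account, "logon attempt against disabled account"))
    return alerts
```

In a real deployment the inventory would come from the directory and the HR system, and the events from the domain controllers' security logs, with each alert routed to the supervisors the article refers to as stakeholders.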
Finally, agencies should take steps to ensure vendors supplying third-party digital products are authentication-secure. This includes new vendors, as well as those with which the organization currently conducts business. Again, well-versed technical personnel can be immensely helpful in asking the right questions. Simple inquiries about vendor IAM measures and the practices they undergo to ensure client safety — such as penetration testing — can yield worthwhile results and peace of mind.
Access management may not be the most glamorous or exciting topic to tackle as a non-technical manager. Attention is needed, however, to plug leaks and prevent problems that can otherwise be highly damaging to the agency, its overseeing entity, its employees, and the public.
It is also a practice that can be undertaken bit by bit, but the average agency without a history of strong access controls would still be wise to make the practice a top priority. Since many of the tips offered here require little expenditure on outside staff or products, it is fair to say most agencies across the response spectrum can instill smarter, more secure measures in short order. Considering the outcomes that can befall an agency without the right protections in place, it is clear which option is the wiser one.
Posted on Mar 11, 2020