In this sixth blog in the series we look at User Privileges, following the guidance from the UK National Cyber Security Centre (NCSC). We explore how schools can reduce the likelihood and impact of a cyber attack through effective use of user authentication, authorisation and accounting (AAA). With each blog in this series, we work through one stage of the NCSC's 10 Steps to Cyber Security and, in turn, provide our independent recommendations, examples and guidance.
In our previous blog, 9ine Steps for Incident Management, we outlined how a well-structured, clearly written incident plan and procedure can reduce the impact of a cyber attack and get your key systems and services back up and running as soon as possible. In this blog, we look at how you can reduce the likelihood or impact of an incident in the first place.
By following the recommended steps below, you will be able to evidence that your school has appropriate mechanisms in place to reduce the likelihood of a successful cyber attack and to protect the school's assets. By applying the principle of least privilege (PoLP) and implementing role-based access to critical systems and services, you give the school and your users greater security, ultimately protecting personal data and other key school assets.
Before we go any further, ask yourself the following questions...
- Do you know which systems/services hold your key assets?
- Have you clearly defined the roles of users accessing these systems/services?
- Have you defined the privileges required to perform each role?
- Do you have a list of users with access to these systems/services and their role?
- Do their current privileges / rights match their role?
- When was the last time you checked who has access to what and what their permissions are?
- What would an attacker require to gain access to these assets?
- If a user's credentials were stolen, what could an attacker access? What damage could they do with that account?
- Are you actively using role based access and the Principle of Least Privilege?
Prepare your first line of defence
With the vast majority of cyber-related incidents and subsequent data breaches starting with a phishing email, we need to look at our first line of defence, which is your users: the human firewall.
It is crucial that users are given the most appropriate training and tools to perform their jobs (without impeding them) and understand the important role they play in the ongoing security of the school and its assets.
A recent survey by Teacher Tapp (based on 5.8K responses) established that 20% of teachers regularly share their passwords.
Sharing a password may make a lesson run more smoothly, allowing a colleague to pick up where you left off or to unlock a device that has locked while you attend to an incident or help a student, but it is not good practice and can lead to an unintentional or intentional data breach. Every user is the trusted custodian of their own credentials and therefore of the systems and services those credentials unlock. If users are sharing their credentials, you need to understand why. Is there a better way for them to achieve what they need without sharing passwords? Are the security measures impeding their day-to-day duties, or are the users unaware of the consequences for themselves should an incident arise from this practice?
Several cyber incidents and subsequent data breaches that 9ine have helped manage were the result of unintentionally disclosed credentials, with attackers then accessing every system and service that the compromised account had the privileges to reach. There are several mitigating actions you can put in place to limit the likelihood and/or impact of credential loss.
Learn more about cyber crime in schools in a free webinar, 14 Nov, presented by Ian Hickling, UK Cyber Protect Officer of the UK Cyber Crime Special Operations Unit.
Essential steps you need to take now!
The first and foremost action is always to educate users on the importance of being vigilant in managing their accounts. As well as understanding the implications of an attacker gaining access to their account, this includes:
- Using strong passwords
- Enabling two-step verification (2SV/2FA)
- Not disclosing passwords to anyone
- Checking that a website is genuine before entering credentials into it
Even with effective and regular training, genuine mistakes will be made. It is unrealistic to expect users to spot every malicious email requesting their credentials.
Define (or re-define) job roles and positions, and work out which rights and privileges each role needs in order to perform its duties. For example, not every member of the administration team needs administrator access to the MIS/SIS. Then:
- Assign these defined roles to the appropriate users.
- Limit the number of users who hold the highest level of privilege.
- Give users who hold the highest level of privilege a separate standard account for day-to-day tasks, so that a phished everyday password does not hand over administrative rights.
- Ensure, wherever possible, that mission-critical and highly privileged accounts use two-step verification.
- Enable auditing and monitor user activity, especially on highly privileged accounts and on accounts with access to mission-critical systems or systems that hold personal data.
- Ensure that you have a password policy that strikes a balance between security and usability.
- Train users on your incident response plans, ensuring there is a no-blame culture and that identifying and reporting disclosed credentials is treated as positive behaviour.
- Regularly review who has access to your systems, and have a defined process for the user life-cycle from account creation, through job role changes, to retirement of the account.
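As an added worked example (our illustration, not a 9ine tool or part of the NCSC guidance), the Python script below performs the kind of access review the steps above call for. It takes a constructed role-to-privilege definition and a constructed list of accounts and reports the conditions those steps are meant to prevent: privileges beyond what the role needs, more holders of the highest privilege than the agreed limit, privileged accounts without two-step verification, enabled accounts that have not been used for 90 days, and leavers whose accounts are still enabled. All role names, privilege names, user names and dates are assumed for illustration; in practice the account list would be exported from your MIS/SIS and identity provider.

```python
"""Periodic access review against defined job roles.

Added example, not code from 9ine or the NCSC. Given a role-to-privilege
definition and a list of accounts with their actual privileges, it flags
the conditions the steps above are meant to prevent: privileges beyond
the role, too many holders of the highest privilege, privileged accounts
without two-step verification, stale accounts, and leavers still enabled.
All role names, privilege names, accounts and dates are constructed.
"""
from datetime import date, timedelta

# Each defined role lists the privileges that role needs and nothing more.
ROLE_PRIVILEGES = {
    "teacher": {"email", "mis:read_own_classes"},
    "office_admin": {"email", "mis:read_all", "mis:edit_pupils"},
    "mis_admin": {"email", "mis:read_all", "mis:edit_pupils", "mis:admin"},
    "global_admin": {"email", "mis:admin", "m365:global_admin"},
}
# Admin-level privileges: any holder must use two-step verification.
PRIVILEGED = {"mis:admin", "m365:global_admin"}
# The highest level of privilege and how many accounts may hold it.
HIGHEST = {"m365:global_admin"}
MAX_HIGHEST_HOLDERS = 2
# Enabled accounts unused for this long should be reviewed or disabled.
STALE_AFTER = timedelta(days=90)

TODAY = date(2024, 9, 1)  # review date for the constructed data below


def account(user, role, privileges, two_step=True, last_login=date(2024, 8, 30),
            enabled=True, left_on=None):
    """Build one account record (constructed data, not exported from a system)."""
    return {"user": user, "role": role, "privileges": set(privileges),
            "two_step": two_step, "last_login": last_login,
            "enabled": enabled, "left_on": left_on}


ACCOUNTS = [
    account("a.smith", "teacher", {"email", "mis:read_own_classes"}),
    # Teacher who has been given pupil-editing rights outside their role.
    account("b.jones", "teacher", {"email", "mis:read_own_classes", "mis:edit_pupils"}),
    # Office admin who has accumulated MIS admin rights over time.
    account("c.patel", "office_admin", {"email", "mis:read_all", "mis:edit_pupils", "mis:admin"}),
    account("d.lee", "global_admin", ROLE_PRIVILEGES["global_admin"], two_step=False),
    account("e.khan", "global_admin", ROLE_PRIVILEGES["global_admin"]),
    account("f.wong", "global_admin", ROLE_PRIVILEGES["global_admin"]),
    # Enabled account not used since February.
    account("g.ross", "teacher", {"email", "mis:read_own_classes"}, last_login=date(2024, 2, 1)),
    # Left in July but the account was never disabled.
    account("h.reid", "office_admin", ROLE_PRIVILEGES["office_admin"],
            last_login=date(2024, 7, 10), left_on=date(2024, 7, 19)),
    # Leaver handled correctly: disabled on departure, so no finding.
    account("i.cole", "office_admin", ROLE_PRIVILEGES["office_admin"],
            last_login=date(2024, 6, 28), enabled=False, left_on=date(2024, 6, 30)),
]


def finding(check, user, detail):
    return {"check": check, "user": user, "detail": detail}


def review(accounts, today=TODAY, roles=ROLE_PRIVILEGES):
    """Return the findings of an access review, sorted by check then user."""
    findings = []
    highest_holders = []
    for acct in accounts:
        user, privs = acct["user"], acct["privileges"]
        needed = roles.get(acct["role"])
        if needed is None:
            # A role nobody has defined cannot be checked; treat it as needing nothing.
            findings.append(finding("undefined_role", user, f"no definition for role {acct['role']!r}"))
            needed = set()
        excess = privs - needed
        if excess:
            findings.append(finding("excess_privilege", user, "beyond role: " + ", ".join(sorted(excess))))
        if privs & HIGHEST:
            highest_holders.append(user)
        if privs & PRIVILEGED and not acct["two_step"]:
            findings.append(finding("privileged_without_2sv", user, "holds " + ", ".join(sorted(privs & PRIVILEGED))))
        if acct["left_on"] is not None and acct["enabled"]:
            findings.append(finding("leaver_still_enabled", user, f"left on {acct['left_on']}"))
        elif acct["enabled"] and today - acct["last_login"] > STALE_AFTER:
            findings.append(finding("stale_account", user, f"last login {acct['last_login']}"))
    if len(highest_holders) > MAX_HIGHEST_HOLDERS:
        findings.append(finding("too_many_highest_privilege", ", ".join(sorted(highest_holders)),
                                f"{len(highest_holders)} holders, limit {MAX_HIGHEST_HOLDERS}"))
    return sorted(findings, key=lambda f: (f["check"], f["user"]))


def users_by_check(findings):
    """Group findings as {check: sorted list of users} for reporting."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["check"], []).append(f["user"])
    return {check: sorted(users) for check, users in grouped.items()}


if __name__ == "__main__":
    for f in review(ACCOUNTS):
        print(f"{f['check']:<28} {f['user']:<24} {f['detail']}")
```

Run against the constructed data it reports six findings: b.jones and c.patel hold privileges beyond their role, d.lee is a global admin without two-step verification, three accounts hold global admin against a limit of two, g.ross has not logged in since February, and h.reid left in July but is still enabled. The checks are deliberately independent of any particular product so they can be re-run each term against a fresh export; the value comes from running them regularly, not from the script itself.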
With the above in place you will have put up your first line of defence in a multi-layered, defence-in-depth approach. The next layer involves having a clear understanding of the vulnerabilities your systems and services present to a would-be attacker or malicious user. More information on the next layer of defence can be found in our blog: How To Assess Your School's Vulnerability To Cyber Attacks.
For more information about our Cyber Defence Essentials Services or other Security initiatives such as Phishing Campaigns, Data Loss Prevention, Advanced Threat Protection, End User Email Digest Solutions and our recommendations on configuring Office 365, please contact firstname.lastname@example.org