In this sixth blog in the series we look at User Privileges, following the guidance from the UK National Cyber Security Centre (NCSC). We explore how schools can reduce the likelihood and impact of a cyber attack through effective use of user authentication, authorisation, and accounting (AAA). With each blog in this series, we are building upon every stage of the NCSC’s 10 Steps to Cyber Security, and in turn, providing our independent recommendations, examples and guidance.
In our previous blog, Incident Management - How to improve resilience and support school business continuity, we outlined how a well-structured, clearly written incident plan and procedure can reduce the impact of a cyber attack and ensure that your key systems and services are up and running as soon as possible. In this blog, we outline how you can reduce the likelihood or impact of an incident in the first place.
By following the recommended steps below, you will be able to evidence that your school has the appropriate mechanisms in place to reduce the likelihood of a cyber attack and protect the school's assets. By applying the principle of least privilege (PoLP) and implementing role-based access to critical systems and services, you will provide the school and your users with increased security, ultimately protecting personal data and other key school assets.
Before we go any further, ask yourself the following questions...
- Do you know which systems/services hold your key assets?
- Have you defined the roles and responsibilities of users accessing these systems/services?
- Have you defined the rights, privileges and access required to perform each role?
- Do you have a list of users with access to these systems/services and their role?
- Do their current rights, privileges and access match their role?
- When was the last time you checked who has access to the systems/services?
- What would an attacker require to gain access to these assets?
- If a user's credentials were stolen, what could an attacker access? What damage could they do with that compromised account?
- Do you apply the principle of least privilege and use role-based access?
With the vast majority of cyber-related incidents and subsequent data breaches starting with a phishing email, we need to look at our first line of defence: your users.
Ian Hickling, UK Cyber Protect Officer of the UK Cyber Crime Special Operations Unit, discussed the importance of our end users at 9ine and ISL’s recent Data Protection and Cyber Security Summit in Luxembourg, describing them (us) as “the human firewall”.
It is crucial that users are provided with the most appropriate training and tools to perform their jobs (without impeding them) and understand how they play an important role in the ongoing security of the school and its assets. A recent survey by Teacher Tapp established that 20% of teachers (based on 5.8K responses) regularly share their passwords. Sharing a password may make a lesson run more smoothly, allowing a colleague to pick up where you left off or to access a device that has locked whilst you attend to an incident or help a student, but it is not best practice and could lead to an unintentional or intentional data breach. All users are trusted custodians of their own credentials and hence of the systems and services they have access to. If users are sharing their credentials or passwords, you need to understand why. Is there a better way for users to achieve what they need to do without sharing passwords? Are the security measures impeding their day-to-day duties, or are the users unaware of the possible implications to themselves should an incident arise from this practice?
Several cyber incidents and subsequent data breaches that 9ine have helped manage were the result of unintentionally disclosed credentials, with malicious users/attackers then accessing systems and services that those accounts had the privileges to access. There are several mitigating actions that you can put in place to limit the likelihood and/or impact of credential loss.
Essential steps you need to take now!
The first and foremost action is always to educate users on the importance of being vigilant in the management of their accounts. As well as understanding the implications of attackers gaining access to their accounts, this includes:
- Using strong passwords
- Enabling two-factor authentication (2FA)
- Not disclosing passwords to anyone
- Not accessing unverified websites
Even with effective and regular training, genuine mistakes will be made. It is unrealistic to expect that users will always spot a malicious email requesting their credentials, so the following measures limit the impact when credentials are lost:
- Define/re-define job roles and positions - understand what rights/privileges each role needs in order to perform its duties. For example, not every member of the administration team needs admin access to the MIS/SIS.
- Assign these defined roles to the appropriate users.
- Limit the number of users who have the highest level of privilege.
- Provide those users who have the highest level of privilege with a standard account for day-to-day tasks.
- Ensure, where possible, that mission-critical/high-privilege accounts use two-step verification.
- Monitor and enable auditing of user activity, especially on high-privilege accounts and on accounts that have access to mission-critical systems or systems that hold personal data.
- Ensure that you have a password policy that strikes a balance between security and usability.
- Train users on your incident response plans, ensuring there is a no-blame culture and that the identification and notification of disclosed credentials is a positive behaviour.
- Regularly review who has access to your systems and have a defined process for the ongoing user life-cycle from creation, through to job role changes and onto retirement of the account.
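The questions at the start of this blog and the steps above boil down to a repeatable access review: compare what each account can actually do against what its defined role needs, and flag the accounts that break the other rules (high-privilege accounts without two-step verification or a separate standard account, and accounts nobody has used recently). The script below is an added illustration written for this post, not 9ine's code or any MIS vendor's tooling. The role model, privilege names and account records are constructed sample data; in a real review you would build them from a user export of your MIS/SIS or directory.

```python
"""Access review against the principle of least privilege (added example).

Checks performed on each account:
  * excess privileges   - rights held beyond what the account's role defines
  * unknown role        - account whose role is not in the role model
  * no 2SV              - high-privilege account without two-step verification
  * no standard account - high-privilege user with no separate day-to-day account
  * stale               - not logged in within `stale_after_days`
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Role -> privileges that role needs to do its job (constructed sample model).
ROLE_PRIVILEGES = {
    "teacher":      {"mis.read_own_classes", "mis.enter_marks"},
    "office_admin": {"mis.read_all_pupils", "mis.edit_contact_details"},
    "data_manager": {"mis.read_all_pupils", "mis.edit_contact_details",
                     "mis.export_reports"},
    "mis_admin":    {"mis.read_all_pupils", "mis.edit_contact_details",
                     "mis.export_reports", "mis.manage_users"},
}

# Privileges treated as "highest level": holders need 2SV and a standard account.
HIGH_PRIVILEGE = {"mis.manage_users", "mis.export_reports"}


@dataclass
class Account:
    username: str
    role: str
    privileges: set
    two_step_verification: bool
    last_login: date
    standard_account: Optional[str] = None  # admin's day-to-day account, if any


def excess_privileges(account, role_privileges=ROLE_PRIVILEGES):
    """Privileges the account holds that its role does not require."""
    allowed = role_privileges.get(account.role, set())
    return sorted(account.privileges - allowed)


def is_high_privilege(account):
    return bool(account.privileges & HIGH_PRIVILEGE)


def review_accounts(accounts, today, stale_after_days=90):
    """Run every check and return the findings keyed by check name."""
    usernames = {a.username for a in accounts}
    findings = {"unknown_role": [], "excess": {}, "no_2sv": [],
                "no_standard_account": [], "stale": []}
    for a in accounts:
        if a.role not in ROLE_PRIVILEGES:
            findings["unknown_role"].append(a.username)
        extra = excess_privileges(a)
        if extra:
            findings["excess"][a.username] = extra
        if is_high_privilege(a):
            if not a.two_step_verification:
                findings["no_2sv"].append(a.username)
            if a.standard_account not in usernames:
                findings["no_standard_account"].append(a.username)
        if today - a.last_login > timedelta(days=stale_after_days):
            findings["stale"].append(a.username)
    findings["high_privilege_count"] = sum(is_high_privilege(a) for a in accounts)
    return findings


# Constructed sample export: usernames, roles and dates are invented.
REVIEW_DATE = date(2024, 3, 5)
SAMPLE_ACCOUNTS = [
    Account("j.smith", "teacher", {"mis.read_own_classes", "mis.enter_marks"},
            False, date(2024, 3, 1)),
    # Office staff member who was granted user management "to help out".
    Account("office1", "office_admin",
            {"mis.read_all_pupils", "mis.edit_contact_details", "mis.manage_users"},
            False, date(2024, 3, 4)),
    # MIS admin done properly: 2SV on, separate standard account for teaching.
    Account("d.jones-admin", "mis_admin", set(ROLE_PRIVILEGES["mis_admin"]),
            True, date(2024, 2, 20), standard_account="d.jones"),
    Account("d.jones", "teacher", {"mis.read_own_classes", "mis.enter_marks"},
            True, date(2024, 3, 4)),
    # Supply teacher account never retired.
    Account("old.supply", "teacher", {"mis.read_own_classes", "mis.enter_marks"},
            False, date(2023, 9, 1)),
    # Contractor with a role nobody defined and a reporting export right.
    Account("contractor", "vendor", {"mis.export_reports"}, False, date(2023, 11, 1)),
]


def sample_review():
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for check, result in sample_review().items():
        print(f"{check}: {result}")
```

Each finding maps to one of the steps above: `excess` and `unknown_role` drive the role re-definition and re-assignment, `no_2sv` and `no_standard_account` cover the high-privilege rules, and `stale` feeds the account lifecycle process. Running it on a schedule, and keeping the output, also gives you the evidence that the review actually happened.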
With the above in place you will have put up your first line of defence in a multi-layered, defence-in-depth approach. The next layer involves having a clear understanding of where the vulnerabilities are in your systems and services that a malicious user could exploit. More information on the next layer of defence can be found in our blog, How To Assess Your School’s Vulnerability To Cyber Attacks.
ABOUT THE AUTHOR:
Dan Cleworth has worked in education for over 20 years. He is a Senior Technical Consultant and certified GDPR practitioner. Dan heads up 9ine's cyber security team and currently works with schools in the UK, Europe and the Middle East to evaluate and secure systems and services to meet data protection and cyber security compliance.