Authenticate and control access #CyberSecMonth

Nov 7, 2018 | CyberSecMonth, News & Events

As the second thematic week of CyberSecMonth draws to a close, we continue to provide you with our CyberAdvice. We conclude this week, focused on the discovery of digital professions, with an infographic on the importance of authenticating and controlling access to your system. This is also an opportunity to highlight the position of Chief Information Security Officer (CISO), as you will see below!

Authenticating and controlling access, a natural reflex?

Access control has become a real challenge for organizations: each vulnerability can turn into a breach and become the source of a cyber attack. Authenticating and controlling digital access must therefore become as natural as locking the door of your home before going to sleep.

Despite the importance of such actions, authenticating and controlling access is not necessarily easy. It is, however, possible to act effectively on two levels. First, put in place tools that control each kind of access. Then, make employees aware of how to protect their own data (such as passwords) so that good practices are effectively passed on internally.

Good practices:

Account management:

Authentication credentials must be changed as soon as a system is installed, because default passwords are easy to obtain. Strong authentication is one more step towards a secure system, so it is wise to use two-factor authentication to prevent intrusions. You have just changed the lock on your door, and you are the only one with a key!

Accounts accessing the information system must be nominative (tied to a named person) so that the origin of incidents or potential vulnerabilities can be identified. The use of generic or shared accounts should therefore be prohibited. Accounts with elevated rights must be subject to an even stricter protection policy: logins, passwords and connection logs must remain confidential. Would you give a copy of your keys to a stranger you can’t fully trust? Did you answer “No” instinctively? Well, it’s the same for passwords.

Password management:

Items such as directories, databases or mailboxes can be a source of valuable information and are therefore targets for cyber attack. These elements require the utmost vigilance on the part of the Chief Information Security Officer (CISO). Listing the sensitive elements is not enough on its own; access to them must be defined, authenticated and controlled. Duplication and dispersion of these elements must also be avoided to keep the information system secure. Without too much effort, you’ve just added a lock to your precious door! But what’s the point of a locked door if the window was left open?

The first front door for an attacker is the user’s workstation. So, even if you have locked everything down on the admin side, you also need to control your users and especially their passwords. Poor password management is a huge risk for organizations, so it is important to educate your users so that their sessions are protected. Recycled passwords and passwords that are too easy to guess should be banned. In addition to awareness-raising actions, restrictive measures can be taken, such as locking accounts after several failed logon attempts or auditing password robustness. These passwords must be stored using secure solutions that include encryption mechanisms.
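The two restrictive measures just mentioned, lockout after repeated failures and a robustness audit, are configured centrally when accounts live in Active Directory. The following script is an added example written for this article, not code from Tranquil IT or from the infographic; it uses the RSAT ActiveDirectory module from a domain-joined administration workstation. The threshold values (5 failures, 30 minutes, 12 characters, 24 remembered passwords) are illustrative choices, not figures from the article.

```powershell
# Added example: inspect, harden and audit the default domain password policy
# with the RSAT ActiveDirectory module. Threshold values are assumptions.
Import-Module ActiveDirectory

# 1. Current policy: failures before lockout, minimum length, reuse history.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow,
                  MinPasswordLength, PasswordHistoryCount, ComplexityEnabled, MaxPasswordAge

# 2. Lock accounts after repeated failures and forbid recycling recent passwords.
#    -WhatIf only shows what would change; remove it to apply the policy.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -WhatIf

# 3. Robustness audit: accounts that escape the policy, and accounts already locked.
"--- Passwords that never expire ---"
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

"--- Accounts allowed to have no password at all ---"
Get-ADUser -Filter 'PasswordNotRequired -eq $true' |
    Select-Object SamAccountName

"--- Accounts currently locked out ---"
Search-ADAccount -LockedOut |
    Select-Object SamAccountName, LastLogonDate

# 4. Every lockout in the domain is recorded as event 4740 on the PDC emulator:
#    which account was locked, and from which machine the failures came.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 50 |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[0].Value   # TargetUserName: the locked account
            Source  = $_.Properties[1].Value   # caller computer name
        }
    }
```

The ActiveDirectory PowerShell module relies on Active Directory Web Services, which Samba-AD does not provide; on a Samba domain the same policy is read and set with samba-tool domain passwordsettings show and samba-tool domain passwordsettings set --account-lockout-threshold=5 (the MMC snap-ins, which use LDAP, work against both).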

What does it mean to authenticate and control access?

The CISO is the expert who guarantees the security and integrity of the information system. Often also in charge of data protection for the organisation (when there is no DPO), the CISO is usually the person to turn to when questions arise about access management.

KeePass allows you to manage passwords efficiently and securely. The little extra is that it is free and Open Source. Although optimized for Windows, KeePass also runs on macOS and Linux. Its encrypted database files can contain user names, passwords, notes or even attachments.

Your Active Directory manages authentication and rights on your network, since it records all the information about the network: users, machines, groups and your system in general. You can use Microsoft Active Directory or its Open Source equivalent, Samba-AD. These two Active Directories are managed with the same tools, mainly the MMC console and the RSAT tools. RSAT makes it possible to control users’ rights but also their logons and logoffs. It is therefore easier to identify sources of vulnerability and act locally before a tragedy occurs.
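What "controlling users’ rights and their logons" looks like from the RSAT side, as an added example written for this article rather than code from Tranquil IT: the script lists who holds privileged group membership (directly or through nested groups), flags non-nominative-looking accounts among them (the name pattern is an assumption), finds accounts that have gone quiet, and summarises failed logons per domain controller. The 90-day window, the 200-event sample and the group names are illustrative assumptions.

```powershell
# Added example: rights and logon review with the RSAT ActiveDirectory module.
# Group names, the name pattern, the 90-day window and event counts are assumptions.
Import-Module ActiveDirectory

# 1. Rights: every user that is, directly or via nested groups, in a privileged group.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName } }
}

# 2. Nominative accounts: privileged accounts whose name looks generic or shared,
#    so they can be traced back to a person or removed. Pattern is an assumption.
$genericPattern = '^(admin|root|service|shared|test|temp)'
"--- Generic-looking privileged accounts ---"
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -match $genericPattern } |
    Select-Object SamAccountName

# 3. Logons: enabled user accounts with no logon in the last 90 days (stale
#    accounts are the ones nobody notices being abused).
"--- Enabled accounts inactive for 90 days ---"
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate

# 4. Failed logons (event 4625) on each domain controller, grouped by target
#    account, to spot guessing before it reaches the lockout threshold.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                 -MaxEvents 200 -ErrorAction SilentlyContinue |
        Group-Object { $_.Properties[5].Value } |     # index 5 = TargetUserName in 4625
        Sort-Object Count -Descending |
        Select-Object @{ n = 'DC'; e = { $dc } }, Count, @{ n = 'Account'; e = { $_.Name } }
}
```

Steps 1 to 3 query the directory over AD Web Services, which Samba-AD does not implement; on a Samba domain the equivalents are samba-tool group listmembers 'Domain Admins' and samba-tool user list. Step 4 reads the Windows Security log and applies to Windows domain controllers only; a Samba DC logs authentication results through Samba’s own audit logging instead.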

Why choose an Open Source Active Directory?

In France, Tranquil IT is the first integrator of Samba Active Directory, the Open Source equivalent of Microsoft Active Directory. Our expertise, gained over 13 years on Samba, allows us to effectively perform IT asset audits, Active Directory migrations, domain mergers and even recognized datadock training. Our proximity to the SambaTeam has enabled us to succeed in more than 270 projects over the years. Choosing Open Source means choosing to save on licensing costs and trust our experts!

At Tranquil IT, we favour Open Source tools for their reliability, maintainability and also for the freedom they provide. Why embark on extended contracts with exorbitant licensing costs with Microsoft? Invest your money wisely in direct improvements by funding the development of an Open Source solution.

France takes up the ECSC challenge!

Before getting to the heart of the matter, we would first of all like to support the French team, which is participating for the first time in the ECSC challenge. The European Cyber Security Challenge takes place from 14 to 17 October and pits 17 national teams of young ethical hackers and professional trainers against each other. Teams must overcome several challenges, such as cryptography, reverse engineering or vulnerability research, to hope to win the competition. You can show your support for our national team on social networks (#ECSC2018, #TeamFR) or by downloading the ECSC kit made available by ANSSI, which funds the event in association with HackerZvoice.

What you shouldn’t have missed:

Find all our recommendations on Twitter and LinkedIn under the hashtags #TousSecNum, #CyberSecMonth, #ECSM2018 and #ECSM. Also follow our hashtag #CyberConseil for Tranquil IT’s advice and to discover the next infographics.
