From Firewalls to Fine Grain Permissions: Cyber Security Best Practice

Cyber crime is now so prevalent that guarding against it should be part of standard ‘business as usual’ company procedures, but many organisations have been – and continue to be – caught out. In parallel, the risk of physical attacks remains the same, which means that the risk manager’s role of keeping people and places safe and secure is becoming more expansive and, by extension, more complex. Tim Northwood outlines why organisations need systems and processes in place that offer robust physical security measures and keep out the cyber criminals.

We all remember WannaCry, the ransomware that crippled the UK’s NHS by locking files and demanding bitcoin payments to release them. That episode reportedly cost the NHS £20 million at the time with 19,000 cancelled appointments, not to mention a further £72 million to clean-up and upgrade its IT systems.

Last year, hotel chain Marriot International announced that contact and reservation information – including over nine million unique encrypted payment card numbers and 5.3 million unique unencrypted passport numbers – had been stolen from its database. Only last month, it was reported that China was behind the hacking of eight major computer service firms including Hewlett Packard and IBM with a view to stealing commercial secrets.

What, then, is the answer for today’s organisations looking to keep people, property and hard-won reputations safe and secure?

An assessment of firewalls

Good cyber security is all about keeping unauthorised people and programs out of your system. Firewalls allow you to set up a series of rules to determine who or what can access your internal network. You might want to block access by IP addresses in a certain area or any communications from a specified rogue state or organisation. Firewalls then become a trusted barrier between your internal network and the wider Internet, monitoring and controlling every incoming and outgoing interaction. They reduce the risk of attack, such as malicious code designed to manipulate applications to modify, steal, delete or simply access secure or otherwise sensitive data.

Hardware firewalls tend to offer more security, though software firewalls can also be effective. It depends on the nature and size of your organisation. Further, a good router should prevent the IP address of any individual computer being openly visible on the Internet. Encryption programs, anti-virus, spyware and authentication programs also make it harder for criminals to infiltrate your system. 

If your core security system integrates with other third party systems, such as video management systems, ANPR or visitor management systems to name just a few options, you need to be able to isolate those other systems. This ensures that, even if one of the systems with which you’re integrated is hacked, your system will not be compromised.

Sandboxing is the term used for the software management strategy that isolates systems and applications integrated with your core access control system. It provides an extra layer of security that prevents malware or harmful applications from negatively affecting your system. Without sandboxing, an application may have unrestricted access to all system resources and user data on a computer. A sandboxed app, on the other hand, can only access resources in its own ‘sandbox’.

An application’s sandbox is a limited area of storage space and memory that contains only the specific resources the program requires. If a program needs to access resources or files outside of its sandbox, permission must be explicitly granted.

Network secure communications

Secure communications are paramount for cyber security, whether that’s via in-house private communication networks or between access control system controllers, servers and door modules, or when the core system integrates with third party products such as CCTV.

A robust level of end-to-end encryption across all of these communications channels and interfaces is vital. Data encryption ensures secure LAN communications at all times and continuous monitoring will detect any fault or attempted module substitution. Ensuring that the communications network is isolated also helps in reducing the risk of interception.

Where a higher than normal level of security is required, you should ensure devices connected to the access control system have their own MAC addresses to help guard against cyber security breaches. This measure prevents module substitution. For example, if an attacker attempted to replace devices for others with lesser level of performance, the system would alert operators to the unauthorised change.

Ensuring your system is ‘always on’ is another key element when it comes to reducing the risk of cyber breaches in vulnerable downtime. A security system should offer high availability with an IP network that runs multiple instances of itself – at the same time – across multiple nodes or servers at the local, national and global levels. Solutions such as database failover clustering means it will auto-connect to available nodes when necessary and ensure there;s no compromise to the system.

Fine grain permissions for users

Security systems that allow ‘fine grain’ tailoring for permissions and protocols offer better protection from would-be criminals. For example, systems that allow you to create completely bespoke access credentials for each member of staff and all visitors ensure they can only access the correct areas and systems at any given moment.

Systems offering a full forensic audit trail are vital for robust cyber security. Forensic audit reports cover every single action and engagement with the access control system and can be reported at the local, national or global levels. This means security managers can see exactly who has done what to the system and when. A good audit trail system should have the ability to ‘roll-back’ changes made to system programming by any person or entity at a specific date and time. This means, for example, that any changes made by a ‘rogue’ operator can be undone in one action and the system programming rolled back to exclude these changes.

Documenting your cyber security processes, procedures and guidelines ensures that all security procedures are followed routinely and exactly as they’re written down. Having the right processes in place means sensitive data will only be accessed by authorised persons and, when required, and you can prevent data modification.

An information security program helps you train new security staff more easily. Guidance for general employees helps them understand how their actions can create cyber risks and, importantly, how they can mitigate them.

Managing an attack episode

Should the worst case scenario happen and you or your organisation suffers a cyber attack, it’s vital to have a tested disaster recovery plan in place. You will need to be able to recover lost or corrupted data and restore as quickly as possible all of your business-critical applications.

The key point here is that your disaster recovery plan needs to be tested – and repeatedly so. How regularly will depend on the size of your organisation, but quarterly is probably about right for most. If you don’t test your plan and prove that it works in practice as expected, you expose the systems and your organisation to a much higher risk of failure in the event of an attack.

Tim Northwood

Tim Northwood

The methods and types of cyber attacks and security risk are constantly evolving. Whatever new solution you design, someone will eventually work out how to hack it. Ransomware, malware, phishing and social engineering are the most common threats right now, but there are others on the horizon. Cryptojacking (ie the secret use of your computer to mine for cryptocurrency) is becoming more sophisticated. Criminals can mine your computer from a web browser rather than a downloaded program.

There’s more state-sponsored hacking with large, long-term projects that can steal commercial information, or even hack critical infrastructure organisations in other countries.

It’s estimated that there will be 30 billion devices connected to the Internet by the end of this year, including computers and laptops, tablets, mobile phones, smart watches and web cams. Smaller devices tend to be more vulnerable to cyber attack and there’s potential for criminals to cause chaos by targeting the large numbers of people who use these.

The only way in which we can stay ahead of the cyber criminals, or at least mitigate their attacks if they occur, is to remain vigilant and open-minded about what they might do next.

Investing in cyber security

The business case for investing in cyber security is clear. Attacks can cost companies millions of pounds, cause chaos and result in severe reputational damage.

There’s plenty of sophisticated kit out there to help you build a security system with robust cyber security measures, but that’s only part of the solution. You need great people to manage that system and advise on changing or emerging threats. Yet I keep hearing that companies are struggling to recruit cyber security professionals because of a shortage of qualified and experienced candidates. Investing in our people and training more cyber security professionals will be just as crucial if we want to keep the cyber criminals out.

Tim Northwood is General Manager of Inner Range

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts