How to Identify Critical Access Points
Most Critical Access Points are Defined by Frequency, Risk and Urgency
The current trends in the cyber landscape are all rotating around one axis — access points. Hackers and cybersecurity professionals alike are all focusing on access points as their means of success — whether that’s to infiltrate or protect those entryways into critical systems, data, and applications.
In order to secure access points, you first need to identify them. Access points are decentralized, and displaced users are accessing assets that no longer sit just behind a perimeter wall. Inventorying and identifying your access points needs to start with inventorying and identifying what you’re protecting.
Step 1: Identify your high-risk, critical assets.
Your critical access points are the doorways that lead to critical (and vulnerable) assets, such as operating systems for a manufacturing plant or personally identifiable information (PII) in a CRM system. A business has many assets, but the ones that need the most security are those categorized as critical — the ones that, if accessed improperly, could have damaging consequences. You can determine if an asset is critical based on three aspects: frequency, risk, and urgency.
- Frequency: How often is the asset being accessed?
- Risk: What’s at stake/What’s the cost of that asset?
- Urgency: How fast does a user need to access that asset for a critical job function?
Critical assets are considered to have lower frequencies, a higher risk level, and high urgency. But if any two of these three factors are critical, the asset needs to be treated as critical with strict access policies, tight security controls, and session monitoring in place.
Step 2: Consider all the users who need access to the asset.
Identifying each critical asset is a great first step, but the most crucial step is asking, “How can a user access this asset?” Put yourself in a variety of users’ shoes: an internal employee, a third-party vendor rep, an IT help desk admin, etc. Every way each of these users can access the asset needs to be documented so that each level of access is recorded and identified.
For example, let’s look at assets like patient data in an electronic medical record (EMR) database or PII found in a retail chain’s customer database. If you think about who has access to those assets, you can find your access points: nurses need access to EMR data via their usernames and logins, and retail employees need to access customer data through their CRM system admin credentials. IT administrators access each database through methods such as RDP or desktop sharing, and third-party vendors could connect through remote access software.
Step 3: Identify all access points.
Now that we know what assets are critical and who is using each asset, we can identify each access point that a user could use to get to these assets. The most critical access points are defined not only by frequency, risk, and urgency, but also by the types of privileges that are needed to access the asset. The more privileges needed, the more critical the access point is — and the more protection it needs. Tight security controls need to be implemented to fully secure these points of connectivity and restrict access down to a granular level.
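The three steps above can be run over a simple inventory. The following is an added example, not part of the original article: the frequency cut-off, the 1-3 privilege scale, and the sample assets and access paths are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    accesses_per_day: int  # frequency
    risk: str              # "low" or "high"
    urgency: str           # "low" or "high"

@dataclass(frozen=True)
class AccessPoint:
    asset: str
    user: str
    method: str
    privilege: int         # assumed scale: 1 standard user, 2 vendor, 3 administrator

LOW_FREQUENCY_MAX = 20     # assumed cut-off for "lower frequency"; tune per environment

def critical_factors(asset):
    """Step 1: list which of the three factors are at their critical value."""
    checks = [("frequency", asset.accesses_per_day <= LOW_FREQUENCY_MAX),
              ("risk", asset.risk == "high"),
              ("urgency", asset.urgency == "high")]
    return [name for name, hit in checks if hit]

def is_critical(asset):
    """Treat the asset as critical when any two of the three factors are critical."""
    return len(critical_factors(asset)) >= 2

def critical_access_points(assets, access_points):
    """Steps 2-3: keep paths into critical assets, most privileged first."""
    critical = {a.name for a in assets if is_critical(a)}
    paths = [p for p in access_points if p.asset in critical]
    return sorted(paths, key=lambda p: p.privilege, reverse=True)

# Constructed inventory for illustration only.
ASSETS = [
    Asset("EMR database", 400, "high", "high"),
    Asset("Plant control system", 5, "high", "high"),
    Asset("Cafeteria menu site", 300, "low", "low"),
]
ACCESS_POINTS = [
    AccessPoint("EMR database", "nurse", "username and password login", 1),
    AccessPoint("EMR database", "IT administrator", "RDP", 3),
    AccessPoint("EMR database", "third-party vendor", "remote access software", 2),
    AccessPoint("Cafeteria menu site", "employee", "browser", 1),
]

if __name__ == "__main__":
    for p in critical_access_points(ASSETS, ACCESS_POINTS):
        print(f"{p.privilege}  {p.asset:<14} {p.user:<20} {p.method}")
```

The EMR database is accessed often, so it fails the frequency test, but it still counts as critical because risk and urgency are both high; its administrator RDP path ranks first for controls.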
Secure Your Access Points with Fine-Grained Controls
All forms of granular access control are important here, but one of the most important is credential management. Credentials are the keys to the “critical asset” kingdom. If a user (or hacker) makes it to the access point of a critical asset, an entire asset, system, or network is at their fingertips. Managing credentials is the difference between critical asset protection and exposure.
Privileged access management products are designed to safely manage credentials, rotate passwords periodically so a stale password isn’t compromised, and mask them so users never actually have to see passwords. And for external users like third parties, cover all your bases and find a solution for third-party credential management. These can be found in third-party remote access software solutions that also mask and inject passwords so vendors are immediately connected without seeing your credentials. These solutions, when mixed with a combination of other controls, are the most effective ways you can lock down your access points and protect your company’s critical assets.