Cyber Security arrangements – common weaknesses and how to address them
Posted on: February 8th 2024
MHA’s Internal Audit teams have carried out a number of Cyber Security and IT Health-check reviews across the previous 12 months in response to the elevated level of external (and potentially internal) threats in this area. Whilst the outcomes of these audits have differed from organisation to organisation, as you might expect, a number of common areas of weakness have been noted, the most frequently observed being in respect of Active Directory management (access controls over IT systems and directories). We have therefore set out below some of the common failings observed, together with some of the controls that should be established over this area to reduce the risk of system compromise in the event of a cyber-attack.
The following control weaknesses have been observed across our audits in respect of the general management of system and user access to IT systems:
- Outdated policies and procedures which do not reflect National Cyber Security (NCS) Guidance.
- Leaver accounts still active after the employees had left, in some cases for more than one year.
- Accounts established with a ‘cannot change password’ setting enabled, meaning users cannot change passwords themselves, even when they may be concerned their password has been compromised.
- Accounts established with a ‘password never expires’ setting, which may mean that older passwords which do not comply with current password practices might still be in use and these are more likely to be compromised in the event of a cyber-attack.
- Service accounts (accounts which have some form of service functionality) having passwords which have not been changed for over 10 years.
- Password length and complexity below what is recommended within NCS guidance. Such guidance recommends a minimum password length of 10 characters, or a three-random-words approach; further guidance can be found here.
- No process of review between the IT user database and HR database to ensure only active employees have their accounts enabled on the system.
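The account-hygiene findings above (leaver accounts, ‘password never expires’, ‘cannot change password’, stale service-account passwords and the missing HR reconciliation) can be checked in one pass over the directory. The following is an added example, not MHA’s own tooling; it assumes the ActiveDirectory PowerShell module, a hypothetical HR export at C:\audit\hr_active.csv with an Email column, and treats any account carrying a service principal name as a service account.

```powershell
# Added example: audit Active Directory user accounts for the weaknesses listed above.
# Assumptions (hypothetical): ActiveDirectory module available, HR export path and
# column name as below, 365 days as the service-account password age threshold.
Import-Module ActiveDirectory

$HrExportPath       = 'C:\audit\hr_active.csv'   # hypothetical HR export, column "Email"
$MaxSvcPasswordDays = 365                        # assumed threshold for service-account passwords
$cutoff             = (Get-Date).AddDays(-$MaxSvcPasswordDays)

# Pull every user with the attributes the findings depend on
$users = Get-ADUser -Filter * -Properties Enabled, PasswordNeverExpires, CannotChangePassword,
    PasswordLastSet, LastLogonDate, ServicePrincipalName, EmailAddress

$findings = foreach ($u in $users) {
    $issues = @()
    if ($u.Enabled -and $u.PasswordNeverExpires) { $issues += 'PasswordNeverExpires' }
    if ($u.Enabled -and $u.CannotChangePassword) { $issues += 'CannotChangePassword' }
    # Service accounts: flag a password older than the threshold, or never set at all
    if ($u.ServicePrincipalName -and (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $cutoff)) {
        $issues += "ServiceAccountPasswordOlderThan${MaxSvcPasswordDays}d"
    }
    if ($issues) {
        [pscustomobject]@{ Account = $u.SamAccountName; LastLogon = $u.LastLogonDate; Issues = ($issues -join ';') }
    }
}

# Leaver check / HR reconciliation: enabled accounts with a mailbox that HR no longer lists as active
$hrEmails = (Import-Csv $HrExportPath).Email | Where-Object { $_ } | ForEach-Object { $_.ToLower() }
$orphans  = $users | Where-Object {
    $_.Enabled -and $_.EmailAddress -and ($hrEmails -notcontains $_.EmailAddress.ToLower())
} | ForEach-Object {
    [pscustomobject]@{ Account = $_.SamAccountName; LastLogon = $_.LastLogonDate; Issues = 'EnabledButNotInHR' }
}

# Combined report, oldest last logon first so long-dormant accounts surface at the top
($findings + $orphans) | Sort-Object LastLogon | Format-Table -AutoSize
```

Accounts without an email address are not covered by the HR comparison, so match on employee ID or SamAccountName instead if your HR export carries one.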
In addition, for elevated privilege groups the following was observed:
- Default administrator accounts still named as such and not renamed to something less obvious. This could make these accounts more vulnerable to cyber-attacks.
- High numbers of staff having access to privileged accounts where such access may no longer be required. This presents would-be attackers with more accounts with enhanced levels of access to try to compromise.
- Multi Factor Authentication (MFA) not in place for gaining access to privileged accounts.
What controls should be established to reduce the level of risk in this area?
NCS Guidance recommends a number of controls and processes which should be established in respect of this area, and further guidance can be found here. The key actions in respect of this area are summarised below.
Develop and embed appropriate policies and procedures. Such procedures should set out:
- Who should have access to which system and / or data and why. This should include consideration of part time staff, volunteers and contractors in addition to full time employees.
- What audit records are acquired and how, how they are safeguarded against tampering and what authorisations are required to access them.
- Account management for new starters, movers and leavers, whether full time or otherwise.
- The arrangements in place for how third parties who require access to your systems can obtain it, and what authorisations and disclosure agreements are required.
- What your organisation’s work email addresses may be used for, e.g. which websites and services staff can access using their work email account.
Implement multi-factor authentication for all user accounts where appropriate. In doing this it is important to consider:
- That the type of MFA utilised is proportionate to the level of risk faced. For example, any accounts for online services should have MFA implemented to protect against password guessing. If there is the potential to do so, offer users a choice of how to authenticate (e.g. SMS, email, authenticator software, etc.) so that the approach can operate across different users and locations.
- Where passwords are required, implement a password policy that balances usability and security.
- Ensure credentials are adequately protected both at rest and in transit.
Implement MFA and other controls in respect of privileged accounts with increased access levels, including:
- Consideration of the level of privileges that should be allocated for such accounts, and only providing full privileges where it is absolutely necessary for domain admin or cloud admin accounts.
- Ensure that MFA is enabled for these accounts and consider the use of strong authentication methods for these, using risk based decision making depending on the levels of risk associated with the accounts and the nature and volume of activity.
- System administrators should have separate user accounts for their day-to-day business (e.g. email access) and for their administrative activities, ideally on separate devices, with any unnecessary web or email access blocked from the admin account to limit its exposure to phishing attacks.
- There may also be some benefit in considering the above approach for accounts for users who are able to authorise high value financial transactions or make changes to key software systems.
- A regular review should be carried out regarding who has been provided with privileges and these should be removed when they are no longer required.
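The privileged-group findings earlier (default administrator account still named as such, too many privileged members) and the regular privilege review recommended here can be scripted against the directory. This is an added example, not MHA’s tooling; it assumes the ActiveDirectory module and a hypothetical approved-administrator list at C:\audit\approved_admins.txt (one SamAccountName per line), and uses 90 days as the inactivity threshold.

```powershell
# Added example: review privileged group membership in Active Directory.
# Assumptions (hypothetical): approved list path below, 90-day inactivity threshold.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$ApprovedAdmins   = Get-Content 'C:\audit\approved_admins.txt'   # hypothetical approved list
$inactiveCutoff   = (Get-Date).AddDays(-90)

# 1. The built-in administrator always has RID 500, whatever it is called;
#    look it up by SID so a rename cannot hide it, then check whether it was renamed.
$domainSid = (Get-ADDomain).DomainSID.Value
$builtin   = Get-ADUser -Identity "$domainSid-500" -Properties Enabled
if ($builtin.SamAccountName -eq 'Administrator') {
    "Finding: default administrator account (RID 500) still named 'Administrator' (Enabled=$($builtin.Enabled))"
}

# 2. Enumerate each privileged group recursively (nested groups included) and flag
#    members who are not on the approved list, are disabled, or have not logged on recently.
$report = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate } |
        ForEach-Object {
            $issues = @()
            if ($_.SamAccountName -notin $ApprovedAdmins) { $issues += 'NotOnApprovedList' }
            if (-not $_.Enabled)                          { $issues += 'DisabledButStillPrivileged' }
            if (-not $_.LastLogonDate -or $_.LastLogonDate -lt $inactiveCutoff) { $issues += 'NoLogonIn90Days' }
            if ($issues) {
                [pscustomobject]@{ Group = $g; Account = $_.SamAccountName; Issues = ($issues -join ';') }
            }
        }
}

# 3. Residue: accounts still marked adminCount=1 (set by AD's protected-group process)
#    that no longer sit in any privileged group should be reviewed and the flag cleared.
$stillMarked = Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object { $_.SamAccountName -notin ($report.Account + $ApprovedAdmins) }

$report | Sort-Object Group, Account | Format-Table -AutoSize
"Accounts with adminCount=1 outside the reviewed groups: $($stillMarked.SamAccountName -join ', ')"
```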
Finally, it is important that appropriate security monitoring tools are in place to detect potential malicious behaviour. This should include:
- Systems in place for logging and monitoring authentication and authorisation events, so that suspicious behaviour that may indicate a potential compromise can be detected.
- A monitoring system designed so that any activity performed, and any system used, can be attributed to the individual who performed it.
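As an added example of the authentication monitoring described above (not MHA’s tooling), the following summarises two event types from the Windows Security log on a domain controller: repeated failed logons per account and source address, and changes to security group membership with the account that made them, which is what attributing activity to a person requires. It assumes the relevant audit policies (Logon, Security Group Management) are enabled and uses a hypothetical threshold of 10 failures in 24 hours.

```powershell
# Added example: detect password guessing and privileged-group changes from the Security log.
# Assumptions (hypothetical): run on a domain controller with logon and group-management
# auditing enabled; alert threshold of 10 failed logons per account/source in 24 hours.
$since     = (Get-Date).AddHours(-24)
$Threshold = 10

# Read a named field from the event's XML payload (robust to property ordering)
function Get-EventField {
    param($Event, [string]$Name)
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# Event 4625 = an account failed to log on. Group by target account and source IP so a
# spray across many accounts from one address and a brute force on one account both show up.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue
$suspicious = $failed | ForEach-Object {
    [pscustomobject]@{
        Account = Get-EventField $_ 'TargetUserName'
        Source  = Get-EventField $_ 'IpAddress'
    }
} | Group-Object Account, Source | Where-Object Count -ge $Threshold |
    Select-Object @{ n = 'AccountAndSource'; e = { $_.Name } }, Count

"Accounts/sources exceeding $Threshold failed logons since $since"
$suspicious | Format-Table -AutoSize

# Events 4728 / 4732 / 4756 = member added to a security-enabled global / local / universal
# group. SubjectUserName is the person who made the change, which gives the attribution.
$groupChanges = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Group  = Get-EventField $_ 'TargetUserName'
        Member = Get-EventField $_ 'MemberName'
        By     = Get-EventField $_ 'SubjectUserName'
    }
}

"Security group membership additions since $since"
$groupChanges | Sort-Object Time | Format-Table -AutoSize
```

On a large domain, forward these events to a central log collector and run the same grouping there rather than querying each controller in turn.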
If you require any further information in respect of the above, or would like further assurance over your key IT systems and controls in place, then please do not hesitate to contact Chris Rising for how we may be able to assist further.