This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
This Website Uses Cookies
By closing this message or continuing to use our site, you agree to our cookie policy. Learn More
This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • Home
  • News
    • Security Newswire
    • Technologies
    • Security Blog
    • Newsletter
    • Web Exclusives
  • Columns
    • Career Intelligence
    • Security Talk
    • The Corner Office
    • Leadership & Management
    • Cyber Tactics
    • Overseas and Secure
    • The Risk Matrix
  • Management
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • More
  • Physical
    • Access Management
    • Video Surveillance
    • Identity Management
    • More
  • Cyber
  • Sectors
    • Education: University
    • Hospitals & Medical Centers
    • Critical Infrastructure
    • More
  • Exclusives
    • Security 500 Report
    • Most Influential People in Security
    • Top Guard and Security Officer Companies
    • The Security Leadership Issue
    • Annual Innovations, Technology, & Services Report
  • Events
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
    • Security 500 West
  • Resources
    • The Magazine
      • This Month's Issue
      • Digital Edition
      • Archives
      • Professional Security Canada
    • Videos
      • ISC West 2019
    • Photo Galleries
    • Polls
    • Classifieds & Job Listings
    • White Papers
    • Mobile App
    • Store
    • Sponsor Insights
    • Continuing Education
  • InfoCenters
    • Break-in Prevention
    • Building AppSec in Enterprises
    • Video Management Systems
  • Contact
    • Editorial Guidelines
  • Advertise
Home » Limiting Access Is the First Step to Securing Networks
Cyber Security NewsCyber Tactics

Limiting Access Is the First Step to Securing Networks

Limiting Access Is the First Step to Securing Networks, cyber security news, NIST Cybersecurity Framework, access management
Cyber Tactics by Steven Chabinsky
Limiting Access Is the First Step to Securing Networks, cyber security news, NIST Cybersecurity Framework, access management
Cyber Tactics by Steven Chabinsky
February 1, 2016
Steven Chabinsky
KEYWORDS access management / Chief Security Officer (CSO) / cyber security / network security / NIST cyber security framework
Reprints
No Comments

As part of our continuing series on the NIST Framework, we completed our review of the “Identify” category last month.  Now, let’s consider NIST’s advice for how best to “Protect” networks, starting with access control.

At the heart of this important topic is establishing everything that needs to be locked down, as to whom, and against what.  Everything that requires protection commonly includes data, computers and applications; from whom includes insiders and outsiders, and extends all the way from honest employees to malicious hackers; what is being controlled, despite the category’s name, extends well beyond access and equally includes restricting the ability to modify resources.

Let’s break this down a bit.  While data access restrictions are meant to lock down the ability to view sensitive information (such as trade secrets and customer data), controlling data modification assumes authorized access to the information, but limits or prohibits the ability to alter it (think of a website that anybody can view, or documents with “read only” permissions of “look, but don’t touch”).

Turning to the devices themselves, computer access restrictions include physical protections against human tampering (starting with your server room), as well as restricting which computers can talk to each other (air-gapped networks offer a great example).  Then there’s the separate ability to modify computer hardware, whether by unscrewing the back and swapping out parts or, more simply, by adding or disabling a peripheral device like a printer.

Finally, there are considerations relating to applications, which range from a company’s ability to track and abide by the number of software licenses it purchased, to a hacker’s ability to modify firmware and security settings.

To accomplish the essential goal of access control, NIST focuses on five objectives:

  • Establishing verifiable identities, issuing trusted credentials, and de-provisioning access when required.
  • Controlling physical access. For more on this topic, see the July 2015 Cyber Tactics column, “Securing the Physical Side of Cybersecurity.”
  • Managing remote access, while taking into account teleworkers, mobile devices, Web platforms, as well as trusted vendors and business affiliates.
  • Restricting permissions, by providing users only with those abilities they require (this is the concept of  least privilege) and dividing roles and responsibilities so more than one person is needed to perform certain critical functions (this is the concept of separation of duties, and it’s not limited to nuclear launch codes).
  • Protecting network integrity which, for larger systems, likely will include some form of network segmentation (partitioning) and network segregation (restricting the devices that can communicate with one another) to prevent lateral movement should part of the network become compromised.

As you can gather, there is a lot underlying each of these points.  To gain a more in-depth understanding of access control, consider supplementing the Framework by reading NIST’s Security Controls and Assessment Procedures for Federal Information Systems and Organizations.  But please, if you access it online, don’t try to modify it.  Doing otherwise might lead to an understanding of how the FBI enforces access control!

Subscribe to Security Magazine

Recent Articles by Steven Chabinsky

Who's Responsible for Cloud Security?

Clear, Purge & Destroy: When Data Must be Eliminated, Part 2

Clear, Purge & Destroy: When Data Must be Eliminated

Bug Bounty Programs: An Emerging Best Practice

Managing Supply Chain Risk

Chabinsky-2016-200px

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

Related Articles

7 Steps to Better Data Security

3 Steps to Better Cybersecurity Training

Related Events

Training Future Digital Security Leaders

You must login or register in order to post a comment.

Report Abusive Comment

Subscribe For Free!
  • Print & Digital Edition Subscriptions
  • Security eNewsletter & Other eNews Alerts
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Popular Stories

ransomware-enews

British American Tobacco Suffers Data Breach and Ransomware Attack

cybersecurity breach

The Top 12 Data Breaches of 2019

Dispelling the Dangerous Myth of Data Breach Fatigue; cyber security news

Major Retailer Macy's Is Hacked

server room, cybersecurity, penetration testing,

Explained: Firewalls, Vulnerability Scans and Penetration Tests

cyber network

How to Achieve Cybersecurity with Patience, Love and Bribery

SEC2019_Everbridge_1119_360x184customcontent

Events

December 17, 2019

Conducting a Workplace Violence Threat Analysis and Developing a Response Plan

There are few situations a security professional will face that is more serious than a potential workplace violence threat. Every security professional knows and understands that all employers have a legal, ethical and moral duty to take reasonable steps to prevent and respond to threats of violence in their workplace.
January 23, 2020

The Value of a Unified Approach to Critical Event Management

From extreme weather to cyberattacks to workplace violence, every organization will experience at least one, if not multiple, critical events per year. And in today’s interconnected digital and physical world, the cascading safety, brand, and revenue impacts of critical events are more severe.
View All Submit An Event

Poll

Emergency Communications

What does your enterprise use to communicate emergencies to company employees?
View Results Poll Archive

Products

Effective Security Management, 6th Edition

Effective Security Management, 6th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

See More Products
SEC500_250x180 clear

Security Magazine

SEC-December-2019-Cover_144px

2019 December

This month, Security magazine brings you the 2019 Guarding Report, featuring David Komendat, Boeing CSO, and many other public safety leaders to discuss threats and solutions for 2020 and security officer training. Also, we highlight Hector Rodriguez, Director of Public Safety and Security at Marymount California University, CCPA regulations, NIST standards, VMS and much more.

View More Create Account
  • More
    • Market Research
    • Custom Content & Marketing Services
    • Security Group
    • Editorial Guidelines
    • Privacy Policy
    • Survey And Sample
  • Want More
    • Subscribe
    • Connect
    • Partners

Copyright ©2019. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing