
Detecting and Responding to Unauthorized Access


Christian Wimpelmann

The simplest way to think about data security comes down to controlling who has access and preventing access that is not authorized. Whether it takes the form of unauthorized data access or unauthorized access to a computer network, it is the archetype of data security risk. While it’s a simple idea, the challenge comes in defining what constitutes unauthorized access, how to prevent it, and how to detect and respond to unauthorized access when it inevitably does occur.

What is unauthorized access?

Unauthorized access encompasses any time an individual — an internal or external actor — accesses data, networks, endpoints, applications, or devices without permission. There are several common causes or scenarios of unauthorized data access and unauthorized access to computer networks — from weak passwords that are easily guessed or hacked to sophisticated social engineering schemes like phishing that trick authorized users into exposing credentials, to compromised accounts that have been hacked and taken over by illegitimate actors.

What are the risks of unauthorized data access?

Once an individual has gained unauthorized access to data or computer networks, they can cause damage to an organization in a number of ways. They may directly steal files, data, or other information. They may leverage unauthorized access to further compromise accounts. They may destroy information or sabotage systems and networks. All of these scenarios carry inherent risks, costs, and potential fines to the business — but the long-term damage from unauthorized access can carry on insidiously in the form of damaged reputation and trust, as well as ongoing impacts on revenue.

5 strategies to prevent unauthorized access

1. Adopt the Principle Of Least Privilege (POLP)

A 2020 report found that half of organizations have users with more access privileges than are necessary to do their jobs. The POLP approach aims to regularly audit internal user access privileges to ensure the minimum necessary level of access to data, systems, networks, and devices for the individual to perform the core responsibilities of their role. A key point is the “core responsibilities” idea: temporary access can be granted in exceptional cases while still maintaining least-privileged access for day-to-day work.
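The audit described above can be reduced to a reconciliation: compare each user's current entitlements against the baseline their role needs, and treat anything extra as excess unless it is covered by a time-boxed exception. The script below is an added example, not Code42's code; the role names, entitlement strings, user export and exception table are all constructed for illustration, and the `today` parameter stands in for the review date.

```python
"""Added example: least-privilege access review.

Reconciles each user's granted entitlements against the baseline set for
their role. Extra entitlements are reported as excess unless a still-valid,
time-boxed exception covers them; entitlements the role needs but the user
lacks are reported as missing. All data below is constructed for the example.
"""
from datetime import date

# Constructed role baselines: what each role needs for its core duties.
ROLE_BASELINE = {
    "finance-analyst": {"finance-share:read", "erp:report"},
    "developer": {"source:read", "source:write", "ci:run"},
}

# Constructed snapshot of current entitlements, as exported from an IAM system.
USERS = {
    "alice": {"role": "finance-analyst",
              "entitlements": {"finance-share:read", "erp:report", "erp:admin"}},
    "bob": {"role": "developer",
            "entitlements": {"source:read", "source:write", "ci:run", "prod-db:write"}},
    "dan": {"role": "developer",
            "entitlements": {"source:read", "ci:run"}},
}

# Constructed temporary grants: (user, entitlement) -> date the exception expires.
EXCEPTIONS = {("bob", "prod-db:write"): date(2024, 3, 31)}


def review_access(users, role_baseline, exceptions, today):
    """Return {user: {"excess": [...], "missing": [...]}} for the review date."""
    report = {}
    for user, info in users.items():
        needed = role_baseline[info["role"]]
        granted = info["entitlements"]
        excess = set()
        for ent in granted - needed:
            expiry = exceptions.get((user, ent))
            # An exception only counts while it is still in force.
            if expiry is None or expiry < today:
                excess.add(ent)
        report[user] = {
            "excess": sorted(excess),
            "missing": sorted(needed - granted),
        }
    return report


def users_with_excess(report):
    """Users whose grants exceed their role baseline, for follow-up."""
    return sorted(u for u, r in report.items() if r["excess"])


if __name__ == "__main__":
    for review_date in (date(2024, 3, 15), date(2024, 4, 1)):
        result = review_access(USERS, ROLE_BASELINE, EXCEPTIONS, review_date)
        print(review_date, users_with_excess(result))
        for user, r in result.items():
            print(f"  {user}: excess={r['excess']} missing={r['missing']}")
```

Run it twice with different review dates and the effect of the time-boxed exception is visible: bob's production database write is tolerated on 15 March and flagged once the exception lapses. The "missing" list matters too, since least privilege is about the right access, not simply less of it.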

2. Put a strong password policy in place

Strong passwords are one of the best protections against unauthorized access. That means developing and enforcing a strong password policy that requires all users to follow established best practices for creating — and regularly changing — strong passwords, as well as ensuring passwords are not reused across devices, apps, or other accounts. One of the easiest ways to help your users maintain strong passwords is to use a password manager that can generate (and remember) passwords with far more length and randomness than a human ever could.

3. Use Multi-Factor Authentication (MFA)

Unauthorized access often stems from a single compromised password or credential. But if all the individual has done is guess, crack, or otherwise illegitimately obtain the password, multi-factor authentication can easily stop the unauthorized access. The illegitimate actor almost certainly won’t have access to the secondary (or tertiary) form of identity verification (like a one-time passcode sent to the legitimate user’s mobile device). Microsoft estimates that 99.9% of compromised user accounts could be prevented with MFA.

4. Keep security patches up to date

External actors often gain unauthorized access through known vulnerabilities. Fortunately, this means these intrusions can be blocked by simply ensuring you regularly update all software, keep security patches up to date, and set security updates to automatic whenever possible.

5. Don’t forget about physical security

While most unauthorized access happens in a digital sense — the unauthorized actor is using a compromised credential to access data or computer networks from their own device — physical security in your workplace is still essential. Whether it’s a malicious inside actor or an external actor visiting your workplace, leaving devices unlocked or written-down passwords plainly visible is an easy recipe for unauthorized access.

How to detect unauthorized access

Prevention is the first defense against unauthorized access. But when these incidents do happen, time is of the essence in mitigating the damage. The more immediately you can detect unauthorized access — and the more efficiently you can investigate the incident — the faster you can effectively respond to lock down access, shut out the illegitimate actor, and take back control of your data, systems, and networks.

There are many conventional security technologies, such as data loss prevention (DLP) and cloud access security brokers (CASB), that promise to alert security teams to unauthorized data access or unauthorized access to a computer network. Unfortunately, there are three big problems that conventional security tools typically struggle with:

Big Problem #1: Most unauthorized access comes from insiders

Calling unauthorized access incidents “intrusions” is a common misnomer. That’s because around two-thirds of data breaches stem from insiders. These are employees, third parties like vendor partners, and other inside actors that already have significant access privileges within your organization. So, it’s not as simple as looking for the red flag of an outside actor you don’t recognize.

Big Problem #2: A lot of unauthorized access isn’t forced

“Gaining access without permission” carries connotations of hacking or breaking into a system or network. Much of the time, it’s not that hard: Files and information aren’t properly secured, whether that means not securing information at all for internal users or not following the least privilege principle. And the “without permission” part of defining unauthorized access is squishy, as well: If it’s not secured or if an employee can access the data or network, do they need to ask for specific permission? Conventional policy-based security tools struggle with this kind of unauthorized access because the internal users aren’t breaking any rules that would trigger alerts. But regardless of intent, the risk is still there.

Big Problem #3: More and more data doesn’t have set permissions

In the typical “knowledge economy” enterprise, the “work” employees are doing every day takes the shape of files and data they’re creating, sharing, and iterating on all day. This unstructured data lives on endpoints, in cloud storage and sync-and-share apps like Box or Google Drive, in email attachments, Slack chats, and more. Illegitimate access to this data might not be technically “unauthorized” because the data is being created and evolved too quickly for it to be officially classified as sensitive, protected, or of high value. But when those files develop into more definitively valuable or sensitive information, security teams need to be able to monitor (and trace back) who had access to what, when, and through which channels.

All data matters — focus on signals of risk

As the complexity of data, systems, and networks grows in the modern enterprise, preventing, detecting, and responding to unauthorized access requires a shift in thinking: All data matters. Security teams need to have continuous visibility into all data and file activity, across all users and devices, on and off the network.

This foundation of data visibility will enable security teams to tune out the noise of everyday activity and identify a high-fidelity signal of risk that may indicate unauthorized access that isn’t easily flagged or blocked by conventional security tools. These signals of risk fall into a few main categories — off-hours activity, activity by departing employees, high-volume file activity, or high-value file activity — but all of it comes down to one idea: Users access systems, files, or information that they typically do not.
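The signal categories listed above (off-hours activity, departing employees, high-volume activity, high-value files) and the underlying idea of a user touching something they normally do not can be expressed as detection logic over file-activity telemetry. The script below is an added example, not Code42's or Incydr's code; the log format, the per-user baseline built from earlier activity, the business-hours window, the volume threshold, the high-value directories and the departing-employee list are all assumptions constructed for the example. It goes one step beyond the text by scoring users on how many signals overlap, which is the part that separates a real lead from everyday noise.

```python
"""Added example: scoring file-activity events for signals of risk.

Events before a cutoff form each user's baseline (the directories they
normally touch). Events from the cutoff onward are checked for five signals:
off-hours, departing employee, high-value file, high volume, and atypical
access. The log and every threshold below are constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: "timestamp,user,action,path,bytes".
# 2024-03-04 is a Monday; 2024-03-09 is a Saturday.
SAMPLE_LOG = """\
2024-03-04T09:12:00,alice,read,/finance/q1-forecast.xlsx,20480
2024-03-04T14:05:00,alice,write,/finance/q1-budget.xlsx,30720
2024-03-05T10:20:00,bob,read,/source/app/main.py,4096
2024-03-05T11:45:00,bob,write,/source/app/util.py,2048
2024-03-06T09:00:00,carol,read,/sales/pipeline.xlsx,51200
2024-03-07T10:00:00,alice,read,/finance/q1-forecast.xlsx,20480
2024-03-07T23:15:00,bob,download,/finance/payroll.xlsx,81920
2024-03-09T13:00:00,carol,copy,/sales/accounts-east.csv,10240
2024-03-09T13:01:00,carol,copy,/sales/accounts-west.csv,10240
2024-03-09T13:02:00,carol,copy,/sales/pipeline.xlsx,51200
2024-03-09T13:03:00,carol,copy,/sales/contracts-2023.zip,409600
2024-03-09T13:04:00,carol,copy,/sales/pricing.xlsx,8192
2024-03-09T13:05:00,carol,copy,/sales/customers.csv,20480
"""


def parse_log(text):
    """Parse the constructed CSV-style log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path, "bytes": int(size)})
    return events


def top_dir(path):
    """'/finance/q1.xlsx' -> '/finance'; the unit of 'what a user normally touches'."""
    parts = path.split("/")
    return "/" + parts[1] if len(parts) > 1 else path


def build_baseline(events, cutoff):
    """Directories each user touched before the cutoff: their typical set."""
    baseline = defaultdict(set)
    for e in events:
        if e["time"] < cutoff:
            baseline[e["user"]].add(top_dir(e["path"]))
    return baseline


def score_window(events, baseline, cutoff, departing, high_value_dirs,
                 business_hours=(8, 18), volume_threshold=5):
    """Return {user: sorted list of distinct signals seen from the cutoff on}."""
    window = [e for e in events if e["time"] >= cutoff]
    per_user_count = Counter(e["user"] for e in window)
    findings = defaultdict(set)
    for e in window:
        t, user, d = e["time"], e["user"], top_dir(e["path"])
        signals = set()
        # Weekend, or outside the assumed business-hours window.
        if t.weekday() >= 5 or not business_hours[0] <= t.hour < business_hours[1]:
            signals.add("off_hours")
        if user in departing:
            signals.add("departing_employee")
        if d in high_value_dirs:
            signals.add("high_value_file")
        if per_user_count[user] > volume_threshold:
            signals.add("high_volume")
        # The core idea: access to something this user does not normally touch.
        if d not in baseline.get(user, set()):
            signals.add("atypical_access")
        findings[user] |= signals
    return {u: sorted(s) for u, s in findings.items()}


def triage(findings, min_signals=2):
    """Users with at least min_signals overlapping signals, strongest first."""
    return sorted((u for u, s in findings.items() if len(s) >= min_signals),
                  key=lambda u: (-len(findings[u]), u))


def run_demo():
    events = parse_log(SAMPLE_LOG)
    cutoff = datetime(2024, 3, 7)  # baseline is everything before this
    baseline = build_baseline(events, cutoff)
    findings = score_window(events, baseline, cutoff,
                            departing={"carol"},
                            high_value_dirs={"/finance", "/source"})
    return findings, triage(findings)


if __name__ == "__main__":
    findings, leads = run_demo()
    for user, signals in findings.items():
        print(f"{user}: {signals}")
    print("triage order:", leads)
```

On this sample, alice's daytime read of a finance file raises only the high-value signal, which is her normal work and is filtered out by the overlap threshold; bob's late-night download from a directory he never touches and carol's weekend bulk copy shortly before departure each stack three signals and surface as leads. In practice the baseline would come from weeks of history rather than three days, and the thresholds from the organization's own activity distribution.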

Take a right-sized approach to unauthorized access response

There’s no one-size-fits-all approach to incident response in the event of unauthorized access. The response depends on what was accessed, who accessed it, and what happened next. The key to mitigating damage is ensuring that your security team can get fast answers to those critical questions. That same foundation of comprehensive visibility into all user, file, and data activity is the basis for accelerating incident investigation, giving security teams contextual information to answer those central questions and giving them the forensic evidence to work with HR, legal, and IT to respond quickly and effectively.

Learn more about how Code42 Incydr can help you detect and respond to unauthorized access to data, devices, systems, and networks in your organization.

Christian Wimpelmann

Christian Wimpelmann, CISSP, CCSP is an IAM Manager at Code42, focused on identity strategy and implementation. Christian spent the first 14 years of his career at Target Corporation, building and maintaining identity management and directory platforms.