Unauthorized access is when a person gains entry to a computer network, system, application software, data, or other resources without permission. Any access to an information system or network that violates the owner or operator’s stated security policy is considered unauthorized access. Unauthorized access is also when legitimate users access a resource that they do not have permission to use.
The most common reasons for unauthorized entry are to:
- Steal sensitive data
- Cause damage
- Hold data hostage as part of a ransomware attack
- Play a prank
The three primary objectives of preventing unauthorized access are:
- Confidentiality—the protection of sensitive information from unauthorized access
- Integrity—the protection of sensitive information from unauthorized modification or destruction
- Availability—the protection of sensitive information and information systems from unauthorized disruption
Let’s jump in and learn:
How Unauthorized Access Occurs
Understanding how unauthorized access occurs helps guide the implementation of best practices. Many common tactics fall into two broad categories: digital and physical.
Digital Unauthorized Access Tactics
Guessing passwords is a common entry vector for unauthorized access. Manual password guessing is done using social engineering, phishing, or by researching a person to come up with information that could be the password.
In scaled attacks, software is used to automate the guessing of access information, such as user names, passwords, and personal identification numbers (PIN).
Exploiting software vulnerabilities
A mistake in software is referred to as a bug. In most cases, these bugs are annoying, but harmless. However, some bugs are significant vulnerabilities that can be exploited to gain unauthorized access into applications, networks, operating systems, or hardware. These vulnerability exploits are commonly executed with software or code that can take control of systems and steal data.
Cybercriminals often gain unauthorized access by taking advantage of human vulnerabilities, convincing people to hand over credentials or sensitive data. These attacks, known as social engineering, often involve some form of psychological manipulation and utilize malicious links in email, pop-ups on websites, or text messages. Common social engineering tactics used to gain unauthorized access include phishing, smishing, spear phishing, ransomware, and impersonation.
Physical Unauthorized Access Tactics
Cybercriminals often gain unauthorized access to physical spaces to carry out their plans. Some opt to steal laptops or smart devices, then break into them offsite. Others target computers or routers to insert malware.
Tailgating or piggybacking
Tailgating is a tactic used to gain physical access to resources by following an authorized person into a secure building, area, or room. The perpetrator can be disguised as a delivery or repair person, someone struggling with an oversized package who may require assistance, or someone who looks and acts as if they belong there. Most of these situations occur "in plain sight."
Fraudulent use of access cards
Access cards that are lost, stolen, copied or shared pose an unauthorized access risk.
While incredibly simple, propping open a door or window is one of the most effective ways for an insider to help a perpetrator gain unauthorized access to restricted buildings or spaces.
Other Unauthorized Access Tactics
A malicious insider can collude with an outsider to provide unauthorized access to physical spaces or digital access to systems. Often, an insider comes up with a plan, then brings in an outsider to help. A more sophisticated third party can help override internal controls and bypass security measures.
Passbacks are instances of sharing credentials or access cards to gain unauthorized access to physical places or digital systems.
Best Practices for Preventing Unauthorized Access
Electronic Data Protection
- Monitoring should be in place to flag suspicious attempts to access sensitive information.
- Inventory of the devices on the network should be performed regularly to maintain comprehensive, up-to-date maps.
- Encryption should be used for viewing, exchanging, and storing sensitive information.
- Network drives should be used to store sensitive information to protect it from unauthorized access and for disaster recovery.
- Mobile devices and personal computing devices should not be used for storing sensitive information.
- Removable media and devices should not be used to store sensitive information.
- Access to systems and data should be limited on a need to use basis, also known as the principle of least privilege.
- Suspected security breaches should be reported immediately.
Backup and Disposal of Data
- Data should be backed up and stored according to data governance policies.
- Sensitive data backed up to cloud storage providers should be encrypted.
- Backups should be conducted on a regular basis.
- Data that is no longer needed should be permanently deleted.
- Professional computer recycling programs should be used for decommissioned computers and devices, with all data removed prior to the recycling process.
- Cross shedders should be used to dispose of paper documents.
Password Management and Protection
Organizational leaders should ensure strong password policies and effective compliance programs are in place to prevent unauthorized access, as well as follow these guidelines themselves.
- Unique passwords should be used for each online account.
- Passwords should be changed for any account or device that has experienced an unauthorized access incident.
- Strong passwords should be used that include a combination of letters, numbers, and symbols. A password should not be a word, common phrase, or one that someone with a little personal knowledge might guess, such as the user’s child’s name, address, or phone number.
- Passwords should never be shared.
- Passwords should be changed periodically.
- Passwords should not be written down or stored in an unsecure location.
System and Device Protection
- Multifactor authentication should be used for all systems.
- Malware scans should be regularly run on all systems.
- Computers, laptops, and smart devices should have the lock screen enabled, and should be shut down when not in use for extended periods.
- Single sign-on (SSO) should be considered to centrally manage users’ access to systems, applications, and networks.
- Operating systems and applications should be updated when patches and new versions are available.
- Anti-virus, anti-malware, and anti-ransomware software should be installed on all computers, laptops, and smart devices.
Electronic Communications Protection—Email, Instant Messaging, Text Messaging, and Social Media
- Sensitive data should only be encrypted or sent as a password-protected file.
- Attachments or links from untrusted sources should not be opened.
- Caution should be taken to avoid phishing scams.
Coach Employees to Avoid Risky Behaviors
- Screens should be positioned so they cannot be viewed by others.
- Special precautions should be taken when leaving devices unattended in work from home environments.
- Account recovery questions should not be easy to guess.
- Pop-ups and shortened URLs should not be clicked on unless from a trusted source.
- Sensitive information should not be accessed or discussed in public locations.
Unauthorized Access Incident Response
Timing is of the essence in the event of an unauthorized access incident. Prior planning and having a team ready to respond is critical.
The National Institute of Standards and Technology offers four steps for incident response handling:
Take a Defensive Stance Against Unauthorized Access
The damage from unauthorized access goes beyond time and money; trust and reputation are also casualties.
Protection of sensitive data should be top of mind and a high priority in all organizations. A defensive, proactive approach to preventing unauthorized access can protect information and systems from disclosure, modification, destruction, and disruption.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 17,000 customers with millions of customers worldwide.