Use Risk Assessments Before Providing Access
Risk assessments let you evaluate the risks of offering external access.
Any time you consider providing access to something inside your network, it's important to handle the situation properly. Usually, though, the only thing most people think about is the business need, or why doing so might be useful. But a decision based solely on the benefits of sharing access shouldn't be enough. You also need to perform a reasonable risk assessment of the situation.
There's no real trick to performing risk assessments. The easiest way to start is to write down a comprehensive list of the security controls that are in place, including things like antivirus, multifactor authentication, IP restrictions and so on. The point is to understand, for each control on the list, how difficult it would be to bypass or disable it and how much damage could be done once it's gone. About the only mistake you can make here is to assume that you are smarter than the attacker; you're much better off assuming that any would-be attacker is at least as smart as you and knows everything about your network that you do, including your defences.
For example, many TRINUS customers run water treatment plants and so need to provide outside access to internal resources for contractors. Let’s break this situation down a little bit:
Most of those devices are SCADA (supervisory control and data acquisition) equipment, and the industrial protocols they speak, such as Modbus, were designed without encryption or authentication. These protocols are publicly documented and have been well understood for a long time. This means anyone who can reach such a device over the network can connect to it and take complete control of it. Of course, doing so requires some specialized knowledge of industrial control systems, but that knowledge is not as rare as people assume, and if someone gains full control of a SCADA device in a water treatment plant, plenty of people could die due to incorrectly set chemical levels.
One way to secure these devices is to put them behind a firewall with an IP restriction so that only designated IPs can connect. This may seem like a good idea, but how hard is it to bypass? Commercial VPN services are widely available, trivial to set up and trivial to configure, and they let an attacker choose the city or country their traffic appears to come from. So an IP restriction can be trivial to bypass, especially if you've only restricted it to a region, such as IPs in the same city, province, or even country, rather than to the specific addresses the contractor actually connects from.
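To make the bypass concrete, here is an added example (written for this article, not code from TRINUS or from any product) that evaluates a handful of constructed connection attempts against two hypothetical firewall policies: a regional allowlist that admits a whole address block, and a per-host allowlist that admits only the contractor's static address. All addresses are from the RFC 5737 documentation ranges, and the "VPN exit node" is simply another address in the same block as the contractor, which is exactly what a commercial VPN with a local exit gives an attacker. A third policy adds the authentication check that a raw industrial protocol cannot enforce on its own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical policies. 203.0.113.0/24 stands in for "every IP in the city";
# 203.0.113.10 stands in for the contractor's static office address.
REGIONAL_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
PER_HOST_ALLOWLIST = [ipaddress.ip_network("203.0.113.10/32")]


@dataclass(frozen=True)
class Attempt:
    who: str            # label used only for reporting
    src_ip: str         # source address as seen by the firewall
    authenticated: bool  # did the client present valid credentials (e.g. MFA)?


# Constructed connection attempts for the example; not real traffic.
ATTEMPTS: List[Attempt] = [
    Attempt("contractor from office", "203.0.113.10", True),
    Attempt("attacker via VPN exit in same city", "203.0.113.200", False),
    Attempt("attacker from outside region", "198.51.100.7", False),
    Attempt("stolen contractor address, no credentials", "203.0.113.10", False),
]


def ip_allowed(src_ip: str, allowlist) -> bool:
    """True if src_ip falls inside any network on the allowlist."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowlist)


def decide(attempt: Attempt, allowlist, require_auth: bool) -> str:
    """Apply the IP restriction first, then (optionally) authentication."""
    if not ip_allowed(attempt.src_ip, allowlist):
        return "blocked: source IP"
    if require_auth and not attempt.authenticated:
        return "blocked: authentication"
    return "allowed"


def evaluate(allowlist, require_auth: bool) -> Dict[str, str]:
    """Run every constructed attempt through one policy and report decisions."""
    return {a.who: decide(a, allowlist, require_auth) for a in ATTEMPTS}


if __name__ == "__main__":
    for name, allowlist, auth in [
        ("regional allowlist only", REGIONAL_ALLOWLIST, False),
        ("per-host allowlist only", PER_HOST_ALLOWLIST, False),
        ("per-host allowlist + authentication", PER_HOST_ALLOWLIST, True),
    ]:
        print(f"== {name}")
        for who, verdict in evaluate(allowlist, auth).items():
            print(f"  {who:45s} {verdict}")
```

Running it shows the regional policy admitting the attacker on the in-city VPN exit, the per-host policy stopping that attacker but still waving through anything that arrives from the contractor's address, and only the third policy rejecting the unauthenticated attempt from the "right" IP. That last row is the point of the exercise: an IP allowlist is a useful layer, but because the device's own protocol cannot authenticate anyone, the access path needs something in front of it (a VPN concentrator or protocol gateway) that can.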
Evaluating risk isn't difficult, but it does require a solid understanding of the relevant security protocols and options. It's hard to evaluate the risk of allowing contractors access to OWA (Outlook Web Access) if you don't understand how it works. And, as usual, risk assessments in these situations can be, and often are, mandated by legislation or regulations like PCI-DSS and PIPA. A proper risk assessment is necessary to properly weigh the pros and cons whenever you consider providing access to a resource.
If you’d like help evaluating potential risks or creating your own risk assessments, contact a TRINUS cybersecurity professional today and get yourself some stress-free IT.
This week’s quote comes from the Shakespearean play Macbeth; “Fair is foul, and foul is fair: Hover through the fog and filthy air.”
Be kind, courtesy your friendly neighbourhood cyber-man.