Access control is a security technique that allows only authorized persons to access the areas and resources in a given physical facility or computer-based information system. Access control also allows a trusted person to control access by admitting the authorized persons, or it can be automatic: security software can be designed to enforce the control.
Overview
Access control has various vulnerabilities and threats, as it is exposed to different persons with different intentions. These persons are either attackers or newcomers who wish to intrude into the system; they can also be the authorized persons who are allowed to access the areas and the systems in place. Businesses strive to put an end to vulnerabilities so that they are not affected by them in any way, and containment measures are put in place to control the threats. Some threats and vulnerabilities of access control are:
Employees are the biggest threat to access control. Employees may use their privileges for personal gain. Manworren, Letwat, and Daily (2016) reported that most data breaches and exposures are traced back to employees or a person within the business or company. It is advisable in this sense to ensure that the security data of such sensitive devices is given to a few trusted individuals within the company rather than to the whole company. Employees may also give their login credentials to the wrong persons, who can use that opportunity to access the system.
Phishing attacks are another threat to access control. Ghafir, Prenosil, Alhejailan, and Hammoudeh (2016) disclosed that this is where attackers trick an employee in the company or business and acquire the information they need without the knowledge of that person. The most common form of phishing attack is mimicking the employees' words to get full access. Security misconfiguration is another vulnerability, associated with the failed implementation of security controls for servers; it arises when security controls are implemented with common mistakes or errors. This flaw gives attackers unauthorized access to system data and, after that, results in system compromise.
Injection threatens access control when an attacker can use it to send hostile data to an interpreter. Chapple, Ballard, Tricia, and Banks (2013) maintained that tools such as scanners could help attackers find injection flaws. Injection can cause data loss and disclosure of business information to unauthorized persons. When attackers gain access this way, they rush to find ways to achieve a complete takeover before they are discovered.
How businesses can control these threats
Controlling employees so that they do not disclose business information to strangers may be a challenging task to achieve. Yan, Li, Wang, and Vasilakos (2015) suggested that companies may adopt a least-privilege policy so that no employee can access more data than the job requires. In turn, employees hold little information, which makes leaking information a difficult scenario. The business benefits from this since its data is assured of safety in the long run.
Businesses can control phishing by providing cybersecurity training that enlightens employees about the systems' vulnerabilities. This will help them recognize when the wrong people are tricking them into providing business information. This is one way in which businesses protect themselves from intruders.
The business can also handle security misconfiguration, a usual cause of business information exposure. Nedelcu (2015) maintained that enterprises could establish a repeatable hardening process that makes it very easy and fast to introduce another properly locked-down environment. This will bar attackers from easily accessing the system's data without authorization.
Complete takeovers of the host are a threat created by injection; however, the vulnerability can be done away with by keeping data separate from commands and queries. Recommended software avoids the exclusive use of an interpreter or provides a parameterized interface.
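The separation of data from queries described above, shown as an added example (not code from the original essay or the cited authors): a lookup that splices the username into the SQL text is placed beside the same lookup through a parameterized interface, using a constructed in-memory SQLite table.

```python
import sqlite3


def make_db():
    # Constructed sample data: one in-memory table with a single user row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin')")
    conn.commit()
    return conn


def lookup_role_unsafe(conn, username):
    # The value is spliced into the command text, so the interpreter cannot
    # tell where the query ends and the user-supplied data begins.
    query = "SELECT role FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_role_safe(conn, username):
    # The parameterized interface keeps the command fixed and passes the
    # value separately, so the value is only ever treated as data.
    query = "SELECT role FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,)).fetchall()]


if __name__ == "__main__":
    conn = make_db()
    # Constructed hostile input: data that the unsafe version runs as code.
    hostile = "nobody' OR '1'='1"
    print(lookup_role_unsafe(conn, hostile))  # returns every role: ['admin']
    print(lookup_role_safe(conn, hostile))    # no such user: []
    print(lookup_role_safe(conn, "alice"))    # legitimate lookup: ['admin']
```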
Access control is the gateway through which a business reputation can either be built or destroyed. Businesses put up many defences to keep their data safe and out of reach of intruders. This is done by many methods, including creating a threat intelligence framework.
References
Manworren, N., Letwat, J., & Daily, O. (2016). Why you should care about the Target data breach. Business Horizons, 59(3), 257-266.
Ghafir, I., Prenosil, V., Alhejailan, A., & Hammoudeh, M. (2016, August). Social engineering attack strategies and defence approaches. In 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud) (pp. 145-149). IEEE.
Yan, Z., Li, X., Wang, M., & Vasilakos, A. V. (2015). Flexible data access control based on trust and reputation in cloud computing. IEEE Transactions on Cloud Computing, 5(3), 485-498.
Nedelcu, B., Stefanet, M. E., Tamasescu, I. F., Tintoiu, S. E., & Vezeanu, A. (2015). Cloud computing and its challenges and benefits in the bank system. Database Systems Journal, 6(1), 44-58.
Chapple, M., Ballard, B., Tricia, B., & Banks, E. (2013). Access Control, Authentication, and Public Key Infrastructure (2nd ed.).