
The Power of Role-Based Access Control in Network Security

Determining the right network access control (NAC) security policy for your organization isn’t an easy task.

It’s often a balancing act between keeping your network secure and ensuring employees can access the systems they need to do their jobs.

Role-based access control (or RBAC) can be a good way of ensuring your network is protected. If you’ve been considering implementing RBAC in your organization but aren’t entirely sure of the benefits, this article will answer your questions.

What is role-based access control?

Role-based access control is a way of restricting access based on a user’s role within an organization. This means that users aren’t assigned permissions directly but are instead given roles that govern their levels of access. Depending on their job and responsibilities, a user may have one or more roles.

Let’s say, for example, you have a staff database on your network, which contains all your employees’ contact details and contractual information.

Everyone in the organization may have access to edit their own personal details. Managers may have access to edit their team’s information, but no one else’s. Your HR team may have full access to the database to view and edit everyone’s data.

RBAC works on the Principle of Least Privilege (PoLP). This means users have the minimal level of access needed to carry out their job.

RBAC isn’t the only access control method available. There are other options you can consider, like attribute-based access control (ABAC), policy-based access control (PBAC) and access control lists (ACL). However, role-based access control is one of the most effective ways of not only keeping networks secure but improving organizational efficiency.

A study by NIST has shown that role-based access control addresses most of the needs of government and commercial organizations.

Why is role-based access control so important when it comes to network security?

Networks are more susceptible to security breaches than ever before. People working from home and the introduction of BYOD policies mean more endpoints that can be compromised.

In fact, according to IBM, it’s estimated that data breaches in 2021 cost businesses an average of $4.24 million.

With this in mind, it’s essential to ensure networks stay safe. Here’s how role-based access control can provide security for businesses large and small.

I. It makes it easy to ensure networks are secure

Setting up permissions for networks is relatively straightforward. However, as people start, leave, and move around organizations, permissions can become less efficient. Users may end up with access to systems they no longer need.

RBAC means IT departments can effectively manage what access people have with a click of a button.

Let’s go back to the example of the staff database above and say that a new staff member has joined the HR team. Rather than setting access at a user level, you can add them into the ‘HR’ role so they can have full access to the system.

A few years later, let’s say the staff member moves into the sales team, meaning they no longer need full access to the staff database. Rather than changing every single point of access they have, it’s just a case of adding them into the ‘sales’ role instead.
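The staff-database example from this article, as an added sketch in Python (not code from the original page or from Portnox): permissions attach to roles, users only hold roles, and a job change is a single role swap. The role names, the empty `sales` entry and the `User` fields are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Scope of staff records that a permission covers.
OWN, TEAM, ALL = "own", "team", "all"

# Role -> set of (action, scope) pairs, following the article's example.
# Role names and the empty "sales" entry are assumptions for illustration.
ROLE_PERMISSIONS = {
    "employee": {("edit", OWN)},
    "manager": {("edit", TEAM)},
    "hr": {("view", ALL), ("edit", ALL)},
    "sales": set(),  # grants nothing on the staff database
}


@dataclass
class User:
    name: str
    team: str
    roles: set = field(default_factory=lambda: {"employee"})


def is_allowed(actor, action, record_owner):
    """Deny by default; allow only if one of the actor's roles grants the
    action with a scope that covers the record owner."""
    for role in actor.roles:
        # Unknown roles grant nothing.
        for granted_action, scope in ROLE_PERMISSIONS.get(role, ()):
            if granted_action != action:
                continue
            if scope == ALL:
                return True
            if scope == TEAM and actor.team == record_owner.team:
                return True
            if scope == OWN and actor.name == record_owner.name:
                return True
    return False


def move_role(user, old_role, new_role, team=None):
    """Job change: remove the old role and add the new one in one step,
    so access from the previous job does not accumulate."""
    user.roles.discard(old_role)
    user.roles.add(new_role)
    if team is not None:
        user.team = team


def demo():
    """Walk through the article's scenario and return the decisions."""
    alice = User("alice", "hr", {"employee", "hr"})
    bob = User("bob", "support", {"employee", "manager"})
    carol = User("carol", "support")
    dave = User("dave", "finance")
    results = {
        "carol_edits_self": is_allowed(carol, "edit", carol),
        "carol_edits_dave": is_allowed(carol, "edit", dave),
        "bob_edits_carol": is_allowed(bob, "edit", carol),
        "bob_edits_dave": is_allowed(bob, "edit", dave),
        "alice_edits_dave_as_hr": is_allowed(alice, "edit", dave),
    }
    # Alice moves from HR to sales: one role swap removes database-wide access.
    move_role(alice, "hr", "sales", team="sales")
    results["alice_edits_dave_after_move"] = is_allowed(alice, "edit", dave)
    results["alice_edits_self_after_move"] = is_allowed(alice, "edit", alice)
    # Counter-example: adding the new role without removing the old one
    # leaves the HR access in place.
    erin = User("erin", "hr", {"employee", "hr"})
    erin.roles.add("sales")
    results["erin_edits_dave_without_removal"] = is_allowed(erin, "edit", dave)
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allow' if allowed else 'deny'}")
```

The last check shows why the move has to remove the old role as well as add the new one: otherwise the user keeps HR-level access after leaving the HR team.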

II. It reduces the attack surface

It’s estimated that one in four data breaches result from human error. With RBAC, if a member of staff causes an accidental (or intentional) data breach, there will be less impact.

Let’s say someone is a victim of a phishing attempt, and a hacker obtains their login details. The hacker will only be able to access the information that the member of staff has through the roles they have been allocated.

This means even if a data breach occurs, most of your information will still be safe.

III. It reduces the risk of ‘insider threats’

Disgruntled employees can often try and settle the score by leaking confidential data or deleting important information. Earlier this year, an IT technician in the UK was jailed for 21 months for wiping data from the school he was formerly employed at after being fired.

As role-based access control gives just enough access to ensure staff can carry out their jobs, it minimizes the risk of users causing intentional harm to your networks.

Similarly, if you work with any third parties, you can use RBAC to assign them pre-defined roles and limit what they can view or edit. Once you stop working with them, you can quickly remove their permissions.

IV. It can quickly scale and adapt

As RBAC deals with overarching roles rather than individual permissions, it can grow as an organization’s IT requirements do.

Let’s say you acquire a new application for your organization. Role-based access control makes it easy to create new permissions as well as set different levels of permissions quickly. As a result, you can ensure any new hardware or software stays secure and that the right people have access.

V. It can ensure you stay compliant

Some industries, like healthcare and financial services, are heavily regulated and have stringent compliance regulations in place. For example, the Health Insurance Portability and Accountability Act (HIPAA) states that only certain people should be allowed access to specific systems.

Role-based access controls can ensure that organizations in these industries do what is required of them, minimizing the risk of security breaches as well as fines for willful violations of the law.

How Portnox can help with your RBAC requirements

Role-based access control can be an extremely efficient way of ensuring network security and can be as top-level or granular as your organization demands. The key is developing a solid strategy before creating and assigning roles.

Which parts of your network need access control, which departments need permissions, and how will you assign people to the right roles?

If you need extra support keeping your network safe, Portnox is here to provide you with peace of mind. Our NAC security solutions come with role-based authentication and access policies to ensure the right people can access your network at the right time.

Contact our team today to find out more.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

How Organizations Can Properly Secure Network Access for Remote Workforces

IT security policies have traditionally been perimeter-based, primarily concerned with the network activity within their own office and corporate network. While remote work certainly existed before, it has now become a standard – even an expectation among employees – no matter the industry or job function.

This rapid expansion of remote workforces has created significant operational and cultural changes for companies worldwide – particularly when it comes to IT and securing corporate digital eco-systems. Many organizations were not fully prepared for such an immense transition of expanding corporate edges and countless new endpoints.

With so many workers now scattered beyond the walls of their physical offices, this has created a considerable challenge for IT departments that find themselves struggling to monitor and gauge the real security posture of their networks, and the endpoints in use across them. The weakest link is no longer in the cubicle next to you – it can be halfway around the world in the home office of an employee using a VPN on a compromised laptop.

Secure Network Access for Remote Workers: Challenges Today

There are numerous potential risks for companies when it comes to enabling secure network access for remote workforces:

  • Limited Network & Endpoint Visibility: Remote work environments can make it considerably more difficult for an organization to maintain visibility and control over the data security of its employees. A lack of visibility inhibits IT and security teams from achieving operational and security objectives, while putting the business at increased risk.
  • Increased BYOD Use: An increasing number of employees these days use personal devices to access company networks. This is especially true as employees find themselves working from home with greater regularity. In many cases, these devices are often not fully compliant with their employer’s security policies. Unsecured personal devices can provide potential attack vectors for cybercriminals to target a corporate network.
  • Social Engineering Attacks: As organizations have bolstered their cybersecurity measures over time, it has become more difficult for cybercriminals to exploit security posture vulnerabilities. In turn, many have favored more cost-effective tactics to breach networks, like phishing emails that capitalize on human error and trust. Social engineering tactics need only an unwitting or distracted employee to succeed, and therefore typically require less technical knowledge to pull off.

What’s Needed to Secure Network Access for Remote Workers

Here are some critical considerations when it comes to enabling secure network access for remote workers:

  • Firewall: Serving as somewhat of an electric fence to your network, firewalls remain a basic but essential extra layer of protection for remote workers. One pitfall is that many employees may disable their firewall if they believe it to be slowing down their device, keeping it from blocking malicious traffic.
  • Antivirus: An equally essential, yet often forgone, staple in your security stack is antivirus software. In addition to providing protection from all sorts of malware, the Next-Generation Antivirus (NGAV) of today utilizes predictive analytics driven by AI and machine learning for advanced threat detection. This includes determining root causes from endpoint data and responding to previously undetected emerging threats.
  • Managing Endpoint Visibility: Unmonitored remote devices can bring an abundance of potential threats to a network if they are not up-to-date and properly configured. Visibility is a key issue here. By implementing solutions like NAC, companies gain insight into every user and device on their network, allowing them to pinpoint any weaknesses within it. With this visibility they can then control, adjust, or deny access for any device as needed.
  • VPN: While it’s common for many companies to offer secured VPN connections for remote employees, VPN can’t serve as a comprehensive security solution. A VPN alone can leave you in the dark about the security posture and compliance level of the device connecting to it. You could unknowingly be giving safe passage for a compromised device directly to your network.
  • Device Risk Monitoring & Mitigation: With the help of an agent or MDM, NAC solutions like Portnox CLEAR can work alongside a VPN, offering two-factor authentication based on user identity and endpoint risk score. Continuous monitoring is key here for keeping countless users and devices in compliance, no matter their location. By knowing the security posture of remote devices, IT teams can adjust their security policy and mitigate potential threats.
  • Employee Training & Awareness: Employees are more likely to be lax with their security habits outside the office, and cybercriminals are no stranger to this reality. Maintaining employee awareness of these potential threats is key for risk mitigation. Whether regarding proper password management, compliance policies, or how to spot phishing attempts, it’s highly beneficial to offer employee education and training in security best practices.


Why You Should be Leveraging Nmap for Network Endpoint Security

We have all been there. We are at a new place with new devices and the previous person did not keep good records. Now we’re being asked to secure the network without losing current functionality. Allow the good devices and block the bad, or at least put the bad on the guest network. So, what are all the devices on the network?

Some of the devices will be easy to identify and others not so much. An invaluable free tool to help you get started is Nmap (https://nmap.org/). It lets you run a quick scan of your network to find out how much you know and how much you don’t know.

How Nmap Enables Endpoint Visibility

You can run Nmap from the shell prompt with its many command-line options, but an easier way to get started is Zenmap, which has a UI to help you navigate your initial discovery.

One helpful feature of both the Nmap command line tool and Zenmap is the ability to output the results as XML. This output then allows you to use additional data parsing techniques to dig further into your data and look for patterns that can help you identify various devices with some detective work.

Nmap does a great job at identifying certain devices, but it’s not a comprehensive resource for all IoT devices in the market. Most of the time, you can identify the laptops, servers, and networking devices in your network, but not the mass of IoT devices people carry around or use in modern offices. TVs, projectors, lightbulbs, phones, and other harder to identify devices need to be properly identified especially as you strive to not interrupt business as usual.

Getting Started With Nmap

Let’s work through a small example on how to use the results from Nmap to help identify groups of devices on your network to help you determine network security rules for applications like your Network Access Control (NAC) software.

First, we will install Zenmap to help us through our process. The latest instructions can be found here: https://nmap.org/zenmap/

Running a Scan on Your Network

After installation, we run an intense scan on a subnet of our network, in this case the 192.168.1.X part of our network, specified in CIDR notation.

The UI shows the command line that results from your profile selection, should you want to use it in future scripts. This is also where you set the output format. For this example, we will be using the -oX option from Zenmap, which lets us view and search the results as XML.

Examining Your Scan Results

Running this scan on a network you have access to might yield a typical IoT set of results.

As you can see there are many devices that are identified as Linux OS and unknown OS. Also, there is the easily identified Windows OS which is one of the laptops on the network, and many MacOS devices which include the Macbooks, iPhones, Apple watches, and other devices that attach to the network.

Classifying Unknown IoT Devices

Since many IoT devices use a base Linux OS, let’s see if we can find a pattern to help classify a larger subset of these unknown devices.

By selecting a device from our list, we can find some good details about what the device might be. The “Ports/Hosts” and “Host Details” tabs give us some insightful data about the identity of this device.

[Figure: Zenmap Host Details tab]

[Figure: Zenmap Ports/Hosts tab]

Already we see that one of the ports is associated with Amazon devices. There is one more hint in the XML output which can be obtained from the menu selection Scan -> Save Scan and opening the XML in Visual Studio Code.

Here we can see that the MAC vendor (the manufacturer of the network interface card) is also Amazon Technologies. MAC vendors are identifiable from the first three bytes of the MAC address and searchable from online sources such as https://standardsoui.ieee.org/oui/oui.txt

Filtering Out Devices From Results

With these hints we can start to look at our network with the lens of filtering out all Amazon devices like Alexa Echo Dots and Fire TV sticks.

A short PowerShell script run on the XML output yields the results that follow:

Or even better, you can use this script to get the IP addresses of those same devices, although you will still want the MAC addresses for NAC and other purposes.

This tells us that we likely have 8 devices from Amazon on our network. From here, I could scan our larger network for IP addresses whose MAC addresses belong to Amazon and classify those devices. Our network is one step closer to being secure.
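The filtering step described above, as an added example in Python (it is not the article's PowerShell script, which is not reproduced on this page): it parses Nmap `-oX` output, keeps the hosts that are up, and groups them by the MAC vendor attribute. The sample XML, its addresses, vendor strings and OS names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of Nmap's -oX output. MAC addresses use the
# documentation range 00:00:5E:00:53:xx; the vendor strings are made up.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:01" addrtype="mac" vendor="Amazon Technologies"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="96"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.14" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:02" addrtype="mac" vendor="Amazon Technologies"/>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:03" addrtype="mac" vendor="Apple"/>
    <os><osmatch name="Apple macOS" accuracy="98"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.5" addrtype="ipv4"/>
    <os><osmatch name="Microsoft Windows 10" accuracy="100"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.99" addrtype="ipv4"/>
  </host>
</nmaprun>"""


def parse_hosts(xml_text):
    """Return one record per host that is up: IP, MAC, vendor, OS guess, open ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        rec = {"ip": None, "mac": None, "vendor": "unknown",
               "os": "unknown", "open_ports": []}
        for addr in host.findall("address"):
            kind = addr.get("addrtype")
            if kind in ("ipv4", "ipv6") and rec["ip"] is None:
                rec["ip"] = addr.get("addr")
            elif kind == "mac":
                rec["mac"] = addr.get("addr")
                # The vendor attribute is missing when Nmap cannot map the prefix.
                rec["vendor"] = addr.get("vendor") or "unknown"
        match = host.find("os/osmatch")  # first OS match is Nmap's best guess
        if match is not None:
            rec["os"] = match.get("name", "unknown")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                rec["open_ports"].append(int(port.get("portid")))
        hosts.append(rec)
    return hosts


def by_vendor(hosts, needle):
    """Hosts whose MAC vendor contains `needle`, case-insensitively."""
    needle = needle.lower()
    return [h for h in hosts if needle in h["vendor"].lower()]


def vendor_summary(hosts):
    """Vendor -> list of IPs; hosts without a MAC land under 'unknown'."""
    groups = defaultdict(list)
    for h in hosts:
        groups[h["vendor"]].append(h["ip"])
    return dict(groups)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_XML)
    for h in by_vendor(hosts, "amazon"):
        print(h["ip"], h["mac"], h["os"], h["open_ports"])
    print(vendor_summary(hosts))
```

Nmap reports a MAC address only for hosts on the same Ethernet segment as the scanner, and a device can change its MAC address, so treat the vendor as a classification hint rather than proof of identity.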

Use Nmap to kickstart your network detective work and get your network more secure by knowing what devices are out there.


The New US Cybersecurity Act & What it Means

If you face a major cyber attack or pay ransom to attackers, you may have to report it to the Cybersecurity and Infrastructure Security Agency (CISA) within a certain timeframe under the new cybersecurity law.

The Strengthening American Cybersecurity Act of 2022, which became law in March 2022, imposes strict reporting obligations on critical infrastructure owners/operators: entities operating and/or owning critical infrastructure have to notify the CISA of ransomware payments within 24 hours and of major cyber incidents within 72 hours.

Who is covered by the new requirements? When and how are cyber incidents reported under the new law? Keep reading to find out more.

What is the Strengthening American Cybersecurity Act of 2022?

Although the new requirements on incident reporting make the headlines, the new cybersecurity law is composed of three separate regulations:

  1. The Cyber Incident Reporting for Critical Infrastructure Act of 2022: This regulation imposes on critical infrastructure operators the obligation to notify the CISA of “covered cyber incidents” and “ransom payments” within a certain timeframe.
  2. The Federal Information Security Modernization Act of 2022: This regulation contains requirements on federal information security management, on the reporting of cyber attacks, and on how these attacks will be remedied.
  3. The Federal Secure Cloud Improvement and Jobs Act of 2022: This regulation deals with the security requirements for the use of cloud products.

What Entities Are Covered in the Cybersecurity Act?

Under the new law, the CISA will have the power to decide what types of entities will be subject to the new incident-reporting requirements.

While the CISA is provided with wide discretion, the law requires the CISA to consider the following three factors when determining the “covered entities”:

  • How would national security, public safety, and public health be affected if an entity’s operations are disrupted or compromised?
  • What is the likelihood that a malicious actor, such as a foreign country, may target the entity?
  • “the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.”

Considering that these criteria refer to “national security”, “public safety” and also to the possibility of being targeted by foreign state actors, the 16 critical infrastructure sectors defined by the Presidential Directive 21 will likely be declared “covered entities”.

These sectors include, but are not limited to:

  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Healthcare and Public Health

While it is reasonable to expect that these sectors will be defined as “covered entities,” the CISA will likely go further and determine additional sectors as falling under the new law.

What Incidents Should Be Reported

Under the Act, there are two categories of attacks that need to be reported:

Cyber incidents

The Act does not require all incidents to be reported to the CISA and provides CISA with the power to determine the criteria and threshold for cyber incidents to be covered by the Cybersecurity Act.

However, the Act lists three types of high-impact cyber incidents that are covered by the Act. For example, incidents that involve “unauthorized access or disruption of business or industrial operations” due to a “compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise” must be reported under the Act.

A recent example of such a cyber attack is the SolarWinds attack. After Russia-backed hackers inserted malicious code into SolarWinds’ network monitoring software, they gained access to thousands of companies’ networks, including electricity, oil and manufacturing companies.

Ransom payments

“Ransomware Attacks” are defined broadly under the Act: Use or threatened use of all techniques aimed at hindering an entity’s information processing operations falls under the definition of “ransomware attack”. Alongside the traditional ransomware technique, encryption of data, the following types of mechanisms are also subject to the Cybersecurity Act:

  • Distributed denial of service attacks
  • Insertion of malicious code.

When to Report the Incidents? 

The Act sets out two different deadlines for the reporting of incidents:

  1. Incidents falling under the “ransom attack” category must be reported to the CISA within 24 hours after the entity operating/owning the critical infrastructure makes a ransom payment.
  2. A “covered entity” must report cyber incidents within 72 hours after it “reasonably believes that the covered cyber incident has occurred”.

Criticisms Against the Law

Though the new law is welcomed by many in light of the growing numbers of cyber attacks targeting critical infrastructure and the rising geopolitical tension in Eastern Europe, it is also criticized for not addressing a few critical issues:

  • No reporting to the FBI: The Department of Justice publicly opposed the new law for not requiring “covered entities” to report the incidents to the FBI. Some agree that direct notification of incidents to the FBI would enable the FBI to provide support to affected entities promptly and warn the other potential vulnerable entities against the risks.
  • DNS: Another criticism directed at the new Act is that DNS information is not included in the reporting requirements. Some argue that DNS information is critical to law enforcement agencies and investigations and it would make it easier for the law enforcement to carry out investigations and determine the origin of the attacks.

What Should “Covered Entities” Do?

Monitor new developments

It is far from certain what entities will be covered by the new reporting requirements, what the contents of the report will include or what types of incidents will fall under the applicability of the new Cybersecurity Act. The CISA will have the power to issue directives on these critical issues, and organizations should closely monitor new directives and opinions issued by the CISA.

Establish and Implement an Incident-Response Plan

Given that the new Act sets 24-hour and 72-hour notification requirements and defines the minimum content the reporting must include, organizations must put in place a robust incident response plan.


New Cyber Threats & Vulnerabilities Brought on by the Rise of IoT Devices

Diving into Internet of Things Statistics

An Internet of Things (IoT) device simply means a device which can communicate back and forth with a central hub, mainly via WiFi but also using technologies such as SIM cards and radio frequencies. We are living in the age of digital connectivity: if it can have an IP address, then you best believe it’ll have one assigned. Examples range from Samsung’s AI-powered Family Hub Smart Fridge, which tells you what recipes you can make based on the ingredients inside, to Tesla vehicles with over-the-air updates for not only the software but also actual motor components (a 2018 update on the Model 3 to adjust the anti-lock algorithm which helped with braking distance).

Consumer technologies aren’t alone when it comes to utilizing the Internet of Everything. Industries such as healthcare have their own use case. Internet of Medical Things (IoMT) such as smart sensors for monitoring patients’ vitals are an essential piece of equipment in modern healthcare facilities.  

The statistics back this growth: there are already more active IoT devices (10 billion) than people on earth. It’s expected that there will be over 30 billion total IoT devices by 2025, with the market value projected to reach $875 billion by that time. Every second, over 100 new IoT appliances connect to the public internet. It’s so widely adopted that almost a third of the US population own a smartwatch. This sharp increase in devices has a clear effect on the global volume of data being transported; the graph below shows year-to-year growth.

Cyber Threats & Vulnerabilities of IoT

As the Internet of Things rapidly grows, the cyber threats and associated risks continue to evolve and become increasingly complex with hackers coming up with new ways to breach devices and networks. Every organization should be aware of their own network attack surface, which is the totality of all vulnerabilities from connected devices and hardware. Each device poses a possible point of entry for an unauthorized user to gain access. Ideally you keep your attack surface as small as possible, making it easier to protect. But for some organizations, this simply isn’t a possibility, as there might be a need for thousands, if not hundreds of thousands of IoT sensors to report on key analytics.  

As mentioned earlier, the healthcare industry has a sizable use case when it comes to IoT devices. An issue with this is the cost associated with complex pieces of equipment such as MRI scanners and X-ray machines. It simply isn’t feasible for these items to be upgraded regularly, which in turn leads to outdated and unsupported systems still playing a key role in the infrastructure. As an example, Windows 7 support was discontinued in January of 2020 after 10 years in operation, creating an untold number of vulnerabilities for organizations around the globe. According to a report from Unit 42, the cybersecurity division of Palo Alto Networks, 83% of medical imaging devices are running unsupported operating systems.

IoT devices suffer from a range of other vulnerabilities, including: 
  • Weak/default passwords and settings: Back in 2016, the largest DDoS attack ever at the time was launched against the service provider Dyn using a botnet powered by IoT devices. Hackers used a piece of malware called Mirai, which after initially infecting a computer would continue searching for vulnerable IoT devices and use default usernames and passwords to log in. These credentials can be found online easily, and if the network operator doesn’t change them, anyone can gain access.
  • Poor device security from the manufacturer: When a device communicates in plain text, all information that is being transferred can easily be intercepted via a Man-in-the-Middle attack.
  • Outdated IoT firmware: A large percentage of IoT devices use third-party libraries for their firmware. These can easily become outdated, and because the firmware on some devices cannot be updated, this poses an issue.

Protecting your IoT Devices and Network

Network administrators need to realise that with these new devices they need to ensure they are keeping up with the essential security solutions. Strong passwords, firewalls and anti-virus software simply aren’t sufficient. The first step in protecting your IoT devices is to learn and understand what the most likely cyber threats are. Create a threat model which identifies, evaluates, and prioritizes potential vulnerabilities. Having a documented network is essential; a well-maintained network management system with advanced monitoring will massively help identify weak spots in the network.

Basic IoT network security measures include:
  • VLANs: Place the IoT devices in their own VLAN with total segregation from the rest of the network. This doesn’t have to be anything overly complicated; just set some simple rules such as trusted and untrusted, depending on how much faith you have in the device. For example, a Nest smoke alarm can be placed in the trusted VLAN and have access to the internet, but a cheap Chinese thermometer would go in the untrusted VLAN and not have access to anything else.
  • Static IPs: If it is possible to assign a static IP, definitely do so. This helps you to keep track of the device and can make troubleshooting a whole lot easier. Another benefit of this is helping with identifying new devices on the network. 
  • MAC Address whitelisting: An easy way of ensuring only authorized devices can access your company network. But it is important to note that these can be easily spoofed. 
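
The three basic measures above reinforce each other: a documented static IP, an allowlisted MAC and an expected VLAN give three facts to cross-check, so a spoofed MAC that appears at the wrong address or in the wrong segment still stands out. The following audit is an added example, not code from the original article; the inventory, the addresses and the (ip, mac, vlan) observation format are constructed samples standing in for whatever your switches or network management system export.

```python
from collections import defaultdict

# Constructed inventory: MAC -> (device name, static IP, VLAN). Sample values only.
INVENTORY = {
    "aa:bb:cc:00:00:01": ("nest-smoke-alarm", "10.20.0.11", "trusted"),
    "aa:bb:cc:00:00:02": ("thermometer", "10.30.0.12", "untrusted"),
}

# Constructed observations, as if parsed from ARP/MAC tables: (ip, mac, vlan).
OBSERVED = [
    ("10.20.0.11", "AA:BB:CC:00:00:01", "trusted"),    # matches the inventory
    ("10.20.0.50", "aa:bb:cc:00:00:02", "trusted"),    # wrong IP and wrong VLAN
    ("10.30.0.12", "aa:bb:cc:00:00:02", "untrusted"),  # same MAC at a second IP
    ("10.30.0.77", "de:ad:be:ef:00:09", "untrusted"),  # not in the inventory
]

def audit(inventory, observed):
    """Return a sorted list of (mac, finding) for every deviation from inventory."""
    findings = set()
    seen_at = defaultdict(set)  # mac -> set of IPs it was observed using
    for ip, mac, vlan in observed:
        mac = mac.lower()  # tools differ in case; normalise before comparing
        seen_at[mac].add(ip)
        if mac not in inventory:
            findings.add((mac, "unknown-device"))
            continue
        _, static_ip, expected_vlan = inventory[mac]
        if ip != static_ip:
            findings.add((mac, "ip-mismatch"))
        if vlan != expected_vlan:
            findings.add((mac, "vlan-mismatch"))
    for mac, ips in seen_at.items():
        if len(ips) > 1:
            # One MAC answering at several IPs is a common sign of a cloned address.
            findings.add((mac, "mac-seen-at-multiple-ips"))
    for mac in inventory.keys() - seen_at.keys():
        findings.add((mac, "inventory-device-not-seen"))
    return sorted(findings)

if __name__ == "__main__":
    for mac, finding in audit(INVENTORY, OBSERVED):
        print(f"{mac}  {finding}")
```
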
Advanced IoT security measures include:
  • Modern Network Access Control (NAC): Traditional NAC solutions don’t scale well when it comes to IoT. Standard IEEE 802.1X security protocols are mostly incompatible with IoT devices. As mentioned above, MAC authentication can be spoofed. With NAC, network administrators are able to configure and enforce security policies and analyze device risk postures.
  • Automated configuration: Having an automated onboarding system in place for new devices is a smart idea. If your company has a large number of IoT devices, it can be easy for some to slip through the security configuration if done manually.  
  • Device certificates: Using X.509 device certificates to manage the identity and security of devices adds another layer of security. These certificates play a key role in PKI-based security and serve as proof of device authenticity, supporting authentication, encryption, and data integrity.
  • Secure API connections: APIs are commonly used to transfer data between applications and devices. This can give way to a whole host of cyber threats. It is essential that only authorized systems can communicate with the API. The use of tokens to establish trusted identities and provide access to the appropriate services is highly recommended. 
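
To make the token recommendation concrete, here is an added example (not from the original article) of an API gateway check that accepts a request only if the device's token is authentic, unexpired and scoped to the service being called. The HMAC-signed token format, the scope names and the device id are assumptions chosen for illustration; the article does not prescribe a token scheme.

```python
import base64, hashlib, hmac, json

# Constructed sample key; in practice load it from a secret store, never from code.
SECRET = b"constructed-demo-key-not-for-production"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(device_id, scopes, expires_at, key=SECRET):
    """Bind a device identity, its allowed scopes and an expiry under one MAC."""
    claims = {"dev": device_id, "scopes": sorted(scopes), "exp": expires_at}
    payload = b64e(json.dumps(claims).encode())
    sig = b64e(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def authorize(token, required_scope, now, key=SECRET):
    """Return the device id if the token is valid for required_scope, else None.

    `now` is passed in (epoch seconds) so the check is deterministic to test.
    """
    try:
        payload, sig = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Verify the signature in constant time BEFORE parsing any claims.
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        claims = json.loads(b64d(payload))
    except (ValueError, TypeError):
        return None  # malformed token: wrong part count, bad base64 or bad JSON
    if now >= claims["exp"] or required_scope not in claims["scopes"]:
        return None  # expired, or not entitled to this service
    return claims["dev"]
```
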

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.
