WootCloud Blog

Back to Basics: Access Control Best Practices – The T-Mobile Breach Examined

T-Mobile Logo

T-Mobile Has Another Major Breach

Another massive enterprise data breach happened last week, this time to T-Mobile, exposing 54 million PII records. The 21-year hacker said their security was awful, accurate as this is the third breach in two years.

If you are a customer or have submitted your personal information to T-Mobile in the past, please visit their help pages to protect yourself now.

The hacker managed to break through T-Mobile’s defenses after discovering an unprotected router exposed. Where shall we start…

While successful security is a combined effort of people, process, and technology, the press indictment of the state of enterprise security being completely broken is clearly a sign they don’t know security, you can’t say they are entirely wrong. 

Solution: Review your people, processes, and technology, starting with the basics, early and often

We will start at the beginning, covering basic best practices in our areas of expertise, access control, network microsegmentation, and device security. We are not inserting the subtle and not-so-subtle self promotion in this series of posts.

As with most large organizational undertakings, the first step of the process is to imagine where you want to end up. This could take the form of many types of goals you want your organization to achieve, but they generally encompass saving time and money. Gain executive sponsorship and work through the politics with small wins, no big bang. 

You can’t after all know how to get there if you don’t know where you’re going.

The general guidance is to Remove risk across people, processes, and technology with regular meetings, automation, internal and external auditing and testing.

Access Control Basics and Best Practices

Least Privilege and Zero Trust

Consider who is in the kitchen, how often, and why. The marketing team may need finance access for ROI reports but can certainly service being emailed a report once a month or quarter. Given the type of business maybe weekly, but probably don’t need to create an API in to a third party SaaS product of ALL customer data.

This is a simple example of least privilege access, a core tenet to Zero Trust. Only give what employees need, when they need it. Your early employees will bicker about loss of control and visibility, but will thank you once a mishap happens at your organization.

Who is managing the managers? Admin controls are highly-unpopular among Admins but necessary. In several companies selling access control I have seen time and time again, audits of admins revealing root password use, shared passwords, orphaned accounts, and worse.

Role-based access control (RBAC)

Not everyone needs access to all areas of your organization. 

Examples of role-based access are the network administrator who gets access to the server room or the accountant who can unlock the company safe, and not vice versa. Two-man rule implementations of this are also possible. 

Routine reviews of these roles are important, making adjustments as companies grow, teams develop, mergers and acquisitions happen etc. When you create roles, make sure to check regulatory compliance practices specific to your industry and locale for each of these roles (GDPR and CCPA are major recent ones). Consider a layered approach with one team managing access, and another auditing it, and/or one team managing the app, and IT managing an app that audits them, and so on.

Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA)

Two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account, ie an ATM card and your password. 

There are three distinct categories to this:

  • something you know (your password or PIN)
  • something you have (like a phone or ATM card)
  • something you are (like your fingerprint)

For Multi-Factor Authentication (MFA)our credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.

As mobile and web based identification becomes more prevalent, the effectiveness of MFA will increasingly be called into question.

Automated provisioning, Password Management, Auditing 

Automated provisioning around security means having the ability to deploy information technology or telecommunications services using predefined automated procedures without requiring human interventions.

Automated provisioning significantly increases accuracy and efficiency, and thus reducing risk and OPEX cost, especially at scale.

Many IAM and IDM solutions automate this, the password management and auditing, as well as offboarding processes. WootCloud integrates with several of them, and gives our customers 

Automate Onboarding and Offboarding and orphan mgmt

Even basic identity and/or access management systems can solve major onboarding and offboarding challenges when onboarding a new employee/contractor/vendor can automatically assess which privileges to grant based on department/role. 

Having finer-grained controls can give your identity and/or access management solution superpowers Not only can you quickly automate onboard and offboard new users, you can alert teams and/or require reauthentication whenever anomalous behavior arises, ie when a user based in one geography logs in from another unknown location – possibly outside of baselined behavior, or logs in simultaneously from two different machines – again outside of baselined behavior.

Throwback – this practice is not new – this 2007 post has many of these basic access control measures outlined, well beyond just basic management – baselining, managing, and precursors to zero trust, RBAC, and the need for auto provisioning

Modern security systems can identify, understand, and block: 

  • Infiltration – from new and existing users
  • Persistence – from both unknown users, but also known users with compromised credentials
  • Exfiltration – my first security job was in ‘97 sending alerts on large email attachments being sent outside the company, and calls made to competitor numbers. This is as important as ever and is much more sophisticated now. Files are parsed and sent over time, during business hours, often to known and trusted customer and partner recipients with compromised credentials.

Understanding and acting on odd behavior by both known and unknown users in the moment of compromise is key.

Even when you review/tighten/execute these Access Controls, you will likely get breached, and likely within the coming months. These are basics and many cybercriminals are highly skilled professionals. Keep reading our blogs for the latest on device security, 

Request a 20-minute demo, specific to your environment today. 

Share this post with your network.

Share on linkedin
Share on twitter
Share on facebook
Contributing Authors:

Andreas Stenzel

Share this post with your network.

Share on linkedin
Share on twitter
Share on facebook

This website uses cookies to ensure you get the best experience on our website.