Three Additional Access Control Strategies

Below are some some additional access control strategies that are commonly in use.

  1. Limit access to networked systems by IP. Example would be if you have a database server online, does all of the internet have a need to access that system? Or does really only your webserver(s) need access to it?
  2. In the case you don’t limit access by IP, you should at least have a system to block brute force attacks. If you have a system online and don’t restrict access after x attempts, then an attacker can spend an unlimited amount of time trying to break into your system by brute force guessing an account.
  3. Log out of the system when you are done and don’t just close the browser window. If an attacker had access to your machine for whatever reason, they would be able to instantly gain access to those same systems without even knowing your password because you were still logged into it!

What is Least Privilege?

Best practice when using a system that has multiple levels of permissions or roles, is to use the account with the least amount of privileges to perform the action required.

You see this in Windows and Apple OSX machines by default now where you have a regular user account, and then when you want to perform an administrative function, you will get prompted for a password to temporarily gain higher privileges to perform that action.

For systems that you are building that don’t have this model built in, you will want to replicate it. Most of the times I will see the application be installed as an admin, and that is all. You should create a lower level user account that gives you most of the function you need outside of administrative functions, and use this account the majority of the time.

Why Should I Care About Access Control?

Acccess control is about who can access your data or resources, and the act of accessing may mean consuming, entering, or using. A couple common examples of access control is a physical lock such as a house lock, and a login prompt to a website. If anyone could gain access to your private data or systems, then that won’t be good would it? This is why access control in all your systems (desktop, website, car, house, etc) is important just like any other cyber security fundamental.



Access Control Post Series

Coming up is a post series about access control. As usual I will cover fundamentals first, and then have specific tactical information when it comes to your own systems and WordPress sites. The post series will contain the following:

  • Why Should I Care About Access Control?
  • What is Least Privilege?
  • Three Additional Access Control Strategies
  • How to Restrict WordPress Access

Validate Your Backup Integrity With Restore

The whole point of a backup system is to have the ability to restore important files that were lost. An important step in your backup system is to ensure that you can recover the files and that the backup data is not corrupted. There is no point of a backup if you can’t access your data or if the backup itself was corrupt!

This is why it is just as important to do a test restore even if you don’t need to just to make sure your process is working.

Hopefully you have a backup system in place, so go spend some time now to test out that restore process if you haven’t already.