Showing posts with label Access Control. Show all posts

Monday, December 1, 2025

Door Held Open Alert

What is a Door Held Open Alert?


A door held open alert is a security system feature that sends a warning when a door is left open for longer than a programmed time, even if it was opened legitimately. It is a component of access control systems designed to reduce security risks, such as unauthorized entry into sensitive areas like server rooms, by notifying designated personnel. It can also integrate with a video system to capture an image or video clip of the event.

Even if your employees use the correct credentials to gain access to restricted areas, holding or propping the door open can create a security risk. This is why Door Held Open Alerts were created. This feature is part of an advanced physical access control system.

With this feature, when a door is held open longer than a preset time, an alert will be sent to either a designated responsible party or a monitoring center which will alert a list of contacts.

With integration into a video surveillance system, a Door Held Open Alert can also automatically send an image or video clip from the security cameras nearest the door that caused the alert.  It combines a physical access control sensor with cameras, so if someone props a door open, an alert is sent to security personnel, and the system automatically records the incident for later review. 

How it works

·        Sensing the door state: A sensor, often a magnetic contact sensor, is used to detect when the door is open or closed.

·        Timing the duration: The system is programmed with a specific "held open" time. When the door is opened, the timer starts.

·        Triggering the alert: If the door remains open past the preset time limit, the system triggers an alert.

·        Sending the notification: The alert can be a siren, a chime, a light, or a notification sent to a security team or a monitoring center.

·        Integrated security: For enhanced security, the alert can also trigger the capture of a video clip from a nearby camera to provide a visual record of the event.

·        Integration with video: When the alarm is triggered, the connected video surveillance system automatically records or takes a snapshot from the camera nearest the door.

·        Notification: The alert, along with the associated video evidence, is sent to a security monitoring center, a designated responsible party, or a list of contacts.

What happens when an alert is triggered

·        An alert is sent to a designated party, such as security personnel or a monitoring center.

·        The alert can be a visual cue, an audible alarm, or a notification sent to a smartphone.

·        The system can be configured to automatically send a video clip from nearby cameras along with the alert.

·        The alert can be reset once the door is properly closed.

Why it is important

·        Prevents unauthorized access: It stops people from propping a door open after they've used their credential to enter a secure area.

·        Enhances security: It helps monitor critical areas like server rooms or security offices to prevent intrusion.

·        Can be integrated with other systems: It can be combined with video surveillance for a more comprehensive security response. 

Why it's used

·        Preventing security breaches: It stops people from propping doors open for unauthorized access, which is a common security risk.

·        Monitoring critical areas: It is particularly useful for securing sensitive areas like server rooms, labs, or restricted zones, where unauthorized access is a major concern.

·        Providing evidence: The video recording serves as evidence for security investigations.

·        Automating security: It automates the process of monitoring and responding to a potential security issue, reducing the need for constant manual surveillance. 

Door Open Too Long Alarm

A "door open too long alarm" is a system that alerts you if a door is left ajar for a set period, and it can be implemented with simple magnetic sensors for home use or more advanced systems for commercial applications. These alarms can be wireless, battery-powered, or wired, and some offer features like app notifications, different alarm modes, and adjustable time delays. 

Types of door open too long alarms:

·        Simple magnetic sensors: These are often battery-powered and easy to install with adhesive. They trigger an alarm when the two magnetic parts of the sensor are separated for too long. 

·        Wired alarms: These are typically used for commercial and industrial applications and are connected to a power source and control panel. 

·        Smart/Wi-Fi alarms: These connect to your home network and can send real-time alerts to your smartphone via an app. Some are hub-less and compatible with both Android and iOS devices.

Features and functions:

·        Adjustable time delay: Many alarms allow you to set how long the door must be open before the alarm triggers, with some adjustable from seconds to minutes. 

·        Multiple alarm modes: Some systems have different settings, such as a simple alarm that stops when the door closes, a doorbell mode, or a door closing reminder. 

·        App and remote notifications: Smart alarms can provide instant alerts to your phone, which is useful for monitoring doors remotely. 

·        High-decibel sirens: Many alarms include a loud siren to deter intruders or to get the attention of people in the building. 

·        Indicator lights: Some commercial systems may include a visual indicator, such as a flashing red LED strobe, in addition to an audible buzzer. 

Applications:

·        Home security: Prevents doors from being left open for extended periods, which can be useful for security, child safety, or keeping pets from sneaking out. 

·        Commercial security: Monitors critical areas like server rooms, conference rooms, or storage areas, and can be integrated with card reader systems. 

·        Industrial settings: Wired alarms are often used for industrial doors and are designed to withstand harsh environments. 

·        Refrigerator alarms: Small, battery-powered alarms with a short delay can be used to remind you to close the refrigerator door.

How to choose an alarm:

·        The environment: A simple magnetic sensor might be enough for a home, while a wired or commercial system may be better for a business. 

·        Connectivity: Choose between a simple standalone alarm or a smart alarm that connects to Wi-Fi and sends app notifications. 

·        Features: Decide if you need adjustable delays, multiple modes, or a specific decibel level. 

Purpose of Door Alarm Monitoring

Most businesses and organizations use some form of card access control system to control entry into their buildings and other facilities. These systems allow authorized employees to conveniently enter through secured doors without needing to use a key.

In addition to controlling access, most card access control systems also provide a door alarm monitoring feature. The purpose of door alarm monitoring is to detect improper use of the card access controlled door. Two types of door monitoring are commonly provided:

"Door-Forced-Open" Monitoring

In the event that any card reader door is opened from outside without the use of a valid access card, the system will cause a "Door-Forced-Open" (DFO) condition to occur. For example, if an intruder were to pry the door open from the outside, this would cause a DFO condition to occur.

"Door-Open-Too-Long" Monitoring

In the event that any card reader door is propped or held open, the system will cause a "Door-Open-Too-Long" (OTL) condition to occur. For example, if an employee were to wedge a door open, this would cause an OTL condition to occur.

In most cases, the access control system is designed so that a security monitoring center is notified whenever a DFO or OTL condition occurs, allowing an appropriate security response to be made. In some cases this may involve dispatching a security officer to the door to investigate; in other cases, an employee working near the door may be called and asked to see what is going on at the door. If the facility has a video surveillance system, the monitoring center may also use a video camera to observe activity at the door.

The Problem

Unfortunately, the door alarm monitoring feature is a major source of grief at many facilities. The problem: false DFO alarms. In most cases, these false alarms occur even though employees have done nothing wrong; they simply used the access controlled door in a normal manner, yet the system triggered a false DFO alarm. In larger facilities, this can occur hundreds or even thousands of times per day. These alarms can flood the security monitoring center, overwhelming the monitoring staff.

Eventually, monitoring staff may become complacent about DFO alarms, or choose to ignore them completely. At some facilities, false DFO alarms can be such a problem that management becomes frustrated, and chooses to permanently disable the door alarm monitoring feature. Neither of these responses is appropriate as they decrease the overall level of security at the facility and turn the access control system into just an electronic locking system.

Is There a Solution?

Many end-users (and even security systems integrators) have come to accept the false DFO problem as unsolvable. These people have given up on trying to find a solution and consider false DFO alarms to be a fact of life when using an access control system.

Is there a solution? Yes! While false DFO alarms can never be entirely eliminated, Silva Consultants believes that they can be reduced by 95% or more through effective system design.

At facilities that already have systems installed, modifications can be made to existing equipment that will eliminate most false DFO alarms. Fixing false DFO problems on existing systems requires work, but can be done with some knowledge of basic design principles and a little patience.

How Door Monitoring Works

Before discussing specific solutions to the false DFO problem, it is helpful to understand how the door monitoring feature works on the typical access control system.

The typical access controlled door has the following devices:

·        Card reader on outside (non-secured) side of door. Common types of card readers include proximity readers, smartcard readers, and magnetic stripe readers.

·        Request-to-exit (REX) / Egress Switch device on inside (secured) side of door. Common types of REX devices include REX motion detectors, REX switches in lock hardware, and manual REX buttons.

·        Electric lock hardware. Common types of electric lock hardware include electric strikes, electric locks, and electromagnetic locks.

·        Door position switch. The most common type of door position switch is the magnetic contact switch.

All of the devices at the door are connected to the access control system, usually through some type of intelligent control panel which may be located at the door, or in a nearby electrical closet.

Here is how the access control system door monitoring feature works:

Entering through the door from the outside:

When a user presents his or her card at the card reader, the reader sends a signal to the access control system. If the card is valid, the access control system sends a signal back to the electric lock hardware, causing the door to unlock. As the user opens the door, the door position switch sends a signal to the access control system, but because a valid card has just been used at the reader, the access control system does not cause a DFO alarm to occur.

Exiting through the door from the inside:

When a user approaches the door to exit, he or she activates the REX device. In the case of a REX motion detector, this occurs when the user steps into the detector's coverage area. In the case of a REX switch inside of hardware, this occurs when the user turns the door handle or presses the exit bar. When using a manual REX button, this occurs when the user presses the button to leave. As the user opens the door, the door position switch sends a signal to the access control system, but because a REX device was just activated, the access control system does not cause a DFO alarm to occur.

If an access controlled door is opened without either the use of a valid access card or the activation of a REX device, a door-forced-open (DFO) alarm will occur. This occurs because the access control system has received a signal from the door position switch telling it that the door has been opened, and without having received a previous signal from either the card reader or REX device, it assumes that the door is being forced open.

So, in summary, if a door is opened without using either the card reader or activating a REX device, a DFO alarm will occur.
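The sequence just described (card or REX first, then the door position switch; an opening with no prior grant is a DFO; a door left open past the limit is an OTL, which is also what the first post's "How it works" list describes) is easy to misread in prose, so here is an added example that simulates it. This is illustrative code written for this page, not firmware from any access control manufacturer; the event names, the grant window, the held-open limit and the sample scenarios are all constructed assumptions, and the `require_rex_reset` switch models the behaviour discussed later under "Improper REX Motion Detector Settings", where a panel expects a fresh REX activation for each opening.

```python
"""Added example (not code from the original post): a simplified access-control
panel model showing how Door-Forced-Open (DFO) and Door-Open-Too-Long (OTL)
alarms follow from the card reader, the REX device and the door position switch.
Event names, timings and the sample scenarios are constructed for illustration."""
from typing import List, Optional, Tuple


class DoorMonitor:
    def __init__(self, held_open_limit=30.0, grant_window=10.0, require_rex_reset=True):
        self.held_open_limit = held_open_limit      # seconds a door may stay open before OTL
        self.grant_window = grant_window            # seconds after a card/REX in which an opening is expected
        self.require_rex_reset = require_rex_reset  # panel wants a fresh REX activation per opening
        self._grant_until = -1.0                    # time until which an opening is "expected"
        self._open_since: Optional[float] = None
        self._rex_active = False
        self._otl_raised = False
        self.alarms: List[Tuple[float, str]] = []

    def event(self, t: float, kind: str) -> None:
        if kind == "card_valid":
            self._grant_until = t + self.grant_window
        elif kind == "rex_on":
            # On panels that require a reset, a REX signal held continuously
            # counts only once, at the moment it first goes active.
            if not (self.require_rex_reset and self._rex_active):
                self._grant_until = t + self.grant_window
            self._rex_active = True
        elif kind == "rex_off":
            self._rex_active = False
        elif kind == "door_open":
            rex_holds = self._rex_active and not self.require_rex_reset
            if t > self._grant_until and not rex_holds:
                self.alarms.append((t, "DFO"))   # opened with no prior card or REX
            self._grant_until = -1.0             # a grant covers one opening only
            self._open_since, self._otl_raised = t, False
        elif kind == "door_close":
            self._open_since, self._otl_raised = None, False
        elif kind != "tick":                     # "tick" just advances time
            raise ValueError(f"unknown event {kind!r}")
        self._check_otl(t)

    def _check_otl(self, t: float) -> None:
        if (self._open_since is not None and not self._otl_raised
                and t - self._open_since >= self.held_open_limit):
            self.alarms.append((t, "OTL"))
            self._otl_raised = True


def run(events, **config) -> List[Tuple[float, str]]:
    """Feed a (time, event) list through a fresh monitor and return its alarms."""
    monitor = DoorMonitor(**config)
    for t, kind in events:
        monitor.event(t, kind)
    return monitor.alarms


# Constructed scenarios; times are seconds from the start of each scenario.
SCENARIOS = {
    "normal entry": [(0, "card_valid"), (2, "door_open"), (5, "door_close")],
    "forced entry": [(0, "door_open"), (3, "door_close")],
    "propped after valid entry": [(0, "card_valid"), (1, "door_open"), (40, "tick")],
    "rex blind spot, user pauses": [(0, "rex_on"), (2, "rex_off"), (15, "door_open"), (17, "door_close")],
    "rex held active across two openings": [(0, "rex_on"), (1, "door_open"), (4, "door_close"),
                                            (6, "door_open"), (8, "door_close"), (20, "rex_off")],
}

if __name__ == "__main__":
    for name, events in SCENARIOS.items():
        print(f"{name}: {run(events) or 'no alarms'}")
    print("rex held, panel not requiring reset:",
          run(SCENARIOS["rex held active across two openings"], require_rex_reset=False) or "no alarms")
```

The last scenario is the interesting one: with `require_rex_reset=True` the second opening at 6 s raises a DFO even though the user never left the REX detector's view, which is exactly the false alarm a too-long REX time delay produces; the same events on a panel that accepts a continuous REX signal produce no alarm.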

Common Causes of False DFO Alarms

The following are some common causes of false DFO alarms:

Improper REX Motion Detector Coverage

REX motion detectors need to detect people just as they are ready to open the door. Too often, REX motion detectors are placed where they detect people approaching the door rather than at the door itself. This is sometimes done with good intentions ("I will detect them long before they get to the door") but can create a "blind spot" in front of the door itself. (See Figure #1 below).

Users can pass through the detector's coverage area and pause before opening the door, often long enough to allow the REX detector to reset. The user then opens the door, causing a DFO alarm to occur.

[Figure #1: figure1.jpg]

The solution: Carefully test each REX motion detector to determine its coverage area. Ideally, motion detectors should be pointed at the door knob or handle and provide detection before a person can open the door (See Figure #2 below). Relocate and/or readjust detector to provide positive coverage at the door and to avoid unwanted coverage elsewhere.

[Figure #2: figure2.jpg]

Improper REX Motion Detector Settings

Different brands of access control systems process door position switch and REX device inputs differently. Some systems require that the REX input signal be reset after each opening and closing of the door. Often, the time delay settings on REX motion detectors are set for too long a period. This allows the door to be closed and then reopened again before the detector has had a chance to reset. This causes a DFO alarm to occur when the door is opened the second time.

The solution: Learn specifically how your access control system processes door position switch and REX input signals. Adjust the settings on your REX detectors so that they provide a signal of an appropriate duration. On many systems, the REX detector should be adjusted to reset as quickly as possible after each activation, so that the system receives a series of pulses rather than a continuous activation.

Improper Lock Hardware Function

When a door is controlled by an access control system, the lock hardware on that door should not allow it to be left in the unlocked position manually. Lock hardware that allows this can be a source of DFO alarms when users open the door manually from the outside without using their access card.

The solution: Examine all doors and replace any lock hardware that allows a door to be left in a manually unlocked state. If a door must be left open during certain times of the day, this should be done through programming of the access control system - not by manual operation of the lock.

Door Doesn't Latch Properly

Doors that don't close and latch properly are a major source of DFO alarms. These occur when a user is able to pull a door open from the outside without using a card, or when a gust of wind blows the door open. Failure of a door to properly close and latch can be caused by many things, including defective doors and frames, defective door lock hardware, defective door closer, improper HVAC system air balancing, and obstructions at the doorway.

The solution: Carefully inspect all doors to make sure that they close and lock perfectly. Doors that must be "given a shove" to close won't work well with a card access control system. Identify sources of problems and take corrective action. Check doors at various times throughout the day and year as certain problems (such as air balancing issues) may only happen at certain times.

Users are Using Brass Key Instead of Access Card

Most access controlled doors are equipped with lock cylinders that allow the door to be opened using a key in the event that the access control system fails. This works fine if keys are used strictly during emergencies, but causes chronic DFO alarms if users routinely use their key rather than a card to open the door. This not only creates false alarms, but also defeats the accountability provided by the access control systems audit trail feature.

The solution: Brass keys should be used on card reader controlled doors only in the event of an emergency. All lock cylinders on card reader controlled doors should be keyed to a special "emergency key" that is not routinely carried by employees, but instead handed out only during emergencies. If necessary, a break-glass box containing emergency keys can be provided in an area where it is accessible by authorized employees during a true emergency. The emergency key should not be part of the facility's master key system.

Users Forget to Use Manual REX Button

At facilities which use manual REX buttons, users sometimes forget to press the button on their way out, causing a DFO alarm.

The solution: Manual REX buttons are counterintuitive and not very user-friendly. In our opinion, they should only be used as a last resort or as a backup to another REX device. Consider replacing existing manual REX buttons with REX motion detectors or REX switches in the door lock hardware.

Users are Taping or Jamming the Latch Open

Users of the door sometimes tape or otherwise jam open the door latch so they can re-enter the door without using an access card. In some cases, this is because the person needs to go in and out of the door frequently and doesn't want to have to use their access card each time. In other cases, the person has gained access to the inside of the door but doesn't have a card (or access privileges) that would allow them to re-enter. Each time the door is opened from the outside without the use of a card, it causes a DFO alarm to occur.

The solution: Provide ongoing security awareness training to all users of the system. Make sure that users have been assigned appropriate access privileges so that they can do their jobs. If doors must be left unlocked during certain times of the day, educate users on the right way of doing this (through programming of the access control system) versus the wrong way of doing this (taping the latch open). If necessary, provide signage at each door that reminds users of the proper procedures. Take disciplinary action against users who continue to violate policies despite repeated warnings.

Door is Not Interfaced with Automatic Door Opener

When a card reader door is also equipped with an automatic door opener, there is a potential for DFO alarms to occur when the opener opens the door before a REX device is activated. There are two ways in which this can occur:

·        The inside door opener actuator button is located beyond the range of the REX motion detector at the door. When the user presses the actuator button, it opens the door, but since the user has not yet activated the REX detector, it causes a DFO alarm. (See Figure #3 below)

[Figure #3: figure3.jpg]

·        The door opener's motion detector has a greater range than the REX motion detector. When a user approaches the door, he activates the door opener's detector prior to activating the REX detector, causing a DFO alarm. (See Figure #4 below)

[Figure #4: figure4.jpg]

The solution: Provide an interface between automatic door opener devices and the access control system. Outputs from door opener actuator buttons and door opener motion detectors should be connected as REX inputs to the access control system. This can be done by using devices that have double-pole switch contacts (one pole for the opener and one pole for the access control system), or by providing an external relay that provides double-pole contacts.

Tips for Solving False DFO Alarm Problems

·        Troubleshooting of DFO alarms should be done carefully and methodically. At most facilities, you will find that 20% of your doors will be responsible for 80% of your DFO alarms. Run a report that shows all DFO alarms for a 24 hour period to identify those doors with the most problems. Begin attacking the problem by fixing the doors with the most false alarms first, then move on to the other doors.

·        The most reliable type of REX device is a REX switch built into the lock hardware. This switch provides a positive indication when someone is exiting and is the least prone to problems. When installing hardware on a new door, this should be your first choice when the option is available. Also consider retrofitting existing hardware with REX switches, especially at doors that have been particularly troublesome in terms of false alarms.

·        Sometimes, more than one REX device will be required at a door. For example, obstructions may prevent a single REX detector from detecting people approaching the door from different directions. Adding a second REX detector may be able to solve this.

·        If you are pulling your hair out trying to solve false alarm problems at a particular door, consider temporarily installing a camera and video recorder specifically for the purposes of troubleshooting. This camera should be pointed at the inside of the door and allow you to observe activity coming and going. For improved diagnostics, provide indicator lights visible by the camera connected to the door position switch and REX device. These lights should illuminate when each device is activated, allowing you to observe the sequence of events as people pass through the door.
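The first tip above (run a 24-hour DFO report, find the 20% of doors producing 80% of the alarms, fix those first) is a small data-handling job that is worth showing concretely. The following is an added example written for this page, not a report from any access control product: the CSV layout, the door names and the alarm counts are constructed, and a real panel export will need its own column mapping.

```python
"""Added example (not from the original post): ranking doors by DFO alarm count
over a 24-hour window so the noisiest doors can be fixed first. The CSV layout,
door names and counts are constructed for illustration."""
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO
from typing import List, Tuple

# Constructed alarm distribution for a small facility.
CONSTRUCTED_COUNTS = {"Loading-Dock": 12, "Lobby-N": 6, "Lab-2": 3, "Stair-B": 2, "Server-Room": 1}
REPORT_END = datetime(2025, 12, 1, 6, 0, 0)


def build_sample_log() -> str:
    """Constructed panel export: one DFO line per count, plus lines the report must ignore."""
    base = REPORT_END - timedelta(hours=24)
    lines = ["timestamp,door,event"]
    i = 0
    for door, n in CONSTRUCTED_COUNTS.items():
        for _ in range(n):
            lines.append(f"{(base + timedelta(minutes=7 * i)).isoformat()},{door},DFO")
            i += 1
    lines.append(f"{base.isoformat()},Server-Room,OTL")   # an OTL, not a DFO
    lines.append("2025-11-27T09:00:00,Lobby-N,DFO")       # outside the 24-hour window
    return "\n".join(lines) + "\n"


def rank_dfo(log_text: str, report_end: datetime, hours: int = 24) -> List[Tuple[str, int, float]]:
    """Return (door, dfo_count, cumulative_percent) sorted from noisiest door down."""
    since = report_end - timedelta(hours=hours)
    counts: Counter = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if row["event"] == "DFO" and since <= ts <= report_end:
            counts[row["door"]] += 1
    total = sum(counts.values())
    if total == 0:
        return []
    ranked, running = [], 0
    for door, n in counts.most_common():
        running += n
        ranked.append((door, n, round(100.0 * running / total, 1)))
    return ranked


def priority_doors(ranked, share: float = 80.0) -> List[str]:
    """Smallest set of top-ranked doors that together reach `share` percent of DFO alarms."""
    chosen = []
    for door, _, cumulative in ranked:
        chosen.append(door)
        if cumulative >= share:
            break
    return chosen


if __name__ == "__main__":
    ranked = rank_dfo(build_sample_log(), REPORT_END)
    for door, n, cumulative in ranked:
        print(f"{door:<14}{n:>4} DFO  {cumulative:>6.1f}% cumulative")
    print("fix first:", ", ".join(priority_doors(ranked)))
```

Note that the window filter is deliberate: a report that accumulates weeks of alarms hides doors whose problems are seasonal (the air balancing case mentioned earlier), so rerun it at different times of day and year rather than once.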

If you have questions about the false DFO alarm problem, or need help in reducing DFO alarms at your facility, please contact us.

Thursday, October 16, 2025

ONVIF Ending Support for Profile S


A commonly asked question is “what is ONVIF protocol?” This question confuses two different concepts: a standard and a protocol. ONVIF is a security standard, whereas RTSP, a key element of video and audio streaming, is a protocol.

For the avoidance of doubt, “ONVIF protocol” is an incorrect term, because it is a standard. The ONVIF standards are defined by several manufacturers in the video security industry, including Pelco, enabling products across brands to work together and interface seamlessly. This standard determines how a protocol like RTSP will work. 

RTSP stands for Real Time Streaming Protocol. It controls video and audio transmission between two endpoints, and enables it to happen with minimal latency (delay) over an internet connection. ONVIF IP cameras use a specific standard (known as a profile) to stream video and audio. In doing so, the standard defines certain rules about how RTSP should work and which ONVIF specifications it should follow.

Over a larger ONVIF security camera system, this means that all devices are using the same streaming protocol to transmit video to network recording devices, which are primed to receive it in that specific format.

ONVIF stands for Open Network Video Interface Forum. Its aim is to provide a standard for the interface between different IP-based physical security devices. In simple terms, ONVIF specifications provide a consistent way for devices from multiple manufacturers to work together, where previously they would not have been able to. These standardized ONVIF specifications are like a common language that all devices can use to communicate.

The end user benefits from this interoperability because they are no longer tied to a single brand for everything to work; now, a business can use several different brands’ systems, with a single standard to communicate. Want to use the best ONVIF camera from Brand A, but you also want Brand B’s ONVIF IP cameras, and Brand C’s ONVIF NVR? No problem, because the ONVIF standard enables them all to work together.

ONVIF is ending support for Profile S on March 31, 2027. Profile S, which was introduced in 2011, specifies authentication methods that are no longer aligned with current cybersecurity standards. 

“After 14 years, Profile S has served its purpose of enabling basic video streaming interoperability for more than 33,000 conformant devices and clients from different vendors,” said Leo Levit, Chairman of the ONVIF Steering Committee. “As ONVIF profiles do not change to preserve the interoperability of conformant products, we recognize the need to phase it out in line with today’s security recommendations.”

ONVIF recommends the use of Profile T as a replacement for Profile S. Launched in 2018, Profile T includes virtually all Profile S features plus advanced video surveillance capabilities. End users can still use Profile S for basic video streaming between Profile S conformant devices and clients, but for security reasons, ONVIF strongly encourages customers to discontinue the use of the username token authentication method and choose instead more secure authentication mechanisms like digest authentication supported in Profile T or through TLS (HTTPS mode).
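Before the 2027 date, an operator needs to know which clients on the network still authenticate to cameras with the username token method over plain HTTP. Here is an added example of how that inventory can be done from captured requests; it is illustrative code written for this page, not an ONVIF tool. The captured requests, client names and the digest header value are constructed; the SOAP 1.2 envelope namespace, the WS-Security (`wsse`) namespace and the ONVIF device-service namespace are the real ones, and how the capture itself is obtained (a proxy, a packet capture, a VMS log) is left as an assumption.

```python
"""Added example (not from the ONVIF notice): classify how captured ONVIF SOAP
requests authenticate, to find clients still using WS-Security UsernameToken
over plain HTTP. The captures are constructed; the namespaces are real."""
import xml.etree.ElementTree as ET
from typing import Dict, List

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def soap_request(with_token: bool) -> str:
    """Constructed GetDeviceInformation request, optionally carrying a UsernameToken."""
    token = ""
    if with_token:
        token = (f'<wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>'
                 '<wsse:Username>admin</wsse:Username>'
                 '<wsse:Password>CONSTRUCTED-DIGEST</wsse:Password>'
                 '</wsse:UsernameToken></wsse:Security>')
    return (f'<s:Envelope xmlns:s="{SOAP12}"><s:Header>{token}</s:Header><s:Body>'
            '<tds:GetDeviceInformation xmlns:tds="http://www.onvif.org/ver10/device/wsdl"/>'
            '</s:Body></s:Envelope>')


# (client id, URL scheme, HTTP headers, SOAP body); all constructed.
CAPTURED = [
    ("nvr-old", "http", {}, soap_request(True)),
    ("nvr-new", "http", {"Authorization": 'Digest username="viewer", realm="cam", nonce="CONSTRUCTED"'},
     soap_request(False)),
    ("vms", "https", {}, soap_request(True)),
    ("unknown", "http", {}, soap_request(False)),
    ("broken", "http", {}, "<s:Envelope"),   # truncated capture
]


def classify(scheme: str, headers: Dict[str, str], body: str) -> Dict[str, object]:
    tls = scheme.lower() == "https"
    auth = headers.get("Authorization", "")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"method": "unparseable", "tls": tls, "finding": "malformed SOAP"}
    token = root.find(f"{{{SOAP12}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if auth.startswith("Digest "):
        method = "http-digest"
    elif token is not None:
        method = "username-token"
    else:
        method = "none"
    if method == "username-token" and not tls:
        finding = "deprecated: UsernameToken over plain HTTP (Profile S era method)"
    elif method == "username-token":
        finding = "UsernameToken protected by TLS"
    elif method == "http-digest":
        finding = "digest authentication"
    else:
        finding = "unauthenticated request"
    return {"method": method, "tls": tls, "finding": finding}


def inventory(captures) -> Dict[str, Dict[str, object]]:
    return {cid: classify(scheme, headers, body) for cid, scheme, headers, body in captures}


def needs_migration(captures) -> List[str]:
    """Client ids still sending a UsernameToken without TLS."""
    return [cid for cid, result in inventory(captures).items()
            if result["method"] == "username-token" and not result["tls"]]


if __name__ == "__main__":
    for cid, result in inventory(CAPTURED).items():
        print(f"{cid:<8} {result['method']:<15} tls={result['tls']!s:<5} {result['finding']}")
    print("migrate first:", needs_migration(CAPTURED))
```

The classifier looks only at the authentication mechanism, which is what the notice is about; whether the TLS session itself is configured well is a separate check.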

Cybersecurity Best Practices for IP-based Physical Security Products
ONVIF recommends following local regulations, industry best practices, and staying on top of updates from the marketplace. ONVIF has outlined a general, non-exhaustive set of recommendations for best practices within cybersecurity. The recommendations should not be considered as the only source or guideline to combat cybersecurity threats.

In addition to the recommendations, ONVIF supports TLS (Transport Layer Security), a secure communication protocol that allows ONVIF devices with that feature to communicate with clients across a network in a way that protects against tampering and eavesdropping.

Profile S Conformant Products
After March 31, 2027, it will not be possible for manufacturers to submit new products or older products with new firmware/software versions for Profile S conformance. Products that have already achieved Profile S conformance will always remain conformant for the specified firmware version and date of conformance. Profile S conformant products will continue to be searchable in the ONVIF conformant products database.

The ONVIF conformant products database is the authoritative source for determining whether or not a product is officially ONVIF conformant and supports one or multiple ONVIF profiles. A product is registered in the database after it successfully passes the relevant ONVIF test tool and all the necessary documents have been submitted to ONVIF by the member manufacturer. Conformance is tied to a product’s specific firmware/software version and is valid indefinitely for the specific firmware/software version of that product. To ensure an existing product is conformant, the product’s firmware/software version must match the version listed for the product in the database. ONVIF releases new device and client test tools twice a year (June and December), and each test tool version is valid until a new version is released, plus a further grace period of about three months. For more information, see the Conformance FAQ page.

Note that products may use ONVIF specifications, but they may not claim to be ONVIF conformant without completing the ONVIF Conformance Process. Only ONVIF members can claim conformance, but ONVIF membership alone does not guarantee that products sold by members are ONVIF conformant.

TLS Configuration Add-on

As ONVIF adapts to new cybersecurity requirements, the specifications of the current ONVIF TLS Configuration Add-on will also be upgraded at the end of 2026. Unlike profiles, add-ons are adaptable to changing technology/specification requirements due to version handling.


Friday, August 15, 2025

Privileged Access Management


Privileged access management (PAM) is defined as the provisioning of tools that help organizations manage and secure accounts that have access to critical data and operations. Any compromise in these ‘privileged’ accounts can lead to financial losses and reputational damage for the organization.

Every organization’s infrastructure is built with multiple levels of deployments, data stores, applications, and third-party services. Some of these components are critical for operations, while some may be as mundane as email.

But each of these is accessed by user accounts, which are of two types:

Human users: They are typically employee accounts, encompassing all departments, including HR, DevOps, and network administrators. 

Automated non-human users: These are third-party applications and services that require an account to integrate with the organization’s systems.

‘Privilege’ is defined as the authority that an account has to modify any part of the company’s technology architecture, starting from individual devices to the office network. This privilege allows the bypassing of security restraints that are normally applied across all accounts.

A standard account is a norm among employees, with the least privileges attached to it. These accounts are used to access and operate limited resources such as internet browsing, emails, and office suites. A privileged account possesses more capabilities than a standard account. This elevated access is gained using privileged credentials.

Despite the numerous headline-making incidents in recent years, cybercrime continues to rise with reported data breaches increasing by 75% over the past two years. For those that suffer a breach, the repercussions can be costly: increased public scrutiny, costly fines, decreased customer loyalty and reduced revenues. It is no wonder that cybercrime has risen towards the top of the concern list for many organisations and the customers with whom they do business.

You’ve heard many of the stories. Equifax, Uber, Facebook, My Heritage, Under Armor, and Marriott. Personal data from millions of their customers was stolen. Even though the number of breaches went down in the first half of 2018, the number of records stolen increased by 133 percent to almost 4.5 billion records worldwide. Unfortunately things are only likely to get worse. According to a 2018 study from Juniper Research, an estimated 33 billion records will be stolen in 2023 – this represents a 275 percent increase from the 12 billion records that are estimated to have been stolen in 2018.

Are you ready for more bad news? Thanks to the demands of the application economy, the threat landscape has expanded and protecting against these threats has only gotten more challenging.

Victims of the future

Digital transformation is a necessity for organisations to not only survive, but thrive in the application economy. But these transformations are creating an expanding set of new attack surfaces that must be defended, in addition to the existing infrastructure that you’ve been protecting for years. These new points of vulnerability include:

DevOps adoption: In more sophisticated IT shops, continuous delivery/ continuous testing practices have introduced automated processes that see no human intervention at all. In many cases, these scripts or tools are often using hard-coded administrative credentials that are ripe for theft and misuse.

Hybrid environments: As your IT environment has evolved to include software-defined data centres and networks, and expanded outside of your four walls to incorporate public cloud resources and software-as-a-service (SaaS) applications, the traditional way of approaching administration and management quickly falls apart – mainly because it fails to protect new attack surfaces like management consoles and APIs.

Internet of Things: Smart devices are proliferating in our lives, from phones to watches, from refrigerators and cars to medical implants and industrial machinery. And because these devices have connectivity, not only can they be hacked, but they are already being compromised where security is inadequate or non-existent.

Third-party access: Outsourcing development or IT operations has become the norm. In addition, many companies are sharing information with partners. However, many of these third-party employees are being granted ‘concentrated power’ via administrative access. Who is watching how they are using or potentially misusing that access?

Take hold of the flame

Stealing and exploiting privileged accounts is a critical success factor for many types of attacks. This is not surprising when one considers that privileged identities have access to the most sensitive resources and data in your environment; they literally hold the keys to the kingdom.

Thankfully, there is a positive angle you can take on this fact. If privileged accounts are the common thread amongst the innumerable attack types and vulnerability points, then these accounts – and the credentials associated with them – are exactly where you should focus your protection efforts.

For many, focusing on ‘privileged users’ is difficult because this population can be so diverse. Privileged accounts and access are not just granted to employees with direct, hands-on responsibility for system administration, but also to contractors and business partners. You may even have privileged unknowns who are securing ‘shadow IT’ resources without your knowledge. And finally, in many cases, privileged accounts aren’t even people – they may be applications or configuration files empowered by hard-coded administrative credentials.

This begs the question, if you can’t even get a clear tally of who represents your privileged user population, how can you hope to protect these accounts?

By securing those accounts at each stop along the breach kill chain.

Breaking the chains

What is a kill chain? It’s the series of steps an attacker typically follows when carrying out a breach. While the chain can comprise numerous steps, there are four key ones in which privileged credentials represent the cornerstone of an attack. These include:

1. Gain access and expand: To access the network, insiders might exploit the credentials they already have, while outsiders will exploit a vulnerability in the system to steal the necessary credentials.

2. Elevate privileges: Once inside, attackers will often try to elevate their privileges, so they can issue commands and gain access to whatever resources they’re after.

3. Investigate and move laterally: Attackers rarely land in the exact spot where the data they’re seeking is located, so they’ll investigate and move around in the network to get closer to their ultimate goal.

4. Wreak havoc: Once they have the credentials they need and have found exactly what they’re looking for, the attackers are free to wreak havoc (e.g. theft, business disruption, etc.).

If you can prevent an unauthorised user – insider or outsider – from gaining access to the system in the first place, you can stop an attack before it even starts.

To prevent unauthorised access, you must:

• Store all privileged credentials in an encrypted vault and rotate these credentials on a periodic basis.

• Authenticate all users, applications, and services before granting access to any privileged credential.

• Employ automatic login and single sign-on so users never know the privileged credential.

Limiting privilege escalation

In many networks, it’s common for users to have access to more resources than they actually need – which means attackers can cause maximum damage quickly and even benign users can cause problems inadvertently. This is why granular access controls are so important.

To limit privilege escalation, you must:

• Adopt a ‘zero trust’ policy that only grants access to the systems people need for work.

• Implement filters and allow/deny lists (white/black lists) to enable fine-grained access controls.

• Proactively shut down attempts to move laterally between unauthorised systems.
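The two lists above (vault and rotate credentials, authenticate before release, never reveal the secret; deny by default with fine-grained allow lists) can be combined in a single broker. The following is an added illustration, not code from the original article or any vendor product; the class name, the PBKDF2-based password check, the 30-day rotation age and the session-handle design are assumptions made for the example.

```python
import hashlib, hmac, os, secrets, time

# Constructed example: a minimal privileged access broker that vaults secrets,
# authenticates requesters, applies a deny-by-default allow list per user and
# system, and hands out a session handle instead of the credential itself.

ROTATION_SECONDS = 30 * 24 * 3600  # assumed rotation age for vaulted secrets

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class PrivilegedAccessBroker:
    def __init__(self):
        self._users = {}    # user -> (salt, password hash)
        self._vault = {}    # (system, account) -> {"secret", "rotated_at"}
        self._policy = {}   # user -> {system: set(allowed commands)}
        self.sessions = {}  # handle -> (user, system, account)

    def enrol_user(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, _pbkdf2(password, salt))

    def store_credential(self, system, account, secret, now=None):
        now = time.time() if now is None else now
        self._vault[(system, account)] = {"secret": secret, "rotated_at": now}

    def grant(self, user, system, commands):
        """Explicit allow only: anything not granted here is denied."""
        self._policy.setdefault(user, {})[system] = set(commands)

    def rotate_stale(self, now=None):
        """Replace every vaulted secret past its rotation age; return the keys."""
        now = time.time() if now is None else now
        rotated = []
        for key, entry in self._vault.items():
            if now - entry["rotated_at"] >= ROTATION_SECONDS:
                entry["secret"] = secrets.token_urlsafe(24)
                entry["rotated_at"] = now
                rotated.append(key)
        return rotated

    def checkout(self, user, password, system, account, command):
        """Authenticate, authorise, then open a session on the user's behalf."""
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(_pbkdf2(password, rec[0]), rec[1]):
            return None, "authentication failed"
        if command not in self._policy.get(user, {}).get(system, set()):
            return None, "denied by policy"   # deny by default
        if (system, account) not in self._vault:
            return None, "no vaulted credential"
        # A real broker would log in to `system` with the vaulted secret here;
        # the caller only ever receives the handle, never the secret.
        handle = secrets.token_hex(8)
        self.sessions[handle] = (user, system, account)
        return handle, "ok"
```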

Monitoring privileged activity

Whether it’s a trusted insider who wandered into the wrong area or an attacker with malicious intent, there’s a very good chance that at some point users will gain access they shouldn’t have.

The challenge, then, is to improve visibility and forensics around user activity within sensitive systems. To deter violations at this late stage of the kill chain, you must:

• Ensure that all privileged access and activity is attributed to a specific user.

• Monitor all privileged activity to proactively detect unusual behaviour and trigger automatic mitigations.

• Record all user sessions so that all privileged activities can be played back in DVR-like fashion.

• Review and certify privileged access on a periodic basis to ensure that it is still required.
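As an added example of the attribution and monitoring points above (not from the original article), the detector below runs over a constructed privileged-session log: it flags commands on a shared account that were never attributed to a named user, and a named user whose sessions fan out across several hosts within a short window, a common indicator of lateral movement. The log format, the ten-minute window and the three-host threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per privileged command, with the named
# user the access broker attributed the shared account to ("-" = none).
SAMPLE_LOG = """\
2025-12-01T09:02:10 user=alice account=root host=db01 cmd=backup
2025-12-01T09:03:41 user=- account=root host=db01 cmd=useradd svc-tmp
2025-12-01T13:10:02 user=bob account=admin host=app01 cmd=service restart
2025-12-01T13:11:15 user=bob account=admin host=app02 cmd=ssh app03
2025-12-01T13:11:50 user=bob account=admin host=app03 cmd=ssh db01
2025-12-01T13:12:30 user=bob account=admin host=db01 cmd=mysqldump
"""

LINE = re.compile(r"(\S+) user=(\S+) account=(\S+) host=(\S+) cmd=(.*)")

def parse(log):
    """Turn the assumed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, user, account, host, cmd = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "account": account, "host": host, "cmd": cmd})
    return events

def detect(events, max_hosts=3, window=timedelta(minutes=10)):
    findings = []
    # 1. Every privileged action must be attributable to a specific person.
    for e in events:
        if e["user"] == "-":
            findings.append(("unattributed", e["account"], e["host"], e["cmd"]))
    # 2. Host fan-out per user inside a sliding window (lateral movement).
    by_user = defaultdict(list)
    for e in events:
        if e["user"] != "-":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= max_hosts:
                findings.append(("lateral_movement", user, tuple(sorted(hosts)),
                                 start["ts"].isoformat()))
                break  # one finding per user is enough to trigger a review
    return findings
```

Each finding carries the user, host and timestamp needed to pull up the recorded session for playback.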