
Friday, August 15, 2025

Privileged Access Management


Privileged access management (PAM) is defined as the provisioning of tools that help organizations manage and secure accounts that have access to critical data and operations. Any compromise in these ‘privileged’ accounts can lead to financial losses and reputational damage for the organization.

Every organization’s infrastructure is built with multiple levels of deployments, data stores, applications, and third-party services. Some of these components are critical for operations, while some may be as mundane as email.

But each of these is accessed by user accounts, which are of two types:

Human users: They are typically employee accounts, encompassing all departments, including HR, DevOps, and network administrators. 

Automated non-human users: These are third-party applications and services that require an account to integrate with the organization’s systems.

‘Privilege’ is defined as the authority that an account has to modify any part of the company’s technology architecture, starting from individual devices to the office network. This privilege allows the bypassing of security restraints that are normally applied across all accounts.

A standard account is a norm among employees, with the least privileges attached to it. These accounts are used to access and operate limited resources such as internet browsing, emails, and office suites. A privileged account possesses more capabilities than a standard account. This elevated access is gained using privileged credentials.

Despite the numerous headline-making incidents in recent years, cybercrime continues to rise with reported data breaches increasing by 75% over the past two years. For those that suffer a breach, the repercussions can be costly: increased public scrutiny, costly fines, decreased customer loyalty and reduced revenues. It is no wonder that cybercrime has risen towards the top of the concern list for many organisations and the customers with whom they do business.

You’ve heard many of the stories. Equifax, Uber, Facebook, MyHeritage, Under Armour, and Marriott. Personal data from millions of their customers was stolen. Even though the number of breaches went down in the first half of 2018, the number of records stolen increased by 133 percent to almost 4.5 billion records worldwide. Unfortunately things are only likely to get worse. According to a 2018 study from Juniper Research, an estimated 33 billion records will be stolen in 2023 – this represents a 275 percent increase from the 12 billion records that are estimated to have been stolen in 2018.

Are you ready for more bad news? Thanks to the demands of the application economy, the threat landscape has expanded and protecting against these threats has only gotten more challenging.

Victims of the future

Digital transformation is a necessity for organisations to not only survive, but thrive in the application economy. But these transformations are creating an expanding set of new attack surfaces that must be defended, in addition to the existing infrastructure that you’ve been protecting for years. These new points of vulnerability include:

DevOps adoption: In more sophisticated IT shops, continuous delivery/continuous testing practices have introduced automated processes that see no human intervention at all. In many cases, these scripts or tools use hard-coded administrative credentials that are ripe for theft and misuse.

Hybrid environments: As your IT environment has evolved to include software-defined data centres and networks, and expanded outside of your four walls to incorporate public cloud resources and software-as-a-service (SaaS) applications, the traditional way of approaching administration and management quickly falls apart – mainly because it fails to protect new attack surfaces like management consoles and APIs.

Internet of Things: Smart devices are proliferating in our lives, from phones to watches, from refrigerators and cars to medical implants and industrial machinery. And because these devices have connectivity, not only can they be hacked, but they are already being compromised where security is inadequate or non-existent.

Third-party access: Outsourcing development or IT operations has become the norm. In addition, many companies are sharing information with partners. However, many of these third-party employees are being granted ‘concentrated power’ via administrative access. Who is watching how they are using or potentially misusing that access?

Take hold of the flame

Stealing and exploiting privileged accounts is a critical success factor for types of attacks. This is not surprising when one considers that privileged identities have access to the most sensitive resources and data in your environment; they literally hold the keys to the kingdom.

Thankfully, there is a positive angle you can take on this fact. If privileged accounts are the common thread amongst the innumerable attack types and vulnerability points, then these accounts – and the credentials associated with them – are exactly where you should focus your protection efforts.

For many, focusing on ‘privileged users’ is difficult because its population can be so diverse. Privileged accounts and access are not just granted to employees with direct, hands-on responsibility for system administration, but also to contractors and business partners. You may even have privileged unknowns who are securing ‘shadow IT’ resources without your knowledge. And finally, in many cases, privileged accounts aren’t even people – they may be applications or configuration files empowered by hard-coded administrative credentials.

This begs the question, if you can’t even get a clear tally of who represents your privileged user population, how can you hope to protect these accounts?

By securing those accounts at each stop along the breach kill chain.

Breaking the chains

What is a kill chain? It’s the series of steps an attacker typically follows when carrying out a breach. While the chain can comprise numerous steps, there are four key ones in which privileged credentials represent the cornerstone of an attack. These include:

1. Gain access and expand: To access the network, insiders might exploit the credentials they already have, while outsiders will exploit a vulnerability in the system to steal the necessary credentials.

2. Elevate privileges: Once inside, attackers will often try to elevate their privileges, so they can issue commands and gain access to whatever resources they’re after.

3. Investigate and move laterally: Attackers rarely land in the exact spot where the data they’re seeking is located, so they’ll investigate and move around in the network to get closer to their ultimate goal.

4. Wreak havoc: Once they have the credentials they need and have found exactly what they’re looking for, the attackers are free to wreak havoc (e.g. theft, business disruption, etc.).

If you can prevent an unauthorised user – insider or outsider – from gaining access to the system in the first place, you can stop an attack before it even starts.

To prevent unauthorised access, you must:

• Store all privileged credentials in an encrypted vault and rotate these credentials on a periodic basis.

• Authenticate all users, applications, and services before granting access to any privileged credential.

• Employ automatic login and single sign-on so users never know the privileged credential.

Limiting privilege escalation

In many networks, it’s common for users to have access to more resources than they actually need – which means attackers can cause maximum damage quickly and even benign users can cause problems inadvertently. This is why granular access controls are so important.

To limit privilege escalation, you must:

• Adopt a ‘zero trust’ policy that only grants access to the systems people need for work.

• Implement filters and white/black lists to enable fine-grained access controls.

• Proactively shut down attempts to move laterally between unauthorised systems.

Monitoring privileged activity

Whether it’s a trusted insider who wandered into the wrong area or an attacker with malicious intent, there’s a very good chance that at some point users will gain access they shouldn’t have.

The challenge, then, is to improve visibility and forensics around user activity within sensitive systems. To deter violations at this late stage of the kill chain, you must:

• Ensure that all privileged access and activity is attributed to a specific user.

• Monitor all privileged activity to proactively detect unusual behaviour and trigger automatic mitigations.

• Record all user sessions so that all privileged activities can be played back in DVR-like fashion.

• Review and certify privileged access on a periodic basis to ensure that it is still required.
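The vaulting, attribution and periodic-review controls listed above can be checked mechanically. The following is an added example, not part of the original post: a small audit over a constructed vault inventory and checkout log. The account names, the 90-day rotation limit and the 180-day review window are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data and assumed policy values (not from the original post).
NOW = datetime(2025, 8, 15)
ROTATION_MAX = timedelta(days=90)    # assumed maximum credential age
REVIEW_WINDOW = timedelta(days=180)  # assumed access certification window

ACCOUNTS = [
    {"account": "root@db01", "last_rotated": "2025-07-20", "grantees": ["alice", "bob"]},
    {"account": "svc-ci-deploy", "last_rotated": "2024-11-02", "grantees": ["ci-pipeline"]},
    {"account": "admin@fw-edge", "last_rotated": "2025-06-30", "grantees": ["carol", "vendor-x"]},
]
CHECKOUTS = [  # (timestamp, privileged account, requesting identity; "" = unattributed)
    ("2025-08-01T09:12:00", "root@db01", "alice"),
    ("2025-08-03T22:40:00", "root@db01", ""),
    ("2025-08-10T02:05:00", "svc-ci-deploy", "ci-pipeline"),
    ("2025-01-15T11:00:00", "admin@fw-edge", "carol"),
]

def overdue_rotation(accounts, now=NOW):
    """Vaulted credentials that have not been rotated within the policy limit."""
    return [a["account"] for a in accounts
            if now - datetime.fromisoformat(a["last_rotated"]) > ROTATION_MAX]

def unattributed_sessions(checkouts):
    """Privileged checkouts that cannot be tied to a specific user or service."""
    return [(ts, acct) for ts, acct, user in checkouts if not user.strip()]

def stale_grants(accounts, checkouts, now=NOW):
    """Grants with no attributed use inside the review window: candidates for
    removal at the next access certification."""
    last_use = {}
    for ts, acct, user in checkouts:
        when = datetime.fromisoformat(ts)
        if user and when > last_use.get((acct, user), datetime.min):
            last_use[(acct, user)] = when
    cutoff = now - REVIEW_WINDOW
    return [(a["account"], g) for a in accounts for g in a["grantees"]
            if last_use.get((a["account"], g), datetime.min) < cutoff]

if __name__ == "__main__":
    print("Rotation overdue:     ", overdue_rotation(ACCOUNTS))
    print("Unattributed sessions:", unattributed_sessions(CHECKOUTS))
    print("Grants to re-certify: ", stale_grants(ACCOUNTS, CHECKOUTS))
```
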


Tuesday, October 15, 2024

Risk Assessment & Quality Control Procedure For Access Control System


A security risk assessment plays a critical role in evaluating the vulnerabilities and potential risks associated with access control systems. Our expertise in premises security allows us to assist organizations in identifying, analyzing, and implementing effective security controls to safeguard their assets.

When conducting a risk assessment, several factors come into play, including the size of the organization, its growth rate, available resources, and the nature of its asset portfolio. By conducting a comprehensive security assessment, we help organizations identify their critical assets, assess potential risks, implement mitigating controls, and proactively prevent threats and vulnerabilities.

Industries such as healthcare, finance, and government have specific regulatory requirements, such as HIPAA, PCI-DSS, and Sarbanes-Oxley Audit Standard 5, that mandate security risk assessments. With our expertise, we can ensure that your organization complies with these regulations while enhancing the overall security of your access control systems.

Quality Control Procedure For Access Control System

1.0   SCOPE:

This procedure applies to all inspection activities related to the monitoring and measurement of products and processes for the installation or testing of the subject activity, where applicable for the project, and is applicable to:

 

·        Method Statement.

·        Quality Control Procedure.

·        Inspection and Test Plans.

·        Risk Assessments

·        FORMS.

 

2.0   PURPOSE:

The purpose of this procedure is to:

o   Identify the processes / products that are to be installed before they are used in the intended application.

o   Define the methods to verify the quality of products and ensure that products that meet the stated requirements are only used in the intended application.

o   Define the responsibilities of concerned personnel related to quality control processes.

 


3.0   REFERENCES

 

Project Quality Plan

Material Approvals

4.0   DEFINITIONS:

PQP: Project Quality Plan.

PSP: Project Safety Plan.

QCP: Quality Control Procedure.

HSE: Health, Safety and Environment.

MS: Method Statement.

ITP: Inspection Test Plan.

QA/QC: Quality Assurance / Quality Control Engineer.

SK: Store Keeper.

WIR: Work Inspection Request.

MIR: Material Inspection Request.

MAR: Material Approval Request.

       

 

5.0 RESPONSIBILITIES:

 

5.1 Project Manager

 

-   The Project Manager has overall responsibility for the project in terms of work execution, safety, planning & quality. The Project Manager will maintain the planning progress and coordination of works with the main contractor.

-   The work progress shall be carried out as per the planned program, and all the equipment required to execute the works shall be available and in good condition as per the project plan.

-   Specific attention is paid to all safety measures and quality control in coordination with Safety Engineer and QA/QC Engineer and in line with PSP and PQP.

5.2 Construction Manager

 

-        The Construction Manager is responsible for supervising and controlling the work on site.

-        Coordinating with the QA/QC Engineer, site team and foremen for all activities on site.

-        Control and sign all WIRs before issuing them for Consultant approval.

5.3 Site Engineer

 

-   The method statement for the system shall be implemented according to the Consultant project specifications and approved shop drawings.

-   Provision of all necessary information and distribution of responsibilities to his Construction team.

-   The work progress shall be monitored in accordance with the planned work program and he will provide reports to his superiors.

-   The constant coordination with the Safety Engineer to ensure that the works are carried out in safe working atmosphere.

-   The constant coordination with the QA/QC Engineer for any works to be carried out and initiate for the Inspection for the finished works.

-   He will ensure the implementation of any request that might be raised by the Consultant.

-   Efficient daily progress shall be obtained for all the equipment and manpower.

-   He will engage in the work and check the same against the daily report received from the Foremen.

-   The passage of all the revised information to the Foremen and ensure that it’s being carried out properly.

5.4 QA/QC Engineer (MEP):

 

-   The monitoring of executions of works at site and should be as per the approved shop drawings and project specifications.

-   Ensure WIRs and MIRs are being raised for activities in timely manner and inspected by the Consultant.

-   Check and ensure that all activities / work are done / completed prior to offering them for Consultant inspection.

-   He will follow and carry out all the relevant tests as per project specifications.

-   Obtain the required clearance prior to Consultant’s inspections.

-        Should acquire any necessary civil works clearances and coordination.

-        Coordinate with site construction team.

-        One who will assist the Consultant Engineer / Inspector during inspection.

5.5 Site Foreman

 

-   The carrying-out of work and the proper distribution of all the available resources in coordination with the Site Engineer on a daily basis.

-   Daily reports of the works are achieved and coordinated for the future planning with the Site Engineer.

-   Incorporate all the QA/QC and Safety requirements as requested by the concerned Engineer.

-   Meeting with any type of unforeseen incident or requirement and reporting the same to the Site Engineer immediately.

5.6 Safety Officer

 

-   The implementation of all safety measures in accordance with the HSE plan and that the whole work force is aware of its proper implementation.

-   The implementation of safety measures is adequate to maintain a safe working environment on the work activity.

-   Inspection of all the site activities and training personnel in accident prevention and its proper reporting to the Construction Manager and the Project Manager.

-   The site is maintained in a clean and tidy manner.

-   Ensure only trained persons shall operate the power tools.

-   Ensure all concerned personnel shall use PPE and all other items as required.

-   Ensure adequate lighting is provided in the working area at night time.

-   Ensure high risk elevated areas are provided with barricades, tape, safety nets and ladders.

-   Ensure service area/inspection area openings are provided with barricade, tape, and safety nets.

-   Ensure safe access to site work at all times.

5.8   Store Keeper (SK)

 

-   Responsible for overall Store operations, making sure that material delivered to the site is stored in a suitable area that will keep it safe from rust and damage.

-   One who will acknowledge the receiving of materials at site in coordination with QA/QC and concerned Engineer.

5.9   Emergency Absence

-   If the QA/QC Engineer is not available, an adequate QA/QC Engineer will be responsible for quality control activities.

-   If the P.M. is not available, the Construction Manager will be responsible for all of his activities.

-   If the HSE Engineer is not available, an adequate HSE Engineer will be responsible for safety activities.

-   If the Engineer is not available, the Construction Manager will assign his duties to the concerned supervisor, foreman or alternate Engineer.

-   Replacing staff, in case of absence, with another designation can be accepted only for a minimum period of days absent; otherwise the Contractor shall replace the relevant person with the same designation, which requires approval from the CONSULTANT.

6.0  PROCEDURE:

-   Check that all the following documentations have been approved by the Consultant to proceed with the installation activities:

 

·  Quality Control Procedure     

·  Method Statement                 

·  Inspection Test Plan              

·  Check List                                        

·  Risk Assessment                                           

·  Shop Drawing Submittals related to work

 

-   Check all the delivered materials are inspected and approved by the Consultant’s Engineer.

-   Ensure that the respective work area has been cleared by previous trades for start-up installing the system.

-   Ensure that the installation of the material is as per approved shop drawings, approved method statement, Manufacturer’s recommendation, and prevailing quality standards.

-   Ensure the following checks are performed during the installation progress:

-   Check all materials are as per approved submittal.

-   Check all Material are installed as per approved shop drawings.

-   Check if coordinated with other services.

-   Check installation if it is carried out as per approved method statement.

-   Check that the system is checked and approved by the Consultant.

-   Ensure WIRs are issued on time without delay. (Min. 24 Hours notice for site inspection).

-   Ensure all inspection is performed as per approved Inspection Test Plan.

-   Check ITP, Check List, WIR, and NCR (if any) are signed off and cleared by the Consultant Engineer.


7.0 ATTACHMENTS

7.1 Method Statement                                   

7.2 Inspection and Testing Plan                                               

7.3 Check List for Installations

7.4 Risk Assessment                                                   

7.5 Attachments:

7.5.1 Manufacturer recommendations.

7.5.2 Emergency Evacuation Plan.

7.5.3 Technical Details.