Access Control-Your Ultimate Security Bouncer by Ruchira Pokhriyal


Video Transcription

So today we have a very interesting topic. If you are just starting to learn more about cybersecurity, or just getting started with granting access to people in your group or organization, this topic is for you. Access control, as you know, is a part of our everyday life, and it is also a very integral component of data security for your business. You can essentially make a very strong argument that the entire field of cybersecurity rests completely on identity verification and access control, and without these two functions almost no other security technique matters. Every other element of security essentially depends on the system identifying the user and then validating their permission to various objects. Access control applies to information technology in both the digital and physical realms, meaning it is as important to secure a server room with a lock as it is to secure the server itself with a password. If you are someone who is interested in learning more about this, this is the session for you. Before we dive deep into this, just a little introduction and information on how you can reach me. My name is Ruchira Pokhriyal.

I prefer the pronouns Sheene. My educational qualifications include a bachelor's degree and a master's degree in computer science, and I have another master's degree in cybersecurity. I started my career as a web application pen tester, and now I work as a cloud security specialist and volunteer incident responder at Amazon Web Services. You would often hear and see me advocate for diversity and inclusion, specifically LGBTQ visibility in tech as well as women of color in technology. I really like to give back to the community as much as I can, so I am associated with a few organizations. I have been a speaker and a member at WiCyS, which is Women in Cybersecurity. If you have not heard of this before, I definitely recommend that you check it out. Breaking Barriers Women in Cybersecurity and OWASP Women in AppSec: these are all organizations that focus on empowering women in tech and those looking to change their career path and migrate to tech.

My social media handles are on my screen. Feel free to take a note or a screenshot, and reach out to me whenever with any questions that you have. All right, so let's get started. What exactly is access control? A very basic and technical definition of access control would be that it is a process or system that governs how and who has access to enterprise resources and its physical settings, data, applications and communication channels. What it means is that access control is a fundamental component of data security, which dictates who is allowed to access and use certain information and resources. It is a method of guaranteeing that users are who they say they are, and that they have the appropriate access to the company data on a need basis. This is done through authentication and authorization, the two techniques which we will see in the next slide. Through authentication and authorization, certain access control policies will make sure that users are who they say they are and that they have the required access to the data that they need. It is very important to know that access control does not just apply to securing access to our digital assets. It is literally all around us.

You know that if you live in an apartment, you'll be the only one with the main key to your apartment. Your management has a backup key in case you lose access to yours, and you are the main entity granting temporary access to people like friends and relatives. Now, how would you feel if a relative, let's say your aunt Karen, has a key to your apartment and she comes over and decides to never leave? She is now slowly taking over all of your assets, calling your parents behind your back and trash talking about you. What would you do? I hope this analogy helped you get a little idea of why access control is so important and why it is important to secure your data, just like your keys. So what are the main components of access control? At a very high level, access control is about restricting access to a resource, and any access control system, whether physical or logical, has these five main components. The first one is authentication, which is the act of providing a kind of assertion, such as the identity of a person or computer user.

It might involve validating somebody's personal identity with personal documents, or verifying the authenticity of a website with a digital certificate. It could also mean checking login credentials against the stored details of a user. The next component is authorization, which is the function of specifying access rights or privileges to a particular user or resource. For example, an organization will have several different departments, and someone from the human resources staff would normally be authorized to access employee records. This policy is usually formalized as an access control rule in a computer system.

Now, somebody from the finance department might have access to the organization's financial documents. But if I'm not a part of that organization, if I'm just a regular user logging in and looking at the company website, I will neither have authorized access to employee records nor any access to the financial records of the organization. So that is dividing or prioritizing access based on your role in the organization. The next component is access, which means that once you're authenticated as well as authorized, the user or the computer system can access that particular resource. The next component is called manage, which means managing an access control system, and it includes adding as well as revoking authentication and authorization of users or systems. Some systems will sync with G Suite, your Active Directory or another directory, streamlining the management process.

The final one is called audit, and it is frequently used as part of access control to ensure the principle of least privilege, because over time users can end up with access they no longer need. For example, once they change their roles, or when a user decides to move to another company. In those cases, audits are really required to minimize the risk of granting any unauthorized access or privileged access to a user who is no longer in the organization.

So these were the components of access control that function all together: authentication, authorization, access, manage and audit. These are all the components of access control that we have to keep in mind while we are defining policies for an organization. Even if one of these components is missing, your access control policies are not super secure. So how does access control even work? Like I mentioned in the previous slide, access control is not just limited to securing your digital assets. It's also very important, but almost always forgotten, that physical access control also plays a big role in securing your organization. So let's start with that.

Access control is split into these two groups, which are designated to improve your physical security or your cybersecurity. A logical access control system has the ability and means to allow or deny logical or computer-based access to your data of one kind or another. Logical access control typically pertains to the confidentiality part of the CIA triad, and it makes sure that only the people who should have access to something are the ones who actually have access to that data set. One simple example of logical access control is a firewall. A firewall is a network security device that monitors incoming and outgoing traffic and decides whether to allow or block specific traffic based on a very defined set of security rules.

These security rules are often defined by the admin, which would be you in that case. Moving on to physical access control: a physical access control system has the ability and the processes to grant and deny physical access to locations within a building, a company, or even a room at a company. Techniques for physical access control can include things like RFID picture ID badges, badges that must be worn and displayed by employees throughout your office. This is required to separate controlled entry points from the server room. I know that if I have to visit my office physically, I always have to carry my badge with me. That is the way I authenticate, and I get authorized as a user to enter the building. Without my ID, I don't get access, and that is very much required to prevent any kind of unauthorized user from entering the office premises, because if they do, they put at risk not just the security of the employees but also the resources within that building. While historically all the methods of a physical access control system consisted of keys and locked doors, today we have much more high-tech options. You'll probably notice password-protected doors in public places like Airbnbs.

The door restricts access to only those with the correct password, which is an effective means of safeguarding a location that contains or houses any sensitive information.

So what are some examples of access control, and why exactly do you need it? You need it for account management, for mapping certain user rights to business and process requirements. Access control mechanisms are required to enforce policies over the flow of information.

It limits the number of concurrent sessions. It locks your sessions and terminates your session after a period of inactivity. Another example would be restriction of access after a certain time of the day. You've noticed that if you enter an incorrect password, let's say more than three times, you are logged out of that system. That is nothing but your access control. Now, there are various types of access control mechanisms. Because we are running short on time, we will just be discussing a few. These are the ones which are most popular and used a lot, but there are definitely more access control mechanisms than this. The first one is role-based access control, or RBAC. RBAC is one of the most widely used access control mechanisms. As the name suggests, in this access control mechanism, access as well as permissions are granted based on individuals and groups with a particular prescribed role or very well defined specific business functions. By doing this, you don't have to specify permissions for each person in an organization individually.

For instance, with this approach you can make it so that only those in, let's say, admin and HR have access to customer records, while other groups such as finance or the cybersecurity team or incident response team won't. The next one is rule-based access control, which manages access to areas, devices, databases or any kind of sensitive data according to a predetermined set of rules or access permissions. These rules are also defined by the admin, and they are defined regardless of a user's role or position in the organization. This is how it's different from role-based access control: rule-based access control is based on a certain set of predetermined rules and not roles.

For example, in a rule-based access control setting, an admin might set access hours for regular business days. A person or an employee cannot gain entry into your building outside of office hours, let's say 9 a.m. to 5 p.m. So after 5 p.m., if you try to access the office building, even if you have all the means to authorize yourself, like a card to enter the building, you won't be able to. The next one is discretionary access control, or DAC. DAC is a type of access control in which the owner or admin of a file or a system chooses who has access, and what kind of access, to this object on an individual basis. In other words, it's up to the owner's discretion, and that can be used, but is not always, in conjunction with RBAC. The next one is mandatory access control. It is a non-discretionary type of access control where a central security authority controls access to resources based on security classifications. In this kind of system, a user may not have any power to modify a file or resource; even if they are technically the owner, they will not have the authority to modify the file. This kind of system is typically used by government or military organizations that deal with really sensitive or top secret data.

Mandatory access control is the strictest of all access control mechanisms, and it is basically required where alteration and modification of information is not tolerated at all. The next access control mechanism is ABAC, or attribute-based access control. It is an authorization model which evaluates attributes, and by attributes I mean characteristics; it evaluates characteristics or attributes rather than roles to determine what kind of access is supposed to be granted. The purpose of attribute-based access control is to protect resources or objects such as network devices, data and any kind of IT resources from unauthorized users as well as actions. Any actions that do not have an approved characteristic defined by the organization's security policy will be denied by an ABAC control system. An example of ABAC would be allowing only users who are, let's say, type equal to employee and have department equal to HR to access the HR payroll system, and only during business hours within the same time zone as the company. So let's say if I have in my policy type equal to employee but I do not have department equal to HR, I will not have access to the HR payroll system.
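As an added example that is not part of the talk, here is the payroll rule just described written as a small attribute-based policy evaluator. The attribute names (type, dept), the resource name "hr-payroll", the 9-to-5 window and the fixed-offset company time zone are assumptions; the evaluator denies by default and returns the reasons for every decision so they can be written to the audit log.

```python
"""Attribute-based access control (ABAC) evaluator for the HR payroll rule.

Added example, not from the talk. Attribute names (type, dept), the resource
name "hr-payroll", the 9-17 business window and the company time zone are
assumptions. Default decision is deny; every decision returns its reasons so
they can go to the audit log (the "audit" component of access control).
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Callable, Dict, List, Tuple

# Assumed company time zone as a fixed UTC offset so the example runs without
# a tz database; a real deployment would use zoneinfo.
COMPANY_TZ = timezone(timedelta(hours=-8), name="company-local")
BUSINESS_START = time(9, 0)
BUSINESS_END = time(17, 0)


@dataclass(frozen=True)
class Request:
    """What the policy decision point evaluates: subject, resource, action, context."""
    subject: Dict[str, str]   # subject attributes, e.g. {"type": "employee", "dept": "hr"}
    resource: str             # e.g. "hr-payroll"
    action: str               # e.g. "read"
    now: datetime             # timezone-aware time of the request
    client_tz: timezone       # time zone the client is operating in


# A rule maps a request to (satisfied, human-readable reason).
Rule = Callable[[Request], Tuple[bool, str]]


def is_employee(req: Request) -> Tuple[bool, str]:
    value = req.subject.get("type")
    ok = value == "employee"
    return ok, f"type={value!r} " + ("ok" if ok else "is not employee")


def in_hr_department(req: Request) -> Tuple[bool, str]:
    value = req.subject.get("dept")
    ok = value == "hr"
    return ok, f"dept={value!r} " + ("ok" if ok else "is not hr")


def during_business_hours(req: Request) -> Tuple[bool, str]:
    # Convert the request time into company-local time before checking the window.
    local = req.now.astimezone(COMPANY_TZ)
    ok = local.weekday() < 5 and BUSINESS_START <= local.time() < BUSINESS_END
    return ok, f"company-local time {local:%a %H:%M} " + ("within" if ok else "outside") + " business hours"


def same_time_zone_as_company(req: Request) -> Tuple[bool, str]:
    ok = req.client_tz.utcoffset(req.now) == COMPANY_TZ.utcoffset(req.now)
    return ok, "client time zone matches company" if ok else "client time zone differs from company"


# Policy: resource -> action -> rules that must ALL hold for a permit.
POLICY: Dict[str, Dict[str, List[Rule]]] = {
    "hr-payroll": {
        "read": [is_employee, in_hr_department, during_business_hours, same_time_zone_as_company],
    },
}


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Return (permit, reasons). Anything not explicitly permitted is denied."""
    rules = POLICY.get(req.resource, {}).get(req.action)
    if rules is None:
        return False, [f"no policy for {req.action} on {req.resource}: default deny"]
    permit, reasons = True, []
    for rule in rules:
        ok, reason = rule(req)
        reasons.append(reason)
        permit = permit and ok   # keep evaluating so the audit entry lists every attribute
    return permit, reasons


def decide(subject: Dict[str, str], when_iso: str, client_utc_offset_hours: int,
           resource: str = "hr-payroll", action: str = "read") -> Tuple[bool, List[str]]:
    """Build a Request from plain values (ISO-8601 time with offset) and evaluate it."""
    req = Request(subject, resource, action, datetime.fromisoformat(when_iso),
                  timezone(timedelta(hours=client_utc_offset_hours)))
    return evaluate(req)


if __name__ == "__main__":
    # Constructed sample requests on a Tuesday at 10:00 company-local time.
    hr_user = {"type": "employee", "dept": "hr"}
    finance_user = {"type": "employee", "dept": "finance"}
    for who, offset in ((hr_user, -8), (finance_user, -8), (hr_user, +1)):
        permit, why = decide(who, "2024-03-12T10:00:00-08:00", offset)
        print("PERMIT" if permit else "DENY  ", who, "|", "; ".join(why))
```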

The final access control system that I want to discuss is a little different and contradictory to what we have discussed. It is called break glass access control. In computing, break glass is the act of checking out a system account password to bypass the normal access controls and procedures. But this is done only in an emergency or a very critical situation, and it provides the user immediate access to an account that they may not normally be authorized to access. This method is generally used for the highest level system accounts, such as root accounts for Unix or any kind of database. Break glass is a very quick means for extending a person's access rights in exceptional cases, and it should only be used when normal processes are insufficient to get you the exact access you need. For example, there is an emergency but the help desk or system administrator is unavailable and there is a data breach, or in the case of healthcare systems, where inability to access a patient's records can cause serious problems for the patient.

These are the different types of access control. I'll quickly minimize my screen to see if we have any questions.

Yeah. Okay. No questions yet.

All right. I think we have discussed it in brief, but why is access control so important? I would always recommend everyone to keep in mind that access control does not just pertain to securing your digital access; your physical access control is very important too. A small analogy to this is when we leave our apartment to go to our office. We don't leave our doors unlocked, right? We lock our doors, we make sure that the gas is not turned on, the lights are not turned on, the windows are all shut. We make sure that everything is secure before we leave our apartment or our house. We make sure that our digital assets are secure by not sharing our work laptop or work computer with anybody else, or by protecting all the sensitive files that are in there. This is why it's always equivalent to your own safety, and to securing the devices and any other resources that belong to your company. So always keep in mind that physical access control is as important as digital access control. Physical access control, like I said, is very important for organizations specifically because it enables them to protect the employees and provide a safe working environment.

This is done by restricting unauthorized access, and it also helps reduce theft. A combination of physical and digital control methods is preferred, or is always better, because it eliminates the problem of keys: no more keys. You don't have to use any kind of physical keys anymore if you have a digital access control system in place. Biometrics, or just scanning your card, which is RFID, make carrying a key unimportant. You can just swipe your cards, tags, fingerprints, even your mobile phone, and every access is logged, protected and recorded in a good physical or digital access control system. A good physical access control system will also have the provision to report certain things, such as allowing you to see who is where in your building in case of an emergency, if you need to check the logs. Again, access control keeps confidential information such as your customer data, PII and intellectual property from falling into the wrong hands. Access control is particularly important for organizations with a hybrid cloud or multi-cloud environment, where resources, your data and apps, reside both on premise and in the cloud. A solid access control strategy will provide such hybrid organizations with seamless on-premise to cloud migration, keeping all the resources protected.

Depending on your organization, access control may be a regulatory compliance requirement. You have to make sure that you comply with PCI DSS, the ninth requirement of which says that your organization is required to control physical access for visitors, media and any on-site personnel to the building, and organizations under the PCI DSS requirements must use decent logical access controls to reduce cybersecurity risk and the risk of any sensitive data getting stolen. You have to comply with HIPAA, which means that any covered entities plus relevant business associates must prohibit unauthorized access to protect any kind of health information. I think that's the one which everybody knows: health information is private and should not be shared.

Some others are SOC 2, which is for third-party vendors and service providers; they must protect customer and employee privacy by preventing data breaches, and this can be done via encryption. ISO 27001 is an information security standard which mandates management to audit all of their organization's vulnerabilities and cyber threats. These are all the regulatory compliance requirements. If your organization falls into any of these categories, let's say healthcare, you have to comply with these standards, which all recommend access control as a mandatory requirement. So now that we have learned a lot about the basics of access control systems, let's see the type of attacks that you can face if your access control policy is not strong enough. Honestly, there are several attacks that fall under this category of access control attacks. I have picked a few access control attacks that are most common and are seen in systems, but there are definitely many more than this. Let's talk about exposure of unauthorized content. Again, with exposure of unauthorized content, there are different categories of attacks, so this makes it very complicated.

But in a general sense, the basic definition of an exposure of unauthorized content attack would be that an adversary can cause errors to occur by submitting unusual requests to the web application. If you do not have a properly configured access control policy in place, the responses to these errors can reveal detailed system information, such as the technologies in use, operating systems and product versions, to tune the attack against known vulnerabilities in those technologies.

By gaining access to any kind of sensitive information in error messages, an attacker can deny services, cause security mechanisms to fail, and may even crash your system. Again, there are several different categories of attacks under exposure of unauthorized content: network sniffing, and particularly capturing user credentials and keystroke monitoring. Sniffing is when packets passing through a network are monitored, captured and sometimes analyzed.

It can be used for both good and evil. For example, your system administrator might use sniffing to troubleshoot or analyze the network or to perform research for defense. On the other hand, hackers will use the same technique to perform man-in-the-middle attacks, which are attacks that aim to steal your sensitive information by monitoring the flow of your packets: bank details, account credentials or other personally identifiable data that could potentially even lead to identity theft. An example of this would be a hacker or adversary injecting a piece of malicious code on a checkout page; they can simply create the code themselves or even buy it from an underground hacking forum, and they can very easily Google it. If a user logs into their bank account and types their credit card details on the checkout page, the script can secretly listen in, because it could be a keylogger, and then send this information straight to the adversary. The adversary can then use the victim's card details, which they have captured using keystroke monitoring, to steal their money, and not just steal their money but sell this data on the dark web, where it can be used by other adversaries or money launderers.

The most well-known access control attack types are phishing as well as privilege escalation. Let's say a well-crafted email with the subject line "2011 recruitment plan" or "2012 recruitment plan". I believe you all have heard of this attack; if not, let's go into the details. This very subject line caused a massive breach at RSA, targeting several RSA employees, and it was essentially retrieved from a junk mail folder. Upon opening this email, titled 2011 recruitment plan, it actually contained a virus that led to a very sophisticated attack on the company's information system. This email had an Excel sheet attached, and the Excel sheet contained a zero-day exploit that led to the installation of a backdoor virus which exploited an Adobe Flash vulnerability, and Adobe has since patched it. In this case, the attacker initially was able to harvest access credentials from the compromised employee or employees and then perform privilege escalation on non-administrative users in the targeted and captured system. Then this attack moved on to gain access to key high-value targets, which included process experts and IT and non-IT specific server administrators.

This is a very critical attack which did not actually target any high-level employees in the system. It started with regular employees and then slowly built up and gained all the privileges to reach the high-level employees and damage them. The next one I want to discuss here is a denial of service attack. It is an attack which is meant to shut down a machine or network, making it inaccessible to its intended users, which is why this falls into the category of access control as well, because the attack is trying to deny or shut down access for everybody who needs access to it.

A denial of service, or DoS, attack accomplishes this by flooding the target with traffic or sending it information that triggers a crash. In both these instances, the DoS attack deprives legitimate users of access to the service that they are expected to access. A buffer overflow attack is also the most common type of DoS attack. The concept in a buffer overflow attack is to send more traffic to a network address than the programmers have built the system to handle. It includes the attacks that we will discuss now, in addition to others that are designed to exploit bugs specific to certain applications or networks. A SYN flood attack is a TCP attack: a TCP SYN flood DoS attack occurs when an attacker floods the system with SYN requests in order to, just like other denial of service attacks, because this is a subtype, overwhelm the target and make it unable to respond to new and real connection requests.

It drives all of the target's service communication ports into a half-open state. To learn more about TCP SYN flood attacks or to understand them better, I recommend looking into the TCP handshake and what a half-open connection state means. Moving on to tailgating and piggybacking: really simple tasks to carry out, but very dangerous. Tailgating represents a situation where an individual without access authorization closely follows an authorized person into a reserved area. In this case an adversary takes advantage of the moment when the authorized person opens the door with their badge; the adversary just sneaks inside before the door closes. Piggybacking is a very similar attack that represents the situation when someone accesses a reserved area with permission obtained from the authorized person themselves. In many situations we are trying to be good people, good humans, holding doors for others. It's really recommended to make sure that nobody follows you while you are entering authorized premises, even in your apartment complex. If you are holding doors for other people, make sure you don't do it unless you see their key in their hand. Just a small example: the other day I was carrying a lot of stuff in both my hands. I still had the key, and somebody just opened the door for me.

I made sure that I showed them the key to make them more comfortable that, hey, I am actually an authorized person here. Otherwise it could just be somebody who could pose a risk to where you live and to any other authorized locations, such as your workplace. After discussing the types of access control attacks, let's see how OWASP rates it. Broken access control moved up from the fifth position; 94% of applications were tested for some form of broken access control, and the 34 Common Weakness Enumerations mapped to broken access control had more occurrences in applications than any other category.

This is the 2017 versus 2021 comparison of the OWASP list, and as you can see in this picture, broken access control moved to first place in 2021, which is actually really scary. Let's actually look at some famous examples of broken access control. There have been several instances in which this vulnerability has led to real-world consequences. A popular example: in August 2015, a security researcher named Laxman Muthiyah found a Facebook vulnerability that allowed them to become the administrator of any Facebook page.

Note that this vulnerability has been patched already, and this is just a popular example; I'm not shaming Facebook or any other organization here. This attack was carried out by making a POST request to a vulnerable API endpoint of Facebook. The request is on the screen, which you can take a screenshot of and just look at. In this case, anyone could use graph.facebook.com/<page ID>/userpermissions. You could use this API endpoint to edit your own permissions for a page. A user who is not already an admin should not even have access to this ability to elevate other users' privileges. However, it appears that this endpoint was not properly configured to prevent this from happening. This is an excellent and popular real-world example of broken access control; it's actually quite simple if you analyze this request. The other example that I want to discuss is vertical privilege escalation, a broken access control vulnerability which results in vertical privilege escalation like we saw in the previous slide. In this particular example, we are going to discuss a settings page.

There's a screenshot of a settings page of a lower-privileged user, and this was exploited to gain administrative privileges on a web application. This was simply done by modifying the request as well. The POST request was being sent to an API which was meant to be used to save any changes the user made to their profile. As you can see, this POST request contains various fields containing information about the user, including the level of access that they have. When the request goes through, this information is saved for that particular user in the API, and some of these parameters, such as the user role value, are not able to be edited via the application's user interface. However, this request can be intercepted using a proxy such as Burp Suite, and it can then be modified to have all of these values changed, which is really dangerous. The most important value that can be changed here is the user role parameter. Using a proxy tool, you can then send this request to the API instead. If you noticed, I have simply modified the user role from regular user to admin, and this small change from user to admin has now elevated my role to admin user on the application.

In turn, this has allowed me to view and modify data that was created previously and which I did not have access to. In such attacks, a normal user should not be able to modify such an important field on the API endpoint; instead, even if an adversary tries to modify this field and save it, they should be met with an error when attempting to do so. This field was essentially only protected on the application's user interface, but not on the actual API endpoint which stored this information. So securing the API endpoint and protecting it is also a very important example of access control. These are all the examples and basics of access control which we had for this presentation. Before we end, let's go through some best practices of access control that you can potentially implement. The first and most important access control best practice, which you can probably even guess, is following the principle of least privilege. The principle of least privilege is the idea that any user, program, resource, process, anything, should have only the bare minimum privileges necessary to perform its function.
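As an added example that is not part of the talk, the profile-save endpoint from the walkthrough above is shown two ways: the vulnerable handler copies every field of the POST body onto the stored user, so the user role flipped in the proxy is honoured, while the hardened handler enforces the check on the server (the profile endpoint never accepts a role field, and role changes go through a separate handler that trusts only the caller's stored role). The field names, the roles "user" and "admin", and the in-memory store are assumptions.

```python
"""Profile-save API from the vertical privilege escalation walkthrough, two ways.

Added example, not from the talk. Field names (username, email, user_role), the
roles "user"/"admin" and the in-memory store are assumptions. The vulnerable
handler trusts the request body because the UI never exposes user_role; the
hardened handler makes the decision server-side from the session's stored data.
"""
from typing import Any, Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, Any]]          # (HTTP status, JSON body)
Store = Dict[str, Dict[str, Any]]

SELF_EDITABLE = {"username", "email"}          # what the settings page lets a user change
SERVER_OWNED = {"user_role"}                   # set only by privileged server-side logic
VALID_ROLES = {"user", "admin"}

AUDIT_LOG: List[str] = []                      # stands in for the security event sink


def fresh_store() -> Store:
    """Constructed in-memory user table standing in for the database."""
    return {
        "u100": {"username": "alice", "email": "alice@example.test", "user_role": "user"},
        "u1": {"username": "ops-admin", "email": "admin@example.test", "user_role": "admin"},
    }


def save_profile_vulnerable(store: Store, session_user_id: str, body: Dict[str, Any]) -> Response:
    """BEFORE: the field is protected only in the UI, not on the endpoint (broken access control)."""
    user = store[session_user_id]
    user.update(body)        # mass assignment: user_role from the tampered request lands here
    return 200, {"status": "saved", "user_role": user["user_role"]}


def save_profile_hardened(store: Store, session_user_id: str, body: Dict[str, Any]) -> Response:
    """AFTER: authorization enforced on the endpoint, independent of the UI."""
    user = store[session_user_id]
    privileged = set(body) & SERVER_OWNED
    if privileged:
        # A field the UI never emits is a strong tamper signal: refuse and record it.
        AUDIT_LOG.append(f"user={session_user_id} attempted to set {sorted(privileged)}")
        return 403, {"error": "forbidden", "fields": sorted(privileged)}
    unknown = set(body) - SELF_EDITABLE
    if unknown:
        return 400, {"error": "unknown fields", "fields": sorted(unknown)}
    user.update(body)        # only allow-listed fields reach the store
    return 200, {"status": "saved", "user_role": user["user_role"]}


def set_user_role(store: Store, session_user_id: str, target_user_id: str, new_role: str) -> Response:
    """Separate admin-only handler: the decision uses the caller's STORED role, never the request."""
    if store[session_user_id]["user_role"] != "admin":
        AUDIT_LOG.append(f"user={session_user_id} attempted role change on {target_user_id}")
        return 403, {"error": "forbidden"}
    if new_role not in VALID_ROLES or target_user_id not in store:
        return 400, {"error": "bad request"}
    store[target_user_id]["user_role"] = new_role
    return 200, {"status": "saved", "user_role": new_role}


def replay_tampered_request(handler: Callable[[Store, str, Dict[str, Any]], Response]) -> Tuple[int, str]:
    """Replay the intercepted POST body (user_role flipped to admin in the proxy)
    against a handler on a fresh store; return (status, alice's stored role)."""
    store = fresh_store()
    # Constructed body as it left the browser for alice, with user_role added in the proxy.
    tampered_body = {"username": "alice", "email": "alice@example.test", "user_role": "admin"}
    status, _ = handler(store, "u100", tampered_body)
    return status, store["u100"]["user_role"]


if __name__ == "__main__":
    for h in (save_profile_vulnerable, save_profile_hardened):
        status, role = replay_tampered_request(h)
        print(f"{h.__name__}: status={status} stored role={role}")
    print("audit:", AUDIT_LOG)
```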

For example, a user account is created for pulling records from a database. It does not need admin rights. Another example: a programmer whose main function is updating lines of legacy code does not need access to financial records. Always start with the bare minimum access and then grant more based on need. Do not grant all access and then decide to reduce or revoke access; always start with the bare minimum. The next is developing a zero trust approach to security. Zero trust security is an IT security model that requires very strict identity verification for every person and device which is trying to access a resource on a private network, regardless of whether they are sitting within or outside the network perimeter. It's very important to identify and verify where the request is coming from, which part of the world it is from, and whether it is an authorized request or not. Always utilize multi-factor authentication; I cannot stress this enough. I've seen several accounts, Facebook accounts, Instagram accounts, getting hacked only because people did not have multi-factor authentication enabled. More often than not, the success of access control attacks is rooted in the lack of identity and access management, or IAM for short.

IAM is something that facilitates the management of digital identities, so definitely look that up if you're not aware of what IAM is. One way to strengthen identity and access management is through the utilization of a multi-factor authentication system. Any organizations or companies that use single-factor authentication systems are comparatively vulnerable to security threats. The next best practice that I have is implementing a strong password policy. Again, very basic, but often ignored. It's fundamental to educate employees about the importance of strong passwords.

It's the organization's responsibility to enforce it as well, and this can be done easily by implementing a strong policy which will be able to direct the use of passwords and the regular update of passwords within the company. That said, it is a great strategy for deterring the occurrence of access control password attacks. Believe it or not, there are attacks out there such as dictionary attacks, where adversaries will try to guess your password; if it's a common password found on the internet, your system will be compromised. So although changing or updating passwords regularly can be a pain, it's really important. If you are a person who does not remember your passwords or uses the same password for accessing multiple accounts, please don't do that: if one account is compromised, all of your other accounts will go too. I would not recommend writing passwords down on a piece of paper, but you can utilize password management applications which are out there, such as LastPass, which will help you look up your passwords in a secure manner so you don't have to remember them. Secure all your sensitive data files.

So aside from implementing a strong password policy, it's also essential for organizations to keep their password files secure. The best way you can do that is through encryption, utilizing, as I said, password managers; you can utilize a secrets manager as well. There are different secrets managers offered by different companies; definitely look that up. Classification of data is also very important in order to determine how to grant access to it. In different organizations, the sensitivity of data is defined or classified, and one of the most common classifications is defining data as public, private or sensitive. So make sure that your organization follows a data classification strategy. Automating onboarding and offboarding is very important.
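The two password points above, a policy that rejects weak and commonly guessed passwords and a password file that never holds plaintext, are illustrated together in the following added example, which is not part of the talk. The `check_password_policy`, `hash_password` and `verify_password` names, the `MIN_LENGTH` value and the tiny `COMMON_PASSWORDS` set are assumptions constructed for illustration; a real deployment would check against a full breached-password list. Hashing uses PBKDF2-HMAC-SHA256 from the Python standard library, with a random per-password salt, so a stolen password file cannot be read back directly and a dictionary attack has to be run per entry.

```python
"""Added example (not from the talk): a minimal password policy check and
salted password hashing for the stored password file.  The common-password
list and all names here are assumptions constructed for illustration."""
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample of commonly guessed passwords; stand-in for a real list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12


def check_password_policy(candidate: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if candidate.isdigit() or candidate.isalpha():
        problems.append("uses only one character class")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash.  The returned string carries the
    algorithm, iteration count and salt, so verification needs nothing else."""
    salt = salt or os.urandom(16)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery"):
        print(pw, "->", check_password_policy(pw) or "ok")
    stored = hash_password("correct-horse-battery")
    print("stored entry:", stored)
    print("verify:", verify_password("correct-horse-battery", stored))
```

Only the derived string is written to the password file; the plaintext is discarded immediately after hashing, and `hmac.compare_digest` avoids leaking, through timing, how many leading bytes of a guess matched.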

Organizations spend a large amount of time onboarding and offboarding employees, and if you are doing it manually, it can lead to incorrect access for users and a decline in productivity for the teams. So you could set up unique roles for account creation, updates as well as deactivation on each application, so you can grant access when a new employee joins and revoke access as soon as the employee leaves. Maintaining a centralized record of how a user got access to a particular resource is very important. So please make sure that you have an automated onboarding and offboarding process in place. It's very important as well to centralize your system. This is important because it will give you better visibility into the access control rules that you are defining, so you can gain perspective into who has access to what within your organization. Your organization again will need to select an IAM solution that brings a centralized view to your user identities. Similar to offboarding employees, carry out account lockout policies. Whenever this policy is carried out, typically the account is set to lock out users after three or five consecutive failed login attempts. This strategy will really prevent brute force attacks, and a brute force attack is where an adversary is trying to guess your password multiple times.

And if they're able to guess it on, let's say, the 10th or 12th attempt, your system will be compromised. So it's very important to limit that number so that your system is not compromised; limit it to three or five. Always routinely review and remove unused accounts and policies. An unused account which is not deprovisioned is an account that contains all the previous user's information but does not have a current user assigned. Such accounts could potentially allow attackers to gather account credentials and masquerade as an authorized entity, which can lead to security breaches and attacks. Similarly, the presence of an unused, overly permissive user could be unintentionally or even intentionally assigned privileges, and this will again lead to privilege escalation. So even if there is an unused user entity which has not been compromised by an adversary, it's possible that you may assign certain privileges to it, and that would lead to a privilege escalation, which is never safe. So it's very important to constantly check the permissions and access rights of all your resources in the system and deny permissions for those resources which are not being used anymore.
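The lockout policy from the previous paragraph (lock after a small number of consecutive failed logins, so a guess that would have succeeded on the 10th attempt is never evaluated) and the review of unused accounts just described are shown together in this added example, which is not part of the talk. The `Account` class, `attempt_login`, `find_dormant_accounts`, the 15-minute lock duration and the 90-day dormancy window are assumptions for illustration; the accounts are constructed sample data. The credential check itself is passed in as a boolean because it is performed elsewhere; the point here is that a locked account refuses even a correct password until the lock expires.

```python
"""Added example (not from the talk): consecutive-failure account lockout and
a dormant-account review over a constructed account store.  All names,
thresholds and sample accounts are assumptions chosen for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

LOCKOUT_THRESHOLD = 5                  # the talk suggests three or five attempts
LOCKOUT_DURATION = timedelta(minutes=15)
DORMANT_AFTER = timedelta(days=90)     # assumed review window for unused accounts


@dataclass
class Account:
    username: str
    created_at: datetime
    failed_attempts: int = 0           # consecutive failures since last success
    locked_until: Optional[datetime] = None
    last_login: Optional[datetime] = None


class AccountLocked(Exception):
    """Raised when a login is attempted against a currently locked account."""


def attempt_login(acct: Account, credential_ok: bool, now: datetime) -> bool:
    """Apply the lockout policy around a credential check done elsewhere.
    Returns True on a successful login, False on a failed one, and raises
    AccountLocked while the account is locked, regardless of the credential."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            # Locked: do not even consider the credential, correct or not.
            raise AccountLocked(f"{acct.username} locked until {acct.locked_until}")
        # Lock expired: clear it and start counting again.
        acct.locked_until = None
        acct.failed_attempts = 0
    if credential_ok:
        acct.failed_attempts = 0
        acct.last_login = now
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_DURATION
    return False


def find_dormant_accounts(accounts: List[Account], now: datetime) -> List[str]:
    """Return usernames with no login inside DORMANT_AFTER (never-used accounts
    are measured from creation), as candidates for the periodic removal review."""
    dormant = []
    for acct in accounts:
        last_activity = acct.last_login or acct.created_at
        if now - last_activity > DORMANT_AFTER:
            dormant.append(acct.username)
    return sorted(dormant)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)
    bob = Account("bob", created_at=now - timedelta(days=10))
    for _ in range(LOCKOUT_THRESHOLD):
        attempt_login(bob, credential_ok=False, now=now)
    try:
        attempt_login(bob, credential_ok=True, now=now + timedelta(minutes=1))
    except AccountLocked as exc:
        print("login refused:", exc)
```

Two details matter in practice: the counter tracks consecutive failures and resets on success, so an occasional typo does not accumulate into a lock, and the lock check runs before the credential check, so a brute-forcer gains nothing by continuing to submit guesses while the account is locked.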

Finally, restricting physical and electronic access to systems. Again, very basic, but it's an effective way that you can fend off access control attacks, by restriction of physical and electronic access. Do not keep doors open for others; they are for authorized professionals only. Make sure to close the doors behind you whenever you enter a building.

And that is a very basic and most important access control strategy. If somebody comes up to you and says, "Hey, can you please buzz me in? I forgot my badge," it is reasonable to say no; there is no shame. People will understand because you are just doing your job. So those are all the access control best practices that I have for you. There are some resources that I used to create this presentation, so definitely check these out, and I will be more than happy to take any questions from anyone at a later point in time. If you have my social media handles, please feel free to reach me, and I hope you gained a little from this presentation. In case of any questions, please feel free to reach out to me, and I hope all of you have a pleasant day. Thank you for joining. Bye bye.