#NSBCS.067 - Beyond the Lock: Integrating Access Control for Operational Resilience
Source: NSB Cyber
Access control is a crucial aspect of security, ensuring that only authorised individuals can access sensitive areas, data, and systems. Without effective access controls, organisations face risks such as data breaches, unauthorised access, and failure to comply with regulations. By integrating both physical and technical access control measures, businesses can effectively safeguard their assets while maintaining operational efficiency.
Implementing strong access control measures can benefit businesses in several ways:
Prevent unauthorised access to both physical locations and digital systems.
Ensure that employees, contractors, and third parties have access only to the information and resources they need.
Comply with regulatory requirements, including ISO 27001, GDPR, and NIST.
Reduce errors, security vulnerabilities, and administrative overhead.
Physical vs Technical Access Control
Effective access control includes both physical and technical measures:
Physical Access Control: Involves security measures such as key cards, biometric scanners, CCTV, PIN codes, and security personnel to prevent unauthorised individuals from entering buildings, data centres, or restricted areas.
Technical Access Control: Encompasses digital security measures, including Role-Based Access Control (RBAC), the Principle of Least Privilege (PoLP), Multi-Factor Authentication (MFA), and encryption to restrict access to networks, applications, and sensitive data.
Combining both ensures a layered security approach that protects against internal and external threats.
Role-Based Access Control (RBAC)
RBAC assigns permissions based on job roles, ensuring employees can access only what’s necessary for their duties. This simplifies administration, prevents excessive access rights, and enhances security.
For example, in a financial organisation:
A customer service representative can view account details but not approve transactions.
A finance manager can authorise payments but cannot modify IT settings.
An IT administrator can manage system settings but has no access to financial data.
By implementing RBAC, organisations reduce the risk of human error and limit the impact of compromised accounts.
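The three roles above, expressed as a deny-by-default RBAC policy with the check enforced where each action happens. This is an added illustration, not NSB Cyber's code; the role and action names are assumptions.

```python
# Added example (not NSB Cyber's code) modelling the roles above; names are assumptions.
from dataclasses import dataclass
from functools import wraps

# Role -> actions it may perform. Deny by default: anything not listed is refused.
ROLE_PERMISSIONS = {
    "customer_service": {"account:view"},
    "finance_manager": {"account:view", "payment:approve"},
    "it_admin": {"system:configure"},
}

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

DENIED_LOG = []  # in-memory audit trail of refused actions

def effective_permissions(user):
    """Union over the user's roles; an unknown role contributes nothing."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def is_allowed(user, action):
    return action in effective_permissions(user)

def requires(action):
    """Enforce the role check where the action happens and log every refusal."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not is_allowed(user, action):
                DENIED_LOG.append((user.name, action))
                raise PermissionError(f"{user.name} may not {action}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator

@requires("account:view")
def view_account(user, account_id):
    return f"account {account_id} shown to {user.name}"

@requires("payment:approve")
def approve_payment(user, payment_id):
    return f"payment {payment_id} approved by {user.name}"

@requires("system:configure")
def change_setting(user, key, value):
    return f"{key}={value} set by {user.name}"
```

The effective-permission set of a single account is also its blast radius if that account is compromised: a stolen customer service login still cannot approve a payment.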
Principle of Least Privilege (PoLP)
PoLP ensures users, applications, and systems operate with the minimum access necessary for their functions. This reduces the potential damage if credentials are stolen or misused.
Best practices for PoLP include:
Assigning only essential privileges.
Granting temporary access when elevated permissions are required.
Automatically revoking elevated access once tasks are complete.
Enforcing MFA for high-risk accounts.
Regular Reviews and Revocation
Access permissions should never be static. Employees frequently change roles, and contractors may no longer require access after completing projects. Regular reviews help prevent excessive permissions from accumulating over time.
Key steps include:
Conducting periodic access audits.
Automating account provisioning and de-provisioning.
Immediately revoking access when an employee leaves the company.
Failure to review and revoke access can leave former employees or other unauthorised individuals with access to sensitive data, increasing the risk of insider threats and breaches.
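The PoLP and review steps above, worked through in code: elevated access is granted only for a bounded window, expired elevations and leavers drop out of the effective role set automatically, and a periodic audit flags what still needs human action. This is an added example, not NSB Cyber's code; the account data is constructed.

```python
# Added example (not NSB Cyber's code): time-bound elevation and a periodic access
# review. All account data below is constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Grant:
    role: str
    expires_at: Optional[datetime] = None  # None = standing access

@dataclass
class Account:
    user: str
    employed: bool  # False once HR records the person as a leaver
    last_login: datetime
    grants: list

def grant_temporary(account, role, now, ttl):
    """Elevate for a bounded window rather than assigning the role permanently."""
    account.grants.append(Grant(role, expires_at=now + ttl))

def active_roles(account, now):
    """Roles in force right now: leavers get nothing, expired elevations drop out."""
    if not account.employed:
        return set()
    return {g.role for g in account.grants if g.expires_at is None or g.expires_at > now}

def review_access(accounts, now, max_idle=timedelta(days=90)):
    """Periodic audit: (user, finding) pairs that need follow-up."""
    findings = []
    for a in accounts:
        if not a.employed and a.grants:
            findings.append((a.user, "leaver still holds grants: revoke all"))
            continue
        for g in a.grants:
            if g.expires_at is not None and g.expires_at <= now:
                findings.append((a.user, f"expired elevation '{g.role}': remove"))
        if a.grants and now - a.last_login > max_idle:
            findings.append((a.user, "dormant account: confirm need or disable"))
    return findings

NOW = datetime(2025, 3, 28, 9, 0)  # constructed reference time for the sample
def sample_accounts():
    alice = Account("alice", True, NOW - timedelta(days=1), [Grant("customer_service")])
    grant_temporary(alice, "finance_manager", NOW, timedelta(hours=4))
    bob = Account("bob", True, NOW - timedelta(days=2), [Grant("it_admin"), Grant("finance_manager", NOW - timedelta(days=1))])
    carol = Account("carol", False, NOW - timedelta(days=30), [Grant("finance_manager")])
    dave = Account("dave", True, NOW - timedelta(days=120), [Grant("customer_service")])
    return [alice, bob, carol, dave]
```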
Implementing Access Control Based on Business Size
Access control needs to be tailored to fit the unique size and complexity of each organisation. For small businesses, which often lack dedicated IT resources, implementing straightforward solutions like smart locks and key card systems can significantly boost security. Tools such as Microsoft 365 and Google Workspace also help manage user access effectively. It's vital for these businesses to enforce MFA and regularly review user permissions, especially when staff leave or change roles.
As companies grow into medium-sized enterprises, manual access management becomes impractical. This is where Identity and Access Management (IAM) solutions come into play, automating user provisioning and improving compliance while filling security gaps. In larger organisations, with their extensive employee networks and complex infrastructures, advanced IAM systems become essential. These systems offer real-time monitoring and behaviour-based access controls that adjust permissions based on user activities and context, ensuring consistent enforcement of security policies across various locations and departments.
Conclusion
Access control goes beyond merely restricting access; it is about protecting physical spaces, digital assets, and business operations. For small businesses, implementing foundational security measures such as smart locks, cloud-based access management, and MFA is essential. Medium-sized organisations can benefit from automating IAM, while large enterprises can utilise advanced AI-driven solutions for real-time monitoring.
For information on NSB Cyber’s Cyber Resilience capabilities or to book a meeting with our team, click here.
What we read this week
Oracle Denies Massive Data Breach: Australian Companies Urged to Take Action - A hacker named ‘rose87168’ (Rose) has claimed to have breached Oracle Cloud and stolen around six million credentials from 140,000 companies, including over 1,600 Australian organisations like Telstra, Optus, NBN Co, and major banks. Despite Oracle denying any breach, cybersecurity firm CloudSek believes the attacker may have exploited a known vulnerability (CVE-2021-35587) in Oracle Access Manager, citing evidence including a compromised login server running outdated Middleware. Rose is allegedly selling the stolen data and coercing companies to pay for its removal, and experts warn of serious risks including unauthorised access and corporate espionage.
Google Fixes Chrome Zero-Day Exploited in Espionage Campaign - Google has patched a high-severity Chrome zero-day vulnerability, CVE-2025-2783, which was being exploited in the wild to bypass the browser’s sandbox and deploy malware. Discovered by Kaspersky researchers, the flaw was used in a cyber-espionage campaign dubbed Operation ForumTroll, targeting Russian media, education, and government entities via phishing emails. The vulnerability allowed attackers to compromise systems without triggering obvious malicious behaviour and was linked to the domain primakovreadings[.]info. Updating Chrome to version 134.0.6998.178 addresses the issue and disables the full exploit chain used in the attacks.
New Windows 0-Day Vulnerability Let Remote Attackers Steal NTLM Credentials - A newly discovered Windows zero-day vulnerability allows attackers to steal NTLM credentials simply by having a user view a malicious file in Windows Explorer, affecting systems from Windows 7 to Windows 11 v24H2 and Server 2025. The flaw can be triggered through shared folders, USB drives, or downloaded files, and has already been exploited in real-world attacks. While Microsoft has yet to release an official fix, 0patch has provided free micropatches to temporarily protect affected systems without requiring reboots.
ClearFake Infects 9,300 Sites, Uses Fake reCAPTCHA and Turnstile to Spread Info-Stealers - The ClearFake campaign, active since mid-2023, uses fake reCAPTCHA and Cloudflare Turnstile verifications to trick users into downloading malware like Lumma Stealer and Vidar Stealer via compromised WordPress sites and deceptive ClickFix tactics. As of early 2025, over 9,300 websites have been compromised, with an estimated 200,000 users exposed, including via a supply chain compromise of a third-party video service used by auto dealerships. Alongside ClearFake, other phishing campaigns are distributing RATs such as Venom, AsyncRAT, and Remcos by exploiting file attachments, M365 misconfigurations, and advanced Browser-in-the-Middle (BitM) techniques to bypass security and hijack user sessions.
New VanHelsing Ransomware Targets Windows, ARM, ESXi Systems - VanHelsing is a newly emerged ransomware-as-a-service (RaaS) operation targeting multiple platforms, including Windows, Linux, BSD, ARM, and ESXi, and was first promoted on cybercrime forums in March 2025. Affiliates can join for free if experienced, while others must pay a $5,000 deposit, keeping 80% of ransom profits via an automated blockchain-based escrow system. Written in C++, the ransomware uses ChaCha20 encryption and supports features like stealth mode, partial encryption for large files, and extensive command-line customisation to tailor attacks. As of now, its dark web extortion site lists three victims and demands ransoms of up to $500,000, indicating the threat is growing quickly.
References
https://ia.acs.org.au/article/2025/oracle-denies-massive-data-breach.html
https://www.bleepingcomputer.com/news/security/google-fixes-chrome-zero-day-exploited-in-espionage-campaign/
https://cybersecuritynews.com/new-windows-zero-day-vulnerability/
https://thehackernews.com/2025/03/clearfake-infects-9300-sites-uses-fake.html
https://www.bleepingcomputer.com/news/security/new-vanhelsing-ransomware-targets-windows-arm-esxi-systems/