Knowledge is power when it comes to truly understanding the types of unauthorised access that occur and how to prevent each one uniquely. From succumbing to “politeness pressure” by holding the door for an assumed colleague or being so bold as to forge building credentials, the learned responses of your building occupants are crucial to preventing the dangers of unauthorised access.
Before you evaluate or purchase an access control system, it is critical to have a good understanding of what you need such a system to do. For starters, you have to be clear about what “unauthorised access” means and how it may happen within your organisation. There are several ways an unauthorised individual can get into a building, and some of them may occur daily at a particular location.
From doors that are left open when they should be closed to easily forged credentials, there are many types of unauthorised access that can leave an organisation at risk. In some cases, the same technologies that have been deployed to control access can introduce risk. All possibilities need to be considered when thinking about an access system because once you have an idea of how unauthorised access can occur at your business, you’ll have an easier time determining whether the access control solution you’re considering will meet your actual needs.
Let’s begin by breaking down the six core types of unauthorised access, what each one looks like and measures that your employees, contractors and staff can take to contribute to a more security-focused environment.
Know And Prevent The 6 Types Of Unauthorised Access
Here are six of the most common ways unauthorised access can occur, along with some methods and technologies for combatting them.
One of the most common types of unauthorised access is tailgating, which occurs when one or more people follow an authorised user through a door. Often the user will hold the door for an unauthorised individual out of common courtesy, unwittingly exposing the building to risk. One way to decrease the likelihood of tailgating is by training all credentialed users on security and awareness. An even more effective reduction technique is to implement turnstiles, mantraps or another solution that restricts entry to one individual at a time and generates an alarm if someone tries to circumvent it.
Like tailgating, propping doors open, most often for convenience, is another common way unauthorised individuals gain access to a location and potentially create a dangerous situation for the people and assets within. Some access control systems can detect when a door is propped open and alert security personnel, who can respond and investigate as needed.
You might be surprised to know how easily many doors can be levered open using something as small as a screwdriver or as large as a crowbar. Advanced access control systems include forced-door monitoring and will generate alarms if a door is forced. The effectiveness of these systems varies: many suffer from a high rate of false positives, poor database configuration or a lack of active intrusion monitoring. When those problems are addressed, however, they are highly effective at detecting door levering.
Whether stolen, lost or loaned out, keys pose a significant problem. They are often impossible to track when lost, forgotten, stolen or loaned to someone else, and if an individual tends to tailgate to enter the building, they may not notice missing keys for several days. During that time, there is a considerable risk, and the only way to ensure continued security is to re-core the locks on multiple doors, which can be very expensive. Electronic key management solutions can be deployed to track keys, with the added benefit that many of these systems can be integrated with access control for an added layer of security.
With the added advantage of identifying authorised users who swipe in with an access control reader, electronic key cards are a more high-tech alternative to traditional keys. However, they are prone to the same risks associated with keys, namely the potential to be lost, stolen or shared with an authorised or unauthorised person.
From a technology perspective, there are four main categories of access cards: magnetic stripe, proximity, proximity smart cards and contact smart cards. Each has its pros and cons, with some more susceptible to risk than others. Magnetic stripe cards are the easiest to duplicate and are exposed to wear and tear or damage from magnetic fields. Proximity cards and smart cards are much less susceptible to duplication, and proximity smart cards can be programmed with much more information than plain access cards, allowing them to be used for a variety of interactive applications in addition to physical access, including network access. Some proximity smart cards, however, require a small battery, which can diminish their lifespan.
The effectiveness of access control cards can be improved if they also serve as photo identification cards, which decreases the likelihood that individuals will forget them at home. Complementary technologies and solutions, such as individual identification cards and biometrics, bring even greater reliability and effectiveness to access cards.
Passback can also be considered a “double-dipping” of credentials, as one credential is passed from one user to the next. Passbacks are similar to tailgating and collusion, and they present serious security and population-counting concerns. The person allowing the unauthorised access generally has no malicious intent.
Unauthorised access can create dangerous situations for any business or organisation, so it’s vital to choose access control technologies to combat this risk. To make the most informed choice, it’s critical not only to consider but to understand these six most widespread types of unauthorised access. If your organisation is susceptible to any or all of these risks, it’s essential to seek an access solution that addresses those specific risks, to reduce or even eliminate the possibility of unauthorised access and ensure the highest level of security for your facility.
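The forced-door, propped-door and passback detection described above can be expressed as simple rules over the event stream an access control panel already produces. The following is an added example, not code from the original article or any vendor product; the event format, the card IDs and the timing thresholds are constructed assumptions.

```python
# Constructed sample events from one door: (seconds, kind, data).
# "read" = credential presented at the in/out reader (ok=True means granted),
# "open"/"close" = door-contact sensor transitions.
EVENTS = [
    (0,   "read",  {"card": "A1", "dir": "in", "ok": True}),
    (2,   "open",  {}), (5, "close", {}),
    (60,  "read",  {"card": "A1", "dir": "in", "ok": True}),   # A1 never exited: passback
    (62,  "open",  {}), (64, "close", {}),
    (120, "open",  {}), (122, "close", {}),                     # no recent grant: forced/levered
    (200, "read",  {"card": "B7", "dir": "in", "ok": True}),
    (201, "open",  {}), (260, "close", {}),                     # open 59 s: propped
    (300, "read",  {"card": "A1", "dir": "out", "ok": True}),
    (310, "read",  {"card": "A1", "dir": "in", "ok": True}),    # legitimate re-entry, no alarm
]

def monitor_door(events, unlock_window=10, held_open=30):
    """Return a list of (time, alarm_type, detail) for one door.

    unlock_window: seconds after a granted read during which an opening is
    expected; held_open: seconds a door may stay open before it is treated as
    propped. Both thresholds drive the false-positive rate the text warns
    about, so they are tuned per door rather than hard-coded."""
    alarms = []
    last_grant = None   # time of the most recent granted read
    opened_at = None    # time the door contact last reported "open"
    inside = set()      # cards currently logged as inside (anti-passback state)
    for t, kind, data in events:
        if kind == "read" and data["ok"]:
            card, direction = data["card"], data["dir"]
            if direction == "in":
                if card in inside:                       # second entry without an exit
                    alarms.append((t, "passback", card))
                inside.add(card)
            else:
                inside.discard(card)
            last_grant = t
        elif kind == "open":
            if last_grant is None or t - last_grant > unlock_window:
                alarms.append((t, "forced_door", None))  # opened without a valid read
            opened_at = t
        elif kind == "close" and opened_at is not None:
            if t - opened_at > held_open:                # closed, but only after the timeout
                alarms.append((t, "door_held_open", t - opened_at))
            opened_at = None
    return alarms

if __name__ == "__main__":
    for alarm in monitor_door(EVENTS):
        print(alarm)
```

A real panel would also raise the held-open alarm while the door is still open rather than waiting for the close event; the close-based check here keeps the example to one pass over historical logs.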
How To Prevent Unauthorised Access
Here’s what you can do to reduce the likelihood of anyone getting unauthorised access to your computer system or network.
- Be aware of social engineering. Don’t give out personal information unless you know exactly who’s asking for it and why they want it. If you’re not sure, ask.
- Choose unique passwords for your online accounts — don’t use the same password for every account you have. Consider using a password manager like KeePass to manage them.
- Turn on multi-factor authentication for your online accounts.
- Always update your operating system and your apps when new versions are available. You can set this up to happen automatically with Windows and a lot of other applications like Office.
- Install antivirus and anti-ransomware software on your computer if you don’t already have it, and update it regularly.
- Scan for viruses regularly and clean up any infections straight away.
- Make sure that the answers to your account recovery questions aren’t easy to guess. Your answers don’t need to be factual, just something that you can remember.
- Be cautious when connecting your computer to unsecured networks like free WiFi or internet cafés.
If you have your own business, there are a few extra things you can consider.
- Limit your employees’ access to the systems and processes they need to do their job and no more. This is known as the principle of least privilege.
- Only give remote access to people within the business who need it. Put some controls around who can and can’t have it.
- Monitor your business network and systems for any unexpected login attempts.
- Keep an inventory of the devices on your network and make sure they’re secure.
- Don’t use generic passwords and logins — have a unique login for every user and update your passwords regularly.
If Someone’s Had Unauthorised Access To Your System Or Network
What to do if your system or network has been accessed without your authorisation.
- Change the password for anything that was accessed without your permission.
- Contact the service provider for your online accounts — like your bank or your email provider. Let them know what’s happened and ask what they can do to help.
- Make sure you back up your files regularly. This includes the files on your computers, phones and any other devices you have. You can:
  - Do an ‘offline’ or ‘cold’ backup. Back up the data to an external hard drive and then disconnect the hard drive from your device.
  - Do a cloud backup to Dropbox or a similar online hosting service.
Unauthorised Access To Computer Systems
There are two types of cases related to unauthorised access to computer systems, which are “Intrusion into a computer system” and “Internet or online account-take-over”.
- Hackers intrude into the computer systems of companies to illegally alter the contents of their websites.
- A hacker intrudes into the computer system of a specific company to use its Internet connection for long-distance calls. As a result, the victim company suffers a loss in the form of huge bills.
- Victims log into bogus/phishing websites via phishing emails and are asked to enter their email addresses and passwords, which can result in the following scams:
Email Scam (Corporate Level)
After understanding the business transactions between the victim and the client, the fraudster uses fictitious emails to induce the victim to make remittances to some local and overseas designated bank accounts.
Email Scam (Personal Level)
After hacking into a personal email account, the fraudster sends deceptive emails to the victim’s relatives and friends on the contact list. The email falsely claims that the sender has had an accident overseas and urgently needs money, and asks the recipient to remit money to the fraudster’s account as a matter of emergency.
We represent people accused of gaining unauthorised access to computers throughout the state of Massachusetts and in federal courts.
The federal Computer Fraud and Abuse Act (CFAA) prohibits (1) accessing a computer without authorisation or exceeding one’s authorisation and thereby accessing information the government has deemed needs to be protected against unauthorised disclosure; and (2) intentionally accessing a computer or intentionally exceeding authorisation and thereby accessing financial information, information from any department or agency of the government, or information from any “protected computer.” While this statute appears to limit the computers to which it applies, in reality, “protected computer” is defined by the law to be any “electronic, magnetic, optical, electrochemical, or other high-speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device” that “is used in or affecting interstate or foreign commerce or communication.” In other words, the term “protected computer” covers any computer, tablet, or smartphone that is connected to the internet.
In addition to prohibiting unauthorised access of a computer, the CFAA prohibits: computer espionage, trespassing on a government computer, committing fraud using a computer, damaging a protected computer (such as with viruses and worms), trafficking in passwords of a government or commerce computer, and threatening to harm a computer.
The Federal Stored Communications Act (SCA), passed in 1986, prohibits “intentionally access[ing] without authorisation a facility through which an electronic communication service is provided; or intentionally exceed[ing] an authorisation to access that facility” and thereby obtaining access to electronic communications in electronic storage. The federal circuit courts have split on whether accessing someone else’s cloud-based email account violates the SCA. Neither the Supreme Court nor the First Circuit Court of Appeals has addressed the issue, leaving it an open question whether someone in Massachusetts who logs in to another person’s cloud-based account without authorisation will be found to have violated this federal law.
Massachusetts law also makes it an offence to access a computer system without authorisation, or to continue accessing a computer system after learning that the access is unauthorised. This statute may cover actions such as logging into someone else’s computer without permission, sending or reviewing emails in someone else’s email account, and creating unauthorised online charges. It is important to note that the term “computer system” does not just mean the computer of another person; accessing someone’s internet accounts, such as email, even from your own computer, may be prosecuted as a violation of this statute.
What does the prosecution have to show to prove a violation of this statute? The prosecutor must show (1) that you accessed a computer system; (2) that you knew the computer system required authorisation; and (3) that you knew you did not have that authorisation. The law explicitly states that “the requirement of a password or authentication to gain access” puts a person on notice that the computer system requires authorisation.
The courts have not had much cause to examine and interpret this law, meaning it is not clear to what situations it might apply. One of the few cases to address this law made clear that while looking at multiple web pages or documents during one unauthorised login is not grounds for multiple charges under this section, repeated unauthorised logins to the same computer system can give rise to multiple counts of unauthorised computer use.
Beyond that holding, the scope of the law’s application has yet to be defined. One superior court found that although the statute does not define the word “access,” that term was clear enough in the law to withstand constitutional challenge.
This decision was unpublished and is not binding on other courts. The law similarly does not define the term “computer system,” and the relevant federal laws do not use this term, leaving room for defendants to challenge prosecutions for actions other than simply logging into someone else’s computer. While we have seen the police bring these charges against people for accessing, for example, someone else’s email accounts, it is not clear that an email account is a “computer system” under the law.
The law was passed in 1994 and likely did not contemplate the various electronic systems people routinely use today. For example, courts do not yet appear to have taken up the question of whether accessing another person’s smartphone constitutes a violation of this statute, i.e. whether a smartphone is a “computer system.” These are some areas we explore in defending our clients against charges of unauthorised use of a computer.
Preventing Unauthorised Access
This section describes the security measures that prevent unauthorised access from an external network. It is a must-read for all users and administrators before using this machine or any other printer or multifunction device connected to the network. In recent years, a printer/multifunction machine connected to the network has been able to offer various useful functions, such as printing from a computer, remote operation from a computer, and sending scanned documents via the Internet. On the other hand, it is essential to take security measures to reduce the risk of information leakage, as a printer/multifunction machine becomes more exposed to threats such as unauthorised access and theft once it is connected to the network. This section explains the settings you need to specify to prevent unauthorised entry before using a printer/multifunction machine connected to the network.