OWASP Top 10 2017 – A5 Broken Access Control

Understanding Authorization To Resolve Broken Access Control

Access control (authorization) determines what users communicate with what systems and resources within your company.When access control is broken, anyone can send requests to one of your network applications. Broken access means that unauthorized access to system functionality and resources has created exploitable weakness that opens your company to harmful and potentially expensive outcomes.

The 4 Main Computer System Assets

Knowing what your assets are will help you decide on what kind of controls to assign to them. Assets are company information, system, and hardware that is used within your business. If you do not understand what your company’s most important assets are, how will you know what kinds of access controls to apply?

Informational assets: databases, current and archived files, policies and procedures
Physical assets: computers, servers, routers–anything physically visible relating to your system
Software assets: system and application software
Services assets: how your system serves by its operations, such as serving consumer and communications
What value do you give these assets? That is, what assets need the most security to protect them? Once you have identified the critical assets within your company infrastructure, you can assign access control dependent on the value given to those assets.

The CIA Triad and the 3 Primary Types of Access Control

The CIA triad is the base principle of all access control to information. Its meaning is pretty straightforward:

Confidentiality: rules that limit access to information
Integrity: surety of information trustworthiness and accuracy over its life cycle
Availability: the information must be available to access
Access defines the flow of information from its user to its requested resources, such as a selected computer file. The security of that resource depends on 3 primary types of access control: administrative, technical and physical.

Administrative access control involves all company employees and their secure access to particular company resources. This involves security policy, administrative and personnel controls and their time limits. Examples of administrative controls are: personnel administration, security training, and testing. This incorporates determining the principle of least privilege–giving access only for what is needed to get the job done.
Technical (logical) access control uses technology to keep sensitive company data secure over networks and systems. Examples include: antivirus software, firewalls, auditing, and encryption. Keeping access control lists, setting up alerts.
Physical access control are non-technical access controls to secure a company and their resources like dead-bolt locks, cameras and security guards. Examples include keeping user computers from the server areas and data backups.
The main focus of the file example involves mainly the administrative and technical controls, but includes the physical control: the file is on your computer system and now it has to be determined who gets access to it (administrative), and the type or manner of their access (technical) and where (physical). Broader scope concerns include access control in the cloud, the IoT, and the sheer volumes of data that many enterprises carry out daily.

SOP: How is Access Control Carried Out?

There are 3 types of file access modes: files will be read only, read and write, and execute. Each type of file will have its own particular types of access control. These access controls should be carried out throughout the system and be standard operating procedure for your company. Carrying out access control follows a multi-layered protocol:

Subject ID: know who wants the request for access
Authentication: verify who wants the request for access resulting in allotting user accounts, password allocation and usage
Privilege ACLs: once authenticated, the request is checked against the access control list to see what privileges can be granted to the requestor
Audits: checks for vulnerabilities and flaws in the system
Once authentication is validated and privilege is granted, access authorization is based on the following:

Role based: limited, hybrid, full roles
Rule based: access is granted only if it follows a rule
Mandatory: self-managing system that allows access on a need-to-know-basis
Discretionary: access is owner-granted
Even with such protocols, files with improper access control happen. Access control is on on-going process, not a one-off, set-up-and-be-done-with-it event.

How Do Access Controls Become Vulnerable?

Access controls become vulnerable when functionality and resources are compromised due to users who do not have proper authorization to access files. Verifying function level access on every level is the best way to find vulnerabilities like navigation to unauthorized functions and missing authorization checks and balances.

Weaknesses can be found in the URL, old directories, cached pages, passwords that are not strong enough or that have not been changed when employees or employee roles change. Many times users are afraid to forget information like passwords and save them in their computer, making them easy to infiltrate.

Access can also be compromised when users fail to follow strict pathways to needed information using company protocols for retrieval. Back-door pathways can cause loss of system functionality because authorized access controls are bypassed. Users may try to manipulate access controls such as firewalls to gain access to needed information.

It is important to note that passwords are the weakest link in access control, subject to guessing and easy to create an attack from both within a company and from outside invaders.

Passwords should be 8 to 15 characters using no words, utilizing upper- and lower-case letters, numbers and company-designated special characters.

There are many ways to break access into a system, including “dictionary” attacks that scan for password matches, “brute-force” attacks run password combinations until they find a way to match one, and “birthday” attacks use “colliding” hashtags. Other attacks that can happen once access controls are breached are spoofing and phishing attacks.

Broken access controls leave the door open for such attacks. Impacts include broken day-to-day operations (denied access, downtime), data breaches, and bad PR if such breaches are publicized.

Resolving Broken Access Controls

Company application access can be broken when functional level access is misconfigured by developers resulting in access vulnerabilities.

Denied access is arguably the most common result of broken access controls. Access can be denied in applications, networks, servers, individual files, data fields, and memory. Denied access not only causes inaccessible requested files, it can cause other security mechanisms to fail. For instance, if the access is broken on one control, other controls may be affected in the file hierarchy.

IT teams have to resolve broken access controls by fixing not only what is broken, like a bad password leading to denied access; but, they must look wherever that access control had functionality in the first place, including controllers and business logic.

Preventing broken access control should come from a central entity that ensures all company access functionality is maintained and managed.

Mitigating Risk and Managing Access Control

There are many ways to enforce and manage access usability within your company. Close tabs on employee identification and credentials, having employees sign non-disclosure agreements, activity monitoring for unauthorized personal-use web sites, telephone usage, and software installation, as well as creating multi-layered login-in processes and workflow accessibility, monitoring password resets, reuse and expiration, and daily issue logging help track functionality and any broken access controls.

Access control is a proactive process. Understanding what it is, how it works and following company protocol keeps broken controls in check and your company running smoothly.

Have a look at our OWASP Top 10 2017 posts:

OWASP Top 10 2017 – A1 Injection

OWASP Top 10 2017 – A2 Broken Authentication and Session Management

OWASP Top 10 2017 – A3 Cross Site Scripting (XSS)