OWASP Top 10 2017: A5 Broken Access Control

July 30th, 2019

What is Access Control?

Access control (authorization) determines which users can interact with what systems and resources within your company. When access control is broken, users could send unauthorized requests to your applications. Unauthorized access to system functionality and resources creates an exploitable weakness that opens your company to harmful and potentially expensive outcomes.

The 4 Main Computer System Assets

Your business has several types of computer system assets, including applications, data, and hardware. Knowing your assets helps you decide on the types of controls to assign to them.

Assets can be divided into four categories:

Informational assets: databases, current and archived files, policies and procedures.
Physical assets: computers, servers, routers — anything physically visible relating to your system.
Software assets: system and application software.
Services assets: how your system serves by its operations, such as serving consumer and communications.

What value do you give these assets? Which assets need the most security to protect them? Once you have identified the critical assets within your company infrastructure, you can assign access control depending on the value given to those assets.

The CIA Triad and the 3 Primary Types of Access Control

The CIA triad is the key principle underlying the use of access control for information. As its name implies, the CIA triad includes three key aspects:

Confidentiality: rules that limit access to information.
Integrity: surety of information trustworthiness and accuracy over its life cycle.
Availability: the information must be available to access.

Access defines the flow of information from its user to its requested resources, such as a selected computer file. The security of that resource depends on three primary types of access control: administrative, technical and physical.

Administrative access control involves all company employees and their secure access to particular company resources. This involves security policy, administrative and personnel controls, and their time limits. Examples of administrative controls are personnel administration, security training, and testing. This incorporates determining the principle of least privilege — giving access only for what is needed to get the job done.
Technical (logical) access control uses technology to keep sensitive company data secure over networks and systems. Examples include antivirus software, firewalls, auditing, and encryption. Keeping access control lists, setting up alerts.
Physical access control includes non-technical access controls to secure a company and resources like dead-bolt locks, cameras, and security guards. Examples include keeping user computers from the server areas and data backups.

Securing computer files involves administrative and technical controls as well as physical controls. For each file on your computer system, it must be determined who gets access to it (administrative), the type or manner of their access (technical) and where access is granted (physical). Additional concerns include access control in the cloud, the IoT, and the sheer volume of data that many enterprises generate.

How is Access Control Managed?

There are three common types of file access modes: files will be read-only, read-and-write, or execute. Each type of file will have its own particular types of access control. These access controls should be carried out throughout the system and be the standard operating procedure (SOP) for your company.

Enforcing access control follows a multi-layered protocol:

Subject ID: know who wants the request for access.
Authentication: verify who wants the request for access resulting in allotting user accounts, password allocation, and usage.
Privilege ACLs: once authenticated, the request is checked against the access control list to see what privileges can be granted to the requestor.
Audits: checks for vulnerabilities and flaws in the system.

Once authentication is validated and privilege is granted, access authorization is based on the following:

Role-based: limited, hybrid, full roles.
Rule-based: access is granted only if it follows a rule.
Mandatory: a self-managing system that allows access on a need-to-know basis.
Discretionary: access is owner-granted.

Even with such protocols, files with improper access control happen. Access control is an on-going process: it is not a one-off, set-up-and-be-done-with-it event.

How Do Access Controls Become Vulnerable?

Access controls become vulnerable when functionality and resources are compromised due to users who do not have proper authorization to access files. Verifying function level access on every level is the best way to find vulnerabilities like navigation to unauthorized functions and missing authorization checks and balances.

Weaknesses can be found in the URL, old directories, cached pages, passwords that are not strong enough or that have not been changed when employees or employee roles change. Many times users are afraid to forget information like passwords and save them in their computer, making them easy to infiltrate.

Access can also be compromised when users fail to follow strict pathways to needed information using company protocols for retrieval. Back-door pathways can cause loss of system functionality because authorized access controls are bypassed. Users may try to manipulate access controls such as firewalls to gain access to needed information.

It is important to note that passwords are the weakest link in access control, subject to guessing and easy to create an attack from both within a company and from outside invaders.

Passwords should be 8 to 15 characters using no words, utilizing upper- and lower-case letters, numbers and company-designated special characters.

There are many ways to break access into a system, including “dictionary” attacks that scan for password matches, “brute-force” attacks run password combinations until they find a way to match one, and “birthday” attacks use “colliding” hashtags. Other attacks that can happen once access controls are breached are spoofing and phishing attacks.

Broken access controls leave the door open for such attacks. Impacts include broken day-to-day operations (denied access, downtime), data breaches, and bad PR if such breaches are publicized.

Resolving Broken Access Controls

Application access policies can be broken when the functional level access is misconfigured by developers resulting in access vulnerabilities.

Denied access is arguably the most common result of broken access controls. Access can be denied in applications, networks, servers, individual files, data fields, and memory. Denied access not only causes inaccessible requested files, it can cause other security mechanisms to fail. For instance, if the access is broken on one control, other controls may be affected in the file hierarchy.

IT teams have to resolve a broken access control not only by fixing what is broken (like a bad password leading to denied access) but also considering any other potential areas that may be affected, such as controllers and business logic.

Preventing broken access control should come from a central entity that ensures all company access functionality is maintained and managed.

Mitigating Risk and Managing Access Control

There are many ways to enforce and manage access usability within your company. These include:

Keeping close tabs on employee identification and credentials
Having employees sign non-disclosure agreements
Monitoring activity for unauthorized personal-use web sites, telephone usage, and software installation,
Creating multi-layered login-in processes and workflow accessibility
Monitoring password resets, reuse and expiration
Daily issue logging to help track functionality and any broken access controls.

Access control is a proactive process. Understanding what it is, how it works and following company protocol keeps broken controls in check and your company running smoothly.