Abstract—This paper presents knowledge about access control: how access should be granted to an employee while taking security measures into account. It also describes whether access should be granted to a person for a specific task or not. It also gives an understanding of the business aspects of improper access control for ABC bank.
This report gives deep knowledge about the trends in improper access control and the categories MAC, DAC, and RBAC, as well as the common attacks that happen in companies due to improper access control and an explanation of those vulnerabilities.
It explains how improper access control can impact our business and what it costs to safeguard against it. It also gives a brief scenario of an attack that happened in the past in the UK because of improper access control and the steps taken after that attack was researched.
Keywords—Access control, Authorization, Authentication, Attack, Employee, data, security.
- Introduction to improper access control
Access control is based on three components known as AAA: Authorization, Authentication, and Accounting. Every organization has its own security measures for access control. Each employee and user has different access rights because of those security measures.
Trends In Access Control
Authorization is the security mechanism that grants a level of access to the client/user. It gives the user access to system resources, files, programs and data on the basis of their identity.
Most web applications follow two-factor authentication, in which they first authenticate the user and then grant authority based on that identity. Nowadays, more advanced systems contain only one factor, an effectively designed authorization process. It includes key factors such as user number, type, credentials, verification, and role.
Authorization is basically a policy phase in which requests are permitted or denied based on previous actions. The authorization server checks on every request whether the resources of a particular file are granted to a particular user or not.
Authentication is the process of determining whether someone or something is who or what it claims to be. Authentication grants access by verifying the user's credentials against the credentials stored in the database. For example, when a user enters a user id and password, the system checks them against the database; if they match, access is granted, otherwise it is denied.
Authentication is important for a company from a cybersecurity perspective because, before giving access, it checks whether the user is legitimate or not. There are different types of authentication, such as two-factor (asks for one more verification besides the password) and multi-factor (asks for two or more types of verification).
At login, authentication checks different factors: the knowledge factor, time factor, location factor, possession factor (OTP or PIN) and inherence factor (biometric identification).
Fig. 1. Authorization and Authentication
There are different authentication methods, such as two-factor authentication, multi-factor authentication, one-time passwords, biometrics, three-factor authentication, API authentication, and mobile authentication.
Accounting is basically a log file used to maintain records of user activities. It can include the amount of data the user sent or received in a particular session. Accounting is carried out by logging (information usage and session statistics).
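The following is an added example, not code from the paper, showing how the possession factor (an OTP token) and the accounting step fit together: the server checks a one-time code and writes an audit record for every attempt. The OTP algorithm is RFC 4226 HOTP; the user record, the look-ahead window and the audit-log format are assumptions made for this example, and the secret is the RFC 4226 test-vector secret.

```python
# Added example (not from the paper): HOTP second-factor check plus an
# accounting record. The User class, LOOK_AHEAD and log format are constructed.
import hashlib
import hmac
from dataclasses import dataclass, field


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


@dataclass
class User:
    name: str
    otp_secret: bytes          # shared with the employee's token (possession factor)
    counter: int = 0           # next counter value the server expects
    audit_log: list = field(default_factory=list)  # the "accounting" record


LOOK_AHEAD = 3  # tolerate a few unused codes if the token got ahead of the server


def verify_otp(user: User, submitted: str) -> bool:
    """Check the submitted code against the next LOOK_AHEAD counter values.

    On success the counter moves past the matched value, so the same code
    cannot be replayed. Every attempt, good or bad, is written to the log.
    """
    for step in range(LOOK_AHEAD):
        candidate = user.counter + step
        if hmac.compare_digest(hotp(user.otp_secret, candidate), submitted):
            user.counter = candidate + 1
            user.audit_log.append(f"otp_ok user={user.name} counter={candidate}")
            return True
    user.audit_log.append(f"otp_fail user={user.name}")
    return False


def demo() -> tuple:
    # Constructed user; the secret is the RFC 4226 test-vector secret.
    u = User("alice", b"12345678901234567890")
    results = [
        verify_otp(u, "755224"),   # counter 0: accepted
        verify_otp(u, "755224"),   # replay of the same code: rejected
        verify_otp(u, "359152"),   # counter 2 (token skipped 1): accepted via look-ahead
        verify_otp(u, "000000"),   # wrong code: rejected
    ]
    return results, u.counter, u.audit_log


if __name__ == "__main__":
    print(demo())
```

The replay rejection is the point a practitioner cares about: an OTP that was captured (for example by a sniffer) is worthless once the counter has moved past it, and the accounting log shows both the successful use and the later failed reuse.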
- Categories in access control
Basically, there are three categories of access control.
- Mandatory access control (MAC)
- Discretionary access control (DAC)
- Role-based access control (RBAC)
- Mandatory Access Control
In MAC, the user cannot override the defined policy; only the administrator has access to it. It uses a hierarchical approach to accessing resources. All MAC settings are handled by the system administrator. All resource permissions are given by the operating system, which is controlled by the system admin. In MAC systems the user cannot change the permissions of resources.
In MAC, every resource is assigned a security label. A security label consists of two pieces of information: a classification and a category. User accounts also have these two properties.
When a user tries to access a file, the operating system checks the user's classification and category and compares them to the file's security label. The file's and the user's category and classification must match; otherwise the user cannot access the file.
MAC is used in many modern operating systems, such as Microsoft Windows, FreeBSD, SUSE Linux, Ubuntu, etc.
- Discretionary Access Control
In DAC, the user can ask the admin for permission, and the admin can grant permission for specific objects for a given interval of time. In the DAC model, the owner of an object can usually change its permissions and can pass ownership on to another subject. DAC allows each user to access their own data with full control over it.
Like the security label in MAC, in DAC there is an Access Control List (ACL) associated with each resource. The ACL contains the user information and the groups, i.e. which level a user belongs to. For example, User1 has access to the read operation, User2 has access to the read and write operations, and User3 has access to all operations, so they will all be in different groups.
- Role-based access control
Role-based policies grant access or permissions to objects within the system, and access depends upon the role of the user. Every user has their own predefined rules for access.
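As an added example that is not part of the paper, the three models described in the MAC, DAC and RBAC sections above are written out as small decision functions on constructed data. The MAC check generalises the paper's "classification and category must match" rule to the usual dominance form (the user's level must be at least the file's, and the user must hold every category on the file); all file names, users, roles and permissions are invented for the example.

```python
# Added example (not from the paper): toy decision functions for MAC, DAC and
# RBAC. Labels, ACLs, roles and users below are constructed for illustration.
from enum import IntEnum


class Level(IntEnum):          # MAC classification, ordered low to high
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2


# --- MAC: the system administrator sets labels; users cannot change them ---
# A label is (classification, set of categories), on both files and accounts.
MAC_FILES = {
    "ledger.xlsx": (Level.SECRET, {"finance"}),
    "policy.pdf": (Level.PUBLIC, set()),
}
MAC_USERS = {
    "alice": (Level.SECRET, {"finance", "hr"}),
    "bob": (Level.CONFIDENTIAL, {"finance"}),
}


def mac_allows(user: str, filename: str) -> bool:
    """Read allowed when the user's classification dominates the file's and
    the user holds every category on the file."""
    u_level, u_cats = MAC_USERS[user]
    f_level, f_cats = MAC_FILES[filename]
    return u_level >= f_level and f_cats <= u_cats


# --- DAC: each object has an owner and an ACL that only the owner may edit ---
DAC_OBJECTS = {
    "report.docx": {
        "owner": "user1",
        "acl": {
            "user1": {"read"},
            "user2": {"read", "write"},
            "user3": {"read", "write", "delete"},
        },
    },
}


def dac_allows(user: str, obj: str, op: str) -> bool:
    return op in DAC_OBJECTS[obj]["acl"].get(user, set())


def dac_grant(actor: str, obj: str, user: str, ops: set) -> bool:
    """Discretionary control: only the current owner may change the ACL."""
    entry = DAC_OBJECTS[obj]
    if actor != entry["owner"]:
        return False
    entry["acl"].setdefault(user, set()).update(ops)
    return True


def dac_transfer(actor: str, obj: str, new_owner: str) -> bool:
    """The owner may pass ownership on to another subject."""
    entry = DAC_OBJECTS[obj]
    if actor != entry["owner"]:
        return False
    entry["owner"] = new_owner
    return True


# --- RBAC: permissions attach to roles, and users are assigned roles ---
ROLE_PERMS = {
    "teller": {("account", "read")},
    "auditor": {("account", "read"), ("ledger", "read")},
    "admin": {("account", "read"), ("account", "write"),
              ("ledger", "read"), ("ledger", "write")},
}
USER_ROLES = {"carol": {"teller"}, "dave": {"auditor"}, "erin": {"admin"}}


def rbac_allows(user: str, resource: str, op: str) -> bool:
    """A user may perform an operation if any of their roles carries it."""
    return any((resource, op) in ROLE_PERMS[r] for r in USER_ROLES.get(user, set()))
```

The contrast worth noticing is who can change the policy: in the MAC section nothing here lets a user edit a label, in DAC the owner can widen the ACL or hand the object to someone else, and in RBAC a user's rights change only when their role assignment changes.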
Improper access control is a weakness: if the software fails to restrict a user to the predefined permissions, then a hacker can break into the system, gain access to confidential files, and perform any action on them, such as read, write, delete, etc.
Fig. 2. Access control parameters
The two major concerns with this problem are:
- Permissions intended for user A can also end up applying to another user B with the same characteristics (for example, assigning user B the same privileges on file 1 as were assigned to user A).
- The mechanism assigned for security contains an error that prevents proper enforcement of the access control (for example, giving users access to set their own settings can lead to improper access control).
- Vulnerability explanation
This vulnerability can also come under cross-site scripting. In this case an attacker can put malicious code inside blank fields on the website GUI and gain access to private files. The vulnerability allows an attacker to put arbitrary code in a field provided on the website, for example in the search bar.
If a person breaches access control, then he/she can do anything within the company.
- Risk Evaluation
- Common attacks that happen due to improper access control
Improper access control is the most common vulnerability nowadays. It allows a hacker to take permissions on files they are not supposed to have, through attacks such as:
- Stack overflow
Stack overflow helps a hacker carry out some of the most common and successful attacks. It is basically like a DDoS attack: when the application receives lots of traffic, the stack overflows and the attacker can easily crash the application at that time.
- Password attack
Passwords are the easiest way to hack and gain access to resources. If a hacker is able to bypass the admin password, then they can gain access to any other account.
A password attack is used to crack account passwords using different methods.
- Dictionary attack: passwords are cracked using a dictionary that includes all the combinations of passwords.
- Brute force attack: tries all possible combinations of numbers, letters, and special characters. Instead of manual attempts, the attacker tries every possible combination to obtain the password.
- Rainbow table attack: previously, a hacker had to hash a password guess and compare it with the actual password hash. A rainbow table makes this easier by providing precomputed hash values for password guesses, so a cracker can compare the hashes from the rainbow table against the database.
- Sniffer attack: sniffing is a technique used on the network to capture packets. It captures the packets transferred over the network, including usernames and passwords.
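The defensive side of the dictionary and rainbow table attacks above is how passwords are stored. The added example below (not from the paper) shows why a stolen unsalted fast hash can be recovered from a precomputed table, while a per-user random salt and a slow key-derivation function (PBKDF2 here) give the table nothing to match. The wordlist, usernames and passwords are constructed for the example, and the storage format `rounds$salt$hash` is an assumption of this code.

```python
# Added example (not from the paper): unsalted lookup table versus salted,
# slow hashing. WORDLIST and the demo passwords are constructed.
import hashlib
import hmac
import os
from typing import Optional

# A tiny constructed wordlist standing in for a precomputed table.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1"]


def build_lookup_table(words) -> dict:
    """Precompute hash -> plaintext once; only possible because hashing is unsalted."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def lookup_unsalted(stored_hash: str, table: dict) -> Optional[str]:
    """A stolen unsalted SHA-256 hash is recovered by a plain dictionary lookup."""
    return table.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> str:
    """Store 'rounds$salt$hash'. A random per-user salt means a table built in
    advance matches nobody, and the PBKDF2 round count makes each guess slow."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and rounds; constant-time comparison."""
    rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    # Weak storage: unsalted SHA-256 of a password that is in the wordlist.
    weak_stored = hashlib.sha256(b"letmein").hexdigest()
    # Strong storage: the same password, salted PBKDF2.
    strong_stored = hash_password("letmein")
    return {
        "weak_recovered": lookup_unsalted(weak_stored, table),
        "strong_in_table": strong_stored.split("$")[2] in table,
        "strong_verifies": verify_password("letmein", strong_stored),
        "strong_rejects_wrong": verify_password("password", strong_stored),
        # Two users with the same password get different stored values.
        "same_password_differs": hash_password("letmein") != hash_password("letmein"),
    }


if __name__ == "__main__":
    print(demo())
```

The salt does not stop an attacker who already holds one user's hash from guessing that one user's password; it removes the economy of scale that a table precomputed for every user relies on, and the round count limits how many guesses per second are feasible.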
- Spoofing attack
A spoofing attack involves accessing others' profiles by obtaining credentials through the IT system. Several types of attack come under spoofing.
- IP spoofing: the attacker changes their IP address from the original to a fake one to hide their identity and location.
- Email spoofing: the attacker changes the sender email address to a genuine-looking one so that the user cannot recognize the source of the email.
- Phone number spoofing: used in voice over IP to spoof the caller's number and act as someone else.
- Social engineering attack
A social engineering attack is used to gather information from a person's social profile, or from the person directly, by manipulating them.
- Shoulder surfing: the simplest attack, in which the attacker simply stands behind the victim and watches the password on the screen over the victim's shoulder.
- Phishing: the attacker creates a web page identical to the original one; the victim believes it is the original website, enters their credentials, and the attacker receives them directly in the linked database.
- Whaling: a technique used to hack high-profile people such as a CEO or president, because they hold sensitive information. Whaling is done simply by sending an attached link; when the victim opens it, software (a payload) is downloaded onto the system, which gives the hacker full access.
- Denial of service attack
Denial of service is an attack used to bring a server down so that no one can access its resources. Basically, a denial of service attack sends multiple requests to the server, and if the server is not capable of handling that many requests, it goes down.
Hulk is a tool used to send multiple requests from a system to a server. Every organization should have traffic handlers for handling these types of attacks.
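One simple form of the "traffic handler" the paragraph calls for is a per-client sliding-window limiter that refuses requests beyond a budget. The following is an added example, not code from the paper or from any tool it names; the request stream, the client addresses, the limit of 20 requests per second and the window length are all constructed for illustration.

```python
# Added example (not from the paper): a per-client sliding-window request
# limiter run over a constructed request log.
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # client -> timestamps of accepted requests

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        while q and now - q[0] >= self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # over budget: reject and do not record
        q.append(now)
        return True


# Constructed request log: (timestamp_seconds, client_ip). 10.0.0.9 floods the
# server with 50 requests in half a second; 192.0.2.7 sends normal traffic.
REQUESTS = (
    [(0.0, "192.0.2.7")]
    + [(0.01 * i, "10.0.0.9") for i in range(50)]
    + [(0.6, "192.0.2.7"), (1.2, "10.0.0.9")]
)


def run(requests, limit: int = 20, window: float = 1.0) -> dict:
    """Replay the log through the limiter; return allowed/rejected counts per client."""
    limiter = SlidingWindowLimiter(limit, window)
    summary = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for ts, client in sorted(requests):
        key = "allowed" if limiter.allow(client, ts) else "rejected"
        summary[client][key] += 1
    return dict(summary)


if __name__ == "__main__":
    print(run(REQUESTS))
```

The flooding client gets its first 20 requests through, the remaining 30 are dropped without being counted, and once the window has moved on (the request at 1.2 s) it is served again; the well-behaved client is never affected. In production the same idea sits in a reverse proxy or load balancer rather than in application code.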
BUSINESS IMPACT OF IMPROPER ACCESS CONTROL
Improper access control can ruin a company in one day. It is a must to give the proper access to the proper employee. For example, take a bank with 100 employees: if all employees have access to all files, then they can easily manipulate the amount in any file, which means the bank cannot be trusted. This damages the bank's reputation, and the bank can be hacked or have its data leaked.
Fig. 3. Graphical impact on business from access control
So access should be given properly and carefully. It is the most important part of security, because wrongly given access makes a hack easy. Also, access should be given only for the limited period of time that the employee needs to access the file for his/her work. A periodic audit of access should be done every 5 days, so that if any employee leaves the company, his/her access is revoked at the same time and he/she cannot harm company data after leaving.
A bank can suffer a loss of millions from a small data leak. So access control is the most important factor in banks.
VII. UK 2007 ATTACK
In 2007 in the UK, the data of 25 million people was breached by a Revenue and Customs officer. That was a huge embarrassment for the UK government.
The National Audit Office asked a Revenue and Customs officer for data about children in the country. But the officer ended up extracting the data of 25 million people onto a couple of disks and sending them in the mail, because that was easier than selecting and sending only the data the National Audit Office needed. Regrettably, the disks were stolen, everyone came to know that the data was stolen, and it was a huge embarrassment for the government.
The stolen data contained information such as medical records, tax records, passport records, and corporate secrets.
A case study of this attack was done by Eric Johnson. He said that role-based access control is hard to implement correctly in the real world. In big organizations, bosses mostly do not even know who their employees are, and vice versa. Some companies even have more than one boss and senior management team.
Nowadays every company changes employees almost every day. So, in this case, it is hard to give all the access to employees, because the boss does not know them personally and therefore they are not trusted.
Eric Johnson found that a company of 3000 employees changed 1000 roles in just three months. Companies like this give all the access to the employee because they don't care about security, and it's easier to give full access to resources than to give access to a particular file.
Eric Johnson found that 50-90 percent of employees in big organizations are over-entitled, meaning they have been given more access than required. In a large organization, access is directly proportional to the employee's work experience in that company.
Access should be given to employees according to their work needs, not according to trust and experience. If an employee has no need to access a company data file, then they should not have access to it under any circumstances.
A periodic audit should be done in every company every 5 days, so that employees who have left the company do not retain access to private files; otherwise they could exploit the data for any reason. So their access should be revoked at the time they leave the company.
MITIGATION OF ACCESS CONTROL ATTACKS
Protecting against such attacks requires a coordinated defense involving people, tools, a firewall, an anti-malware monitoring system, and intrusion detection and prevention.
Security professionals carefully check where to put identity and access management devices for better security controls, so that no user can bypass the security easily.
Security professionals also try to hide the security implementation, because if hackers learn about the security infrastructure they can bypass it more easily. Next, you need controls for detecting inappropriate access, such as periodic access certification.
To ensure the security measures, security professionals use event-based certification, which gives an alert on every permission change for a user, so that no one can change their permissions without the admin's approval.
Access policies are used to prevent dangerous attempts. Security policies give a full description of which partner of the company has what level of access.
Finally, to check that a hacker is not able to change their own privileges, security professionals use automated account reconciliation. Running automated account reconciliation reveals privileges that were changed by a hacker without management's approval.
Implementing the right identity and access management controls helps the organization protect critical resources more efficiently and mitigate risk.
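The two detective controls named above, event-based certification and automated account reconciliation, are shown together in the added example below (not code from the paper). Reconciliation diffs the privileges the system actually grants against the baseline management approved and reports excess privileges, accounts with no approval, and stale approvals; certification raises an alert on every permission-change event and marks self-grants and changes with no approval ticket as high severity. The baseline, live snapshot, change events and the `resource:operation` naming are constructed for the example.

```python
# Added example (not from the paper): automated account reconciliation and
# event-based certification over constructed data.

APPROVED = {                      # what management signed off: user -> privileges
    "alice": {"ledger:read"},
    "bob": {"ledger:read", "ledger:write"},
    "carol": {"accounts:read"},
}

LIVE = {                          # what the system actually grants right now
    "alice": {"ledger:read", "ledger:write"},      # extra privilege, never approved
    "bob": {"ledger:read", "ledger:write"},
    "dave": {"accounts:read", "accounts:write"},   # account with no approval at all
}                                                  # carol missing: stale approval


def reconcile(approved: dict, live: dict) -> list:
    """Return findings as (user, kind, detail) tuples in a stable order."""
    findings = []
    for user in sorted(set(approved) | set(live)):
        have = live.get(user, set())
        want = approved.get(user, set())
        if user not in approved:
            findings.append((user, "unapproved_account", sorted(have)))
            continue
        if user not in live:
            findings.append((user, "stale_approval", sorted(want)))
            continue
        for p in sorted(have - want):
            findings.append((user, "excess_privilege", p))
        for p in sorted(want - have):
            findings.append((user, "missing_privilege", p))
    return findings


# Constructed permission-change events: (actor, target_user, privilege, ticket).
EVENTS = [
    ("admin", "bob", "ledger:write", "CHG-1042"),
    ("alice", "alice", "ledger:write", None),       # self-grant, no ticket
    ("svc-deploy", "dave", "accounts:write", None),  # service account, no ticket
]


def certify_events(events) -> list:
    """Event-based certification: every change produces an alert; a self-grant
    or a change without an approval ticket is escalated to high severity."""
    alerts = []
    for actor, target, perm, ticket in events:
        high = actor == target or ticket is None
        alerts.append({
            "severity": "high" if high else "info",
            "actor": actor,
            "target": target,
            "perm": perm,
            "ticket": ticket,
        })
    return alerts


if __name__ == "__main__":
    for f in reconcile(APPROVED, LIVE):
        print("RECONCILE", f)
    for a in certify_events(EVENTS):
        print("CERTIFY", a)
```

Reconciliation is the control that catches a change the event feed missed (or that was made outside the normal tooling), which is why the two are used together rather than relying on alerts alone.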
IX. Cost to prevent improper access control
Preventing improper access control will not cost much, but it needs the following:
Fig. 4. Controlling preventives for access control
Periodic audit of employees: when an employee leaves the company, his/her access should be revoked at the same time, so that the employee cannot harm the company in any sense. Also, if an employee is still working in the company but his/her need to use the files is downgraded because of a project change or anything else, then his/her access should be revoked at that same time.
Access should not be concentrated in one individual: if we give access to clients in distributed ways, the chances of leaking data are lower. For example, user A has access to file 1, user B has access to file 2, and user C has access to file 3. Now if user A wants to leak the data, he/she cannot leak it without the permission of users B and C. So it is difficult to hack or leak the data if file access is given in a distributed way.
Access should be given for a particular interval of time: access to files should be given to an employee for the minimum amount of time he/she needs to complete the task. For example, if employee A works for 5 hours, then access to the files should also be given for 5 hours from a safety point of view, so that the employee cannot steal or change the data after he/she is done with the work.
Multiple-factor authentication: for accessing important files there must be authentication that the right employee is accessing the data, so that hackers cannot act as a genuine employee. So multiple authentications of an employee are done: while logging in, the system sends an OTP to the employee's registered mobile number and also asks for the password and security questions to identify that the employee is genuine.
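The time-boxed grants and leaver revocation recommended here (and in the business-impact and UK 2007 sections earlier) are put into code in the added example below, which is not code from the paper. A grant carries an expiry equal to the task duration, offboarding revokes everything at once, and a periodic audit sweep reports grants that outlived the employee or the task. The users, file names, the 5-hour shift and the representation of time as seconds are constructed for the example.

```python
# Added example (not from the paper): time-boxed access grants, revocation on
# offboarding and a periodic audit sweep. All users and timings are constructed.
from dataclasses import dataclass, field

HOUR = 3600.0


@dataclass
class Grant:
    user: str
    resource: str
    expires_at: float       # access is valid only before this time
    revoked: bool = False


@dataclass
class AccessStore:
    grants: list = field(default_factory=list)
    active_users: set = field(default_factory=set)   # current employees

    def grant(self, user: str, resource: str, now: float, duration: float) -> Grant:
        """Grant for exactly the duration the task needs (e.g. a 5-hour shift)."""
        self.active_users.add(user)
        g = Grant(user, resource, now + duration)
        self.grants.append(g)
        return g

    def can_access(self, user: str, resource: str, now: float) -> bool:
        return any(
            g.user == user and g.resource == resource
            and not g.revoked and now < g.expires_at
            for g in self.grants
        )

    def offboard(self, user: str) -> int:
        """Revoke everything the moment an employee leaves; returns count revoked."""
        self.active_users.discard(user)
        n = 0
        for g in self.grants:
            if g.user == user and not g.revoked:
                g.revoked = True
                n += 1
        return n

    def audit(self, now: float) -> list:
        """Periodic sweep: flag live grants held by non-employees or past expiry."""
        findings = []
        for g in self.grants:
            if g.revoked:
                continue
            if g.user not in self.active_users:
                findings.append(("orphaned_grant", g.user, g.resource))
            elif now >= g.expires_at:
                findings.append(("expired_grant", g.user, g.resource))
        return findings


def demo() -> dict:
    store = AccessStore()
    t0 = 0.0
    store.grant("alice", "file1", t0, 5 * HOUR)
    store.grant("bob", "file2", t0, 5 * HOUR)
    store.grant("carol", "file3", t0, 5 * HOUR)
    store.active_users.discard("carol")   # HR recorded carol as left, IT never revoked
    return {
        "alice_during_shift": store.can_access("alice", "file1", t0 + 3 * HOUR),
        "alice_after_shift": store.can_access("alice", "file1", t0 + 6 * HOUR),
        "bob_revoked_on_leaving": store.offboard("bob"),
        "bob_after_leaving": store.can_access("bob", "file2", t0 + 1 * HOUR),
        "audit_findings": store.audit(t0 + 6 * HOUR),
    }


if __name__ == "__main__":
    print(demo())
```

The audit finding for carol is the case the UK 2007 discussion warns about: the person has left, nobody revoked the grant, and only a periodic sweep against the current employee list catches it.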