The following is an excerpt from the Official (ISC)2 Guide to the CISSP CBK, fourth edition, edited by Adam Gordon, CISSP-ISSAP, ISSMP, SSCP. This section from Domain 5 illustrates how devastating access control attacks can be to an enterprise and provides tips for thwarting them.
Most people have an intuitive understanding of the terms insiders and insider attacks. We all have seen spy movies in which agents and double agents exploit inside knowledge or privileged access to inflict damage on a hostile regime. The consequences of insider attacks can be extremely damaging. For example, in January 2008, Jerome Kerviel circumvented internal security mechanisms to place more than $70 billion in secret, unauthorized derivatives trades, which, according to his employer Societe Generale, resulted in a net loss of $7.2 billion to the bank. Jerome Kerviel managed to launch his attack because, over time, he was able to take on two roles that should not have been held by any single individual, even at different points in time. But this role-based separation of duty was not implemented in any part of the IT system. Support for role-based access control (RBAC) within that IT system, in combination with proper identity management, may have prevented or at least detected this insider attack.
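The role-based separation of duty the paragraph describes can be written down as an enforceable rule. The following is an added example, not code from the CISSP guide: a small RBAC model in which two constructed roles ("trader" and "trade_control", hypothetical names) are declared mutually exclusive, and the grant check consults the user's full role history rather than only the roles held right now, which is exactly the gap a move between two departments slips through when only current roles are checked.

```python
from dataclasses import dataclass, field

# Constructed example roles and permissions (not from the CISSP text): the
# two roles below must never be held by one person, even at different times,
# because together they let an individual both execute trades and confirm or
# conceal them.
ROLE_PERMISSIONS = {
    "trader": {"place_trade"},
    "trade_control": {"confirm_trade", "cancel_trade", "adjust_limits"},
}
SOD_CONFLICTS = {frozenset({"trader", "trade_control"})}


class SeparationOfDutyViolation(Exception):
    """Raised when a role grant would breach a separation-of-duty rule."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)         # roles held right now
    role_history: set = field(default_factory=set)  # every role ever held


def sod_clash(user, role, historical=True):
    """Return the roles that make granting `role` to `user` a violation.

    With historical=True the check looks at every role the user has ever
    held; with historical=False only currently held roles count, which is
    the gap that a revoke-then-grant sequence slips through.
    """
    held = user.role_history if historical else user.roles
    return {r for r in held if r != role and frozenset({role, r}) in SOD_CONFLICTS}


def assign_role(user, role, historical=True):
    """Grant `role`, refusing the grant if a separation-of-duty rule forbids it."""
    clash = sod_clash(user, role, historical)
    if clash:
        raise SeparationOfDutyViolation(
            f"{user.name}: {role} conflicts with {sorted(clash)}")
    user.roles.add(role)
    user.role_history.add(role)


def revoke_role(user, role):
    """Remove a current role; the history entry is deliberately kept."""
    user.roles.discard(role)


def authorize(user, permission):
    """Standard RBAC decision: the permission must come from a role held now."""
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in user.roles)


def role_change_sequence(historical=True):
    """Replay a back-office-then-front-office move and report the outcome."""
    user = User("jk")
    assign_role(user, "trade_control")   # approved back-office role
    revoke_role(user, "trade_control")   # later moves to the trading desk
    try:
        assign_role(user, "trader", historical=historical)
        return "granted"
    except SeparationOfDutyViolation:
        return "blocked"


if __name__ == "__main__":
    print("history-aware SoD:", role_change_sequence())                       # blocked
    print("current-roles-only SoD:", role_change_sequence(historical=False))  # granted
```

The design point is that the constraint is evaluated at grant time inside the identity system, not left to the trading application. A check that only looks at currently held roles lets the sequence through; keeping the history makes the second grant fail and turns a silent accumulation of privilege into an event a manager has to approve or refuse.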
A look at access control attacks
A massive data breach in April 2011 resulted in attackers stealing data from 77 million Sony PlayStation customer accounts. In May 2011, 24.5 million Sony Online Entertainment accounts were compromised. In June 2011, an attack on Sony Pictures compromised over one million user accounts, and the attackers bragged that they used a single SQL injection attack to retrieve data. In October 2011, when Sony locked almost 100 thousand PlayStation accounts, it said the credentials were stolen from other sites and sent email messages to users encouraging them to “choose unique, hard-to-guess passwords,” implying the problem was the customers' fault.
In February of 2014, new details emerged revealing that hackers originally gained access to Target's network by stealing the access credentials, via a phishing attack, of a refrigeration contractor. The contractor said its electronic interaction with Target was limited to billing, contract submission, and project management (i.e., nothing related to the customer's personal or credit card data). Further details of the breach covered in the press revealed a sophisticated and prolonged attack at Target tracing back to these access control attacks. Once the hackers infiltrated the Target network, they distributed malware to thousands of point-of-sale (PoS) machines designed to siphon off customer data, and then they set up a control server within Target's internal network that acted as the central repository for the stolen credit card data. The stolen data was later uploaded from the Target network to an FTP server.
Mitigating access control attacks
Protecting the enterprise from such attacks requires a coordinated defense involving people, processes, and tools that span antimalware, firewalls, application, server, and network access control, intrusion detection and prevention, security event monitoring and more. But what about identity and access management (IAM)? As the security professional examines the Target scenario, he or she should see several areas where the right IAM preventive and detective controls could have helped to prevent, detect, or mitigate the attack:
- It all starts with getting visibility and control over user access privileges (who has access to what?). This is especially important for highly sensitive data or applications. It means putting in place IAM tools to ensure the right access controls are in place and that user access privileges conform to policy.
- Next, you need detective controls such as periodic access certifications, which are designed to detect and revoke inappropriate access (e.g., an HVAC partner with access to credit card data) or access that does not map to a legitimate user (so-called “rogue” accounts). To ensure that potentially serious issues are detected promptly, the security architect and professional may choose to deploy “event-based” certifications that are triggered by any change in a user's privileges—requiring management review and approval.
- Access policy that can prevent or detect “toxic combinations” of access privileges. These types of policies are very useful in preventing risky scenarios. For example, the security practitioner can easily define policies that prevent partners from having access to PoS systems or systems storing customer data. Likewise, the security architect can enforce network segmentation by defining policies that prevent administrators on one network from having the same privileges on another.
- Lastly, to find cases where hackers are granting their own “rogue” privileges, the security professional can use automated account reconciliation to detect unauthorized changes to access privileges. Running a reconciliation process allows companies to detect access privileges that were granted outside of normal provisioning processes, without management approval. These rogue accounts can be detected in nightly scans and immediately reported to managers and application owners.
Implementing the right IAM controls can help the enterprise mitigate risks and more effectively protect critical resources and their customers' data.
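The detective controls in the list above (periodic or event-based certification, toxic-combination policy, and account reconciliation) all reduce to comparing what is actually provisioned against what was approved and against policy. The following added example, not code from the CISSP guide, does that over constructed sample data: an approved-grants record, a nightly scan of observed entitlements, a small identity directory, and one toxic-combination policy that forbids partner accounts from holding PoS or cardholder-data entitlements. All account names, entitlement names and the policy are hypothetical.

```python
# Constructed sample data (not from the CISSP text). An identity record
# exists for each legitimate account; a partner is any non-employee.
KNOWN_IDENTITIES = {
    "alice": "employee",
    "bob": "employee",
    "hvac-vendor": "partner",
}

# Entitlements the provisioning workflow granted with management approval.
APPROVED_GRANTS = {
    ("alice", "pos_admin"),
    ("bob", "billing_portal"),
    ("hvac-vendor", "billing_portal"),
}

# Entitlements actually found on the systems by last night's scan.
OBSERVED_GRANTS = {
    ("alice", "pos_admin"),
    ("bob", "billing_portal"),
    ("hvac-vendor", "billing_portal"),
    ("hvac-vendor", "cardholder_db"),  # never went through provisioning
    ("svc_backup2", "pos_admin"),      # account with no identity record
}

# Toxic-combination policy: partner accounts may never hold these entitlements.
TOXIC_POLICIES = [
    {"name": "partner-no-pos-or-card-data",
     "subject_type": "partner",
     "forbidden": {"pos_admin", "cardholder_db"}},
]


def reconcile(approved, observed, identities):
    """Diff observed entitlements against the approved provisioning record."""
    unapproved = observed - approved   # granted outside the provisioning process
    stale = approved - observed        # approved but no longer present on the system
    rogue_accounts = {acct for acct, _ in observed if acct not in identities}
    return {"unapproved": unapproved, "stale": stale, "rogue_accounts": rogue_accounts}


def toxic_combinations(observed, identities, policies):
    """Return (account, entitlement, policy name) triples that breach a policy."""
    findings = []
    for acct, ent in sorted(observed):
        subject_type = identities.get(acct, "unknown")
        for policy in policies:
            if subject_type == policy["subject_type"] and ent in policy["forbidden"]:
                findings.append((acct, ent, policy["name"]))
    return findings


def certification_queue(approved, observed, identities, policies):
    """Items to send to managers and application owners for review after a scan."""
    rec = reconcile(approved, observed, identities)
    queue = [("unapproved_grant", acct, ent) for acct, ent in sorted(rec["unapproved"])]
    queue += [("rogue_account", acct, None) for acct in sorted(rec["rogue_accounts"])]
    queue += [("toxic_combination", acct, f"{ent} ({name})")
              for acct, ent, name in toxic_combinations(observed, identities, policies)]
    return queue


if __name__ == "__main__":
    for item in certification_queue(APPROVED_GRANTS, OBSERVED_GRANTS,
                                    KNOWN_IDENTITIES, TOXIC_POLICIES):
        print(item)
```

On this data the run produces four review items: the partner's unapproved cardholder-database grant, the unapproved PoS grant on an account with no identity record, that account itself as a rogue account, and the partner grant as a toxic combination. The same `reconcile` diff, run against the previous night's snapshot instead of the approved record, is what drives an event-based certification: any change in a user's privileges becomes an item requiring review.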
Authentication attacks occur when a web application authenticates users unsafely, granting access to web clients that lack the appropriate credentials. Access control attacks occur when an access control check in the web application is incorrect or missing, allowing users unauthorized access to privileged resources such as databases and files. Web applications are becoming increasingly prevalent because they allow users to access their data from any computer and to interact and collaborate with each other. However, exposing these rich interfaces to anyone on the internet makes web applications an appealing target for attackers who want to gain access to other users' data or resources. Web applications typically address this problem through access control, which involves authenticating users that want to gain access to the system and ensuring that a user is properly authorized to perform any operation the server executes on his or her behalf. In theory, this approach should ensure that unauthorized users cannot subvert the application to launch access control attacks.
Unfortunately, experience has shown that many web applications fail to follow these seemingly simple steps, with disastrous results. Each web application typically deploys its own authentication and access control framework. If any flaw exists in the authentication system, an authentication bypass attack may occur, allowing attackers to become authenticated as a valid user without having to present that user's credentials, such as a password. Similarly, a single missing or incomplete access control check can allow unauthorized users to access privileged resources. These attacks can result in the complete compromise of a web application.
Designing secure access control systems
Designing a secure authentication and access control system in a web application is difficult. Part of the reason is that the underlying file system and database layers perform operations with the privileges of the web application rather than with the privileges of a specific web application user. As a result, the web application must have the superset of privileges of all of its users. However, much like a Unix setuid application, it must explicitly check whether the requesting user is authorized to perform each operation that the application performs on his or her behalf; otherwise, an attacker could exploit the web application's privileges to access unauthorized resources.
This approach is ad hoc and weak because these checks must be sprinkled throughout the application code wherever a resource is accessed, spanning code in multiple modules written by different developers over a long period of time. It is hard for developers to keep track of all the security policies that have to be checked. Worse yet, code written for other applications or third-party libraries with different security assumptions is often reused without considering the security implications. In each case, the result is that it is difficult to ensure the correct checks are always performed.
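The contrast between per-handler checks and a single enforced chokepoint is easier to see in code. The following added example is not from the CISSP guide: it shows a handler that reads from the data store directly and simply omits the owner check, beside a version in which every resource load goes through one decorator that evaluates policy before the handler ever sees the object. The in-memory `DOCUMENTS` store, the users and the `root` admin account are all constructed for the example.

```python
import functools

# Constructed in-memory resources (not from the CISSP text); "owner" is the
# only authorization attribute, and "root" is a hypothetical admin account.
DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's notes"},
    2: {"owner": "bob", "body": "bob's invoice"},
}
ADMINS = {"root"}


class Forbidden(Exception):
    """Authenticated, but not authorized for this resource."""


# Ad hoc pattern the text warns about: the handler reaches into the data
# store itself, so the authorization check has to be remembered per handler.
# Here it was never written, so any logged-in user can read any document.
def get_document_adhoc(current_user, doc_id):
    doc = DOCUMENTS[doc_id]
    return doc["body"]


# Centralized pattern: one chokepoint loads the resource and evaluates the
# policy; the handler only ever sees an object it is already allowed to use.
def is_owner(user, doc):
    return doc["owner"] == user


def is_admin(user, doc):
    return user in ADMINS


def authorized_resource(*policies):
    """Decorator: load the document, allow if any policy grants, else deny."""
    def decorate(handler):
        @functools.wraps(handler)
        def wrapper(current_user, doc_id):
            doc = DOCUMENTS.get(doc_id)
            if doc is None:
                raise KeyError(doc_id)
            if not any(policy(current_user, doc) for policy in policies):
                raise Forbidden(f"{current_user} may not access document {doc_id}")
            return handler(current_user, doc)
        return wrapper
    return decorate


@authorized_resource(is_owner, is_admin)
def get_document(current_user, doc):
    return doc["body"]


def try_read(handler, user, doc_id):
    """Call a handler and map a denial to the string 'forbidden' for comparison."""
    try:
        return handler(user, doc_id)
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    print(try_read(get_document_adhoc, "bob", 1))  # alice's notes (the flaw)
    print(try_read(get_document, "bob", 1))        # forbidden
    print(try_read(get_document, "alice", 1))      # alice's notes
    print(try_read(get_document, "root", 2))       # bob's invoice
```

In a real code base the store would be private to the repository layer so that handlers have no way to reach it except through the decorated path; the point of the structure is that a developer who forgets the policy cannot get a resource at all, rather than getting one without a check. Reviewing for missing checks then means reviewing one decorator instead of every handler written over the life of the application.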
Access control attacks attempt to bypass or circumvent access control methods. Access control starts with identification and authorization, and access control attacks often try to steal user credentials. After attackers have stolen a user's credentials, they can launch an online impersonation attack by logging in as the user and accessing the user's resources.
Access aggregation refers to collecting multiple pieces of non-sensitive information and combining (i.e., aggregating) them to learn sensitive information. In other words, a person or group may be able to collect multiple facts about a system and then use these facts to launch an attack.
Reconnaissance attacks are access aggregation attacks that combine multiple tools to identify multiple elements of a system, such as IP addresses, open ports, running services, operating systems, and more. Aggregation attacks are also employed against databases. Combining defense-in-depth, need-to-know, separation of duties, and least privilege principles helps prevent access aggregation attacks.
In part 2 of this tip, learn additional strategies and best practices for preventing access control attacks.
CISSP® is a registered mark of (ISC)².