Access attacks

A decade ago, common attacks against access control were dictionary attacks, brute-force attacks and spoofed (login) screens. To defend against these types of attacks, people were harassed by security policies to use long and complex passwords that needed changing every so often, and users were locked out after a number of failed logon attempts. A spoofed logon screen was considered almost impossible to defend against once the fake screen had already been installed on a computer, which meant the focus shifted to securing vulnerable endpoints so that fake logon screens could not be employed in the first place.

Authentication schemes appeared, providing a way to collect credentials and determine the identity of a user. During authentication with a web application, for example, Web Agents communicate with a Policy Server to determine which credentials must be retrieved from the user requesting a resource; each such component introduces additional attack surface. Over time, more authentication schemes appeared.

Access to data and resources is commonly classified as:

  • Authorised access: A person has access rights to data according to the security policies.
  • Unauthorised access: A person has no access rights to a set of data or resources, but has deliberately circumvented the system to gain access.
  • Improper access: A person has access rights to the data granted to them by the system, but uses that access to perform operations they are not truly entitled to.

Insiders can gain unauthorised access to information by:

  • Gaining credentials of an authorised user.
  • Using authorised users' unattended logged-in machines.
  • Stealing devices that contain the credentials of authorised users.
  • Stealing devices or storage that contain the information.

In these cases, insiders break the authentication scheme being used. If the attributes associated with the authorised user, along with the attributes associated with the object, action and environment, satisfy the policy protecting the data being attacked, the adversary is able to access the information. The strength of the access control model against unauthorised access therefore depends on the robustness of the authentication scheme being used. In role-based access control, an inside attacker is likely to gain access to a large subset of information because of the model's lack of granularity.

Authorised users may be able to perform improper operations over information using their own credentials. Such improper access may be relatively easy when the system is regulated using roles. Once a set of users is assigned to a role, every user in that role receives the same permission set, making improper access possible.
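As an added example (not part of the original text), the following Python evaluates the same request under a coarse role permission set and under a policy over subject, object, action and environment attributes, and lists the permissions a role grants that the attribute policy would refuse; the role table, object attributes and policy rules are constructed for illustration.

```python
# Added example: a minimal evaluator contrasting a role's whole permission set
# with an attribute-based policy. All role, object and rule data is constructed.

# Constructed role table: every user in "analyst" receives this entire permission set.
ROLE_PERMISSIONS = {
    "analyst": {("customer_records", "read"), ("customer_records", "export"),
                ("payroll", "read")},
}

# Constructed object attributes: owning department and classification level.
OBJECTS = {
    "customer_records": {"department": "sales", "classification": 2},
    "payroll": {"department": "hr", "classification": 3},
}


def rbac_allows(role, resource, action):
    """Role-based check: granted if the role's permission set contains the pair."""
    return (resource, action) in ROLE_PERMISSIONS.get(role, set())


def abac_allows(subject, obj, action, env):
    """Attribute-based check (hypothetical policy): the request must satisfy a rule
    that combines subject, object, action and environment attributes."""
    same_dept = subject["department"] == obj["department"]
    cleared = subject["clearance"] >= obj["classification"]
    if action == "read":
        return same_dept and cleared
    if action == "export":
        # Exports additionally require a managed device during working hours.
        return same_dept and cleared and env["managed_device"] and 9 <= env["hour"] < 18
    return False


def improper_access_exposure(subject, env):
    """Permissions the role grants that the attribute policy would refuse for this
    subject in this environment: the improper-access surface of a coarse role."""
    exposed = set()
    for resource, action in ROLE_PERMISSIONS.get(subject["role"], set()):
        if rbac_allows(subject["role"], resource, action) and \
                not abac_allows(subject, OBJECTS[resource], action, env):
            exposed.add((resource, action))
    return exposed


if __name__ == "__main__":
    alice = {"role": "analyst", "department": "sales", "clearance": 2}
    office = {"managed_device": True, "hour": 11}   # normal working session
    night = {"managed_device": False, "hour": 2}    # unmanaged device, out of hours
    print(improper_access_exposure(alice, office))  # {('payroll', 'read')}
    print(improper_access_exposure(alice, night))   # payroll read plus customer export
```

The second scenario models the stolen-credential and unattended-machine cases above: the role still grants the full permission set, while the attribute policy refuses the out-of-hours export from an unmanaged device.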