Lecture 7 Broken Authorisation Flashcards

1
Q

Access control and which other term mean the same thing?

A

Authorisation

2
Q

What is Access Control about?

A

It is about mediating access to resources on the basis of a user-specific policy
- Resources such as users, processes, files and data, etc.

3
Q

What are often overlooked?

A

Meta-operations are often overlooked – Read, Write, Execute, Create, Delete and File Ownership

4
Q

What can you access?

A

1) Network access: can you connect to a system or service?
2) Physical access: laptops, desktops, servers, USB devices (IT equipment, basically)
3) Restricted functions: transactions, configuration changes
4) Note: resource access does not only mean files and database functionality
- APIs, memory, storage media, basically anything used in data processing

5
Q

Example of Access Controls

A

1) Account management
2) Limits on the number of concurrent sessions
3) Session lock after a period of inactivity
4) Session termination after a period of inactivity, total time of use or time of day
5) Restriction of access after a certain time of day
6) Principle of least privilege for granting access
7) Mapping of users' rights to business and process requirements (give the minimum level of access required)

6
Q

Access Control Models

A

There are 4 access control models:
1) Discretionary access control (DAC)
Identity / need-to-know basis
2) Mandatory access control (MAC)
Sensitivity of the information contained in objects (think of this as 'top secret' or 'for your eyes only' type material)
3) Role-based access control (RBAC)
Based on the roles played by users and groups in organisational functions
4) Attribute-based access control (ABAC)
Contextual attributes such as time of day / location
i.e. something can only be accessed at a specific time of day in a specific location

7
Q

Discretionary Access Control (DAC) means …

A

Restricting access based on the identity of users (and membership of certain groups)
- Access decisions are typically based on the authorisations granted to a user on the basis of their credentials

8
Q

Mandatory Access Control (MAC)

A

Assigns sensitivity labels to information and compares these to the sensitivity level the user is operating at.
- MAC is appropriate for extremely secure systems (military applications, mission-critical data applications)

9
Q

Role Based Access Control (RBAC)

A

Gives security administrators the ability to determine who can perform what actions, where, when and from where
- Access decisions are based on the users' roles (doctor / nurse / attendant / patient all have different permissions)

10
Q

Attribute Based Access Control (ABAC)

A
  • Also referred to as Permission Based Access Control (PBAC)
  • Permission = string-based name, for example "READ" / "WRITE" / "EXECUTE"
  • In some PBAC systems that provide fine-grained, domain-object-level access, permissions are grouped into classes
  • In such a system a "DOCUMENT" class may be defined with the permissions "READ", "WRITE" and "DELETE"
  • A "SERVER" class may be defined with the permissions "START", "STOP" and "REBOOT"

11
Q

Mitigations

A

1) Check authorisation on every page
2) Users can supply their own URLs, including unexpected ones. Check them.
3) Do not inadvertently become a proxy for services behind a firewall
4) Short lifetimes for session tokens
5) Destroy tokens server-side on user logout
6) Do not use timestamps as a token
- Timestamps can be used in generating a token
- Timestamps should be used for expiring tokens
7) Remove all demo/debug code before going live
8) Do not create session IDs based solely on user input
- Use a "sufficiently random" session ID
9) Do not trust IP addresses

See slides for more.
