According to Accenture, security attacks have increased by 31% from 2020 to 2021. The average number of attacks per company has increased by approximately 23.7%, and Cisco predicts the cumulative costs of cybersecurity to hit $10.5 trillion by 2025.
A security breach occurs when unauthorized actors find their way into data and systems they shouldn't be in. While the digitizing businesses through the cloud and online spaces have revolutionized the ability to connect people with information, it also spawned a new set of risks.
Access control is something we all know we should do - yet, rarely is it implemented properly. This leaves people and organizations vulnerable to data breaches and potential compromises. IBM puts the current average daily cost of a data breach at $4 million.
So what are the vulnerabilities that lead to access control attacks? And how can your team mitigate them before they become a major issue on your customers' trust, business reputation, and bottom line?
What are Access Control Attacks?
Most systems have some form of access control in place to restrict access to sensitive data and systems. However, these controls are not always effective, and vulnerabilities can exist that allow unauthorized access.
Poorly designed access controls can be easy to bypass. Weak implementation can also lead to bypasses, such as when an administrator fails to properly restrict access to a sensitive file. The Identity Defined Security Alliance (IDSA) reports that 94% of organizations have experienced some form of a data breach.
There are many different types of access control attacks, but some of the most common include:
- Lack of proper authentication: This can occur when systems do not require strong authentication measures, such as two-factor authentication. Google claims that a two-step verification through SMS text messages can stop 100% of all automated attacks and the bulk of phishing attacks.
- Weak passwords: Another common issue is weak passwords that can be easily guessed or brute-forced by attackers. Over 80% of breaches are due to stolen or weak passwords.
- Insufficient authorization: This vulnerability can occur when authorization controls are not properly implemented. In 2021, over 22 billion records were unintentionally exposed due to a lack of proper authorization controls.
- Lack of auditing: Without proper auditing, it can be difficult to detect unauthorized access or activity. The World Economic Forum reports that 95% of cybersecurity breaches are caused by human error. This may come in the form of incorrect permissions set up or no automated processes to remove unused credentials.
The listed above are common occurrences and are based on privileged access. This is why it is vital to understand horizontal and vertical escalation.
Horizontal privilege escalation
Horizontal privilege escalation happens when a user gains access to data or performs an action at the same security level as their current permissions, but they are not supposed to have access to that data. For example, if two users have access to the same file, but one user is not supposed to be able to see the other user’s data, then the user has horizontally escalated their privileges.
Horizontal privilege escalation is often seen as more dangerous than vertical privilege escalation because it is more difficult to detect and prevent. When a user vertically escalates their privileges, it is usually obvious because they are trying to access data that they shouldn’t be able to access. When users horizontally escalate their privileges, they can often do so without raising any red flags.
One of the most common ways horizontal privilege escalation is used is through “pass-the-hash” attacks. In these attacks, a malicious user can obtain another user's password hash and use that to log in as that user. This allows the attacker to access the other user's data without knowing their password.
Vertical privilege escalation
Privilege escalation is the act of a user elevating their privileges to gain access to data or functions they wouldn't normally have access to. This can happen vertically when a user elevates their privileges to a level above their current role or horizontally when a user elevates their privileges to the same level as another user.
Vertical privilege escalation is a serious security vulnerability because it allows users to bypass security controls and access sensitive data or perform actions they shouldn't be able to. For example, a user with low-level access to a database could escalate their privileges to the administrator level and then delete or modify data at will.
There are a few different ways that vertical privilege escalation can happen. The most common is when users are assigned too many privileges or when privileges are not properly managed. For example, suppose a user is added to an administrator group but never removed when they leave the company. In that case, they will still have access to sensitive data and functions even after they no longer should. Another way vertical privilege escalation can happen is through privilege escalation exploits, where a user exploits a flaw in the system to gain higher privileges.
Examples of Broken Access Control Attacks
Insecure IDs are a major problem when it comes to access control attacks. They can be easily guessed, stolen, or simply forgotten, leaving your systems and data vulnerable to attack. There are a few simple steps you can take to prevent this from happening:
- Use strong and unique IDs.
IDs should be at least 8 characters long and contain a mix of uppercase and lowercase letters, numbers, and special characters. They should also be unique to each user so that one person cannot masquerade as another.
- Do not reuse IDs.
If an ID is compromised, it shouldn't be used again. Reusing IDs makes it easy for attackers to gain access to your systems.
- Do not store IDs in plain text.
IDs should be stored in an encrypted format so that even if they are stolen, they will be challenging to decode.
- Use two-factor authentication.
Two-factor authentication adds an extra layer of security by requiring a second form of identification, such as a fingerprint, and an ID. This makes it much harder for an attacker to access your systems.
- Educate your users.
Make sure your users know to keep their IDs safe and secure. Attackers often exploit weak and insecure IDs by phishing or social engineering. Educating your users about best practices will help to prevent them from falling victim to these attacks.
Client-side caching is a type of caching that occurs on the client side, as opposed to the server side. This means that when a user requests a page, the server will send them a cached version of the page, rather than the most up-to-date version. This can be a problem for a number of reasons.
Client-side caching can be a vulnerability because it can lead to broken access control. If a user can access a cached version of a page, they may be able to see information that they should not have access to.
One way to prevent client-side caching is to use a server-side cache, which will store the most up-to-date versions of pages on the server rather than on the client. Another way is to use a client-side cache that is not accessible to the user. This can be done using a private browsing mode or a service that encrypts the cache.
Directory traversal is a type of security vulnerability that allows attackers to access files and directories they should not have access to. This can be done by manipulating the file path to allow the attacker to "traverse" the file system to reach restricted areas. Directory traversal is a severe security issue because it can expose sensitive data and be used to gain access to restricted areas of a system.
There are a few ways to prevent directory traversal attacks. One method to prevent this is to ensure that all user input is validated before it is used, achieved through input filters and character sanitization techniques.
See how Ocrolus discovered 1,389 shadow data stores within its cloud environment in less than 5 minutesView Case Study
Permissions Control Methods
As the world becomes more connected and more information is shared online, the need for context-dependent security settings becomes more important. Context-dependent security settings allow for different levels of security to be applied in different situations based on the specific context in which the information is being shared.
To prevent privilege escalation vulnerabilities, organizations should carefully control which users have access to which resources. Additionally, users should only be given the permissions needed to perform their job. Here are four types of context-dependent access controls:
- Discretionary access control (DAC) is the most common type of access control. In DAC, access to resources is based on the user's identity and the permissions assigned to that user. For example, a user with read-only permissions would only be able to view a file but not edit or delete it.
- Mandatory access control (MAC) is less common than DAC but often used in high-security environments. In MAC, access to resources is based on the classification of the resource. For example, a resource classified as top secret would only be accessible to users who have been authorized to access top secret resources.
- Role-based access control (RBAC) is a type of access control frequently used in large organizations. In RBAC, access to resources is based on a user's role within the organization.
- For example, a user who is a member of the HR department would have different permissions than a user who is a member of the finance department.
- Permission Based Access Control (PBAC) is a security measure that can be used to prevent privilege escalation. PBAC works by restricting access to certain areas or resources based on a user's permissions.This means a user can only access areas or resources they have been given explicit permission to access.
Mitigate the risk of broken access control attacks with Polar Security
If you're looking to mitigate the risk of broken access control attacks, Polar Security can help. Polar automates the process of data discovery, classification and protection to prevent your company from becoming part of the statistics.
Automated and continuous discovery and classification of sensitive data can give you unparalleled visibility and control over your data assets - giving you the power to always know where your data is stored, who has access to it, whether it is encrypted or not, and so on. With that, you will significantly reduce the risk of being targeted by a ransomware attack.