How to prevent access control attacks
Organizations are prone to data breaches, and even though they are becoming more serious about their security posture, they are still attacked regularly and sensitive information (such as passwords) is stolen from their vaults. Many of these attacks succeed because of a lack of IAM controls or because of misconfigurations in them. In this article, we look at the various ways in which attacks on access controls can be mitigated.
The access control process starts with identification, authentication, and authorization; access control attacks steal user credentials in order to impersonate a user and perform malicious activities. These attacks are often built on earlier passive stages such as reconnaissance (collecting system details like IP addresses, server banners, and the type of access controls protecting users' credentials) and access aggregation (combining several pieces of non-sensitive information into something sensitive; for example, a user's date of birth followed by their name may very well be that user's password).
Thus, organizations must implement strong IAM controls and policies to protect users' critical resources and their customers' data. The following are some ways in which attacks on access controls can be controlled, if not completely prevented:
- Use of Multifactor Authentication: These days a single authentication factor is not sufficient, as it can be easily breached; for example, many organizations still rely only on a username and password as their authentication mechanism, and many attacks succeed against them. There are now options to require additional authentication factors before a user is granted access to resources. Multifactor authentication combines factors from these categories:
  - Something you have (smart card, etc.)
  - Something you are (biometrics)
  - Something you know (password)
  The organization must employ a combination of the above to strengthen the authentication check.
- Strong Password Policy: There must be a password policy that mandates strong passwords organization-wide, as this reduces the attack surface presented by passwords. The policy should not only enforce strong passwords but also direct that passwords be changed regularly. Such a policy is a must; organizations should not depend solely on users' awareness of strong passwords but rather enforce it.
- Secure password files: Password files should be encrypted, and with a strong encryption method. Passwords must be secured at rest on disk using encryption, and in transit over the wire by never passing them in clear text and never placing them directly in a URL. The organization must employ HTTPS instead of HTTP to protect sensitive data such as passwords on the wire. Stored password hashes must also be salted, so that attacks such as rainbow tables do not succeed and each user's stored value is unique even when two users choose the same password.
- Restrict access to systems: Access to systems, sensitive files, etc., whether physical or electronic, must be restricted. If an attacker has physical access to the system that hosts authentication records, they can dump the records and crack them offline. The same applies to electronic access: users' access to password files should be restricted. All such activities should be logged and investigated immediately. User roles should also be controlled and restricted in terms of what users can do on a system; for example, on an exposed web application, a user should not be allowed into sensitive areas of the application where there is no need.
- Account Lockout Policies: Organizations must employ strong account lockout policies. Typically the account is set to lock after five consecutive failed login attempts; this setting should be adjusted to the organization's needs. This policy can produce a lot of false positives, since it is common for a legitimate user to mistype a password, so the policy must take those false positives into account. The policy must also look out for 1:1 attacks, 1:N attacks (where an attacker is using a single password across multiple systems), N:1 attacks (where N systems are targeting a single system) and N:N attacks (where N malicious systems are targeting N benign systems). Efficient logging should also be in place, and policies must define N bad login attempts followed by a successful attempt as an event of interest, as that completes the definition of an attack. Logging the last successful login can help identify who last logged on to the system. Banks commonly display a similar message on their portals, where they log and show "User last login" to help users identify legitimate activity.
- Account Management: Organizations must carefully implement and follow the account management life cycle, which starts with the business need or reason, proceeds to provisioning, and ends with deleting the account. When users leave the company, their accounts should be deleted immediately. Inactive accounts should also be deleted, as their logs are often overlooked. Account privilege levels should also be monitored carefully.
- Testing: As the saying goes, think like a malicious user would, and then prepare control test strategies. Such testing should only be carried out with approval from the relevant groups within the organization. Testing strategies should also follow the compliance guidelines under which the control falls, or the compliance regime the organization is striving towards. Access control systems should be tested frequently, for example whenever a new control is deployed or a new logical network segmentation is performed. Test results should be distributed, and appropriate decisions made to fine-tune existing policies or to create a new policy where one is missing. For example, if a password is weak and can be cracked but is allowed by the password policy, then the organization's password policy should be fine-tuned and enforced on user accounts.
- User Awareness: Users should be trained in how to maintain security, for example by never sharing a password, writing it down somewhere, or using the same credentials on multiple sites (as that can easily defeat an organization's controls if some other portal's authentication system is breached). Users should also be taught about social engineering attacks such as phishing.
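The "Secure password files" item above calls for salted hashes so that two users with the same password never share a stored value. The following is an added example, not code from the original article, showing one way to do that with Python's standard library (PBKDF2-HMAC via `hashlib`); the record format and iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

HASH_NAME = "sha256"
ITERATIONS = 600_000   # work factor; an illustrative value, tune for your hardware
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh random salt is drawn for each call unless one is supplied, so two users
    with the same password get two different stored values."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the salt and iteration count stored in the record and
    compare in constant time; malformed records simply fail verification."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        hash_name = scheme.split("_", 1)[1]
        expected = bytes.fromhex(hash_hex)
        digest = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(digest, expected)

def same_password_distinct_records(password: str) -> bool:
    """Show why salting defeats precomputed (rainbow) tables: the same password
    stored twice yields two different records, each still verifiable on its own."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)
```

Because the salt and iteration count travel with the record, the work factor can be raised later for new records without breaking verification of old ones.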
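The "Account Lockout Policies" item above says logging must surface N failed attempts followed by a success, as well as 1:N and N:1 patterns. As an added example (not part of the original article), the following Python detection logic runs those three checks over a constructed sample log; the log format, field names, and thresholds are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
10:00:01 src=203.0.113.5 user=alice host=web01 result=FAIL
10:00:03 src=203.0.113.5 user=alice host=web01 result=FAIL
10:00:05 src=203.0.113.5 user=alice host=web01 result=FAIL
10:00:07 src=203.0.113.5 user=alice host=web01 result=FAIL
10:00:09 src=203.0.113.5 user=alice host=web01 result=FAIL
10:00:11 src=203.0.113.5 user=alice host=web01 result=OK
10:01:00 src=198.51.100.7 user=bob host=web01 result=FAIL
10:01:02 src=198.51.100.8 user=bob host=web01 result=FAIL
10:01:04 src=198.51.100.9 user=bob host=web01 result=FAIL
10:02:00 src=192.0.2.20 user=svc host=db01 result=FAIL
10:02:01 src=192.0.2.20 user=svc host=db02 result=FAIL
10:02:02 src=192.0.2.20 user=svc host=db03 result=FAIL
"""
LINE_RE = re.compile(r"src=(\S+) user=(\S+) host=(\S+) result=(\S+)")

def parse_events(text):
    """Return (src, user, host, ok) tuples in log order; other lines are skipped."""
    return [(m[1], m[2], m[3], m[4] == "OK") for m in LINE_RE.finditer(text)]

def failures_then_success(events, threshold=5):
    """Return (user, src) pairs where >= threshold consecutive failures were followed
    by a success: N bad attempts plus one good one completes the definition of an attack."""
    streak, hits = defaultdict(int), []
    for src, user, _host, ok in events:
        key = (user, src)
        if ok:
            if streak[key] >= threshold:   # a success after a few typos is not flagged
                hits.append(key)
            streak[key] = 0
        else:
            streak[key] += 1
    return hits

def fan_out(events, group_by, count_field, min_distinct=3):
    """Over failed attempts only, count distinct count_field values per group_by value.
    ('host', 'src') surfaces N:1 (many sources on one system); ('src', 'host') surfaces 1:N."""
    idx = {"src": 0, "user": 1, "host": 2}
    seen = defaultdict(set)
    for ev in events:
        if not ev[3]:
            seen[ev[idx[group_by]]].add(ev[idx[count_field]])
    return {k: len(v) for k, v in seen.items() if len(v) >= min_distinct}
```

The fan-out check is deliberately coarse (it has no time window), so in practice it would be run per shift or per hour to keep ordinary traffic from accumulating into a hit.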
In this article, we have looked at some ways of enforcing stronger IAM control policies and mitigating attacks against them.