How to prevent access control attacks
As we know, organizations are prone to data breaches, and even though organizations are becoming serious about their security posture, they are often attacked, and sensitive information (such as passwords) is stolen from their vaults. Various attacks succeed because of lack of IAM control or because of some misconfigurations in them. In this article, we will look at the various ways in which attacks on access controls can be mitigated.
Access control process starts with identification, authentication, and authorization and access control attacks steal user credentials to impersonate a user and perform malicious activities. This attacks are often a buildup of pre-stage passive attacks like reconnaissance (collecting systems metrics like IP, server banner, what type of access controls are put in place to protect user's credentials), access aggregation (combining several non-sensitive information to form a sensitive information for example a user DOB followed by name can very well be the user's password).
What should you learn next?
Thus, organizations must implement strong IAM controls and policies to protect user's critical resources and their customer's data. Following are some ways in which attacks on access controls can be controlled if not completely prevented
- Use of Multifactor Authentication: These days a single authentication type is not sufficient as it can be easily breached for example various organizations are still using only username/password as an authentication type mechanism, and thus various attacks succeed against them. There are options now to deploy additional authentication types before a user is granted access to resources. Use of Multifactor Authentication follow these:
- Something you have (SMART card etc.)
- Something you are (Biometrics)
- Something you know (password)
The organization must employ a combination of above to strengthen the authentication check.
- Strong Password Policy: There must be a password policy that directs the use of strong passwords organization-wide as it can reduce the attack surface of passwords. The policy should not only include enforcing a strong password but also directs changing passwords regularly. This type of policy is a must and organizations should not on depend solely on users' awareness about strong password and rather enforce it.
- Secure password files: Password files should be encrypted and that too with a strong encryption method. Passwords must be secured at disk using encryption and while in transit over the wire by not passing them in clear text and also not in URL directly. The organization must employ HTTPS instead of HTTP to secure sensitive data like password over the wire. Also hashed passwords must be salted to make sure attacks like rainbow tables do not succeed and the user gets uniqueness even for the same password.
- Restrict access to systems: Access whether physical or electronic must be restricted to systems, sensitive files, etc. If the attacker has physical access to the system which hosts authentication records, then they can dump the records and then crack them offline. Same is the case for electronic access as user's access should be restricted to password files. All such activities should be logged and investigated immediately. Also, user roles should be controlled/restricted as to what they can do on a system for example on an exposed web application which a user is allowed to sensitive areas in an application where there is no need.
- Account Lockout Policies: Organizations must employ strong account lockout policies. The account is set to lock after five consecutive failed login attempts. This setting must be changed as per organization needs. This policy can give a lot of false positives since it can be legitimate that user types the wrong password so policy must keep those false positives into account. Also, the policy must also look out for 1:1 attack, 1: N attack (where an attacker is using a single password across multiple systems) or N:1 (where N numbers of systems are targeting a single system) or N:N (where N malicious systems are targeting N benign systems). Efficient logging should also be done, and policies must also define N bad login attempts followed by a successful attempt as that completes the definition of an attack. This logging of the last successful login can help to identify who last logged onto the systems. Normally banks employ similar kinds of message on their portal where they log and display "User last login" to help user's identity legitimate activities.
- Account Management: Organizations must carefully implement and follow up on account management cycle which starts right from business need/reason followed by provisioning and ends up with deleting the account. When users leave companies, their account should be deleted immediately. Also, an account which is inactive should also be deleted as their logging are often overlooked. Also, accounts privilege levels should also be monitored carefully.
- Testing: As they say think like a malicious user would and then prepare control test strategies. This technique should only be followed by approvals from different groups from within an organization. Testing strategies should also follow compliance guidelines under which the control fall or for the compliance organization is striving towards. Testing should frequently be done on the access control systems, for example, like whenever a new control is deployed, or a new logical network segmentation is performed. Testing results should be distributed, and appropriate decisions should be made to fine tune the existing policies or create a new policy if one is missing. For example, if the password is weak and can be cracked but allowed by the password policy then organization password policy should be fine-tuned and must be enforced on user accounts.
- User Awareness: Users should be trained about how to maintain security for example by never sharing a password, or write it down somewhere or use the same credentials on multiple forums (as that can easily defeat an organization control if some other portal authentication system is breached). Users should also be taught about various social engineering attacks like phishing.
So in this article, we have looked at some ways of enforcing stronger IAM control policies and mitigate attacks towards them.
In this Series
- How to prevent access control attacks
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security