In the world of security, authentication, and authorization methodologies are foundational aspects of defense. Authentication techniques protect against unlawful entry to systems through the verification of a user, and authorization either grants or denies the verified user’s access level.
For example, if an employee from the finance department requests records from the administration department, the system checks the employee`s identity, and will either allow or deny access based on the employee’s authority to view data.
Identity and Access Management (IAM) is an automated process that facilitates both authentication and authorization mechanisms, delivering much more control in governing resources. It has centralized identification and access control, password management, single sign-on, with many other administrative functions. IAM authentication comprises several methods to verify a user along with the standard password authentication method, including the use of Multi-Factor Authentication (MFA). MFA includes additional authentication factors covering 3 aspects –
- Something that you know – Which includes passwords, passphrases, or a Personal Identification Number (PIN).
- Something that you have – Any other physical object to gain access to a system such as OTP tokens, key cards, or through a cryptographic identification device.
- Something that you are – A unique biometric authentication of yourself, including fingerprints, voice, or facial recognition.
IAM authorization includes management mechanisms which govern users’ activities based on their roles or given permissions. Access control has many types –
- Mandatory Access Control (MAC) – Only system administrators are allowed to permit, deny, or change access of users. It is done by variable tags linked to a profile describing what access level they have. MAC is often used in the most confidential and sensitive systems.
- Discretionary Access Control (DAC) – Is a flexible and high-effort access control system where the owner of an organization gets to choose who can access the resources even surpassing the set rules of the administrator as well.
- Role-Based Access Control (RBAC) – The access levels are based on the role and function performed by an employee in the organization. Employees can only access information that is relevant to their department. For example, low-level employees cannot access high-level information.
- More detailed access control systems – Rule-Based Access Control, as the name implies, is based on set rules and policies according to an access control list which is quite similar to the role-based approach. Attribute Access Control is a dynamic and risk-intelligent system that analyzes characteristics available on a user profile.
- Intuitive Control Systems – Identity-Based Access Control systems consider the visual or biometric identity of a user to provide access. History-Based Access Control systems tally the usage of the history of an individual to determine access.
It is worth noting that even though there are many authentication and authorization methods available they still have vulnerabilities and are subject to many threats and attacks by threat actors.
Authentication and Authorization Vulnerabilities
Authentication vulnerabilities are often related to password-based authentication methods since they are mostly breached by brute-force attacks. Even the wrong implementation or the coding of the authentication process is a gateway to attacks as well.
Compromising passwords through phishing campaigns, brute-force, credential-stuffing, manual exploitation of HTTP requests and responses, and SQL injection are some attack types. The main vulnerabilities that cause these attacks are –
- Authentication logic flaws – The premise used for the authentication, improper application of security controls, wrongful assumptions about a user, and huge confidence in them are determinants for authentication escalation.
- Insecure password and account recovery methods – Malicious users can attempt to reset the password themselves by answering obvious questions about the target, such as the pet`s name, or favorite movie. If the attacker has access to the target`s phone number it may be easy to be able to bypass these recovery and verification processes. This is much more possible if the user has only two-factor authentication (2FA) activated.
- Insecure session handling – Threat actors can make use of a valid authenticated session if the sessions aren`t properly managed with secure protocols. Improper user logouts, lack of session timeouts, and storing session data in browsers, web pages, and non http-only cookies are some examples.
According to the PlainID 2022 State of Access and Authorization Report, it was revealed that authorization is given the highest priority in IAM strategies. Unauthorized use of privileges to resources, that is, where a user can indiscriminately read, write or execute files is a breach of authorization. The process of assigning roles and privileges can be complicated, therefore, it is important to know common identified vulnerabilities around authorization.
- Exploitation of the Insecure Direct Object References (IDOR) vulnerability – IDOR enables an unauthorized user to carry out operations without checking whether the actual owner’s permissions allow it. For example, a user is permitted to edit files, rather than just editing their own files; the user is incorrectly privileged to edit other user`s files.
- Unprotected resources – Resources that are left unsecured, but have been obfuscated to make them unidentifiable, and resources that are set for default access are considered unprotected resources.
- Misconfigured access policies – Sometimes, due to a highly complex network, a user can have incorrect permissions mistakenly set. Misconfigured Cross-Origin Resource Sharing (CORS) is a common vulnerability around access policies.
- Privilege escalation by binary exploitations – Exploitation of binary configurations to gain elevated access to resources. For example, in Linux, the Dirty Pipe Privilege Escalation Vulnerability (CVE-2022-0847), and PwnKit vulnerability.
Threat actors are now able to bypass IAM authentication and authorization methodologies in various ways. The methods we once thought were secure are now vulnerable to many attacks, and the security of information and systems is at a stake.
There are many threats and risks to look out for, therefore it is always important to know and plan the correct type of IAM strategy for your organization. Routine checks of all the access controls, policies, privileged accounts, and maintaining a zero-trust policy are recommended.
About the Author:
Dilki Rathnayake is a Cybersecurity student studying for her BSc (Hons) in Cybersecurity and Digital Forensics at Kingston University. She is also skilled in Computer Network Security and Linux System Administration. She has conducted awareness programs and volunteered for communities that advocate best practices for online safety. In the meantime, she enjoys writing blog articles for Bora and exploring more about IT Security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.