Access-Control Misconfiguration


Alternative Forms

N/A

Definitions

Definition 1

An Access-Control Misconfiguration is a special class of System Misconfiguration whereby access controls are not configured in compliance with the system owner’s security policy.

While general System Misconfigurations tend to cause functional failures or performance degradations, Access-Control Misconfigurations cause security weaknesses. Because the consequences are neither obvious nor immediate, Access-Control Misconfigurations are hard to detect, and the sheer volume of access-control configuration settings in information systems makes detection harder still.

For these reasons, Access-Control Misconfigurations may remain unnoticed for long periods of time. Threat agents can exploit them easily because, from the system's point of view, they are valid configurations.

The risk posed by Access-Control Misconfigurations varies widely with systems and may range from benign to catastrophic.

  • Provide a distinction between the hyponyms under-granting and over-granting privileges.
  • Provide a distinction with the hyperonym Security Misconfiguration.
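Since an Access-Control Misconfiguration is a valid configuration that merely disagrees with the owner's policy, the practical way to detect it is to diff the grants a system actually holds against the declared policy. The following is an added example, not part of this dictionary entry; the principals, privileges and policy are constructed to mirror the troubleshooting scenario in the sample sentence below, and it reports both hyponyms (over-granting and under-granting).

```python
"""Detect access-control misconfigurations as drift between a declared policy
and the grants a system actually holds. Added example; all role names,
privileges and policy data below are constructed, not taken from any system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    principal: str
    privilege: str
    kind: str  # "over-granted" or "under-granted"


def audit_grants(policy: dict[str, set[str]],
                 actual: dict[str, set[str]]) -> list[Finding]:
    """Compare actual grants with the owner's policy.

    Both maps go from principal -> set of privileges. A privilege present in
    `actual` but absent from `policy` is over-granting (a security weakness);
    a privilege required by `policy` but missing from `actual` is
    under-granting (usually a functional failure). Principals unknown to the
    policy are reported in full, since every grant they hold is unsanctioned.
    """
    findings: list[Finding] = []
    for principal in sorted(set(policy) | set(actual)):
        allowed = policy.get(principal, set())
        held = actual.get(principal, set())
        for priv in sorted(held - allowed):
            findings.append(Finding(principal, priv, "over-granted"))
        for priv in sorted(allowed - held):
            findings.append(Finding(principal, priv, "under-granted"))
    return findings


# Constructed sample: the owner's policy for a database server ...
POLICY = {
    "dba": {"SELECT", "INSERT", "UPDATE", "DELETE", "GRANT"},
    "app_user": {"SELECT", "INSERT", "UPDATE"},
    "report_user": {"SELECT"},
}

# ... and the grants as found on the system after a troubleshooting session:
# app_user was left with admin-level rights and report_user lost SELECT.
ACTUAL = {
    "dba": {"SELECT", "INSERT", "UPDATE", "DELETE", "GRANT"},
    "app_user": {"SELECT", "INSERT", "UPDATE", "DELETE", "GRANT"},
    "report_user": set(),
}

if __name__ == "__main__":
    for f in audit_grants(POLICY, ACTUAL):
        print(f"{f.kind:14} {f.principal}: {f.privilege}")
```

Running the audit periodically, rather than once, is what catches a grant that was "temporary" but never removed.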

Sample Sentences

The application was down. The business was putting a lot of pressure on getting it fixed. Bob the System Administrator was stressed as he troubleshot the database server. In the process, he granted admin access permissions to normal users to check whether the problem was related to access permissions. It was not. He then moved on to another hypothesis but forgot to remove this Access-Control Misconfiguration from the system. Eve took advantage of it and compromised the system.

Conceptual Diagram

Related Terms

  • System Misconfiguration (hyperonym)

Quotes


Bibliography


See Also
