Access-Control Misconfiguration

Alternative Forms

N/A

Definitions

Definition 1

An Access-Control Misconfiguration is a special class of System Misconfiguration whereby access controls are not configured in compliance with the system owner’s security policy.

While general System Misconfigurations tend to cause functional failures or performance degradations, Access-Control Misconfigurations cause security weaknesses. Because a security weakness, unlike an outage, has no obvious or immediate consequences, Access-Control Misconfigurations are hard to detect. The sheer volume of access-control configuration settings in information systems amplifies the problem.

For these reasons, Access-Control Misconfigurations may go unnoticed for long periods of time. Threat agents can exploit them easily because they are valid system configurations: nothing in the system treats them as an error.

The risk posed by Access-Control Misconfigurations varies widely with systems and may range from benign to catastrophic.

  • Provide distinction between the hyponyms under-granting and over-granting privileges.
  • Provide distinction with the hyperonym Security Misconfiguration.

Sample Sentences

Strictly speaking, Access-Control Misconfiguration may either lead to under-entitlement or over-entitlement. The situation of under-entitlement is of lower interest because its risk is negligible.

Causes

  • Troubleshooting by trial and error

  • Manual provisioning errors

  • Weak incident management process

  • Weak change management process

  • Incompetence

Countermeasures

  • Adequate error messages

  • Reliable documentation

  • Awareness training

  • Privileged Access Management (PAM)

  • Configuration scans

  • Audits

  • Reconciliation controls

Sample Sentence

The application was down, and the business was putting a lot of pressure on IT to get it fixed. Bob, the System Administrator, was stressed while troubleshooting the database server. In the process, he granted admin access permissions to normal users to check whether the problem was related to access permissions. It was not. He moved on to another hypothesis but forgot to remove this Access-Control Misconfiguration from the system. Eve took advantage of it and compromised the system.
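The reconciliation control listed under Countermeasures is what would have caught Bob's leftover grants. The following is an added example, not part of the original page, that compares effective grants against the owner's policy and reports over-entitlement and under-entitlement separately; the policy, role register and grant snapshot are constructed sample data.

```python
"""Reconciliation check: compare effective grants against the owner's policy
and report over-entitlement (extra grants) and under-entitlement (missing grants)."""
from dataclasses import dataclass

# Constructed sample policy: role -> privileges the security policy allows.
POLICY_BY_ROLE = {
    "admin": {"SELECT", "INSERT", "UPDATE", "DELETE", "GRANT"},
    "user": {"SELECT", "INSERT"},
    "auditor": {"SELECT"},
}

# Constructed sample role register: the intended state for each account.
ROLE_BY_ACCOUNT = {"bob": "admin", "alice": "user", "carol": "user", "dave": "auditor"}

# Constructed snapshot of effective grants read back from the database after
# Bob's troubleshooting session: alice and carol now hold admin-level
# privileges, and dave has lost SELECT.
EFFECTIVE_GRANTS = {
    "bob": {"SELECT", "INSERT", "UPDATE", "DELETE", "GRANT"},
    "alice": {"SELECT", "INSERT", "UPDATE", "DELETE", "GRANT"},
    "carol": {"SELECT", "INSERT", "UPDATE", "DELETE", "GRANT"},
    "dave": set(),
}


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str  # "over-entitlement" or "under-entitlement"
    privileges: frozenset


def reconcile(policy, roles, effective):
    """Return one Finding per account and deviation kind; empty list means no drift."""
    findings = []
    for account, role in roles.items():
        expected = policy[role]
        actual = effective.get(account, set())
        if actual - expected:
            findings.append(Finding(account, "over-entitlement", frozenset(actual - expected)))
        if expected - actual:
            findings.append(Finding(account, "under-entitlement", frozenset(expected - actual)))
    # Accounts holding grants without any registered role are over-entitled as well.
    for account in set(effective) - set(roles):
        if effective[account]:
            findings.append(Finding(account, "over-entitlement", frozenset(effective[account])))
    # Over-entitlement first: the page treats under-entitlement as the lower risk.
    return sorted(findings, key=lambda f: (f.kind != "over-entitlement", f.account))


if __name__ == "__main__":
    for finding in reconcile(POLICY_BY_ROLE, ROLE_BY_ACCOUNT, EFFECTIVE_GRANTS):
        print(f"{finding.kind:18} {finding.account:6} {sorted(finding.privileges)}")
```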

Conceptual Diagram

(Diagram image not reproduced.)

Related Terms

  • Over-entitlement (hyponym)

  • Under-entitlement (hyponym)

  • Security Misconfiguration (hyperonym)

  • System Misconfiguration (hyperonym)
