Access-Control Misconfiguration

Owned by David Doret, created
Last updated: 20-28-2021
2 min read

Access-Control Misconfiguration

dictionary-term

[ 1 Definitions ] [ 1.1 Definition 1 ] [ 1.1.1 Causes ] [ 1.1.2 Countermeasures ] [ 1.1.3 Sample Sentence ] [ 1.1.4 Conceptual Diagram ] [ 2 Related Terms ] [ 3 Quotes ] [ 4 Bibliography ] [ 5 See Also ]

Definitions

Definition 1

An Access-Control Misconfiguration is a special class of System Misconfiguration whereby access controls are not configured in compliance with the system owner’s security policy.

While general System Misconfigurations tend to cause functional failures or performance degradations, Access-Control Misconfigurations cause security weaknesses. This absence of obvious and immediate consequences is a characteristic that makes it hard to detect Access-Control Misconfigurations. This situation is amplified by the volume of access-control configuration settings in information systems.

For these reasons, Access-Control Misconfigurations may stay unnoticed during long periods of time. Threat agents may easily exploit Access-Control Misconfigurations because they are valid system configurations.

The risk posed by Access-Control Misconfigurations varies widely with systems and may range from benign to catastrophic.

Strictly speaking, Access-Control Misconfiguration may either lead to under-entitlement or over-entitlement. The situation of under-entitlement is of lower interest because its risk is negligible.

Causes

  • Troubleshooting using try and error problem-solving strategy

  • Manual provisioning errors

  • Weak incident management process

  • Weak change management process

  • Incompetence

Countermeasures

  • Adequate error messages

  • Reliable documentation

  • Awareness training

  • PAM

  • Configuration scans

  • Audits

  • Reconciliation controls

Sample Sentence

The application was down. The business was putting a lot of pressure to get that fixed. Bob the System Administrator was stressed when he troubleshooted the database server. In the process, he granted admin access permissions to normal users to check if the problem was related to access permissions. It was not. He then moved on with another hypothesis but forgot to remove this Access-Control Misconfiguration from the system. Eve took advantage of this and compromised the system.

Conceptual Diagram

  • Over-entitlement hyponym

  • Under-entitlement hyponym

  • Security Misconfiguration hyperonym

  • System Misconfiguration hyperonym

Quotes

Filter by label

There are no items with the selected labels at this time.

Bibliography

See Also

Follow us on LinkedIn | Discuss on Slack | Support us with Patreon | Sign-up for a free membership.

This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.