ABC Company uses the cloud for its applications. It uses a password management application that stores passwords in a protected file encrypted by a single password. The password is five alphabetic characters and is changed on a monthly basis by the administrator, who delegates that to a colleague in case of the administrator’s absence. When a subject seeks access to a certain protected object, the application decrypts the whole file in memory and matches the subject’s password with the one in the store.
The access control system does not accommodate contextual attributes in its access decision.
Evaluation of the Scenario
As the scenario clearly indicates, the system is cloud-based; however, it is not clear how the cloud is set up, whether as a public, private or hybrid configuration. Depending on the configuration of the cloud solution, the system may be exposed to several types of security risk. Another point worth attention is the application's functionality. It is clear from the scenario overview that this application was not given much thought: a single password encrypts the whole file that holds everyone else's passwords, which is an obvious risk on its own.
For every subject that seeks access to a protected object, the system loads the entire file contents into memory again. For a system that will contain every user's password in the company, it goes without saying that protecting a file of this importance is paramount.
In an article by Ruppert (2009), he makes an important point when he states that “Most companies focus their resources and defensive strategies on protecting the perimeter from outsider attacks but often the greatest damage can be done by someone already inside these defenses.” He goes even further to state that a system administrator can be the organization's most trusted ally or its worst nightmare, depending on their motivation or personal interest towards the company; this is in itself a major risk.
Cloud access needs to go over a VPN or HTTP/HTTPS/TLS, which can be insecure as well, since SSL/TLS only protects the data while it is in transit and provides no persistent protection once it has been transmitted. Another point to highlight is the unsecured flat file.
Even though it is a cloud-based application, which should provide redundancy, the following risks remain:
- Susceptible to brute-force attack
  - Password is only 5 characters long
  - Password uses only alphabetic characters
- Susceptible to memory hacking
  - The entire password file is loaded into memory
  - Cold boot attack
  - Direct Memory Access (DMA) attack, also known as DMA malware
  - Everyone within the company is exposed, even at the highest level of management
- Password policy (due to the nature of the policy)
  - Password is weak
  - Delegation of the password (the delegated colleague could share it)
  - The main password could be forgotten
- The file could become corrupted during the ongoing updates of the main password
  - Once the file has become corrupted, the corruption is replicated across the cloud infrastructure; only if a backup process exists can the data be recovered
- Cloud-based infrastructure
  - Is the provider meeting its SLAs?
  - How often is the file being backed up?
  - How long are the backups being kept?
  - Memory for loading everyone's information while handling the other functions may become inadequate and potentially cause corruption
- Direct access to the file containing the passwords
  - Sharing of said file
- Single point of failure, since the application acts as both the Access Control Enforcement Function (AEF) and the Access Control Decision Function (ADF)
- If the password is forgotten, recovering the file may be at risk
- Encryption potentially weak
- The application might have bugs or be behind on version updates
  - Parameter injection
  - Cross-site scripting
Given the risks listed above, the related threats are as follows:
The cloud-based application's password policy is very weak: access is controlled by only five alphabetic characters, with which the application then encrypts an entire file of otherwise unencrypted passwords. Such a password is exposed to brute-force attacks using a number of methods, namely dictionary attacks, lists of commonly used passwords, and exhaustive combinations of letters and numbers.
Methods/Mitigation to address Risk
Access control is a very important aspect of security and should be treated as such. Authenticating users before giving them access to any resource is key. In the scenario evaluated, the subject essentially has access to the system before requesting an object; the password is only checked after an object is requested. Using this password management application as both the Access Control Enforcement Function (AEF) and the Access Control Decision Function (ADF) is ill-advised.
What is needed is a framework that provides authentication, authorization and accounting (auditing of user activity). Such a framework facilitates an environment that intelligently controls access to computer resources, enforces policies, audits usage and provides the information necessary to bill for services.
Regarding the unsecured flat file: using an SQL database is more secure than a flat file, but still not 100% secure, as attackers can use SQL injection to extract information.
Other forms of mitigation include, but are not limited to:
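To make the contrast concrete, here is an added example (not the scenario's application, and not code from the essay) of a small SQLite-backed password store that verifies one user at a time against a salted PBKDF2 digest instead of decrypting the whole file, with a parameterised lookup beside the string-concatenated one that SQL injection abuses. Storing PBKDF2 digests is a technique substituted here in place of the scenario's encrypted plaintext store; the table, iteration count and user data are constructed for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000   # assumed PBKDF2 work factor; raise it for production hardware

def open_store() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the scenario's flat file (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return db

def add_user(db: sqlite3.Connection, name: str, password: str) -> None:
    """Store a per-user salt and PBKDF2 digest; the password itself is never written."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Parameterised statement: user input is bound as data, never spliced into SQL text.
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))

def verify(db: sqlite3.Connection, name: str, password: str) -> bool:
    """Check one credential by reading one row; nothing else is decrypted or loaded."""
    row = db.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        # Do the same work for unknown users so timing does not reveal valid names.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    salt, digest = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def lookup(db: sqlite3.Connection, name: str) -> list:
    """Safe lookup: the name is bound as a parameter."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def unsafe_lookup(db: sqlite3.Connection, name: str) -> list:
    """The injection-prone pattern the text warns about: SQL assembled from user input."""
    return db.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()
```

The unsafe variant returns every row when handed the textbook tautology input, while the parameterised one returns nothing for the same string.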
- Requiring users to have complex passwords (letters, numbers and/or symbols)
- Implementing two-step authentication
- Ensuring that the system uses public and private keys for encryption
- Limiting the number of times a user can attempt to log in
- Temporarily locking out users who exceed the specified maximum number of login attempts
- Ensuring that there are protective applications within the cloud environment, namely:
  - Antivirus scanner
  - Anti-spyware scanner
  - Malware scanner
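As an added illustration (not part of the original essay), the following Python sketch applies three of the mitigations above to the brute-force risk identified earlier for the five-letter password: a complexity rule, an estimate of the search space an attacker faces, and an attempt limit with temporary lockout. The thresholds (12 characters, 3 character classes, 5 attempts, 15 minutes) are assumed values, not from the page.

```python
import math
import string
import time

MIN_LENGTH = 12           # assumed policy values; the page gives no numbers
MAX_ATTEMPTS = 5          # limit on failed logins before a lockout
LOCKOUT_SECONDS = 900     # length of the temporary lockout

CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def classes_used(password: str) -> set:
    """Character classes that actually appear in the password."""
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in password)}

def keyspace_bits(password: str) -> float:
    """log2 of the brute-force search space for a password of this shape."""
    alphabet = sum(len(CHAR_CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def policy_violations(password: str) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_used(password)) < 3:
        problems.append("uses fewer than 3 character classes")
    return problems

class LoginThrottle:
    """Counts failed logins per user and locks the user out once MAX_ATTEMPTS is hit."""
    def __init__(self, now=time.monotonic):
        self.now = now                  # injectable clock, so the lockout can be tested
        self.failures = {}              # user -> (failed count, locked-out-until timestamp)

    def allowed(self, user: str) -> bool:
        _, until = self.failures.get(user, (0, 0.0))
        return self.now() >= until

    def record_failure(self, user: str) -> None:
        count, until = self.failures.get(user, (0, 0.0))
        count += 1
        if count >= MAX_ATTEMPTS:       # lock out and restart the count afterwards
            count, until = 0, self.now() + LOCKOUT_SECONDS
        self.failures[user] = (count, until)
```

For the scenario's five-letter password the search space is 26^5, about 23.5 bits, which the policy check rejects on both length and character-class grounds.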
There are many other steps that can be taken to ensure the sustainability and integrity of the passwords, as well as other facets of the cloud-based environment. “To maximize consumer trust, businesses need to focus efforts in the three pillars of consumer protection; Brand Protection, Security, and Privacy. The companies looking at these issues holistically are best equipped in protecting their brand from a significant incident.” (OTA, 2014)
References
Online Trust Alliance (2014) Data Protection & Breach. Available at: https://otalliance.org/system/files/files/best-practices/documents/2014otadatabreachguide4.pdf (Accessed: 22 August 2016).
Ruppert, B. (2009) Protecting Against Insider Attacks. SANS Institute.
Vanhoef, M. (2012) Memory Hacking: Anyone Can Do It! Available at: http://www.mathyvanhoef.com/2012/01/memory-hacking-anyone-can-do-it.html (Accessed: 22 August 2016).