AccessControl

Purpose

An AccessControl object represents some access restriction, commonly login functionality.

Connections

| Object | Connection | Description | Function |
| --- | --- | --- | --- |
| Host | Authorization | Denotes that there is a login prompt to access the Host. | A missing AC results in automatic "login" (or represents that no login is needed). |
| Router | Authorization | Denotes that there is a login prompt to access the Router. | A compromise of the administration network will compromise the router directly without an access control. |
| Service | Authorization | Denotes that there is a login functionality to access the Service. | A compromise of the administration network will compromise the router directly without an access control. |
| UserAccount | Non-Root Authorization | A User Account connects to an Access Control object stating that the access control functionality has an active user account present. | A connection to a UserAccount object represents the user account needed to bypass the AccessControl. It is mandatory to have at least one connection (either root or non-root) to a UserAccount. |
| UserAccount | Root Authorization | A User Account connects to an Access Control object stating that the access control functionality has an active user account present. | A connection to a UserAccount object represents the user account needed to bypass the AccessControl. It is mandatory to have at least one connection (either root or non-root) to a UserAccount. |

Attack Steps and Defenses

| Attack Step | Description | Leads to |
| --- | --- | --- |
| Access | The possibility to reach the AccessControl functionality (but not traverse it). | AccessControl: ExtractPasswordRepository; AccessControl: NonRootLogin; AccessControl: RootLogin |
| Extract Password Repository | The possibility to read the passwords accepted by the AccessControl. | UserAccount: GuessOffline |
| Non Root Login | Logging in via the AccessControl using a non-root user account. | Host: UserAccess; Router: Compromise; Service: ApplicationLogin; Service(shell): NonRootLogin |
| Root Login | Logging in via the AccessControl using a root user account. | Host: Compromise; Router: Compromise; Service: ApplicationLogin; Service(shell): RootLogin |

| Defense | Description | Impact | Default |
| --- | --- | --- | --- |
| Backoff | Backoff is a contention control mechanism that reacts to failed login attempts and can delay or disrupt many consecutive tries. | The probability of the GuessOffline AttackStep can be reduced if coupled with NoDefaultPassword. | On |
| Enabled | Enabled denotes that the Access Control mechanism is enabled and authenticates users for access to the connected asset. | If connected to a Service, Access Control can reduce the TTC of DeployExploit and prevent GuessOffline. | On |
| Hashed Password Repository | A Hashed Password Repository stores no passwords in clear text. Instead, one-way cryptographic hashes are stored to protect the password but still allow authentication. | Reduces the probability of GuessOffline. | On |
| No Default Passwords | A special case of password guessing is the use of default passwords which are created for new accounts and software products. No Default Passwords denotes that all default passwords are removed. | Reduces the probability of GuessOnline. | Off |
| Password Policy Enforcement | Proactive password checkers and filters can enforce password policies which force users to create more complex passwords. In securiLang, Password Policy Enforcement denotes a checker with at least 8 characters, one lowercase, one uppercase, one special sign and one number. | Prevents GuessOffline coupled with Hashed Password Repository and GuessOnline coupled with NoDefaultPasswords. | Off |
| Salting | Salting appends a random value to the password hash that makes the password cracking more difficult. | Prevents GuessOffline coupled with HashedPasswordRepository. | On |
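The Hashed Password Repository, Salting and Password Policy Enforcement defenses, sketched as an added Python example (this is not securiCAD or securiLang code). The class and function names, the PBKDF2 work factor and the salt length are assumptions made for illustration; here the per-account salt is fed into the key derivation together with the password.

```python
import hashlib
import hmac
import os
import string

ITERATIONS = 200_000  # illustrative work factor (assumption, not a securiLang value)


def meets_policy(password: str) -> bool:
    """Password Policy Enforcement as defined on this page: at least 8
    characters with a lowercase, an uppercase, a number and a special sign."""
    return (
        len(password) >= 8
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def _derive(password: str, salt: bytes) -> bytes:
    # One-way derivation: the repository never holds the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordRepository:
    """Hypothetical store combining Hashed Password Repository and Salting."""

    def __init__(self):
        self._records = {}  # username -> (salt, derived key)

    def enroll(self, user: str, password: str) -> bool:
        if not meets_policy(password):
            return False  # rejected by Password Policy Enforcement
        salt = os.urandom(16)  # fresh random salt per account
        self._records[user] = (salt, _derive(password, salt))
        return True

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(stored, _derive(password, salt))

    def stored_key(self, user: str) -> bytes:
        return self._records[user][1]
```

Because each account gets its own salt, two accounts enrolled with the same password produce different stored values, so an extracted repository does not reveal shared passwords and each record has to be guessed separately.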

