Previous month:
April 2017
Next month:
June 2017

May 2017

What is Authorization and Access Control?

You are probably familiar with the concept of authentication, the way that security systems challenge you to prove you are the customer, user, or employee whom you claim to be, using a password, token, or other form of credential. You may be less familiar with the concept of authorization, and the related term, access control. Authorization is a critical but often overlooked aspect of managing access to information and no less important than authentication.

4186687321_51fc55b139_m
 Image by Martin Lewison

Authorization

Authentication verifies your identity and authentication enables authorization. An authorization policy dictates what your identity is allowed to do. For example, any customer of a bank can create and use an identity (e.g., a user name) to log into that bank's online service but the bank's authorization policy must ensure that only you are authorized to access your individual account online once your identity is verified.

Authorization can be applied to more granular levels than simply a web site or company intranet. Your individual identity can be included in a group of identities that share a common authorization policy. For example, imagine a database that contains both customer purchases and a customer's personal and credit card information. A merchant could create an authorization policy for this database to allow a marketing group access to all customer purchases but prevent access to all customer personal and credit card information, so that the marketing group could identify popular products to promote or put on sale.

We implicitly create authorization policies when we use social media: Facebook, LinkedIn, or Twitter may authenticate hundreds of millions of users, but to some extent we can authorize whether or how these users engage with us. The same is true when you share files, videos, or photos from sites like Google Docs, Dropbox, Instagram, Pinterest, or Flickr or even when you create a "shared" folder from on your laptop.

TURNSTILES DSCN0243_640_small
Security Turnstiles

Access Controls

Whereas authorization policies define what an individual identity or group may access, access controls – also called permissions or privileges – are the methods we use to enforce such policies.

Let's look at examples:

  • Through Facebook settings – Who can see my stuff? Who can contact me? Who can look me up? – We allow or deny access to what we post on Facebook to users or the public.
  • Google Docs settings let us set edit or sharing privileges for documents we use collaboratively.
  • Flickr settings allow us to create or share albums or images with family, friends, or publicly, under different (e.g., Creative Commons) publishing rights licenses.
  • Shares and permissions on the MacOS or the Security tab in a Windows OS file properties dialog box allow you to set access privileges for individual files or folders.

Correct configuration of access privileges is a critical component of protecting information against unauthorized access and protecting computer systems from abuse, but access control configuration is tricky business. In our next post, I'll look at how organizations implement authorization policies using access controls or user permissions. I'll follow that with a post that examines attacks that malicious actors or criminals can conduct when access controls are not adequate to prevent unauthorized use, unintended disclosure, or privilege escalation.

An earlier version of this post originally appeared at ICANN blog on 2 December 2015.


Cybersecurity Business Model: When in Rome...

By guest author Cristina Ion 

Improving cybersecurity is an expressed priority for virtually every cyber-enabled country. Actual investments in the IT security industry, however, remain greatly unequal from one region to another, from one country to another, or even from one industry sector to another. By comparison, the hacker community has shaped a burgeoning global industry of its own. While the infosec industry seems fragmented still, hackers have transformed their communities from guild-like organizations into a formidable, global industry with dedicated market places, a long-term vision and fixed objectives. Ironically, the modern day hacker resembles more resembles a cyber-businessman today than many infosec professionals. Why is this so?

Hacking: the rise of a new business model

The hacker community, like any other organization, aims for three things: increased revenues, cost reduction and product differentiation. Thus, it is quite simple to draw a parallel between today's cybercriminal businesses and traditional businesses. 

Increased revenues.

Author Terry Goodkind tells us that knowledge is a weapon and advises us to be "formidably armed". In our case, knowledge is data and this data can replace common currency on the Dark Web marketplace. The equation for increasing revenues in such marketplaces is simple:

↑ attacks = ↑ sensitive data = ↑ revenues

For example, on June 15, 2016, Kaspersky announced that over 70,000 servers were hacked worldwide in then recent months, and that these data were now available for purchase on a marketplace dedicated exclusively to hackers. For the very attractive price of only $6.00 USD, the hackers could gain access to the data on those servers to gather more data to sell in the market place. 

Sometimes, hackers employ other methods to earn revenue from data; for example, certain attackers use malware known as ransomware to coerce a payment from a user to restore access to data (yes, simple blackmail, see my previous article on, How to avoid being in a data hostage situation) . Until recently, Linkedin, Tumblr and other social networks saw login data exposed during previous breaches resurface on underground marketplaces (see my previous article,  Cybersecurity Hygiene and Social Networks) . The data breach attacks dated all the way to 2012. In instances like these, we can speculate that the current day sale may be a recycling attempt (some of these logins may still be useful), or it may be a a novice to the Dark Web market place who didn't make an informed purchase. Irrespective of the reason, the fact that data of these kinds remain on underground markets attests to their persistent value.

Cost reduction.

Successful, established businesses typically seek to increase revenue through expansion. Established attackers, too, are always eager to find new ways of compromising our computers or databases. New players, mostly amateurs, will also try to earn from the poorly secured and thus lucrative public Internet landscape. These players will most likely rely on existing tools and methods, often purchased cheaply from the established attackers, who sell attack  or exploit "kits" in Dark Web marketplaces. Established attackers thus derive revenue from sales or services to new players, who don't need to hack but can simply "buy online" to launch an already-prepared script and exploit a certain vulnerability. This thriving Dark Web industrialization is a strong indicator that cybercrime is expanding into a software as a service (SaaS) strategy.  

Product differentiation.

Marketing permeates every layer of the web, from the "Interweb" your granny uses to check her AOL email to the Dark Web, the Internet's sketchy neighborhood. Established hackers demonstrate their expertise on YouTube or more questionable and often illegal forums.  Often, underground marketing makes use of a completely different vocabulary from the fear, uncertainty or doubt (FUD) used in the commercial cybersecurity marketplace. The goal of hacker marketing is to recruit and instill commitment within the community: it's laid-back, quite frankly, funnier (for a taste, visit the Hacker’s Dictionary here), and given the growth in the industry, clearly effective.

When In Rome, do as the Romans do

Yes! Another well-known expression (or rather a quote from St. Augustine during his trip to Rome in the year 54). But don’t thank us yet for having quenched your thirst for knowledge, the article goes on (rest assured, it’s almost over!).

Companies all over the world have understood that, in order to protect their future, they must clearly define their business approach. Hackers were quick to grasp how to survive in Rome (#wink). They introduced a disruptive organizational model by leveraging collaborative platforms. The hacking community succeeded in transforming a crime family model into a distributed, loosely collaborative and profitable way to do business. 

Understanding how contemporary hackers operate could help us better cope with cyber-attacks. we should consider focusing directly on the root causes, not just on the symptoms. Traditional policy-based security, combined with the field’s best practices causes us to think of the cyber-threat landscape in a very Manichean way (it’s either black or it’s white), when the reality is actually painted in many shades of gray. Understanding how hackers think and knowing that they can also create their own business models is, by far, the only option we have if we truly want to be able to detect these shades.