Purpose
An AccessControl object represents some access restriction, commonly login functionality.
Connections
| Object | Connection | Description | Function |
|---|---|---|---|
| Host | Authorization | Denotes that there is a login prompt to access the Host. | A missing AC results in automatic "login" (or represents that no login is needed). |
| Router | Authorization | Denotes that there is a login prompt to access the Router. | A compromise of the administration network will compromise the router directly without an access control. |
| Service | Authorization | Denotes that there is a login functionality to access the Service. | A compromise of the administration network will compromise the router directly without an access control. |
| UserAccount | Non-Root Authorization | A User Account connects to an Access Control object stating that the access control functionality has an active user account present. | A connection to a UserAccount object represents the user account needed to bypass the AccessControl. It is mandatory to have at least one connection (either root or non-root) to a UserAccount. |
| UserAccount | Root Authorization | A User Account connects to an Access Control object stating that the access control functionality has an active user account present. | A connection to a UserAccount object represents the user account needed to bypass the AccessControl. It is mandatory to have at least one connection (either root or non-root) to a UserAccount. |
Attack Steps and Defenses
| Attack Step | Description | Leads to |
|---|---|---|
| Access | The possibility to reach the AccessControl functionality (but not traverse it). | AccessControl: ExtractPasswordRepository AccessControl: NonRootLogin AccessControl: RootLogin |
| Extract Password Repository | The possibility to read the passwords accepted by the AccessControl. | UserAccount: GuessOffline |
| Non Root Login | Logging in via the AccessControl using a non-root user account. | Host: UserAccess Router: Compromise Service: ApplicationLogin Service(shell): NonRootLogin |
| Root Login | Logging in via the AccessControl using a root user account. | Host: Compromise Router: Compromise Service: ApplicationLogin Service(shell): RootLogin |
| Defense | Description | Impact | Default |
|---|---|---|---|
| Backoff | Backoff is a contention control mechanism that reacts to failed login attempts and can delay or disrupt many consecutive tries. | The probability of GuessOffline AttackStep can be reduced if coupled with NoDefaultPassword | On |
| Enabled | Enabled denotes that the Access Control mechanism is enabled and authenticates users for access to the connected asset. | If connected to a Service, Access Control can reduce the TTC of DeployExploit and prevent GuessOffline | On |
| Hashed Password Repository | A Hashed Password Repository stores no passwords in clear text. Instead, one-way cryptographic hashes are stored to protect the password but still allow authentication. | Reduces the probability of GuessOffline. | On |
| No Default Passwords | A special case of password guessing is the use of default passwords which are created for new accounts and software products. No Default Passwords denotes that all default passwords are removed. | Reduces the probability of GuessOnline | Off |
| Password Policy Enforcement | Proactive password checkers and filters can enforce password policies which force users to create more complex password. In securiLang, Password Policy Enforcement denotes a checker with at least 8 character, one lowercase, one uppercase, one special sign and one number. | Prevents GuessOffline coupled with Hashed Password Repository and GuessOnline coupled with NoDefaultPasswords | Off |
| Salting | Salting appends a random value to the password hash that makes the password cracking more difficult. | Prevents GuessOffline coupled with HashedPasswordRepository. | On |