Broken Authentication and Authorization(1).pptx
Broken Authentication and Authorization
RM Manahari Pemarathna
Master in Information System Management, USC
OUTLINE
Authentication
Authorization
Why does this happen?
Impact to the Organization
How can we fix this issue?
Known Security Incidents
Authentication
Authentication is the process of determining whether someone or something is, in fact, who or what it declares itself to be.
Authentication technology provides access control for systems by checking whether a user's credentials match the credentials held in a database of authorized users or on an authentication server.
3 Categories
What you know
What you have
What you are
Main types of Authentication
• Password based authentication
• Certificate based authentication
• E-token based authentication
• Biometric based authentication
Types of authentication
Password based Authentication
The most common form
May be a string of letters, numbers and special characters
Must be known by the ENTITY, the THING or the PERSON being authenticated
Certificate Based Authentication
• A digital document
• Includes a Distinguished Name (DN) and the associated public key
• Signed by a trusted party called a Certificate Authority
• Certificate based authentication is stronger than password based authentication
• Relies on something you HAVE rather than something you KNOW
E-token Based Authentication
A small device which generates a new random value every time it is used
The random value becomes the basis for authentication
Can be implemented as a USB key fob or a smart card
Data is physically protected on the device
Stores passwords, digital signatures and certificates
Biometric based Authentication
Biometrics means the identification of humans by their characteristics, such as fingerprint, voice, iris pattern of the eye, vein pattern, etc.
A form of identification and access control
Authorization
Authorization is a security mechanism used to determine a user's or client's privileges or access levels for system resources, including computer programs, files, services, data and application features.
Authorization is normally preceded by authentication, which verifies the user's identity.
Example
For example, if a user tries to access a file that resides on a file server, it is the responsibility of the file service to determine whether the user is allowed this type of access.
Why does this happen?
When the application's authentication functions are not implemented correctly by developers, attackers can compromise passwords or session IDs, or exploit other implementation flaws to act with other users' credentials.
• User authentication credentials are not protected when stored.
• Login credentials are predictable.
• Passwords, session IDs, and other credentials are sent over unencrypted connections.
Impact to the Organization
• Valuable business information can be leaked
• Customers become dissatisfied with the organization
• The company's image suffers
• Disclosure, improper modification, or unavailability of information may incur expenses
• Missed profits for the organization
Can we fix this issue?
• Map the authentication token to the user ID
• Proper session invalidation - the session should always be invalidated at login, so attackers cannot reuse a session to access accounts.
• Prevent guessable user identifiers in cookies - most of the time the user ID is generated sequentially, so it is very easy to guess; the correct way is to generate a random identifier, associate it with the user, and store only the random ID in the cookie.
• Strong password reset functionality - e.g. verify that the requester is the real user by asking verification questions.
• Application data should not contain sensitive information
• The response body should not contain debugging error messages - use proper exception handling instead of returning an error code.
Recommendations to prevent Authentication Bypass
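A server-side session table covering the first three points above (token mapped to user ID, invalidation at login, a random rather than sequential cookie value), as an added Python example that is not part of the slides; the SessionStore class and its method names are assumptions made for the example.

```python
import secrets


class SessionStore:
    """Server-side session table (constructed example): the cookie carries only
    a random token, and the server maps that token to the user ID and role."""

    def __init__(self):
        self._sessions = {}   # token -> {"user_id": ..., "role": ...}
        self._by_user = {}    # user_id -> current token, used for invalidation at login

    def login(self, user_id, role):
        # Invalidate any session already bound to this user before issuing a new one,
        # so a token captured or planted before login cannot be reused afterwards.
        old_token = self._by_user.pop(user_id, None)
        if old_token is not None:
            self._sessions.pop(old_token, None)
        # 32 bytes from the OS CSPRNG: unguessable, unlike a sequential user ID.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user_id": user_id, "role": role}
        self._by_user[user_id] = token
        return token

    def logout(self, token):
        # Drop the token server-side; a stale cookie then resolves to nothing.
        session = self._sessions.pop(token, None)
        if session is not None:
            self._by_user.pop(session["user_id"], None)

    def resolve(self, token):
        """Return the user ID and role bound to the presented cookie value, or None."""
        return self._sessions.get(token)
```

The user ID and role never leave the server; the client only ever holds the opaque token.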
Can we fix this issue?
• Map the user role to the session ID
• Prevent GUI-based / client-side privilege implementation
• Proper access control mechanism - a security technique that regulates who or what can view or use resources in a computing environment.
  - Mandatory Access Control (MAC)
  - Discretionary Access Control (DAC)
  - Role-Based Access Control (RBAC)
  - Rule-based access control
  - Attribute-Based Access Control (ABAC)
  The goal of access control is to minimize the risk of unauthorized access to physical and logical systems.
• Avoid IDOR (Insecure Direct Object Reference) - variables in the application such as "id", "pid" and "uid" are often seen as HTTP parameters; they can also be found in headers and cookies. An attacker can access, edit or delete other users' objects by changing these values.
• Use server-side validation - server-side validation is much more secure than client-side validation
Recommendations to prevent Authorization Bypass
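The IDOR and server-side validation points above, as an added Python example that is not from the slides: a vulnerable lookup that trusts the client's "id" parameter beside a hardened one that validates the parameter and checks ownership and role on the server; the invoice data, User class and Forbidden exception are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """The authenticated principal, resolved server-side from the session,
    never taken from a request parameter (constructed for this example)."""
    user_id: int
    role: str  # "user" or "admin"


class Forbidden(Exception):
    pass


# Constructed sample data: invoices keyed by their "id" parameter, each with an owner.
INVOICES = {
    101: {"owner_id": 1, "amount": 250.00},
    102: {"owner_id": 2, "amount": 980.00},
}


def get_invoice_vulnerable(params):
    """IDOR: trusts the client-supplied id and returns whatever record it names."""
    return INVOICES[int(params["id"])]


def get_invoice(current_user, params):
    """Hardened: validate the id server-side, then check that the authenticated
    user owns the object (or holds the admin role) before returning it."""
    raw = params.get("id", "")
    if not raw.isdigit():
        raise Forbidden("invalid id")
    invoice = INVOICES.get(int(raw))
    # Unknown ids and other users' ids get the same answer, so probing reveals nothing.
    if invoice is None or (
        invoice["owner_id"] != current_user.user_id and current_user.role != "admin"
    ):
        raise Forbidden("not your object")
    return invoice


def can_access(current_user, params):
    """Boolean view of the hardened check, useful for tests and audit logging."""
    try:
        get_invoice(current_user, params)
        return True
    except Forbidden:
        return False
```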
Known Security Incidents
THE USPS (UNITED STATES PARCEL SERVICE) API INFORMATION LEAK INCIDENT - Insufficient authorization control
The security weakness leaked account data for around 60 million users. Any malicious user logged into the system could exploit the API to collect user data simply by introducing wildcard characters in a search function of the API.
Essentially, the root cause of the USPS incident was insufficient authorization controls, which in turn allowed attackers to retrieve (and modify) data beyond their lawful control.
Known Security Incidents
• A password was stolen from a payroll executive's smartphone at CLEANTECH
• It severely affected the payroll system. There are 4500 employees in Cleantech.
• The hacker modified employees' bank account numbers in the database.
• Ultimately a large number of employees' monthly salaries were rejected and transferred to unknown account numbers.
• The incident was a disaster for the company.
• The company has organized a password security awareness program for staff members.
Known Security Incidents
50 Million Robbery at ABS due to unauthorized access to the mTransit web-based system.
• The hacker attacked the ABS mail server and acquired two cash collecting officers' user IDs and passwords.
• The mTransit system was accessed and all cash collection and transit details were obtained.
• Route, vehicle number, collected amount, approximate delivery time, etc.
• They passed this valuable information to a robbery team, who stole a huge amount of cash on the Kurunegala-Colombo route.
Thank You

Editor's Notes

  • #5 Confirm the identity of a person or software program; verifying the validity of an identification
  • #6 What you know (password, PIN); what you have (e-token, RFID, certificate); what you are (biometrics)
  • #17 System administrators (SA) are typically assigned permission levels covering all system and user resources. During authorization, a system verifies an authenticated user's access rules and either grants or refuses resource access.