CCSK

  • 1.  Elevation of Privilege Clarification

    Posted Jun 09, 2021 01:09:00 PM
    Hello,

    In Module 5 Unit 2 when it talks about threat modeling and the STRIDE model, it describes elevation of privilege as "bypassing authorization system". It then says later that a defense against an elevation of privilege attack can be authorization. I don't understand how authorization would help mitigate the risk of privilege escalation if the attacker is bypassing the authorization system anyways?


    Would someone be able to help clarify this for me?

    Thank you :)



    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------


  • 2.  RE: Elevation of Privilege Clarification

    CSA Instructor
    Posted Jun 09, 2021 03:38:00 PM

    A weak, vulnerable or poorly configured authorization system can be bypassed – sometimes it is as simple as clicking a folder you're not supposed to access and it just opens and you can read and modify all the files in it, and sometimes it's a bit more complicated - whereas a strong and properly configured authorization system will be more difficult to bypass and you won't be able to elevate your privileges so easily.


    So you want to mitigate the risk of privilege escalation by implementing a strong (or stronger) authorization system or architecture, basically. At minimum, one that functions properly.

    You can look at some vendors web sites and their product descriptions to find out what specific mitigation elements a proper authorization system/architecture should have . You can also find some general (high level) principles in the IAM section of the Cloud Control Matrix.



    ------------------------------
    Guillaume Boutisseau
    CCSK Authorized Instructor , CCSP
    ------------------------------



  • 3.  RE: Elevation of Privilege Clarification

    Posted Jun 10, 2021 09:44:00 AM
    Thank you for the clarification, that makes sense!

    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------



  • 4.  RE: Elevation of Privilege Clarification

    Posted Jun 10, 2021 11:22:00 AM
    Edited by Nicholas Grove Jun 10, 2021 11:37:18 AM
    @Jenna Morrison To tag onto Guillaume's apt comments – Jenna I see the catch-22 you're referring to; this is where DiD (Defense in Depth) comes in. (AKA: layered security, etc.) In your scenario: Yes, imagine the attacker bypasses the authorization system, but there is another, seperate authorization control. Now the workfactor (AKA: cost/effort) has multiplied by 2X. Combine that with properly validating BOTH authorization controls (testing for appropriate function) and you get nearer to a solution appropriate for the need. (Ie: If you're defending a cooking recipe versus trade secrets, etc.). Hope this helps.

    ------------------------------
    CISSP, CCSP, CASP+, et al. | Cybersecurity • Supply Chain • Education | www.linkedin.com/in/nicholasgrove/
    ------------------------------



  • 5.  RE: Elevation of Privilege Clarification

    Posted Jun 10, 2021 12:47:00 PM
    Yes that definitely does help, thank you!

    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------