CCSK

Elevation of Privilege Clarification

  • 1.  Elevation of Privilege Clarification

    Posted 3 days ago
    Hello,

    In Module 5 Unit 2 when it talks about threat modeling and the STRIDE model, it describes elevation of privilege as "bypassing authorization system". It then says later that a defense against an elevation of privilege attack can be authorization. I don't understand how authorization would help mitigate the risk of privilege escalation if the attacker is bypassing the authorization system anyways?


    Would someone be able to help clarify this for me?

    Thank you :)



    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------


  • 2.  RE: Elevation of Privilege Clarification

    CSA Instructor
    Posted 3 days ago

    A weak, vulnerable or poorly configured authorization system can be bypassed – sometimes it is as simple as clicking a folder you're not supposed to access and it just opens and you can read and modify all the files in it, and sometimes it's a bit more complicated - whereas a strong and properly configured authorization system will be more difficult to bypass and you won't be able to elevate your privileges so easily.


    So you want to mitigate the risk of privilege escalation by implementing a strong (or stronger) authorization system or architecture, basically. At minimum, one that functions properly.

    You can look at some vendors' web sites and their product descriptions to find out what specific mitigation elements a proper authorization system/architecture should have. You can also find some general (high level) principles in the IAM section of the Cloud Control Matrix.



    ------------------------------
    Guillaume Boutisseau
    CCSK Authorized Instructor, CCSP
    ------------------------------



  • 3.  RE: Elevation of Privilege Clarification

    Posted 2 days ago
    Thank you for the clarification, that makes sense!

    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------



  • 4.  RE: Elevation of Privilege Clarification

    Posted 2 days ago
    Edited by Nicholas Grove 2 days ago
    @Jenna Morrison To tag onto Guillaume's apt comments – Jenna, I see the catch-22 you're referring to; this is where DiD (Defense in Depth) comes in (AKA: layered security, etc.). In your scenario: yes, imagine the attacker bypasses the authorization system, but there is another, separate authorization control. Now the work factor (AKA: cost/effort) has multiplied by 2X. Combine that with properly validating BOTH authorization controls (testing for appropriate function) and you get nearer to a solution appropriate for the need (i.e., if you're defending a cooking recipe versus trade secrets, etc.). Hope this helps.

    ------------------------------
    CISSP, CCSP, CASP+, et al. | Cybersecurity • Supply Chain • Education | www.linkedin.com/in/nicholasgrove/
    ------------------------------
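As an added example (not part of this thread or the CCSK material), the following models the two points raised in replies 2 and 4: a weak authorization control that silently allows access to anything it has no rule for, a second independent control at the storage layer that still denies, and a per-control validation test that catches the weak layer. All users, folders and function names are constructed for illustration.

```python
# Added example: two independent authorization controls in front of one folder store.
# Every user, folder and policy table below is constructed for illustration only.
from typing import Callable, Dict, List, Optional, Set, Tuple

AuthCheck = Callable[[str, str], bool]

# Layer 1: gateway ACL. The weak variant is misconfigured on purpose: a folder with
# no ACL entry is treated as open to everyone (the "click it and it just opens" case).
GATEWAY_ACL: Dict[str, Set[str]] = {"finance/": {"alice"}, "public/": {"alice", "bob"}}
ALL_USERS: Set[str] = {"alice", "bob"}

def gateway_weak(user: str, folder: str) -> bool:
    return user in GATEWAY_ACL.get(folder, ALL_USERS)   # default-allow misconfiguration

def gateway_strong(user: str, folder: str) -> bool:
    return user in GATEWAY_ACL.get(folder, set())       # default-deny: unlisted folders are closed

# Layer 2: storage-side ownership check, fed from a separate policy source so a
# mistake in the gateway ACL does not carry over into it.
STORAGE_OWNERS: Dict[str, Set[str]] = {"finance/": {"alice"}, "public/": {"alice", "bob"},
                                       "hr-records/": {"alice"}}

def storage_check(user: str, folder: str) -> bool:
    return user in STORAGE_OWNERS.get(folder, set())

def open_folder(user: str, folder: str, controls: List[AuthCheck]) -> Tuple[bool, Optional[str]]:
    """Grant access only if every layer independently agrees; report the layer that denied."""
    for check in controls:
        if not check(user, folder):
            return False, check.__name__
    return True, None

def validate_control(check: AuthCheck, expected: Dict[Tuple[str, str], bool]) -> List[Tuple[str, str]]:
    """Test one control on its own against expected decisions; return the cases it gets wrong."""
    return [case for case, want in expected.items() if check(*case) != want]

# Expected decisions used to validate each control ("testing for appropriate function").
EXPECTED: Dict[Tuple[str, str], bool] = {("alice", "finance/"): True, ("bob", "finance/"): False,
                                         ("bob", "public/"): True, ("bob", "hr-records/"): False}

if __name__ == "__main__":
    # The weak gateway alone lets bob into the unlisted folder; the second layer still denies.
    print(open_folder("bob", "hr-records/", [gateway_weak]))                 # (True, None)
    print(open_folder("bob", "hr-records/", [gateway_weak, storage_check]))  # (False, 'storage_check')
    # Validating each control separately exposes the default-allow misconfiguration.
    print(validate_control(gateway_weak, EXPECTED))    # [('bob', 'hr-records/')]
    print(validate_control(gateway_strong, EXPECTED))  # []
```

The second layer only helps because it reads its own policy table; if both layers consulted the same misconfigured ACL, the "2X work factor" would collapse back to one.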



  • 5.  RE: Elevation of Privilege Clarification

    Posted 2 days ago
    Yes that definitely does help, thank you!

    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------