A weak, vulnerable or poorly configured authorization system can be bypassed. Sometimes it is as simple as clicking a folder you're not supposed to access: it just opens, and you can read and modify all the files in it. Sometimes it's a bit more complicated, whereas a strong and properly configured authorization system will be more difficult to bypass and you won't be able to elevate your privileges so easily.
So you want to mitigate the risk of privilege escalation by implementing a strong (or stronger) authorization system or architecture, basically. At minimum, one that functions properly.
You can look at some vendors' web sites and their product descriptions to find out what specific mitigation elements a proper authorization system/architecture should have. You can also find some general (high-level) principles in the IAM section of the Cloud Control Matrix.
------------------------------
Guillaume Boutisseau
CCSK Authorized Instructor , CCSP
------------------------------
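Added example, not from this thread or from the CSA course material: the "click the folder and it just opens" case from the reply above beside a deny-by-default authorization check. The users, roles and ACL are constructed for illustration.

```python
"""Weak vs. deny-by-default folder authorization (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Constructed ACL: folder -> {role: allowed actions}. Anything not listed is denied.
ACL = {
    "/shared/public": {"employee": {"read"}, "admin": {"read", "write"}},
    "/finance/payroll": {"finance": {"read", "write"}, "admin": {"read", "write"}},
}


def weak_can_access(user: User, folder: str, action: str) -> bool:
    """Weak system: only checks that the folder exists, never who is asking or
    what they want to do, so any user can read and modify every file in it."""
    return folder in ACL


def strong_can_access(user: User, folder: str, action: str) -> bool:
    """Deny by default: allow only if one of the user's roles explicitly
    grants this action on this folder; unknown folders and roles get nothing."""
    entry = ACL.get(folder)
    if entry is None:
        return False
    return any(action in entry.get(role, set()) for role in user.roles)


def authorize(user: User, folder: str, action: str, audit: list) -> bool:
    """Enforce the strong check and record every denial so that repeated
    attempts to reach folders outside a user's role are visible to detection."""
    allowed = strong_can_access(user, folder, action)
    if not allowed:
        audit.append(f"DENY user={user.name} action={action} folder={folder}")
    return allowed
```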
Original Message:
Sent: Jun 09, 2021 01:09:09 PM
From: Jenna Morrison
Subject: Elevation of Privilege Clarification
Hello,
In Module 5 Unit 2 when it talks about threat modeling and the STRIDE model, it describes elevation of privilege as "bypassing authorization system". It then says later that a defense against an elevation of privilege attack can be authorization. I don't understand how authorization would help mitigate the risk of privilege escalation if the attacker is bypassing the authorization system anyways?
Would someone be able to help clarify this for me?
Thank you :)
------------------------------
Jenna Morrison
Training Department Intern
Cloud Security Alliance
------------------------------