III. Analysis/Findings
Weak authentication schemes allow attackers to assume the identity of legitimate database users by stealing or otherwise obtaining login credentials. An attacker may use any number of strategies to obtain credentials; the most common are brute force, social engineering, and direct credential theft.
A brute force attack is the simplest method of gaining access to a site or a database account: it tries usernames and passwords, over and over again, until it gets in. Often deemed 'inelegant', brute force attacks can be very successful when people use passwords like 123456 and usernames like admin. They are, in short, an attack on the weakest link in any website's security.
Social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. A social engineer runs what used to be called a "con game." For example, a person using social engineering to break into a computer network might try to gain the confidence of an authorized user and get them to reveal information that compromises the network's security. Social engineers often rely on the natural helpfulness of people as well as on their weaknesses. They might, for example, call the authorized employee with some kind of urgent problem that requires immediate network access. Appeal to vanity, appeal to authority, appeal to greed, and old-fashioned eavesdropping are other typical social engineering techniques.
Social engineering is a component of many, if not most, types of exploits. Virus writers use social engineering tactics to persuade people to run malware-laden email attachments, phishers use social engineering to convince people to divulge sensitive information, and scareware vendors use social engineering to frighten people into running software that is useless at best and dangerous at worst.
Another aspect of social engineering relies on people's inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder, or take advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed.
Security experts propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system. Prevention includes educating people about the value of information, training them to protect it, and increasing people's awareness of how social engineers operate.
Lastly, direct credential theft is where an attacker steals login credentials outright, for example by copying them from post-it notes, password files, and the like.
So now the biggest question is, how can we prevent authentication attacks?
Identity theft remains one of the more common issues on the Internet today. Studies indicate that digital identity fraud is still on the rise, with an increase in sophistication (phishing, man-in-the-middle attacks, DNS poisoning, malware, social engineering, and so forth) and an expansion of attack vectors (unregulated financial systems, lottery and sweepstakes contests, healthcare data, synthetic identities, and so on). With the upward trend of moving data and services into Web and cloud-based platforms, and with higher interconnectivity and interdependencies among multiple applications, services, and organizations, managing and controlling access to confidential and sensitive data is becoming more than verifying simple user credentials at the start of a user session for one application.
One of the more exploited methods today is gaining account access by stealing reusable credentials for Web sites that have not yet implemented "strong" user authentication. This is so because the most common forms of credentials today are knowledge-based (user ID and password) and are requested only once during sign-on, which is convenient for users but also requires less effort for attackers to exploit. Many attacks arrive as "phishing" messages that masquerade as ones sent by legitimate organizations and contain URLs that point to fraudulent Web sites with the same appearance as genuine ones. Often they act as a "man-in-the-middle" and eventually do forward visitors to the actual Web sites; but in the process they have captured valid credentials that can be used to gain access to the real accounts.
Consequently, various methods have been developed to improve the "strength" of an authentication system in withstanding identity-theft attacks.
Web-based user-authentication systems can be improved without compromising usability or reliability, even though the Internet is accessed mostly through a browser that has limited access to the client environment and hardware devices, by using various forms of enhanced shared-secret and/or multifactor authentication.
Enhanced shared-secret authentication refers to extensions of conventional knowledge-based (single-factor) authentication: for example, additional passwords, site keys, preregistered graphical icons to support mutual authentication, challenge-response, randomized code selections based on input patterns, CAPTCHA, and so on. Multifactor authentication refers to a compound implementation of two or more classes of human authentication factors: knowledge-based, possession-based, or biological or behavioral biometric traits.
Knowledge-based factors are something only the user knows, for example a password, passphrase, shared secret, account details and transaction history, or PIN. Possession-based factors are something only the user holds, such as a security token, smart card, soft token, or mobile device. Biometric factors are biological or behavioral traits inherent to the user, such as facial recognition, fingerprint, voice recognition, keystroke dynamics, and signature. Note that two instances of the same class (for example, a password plus a PIN) do not make an authentication multifactor; the factors must come from different classes.
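As an added example (not code from the page or from any vendor), the following Python combines a knowledge factor with a possession factor: the password is checked against a salted PBKDF2 hash, and the second factor is a time-based one-time code (RFC 6238 TOTP) of the kind a soft token or authenticator app on a mobile device produces. The user record, password and TOTP seed are constructed for illustration; the seed is the RFC 6238 reference test key so the generated codes can be compared against the RFC's published vectors.

```python
# Added example (not from the page or from any vendor's product): a
# two-factor login check, knowledge factor (password) plus possession factor
# (RFC 6238 TOTP code from a soft token). Standard library only.
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple


def totp(secret: bytes, timestamp: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the time-step counter."""
    counter = struct.pack(">Q", timestamp // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived key)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record. The TOTP seed is the RFC 6238 reference test key,
# so codes can be checked against the RFC's published vectors.
_SALT, _HASH = hash_password("correct horse battery staple")
USERS = {
    "alice": {"salt": _SALT, "hash": _HASH, "totp_secret": b"12345678901234567890"},
}


def verify_login(username: str, password: str, code: str,
                 now: Optional[int] = None, window: int = 1) -> bool:
    """Both factors must pass. The TOTP check accepts +/- `window` time steps
    of clock drift; all comparisons are constant-time."""
    user = USERS.get(username)
    if user is None:
        # Derive a key anyway so an unknown account costs the same time as a
        # wrong password (no account-enumeration timing side channel).
        hash_password(password, b"\x00" * 16)
        return False
    _, candidate = hash_password(password, user["salt"])
    password_ok = hmac.compare_digest(candidate, user["hash"])
    now = int(time.time()) if now is None else now
    code_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], now + k * 30), code)
        for k in range(-window, window + 1)
    )
    return password_ok and code_ok


if __name__ == "__main__":
    t = int(time.time())
    current = totp(USERS["alice"]["totp_secret"], t)
    print("current code:", current)
    print("login ok:", verify_login("alice", "correct horse battery staple", current, now=t))
```

The drift window is the usual compromise between usability (phone and server clocks rarely agree to the second) and replay exposure: a captured code stays valid for at most three time steps, and a phished password alone never logs in.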
Aside from strong authentication, we can also rely on an enterprise directory infrastructure.
Electronic directories come in many different forms, designed for many different purposes. All types of directories have a common characteristic, which is that they hold information about objects. Objects can be almost anything about which one would want to store and retrieve information, such as persons, organizations, computer applications (on-line services), and network components.
Today, the key driving force behind general-purpose enterprise directories is to provide a central corporate repository for commonly and widely used information. This includes information about employees of the enterprise, for example white pages data (email addresses, phone numbers) and information enabling access to services (printers, computers, buildings). In addition, authentication, encryption and digital signatures are frequently required for secure communications. Providing a directory using open directory standards such as LDAP enables a wide range of enterprise applications to interface with a single enterprise directory.
Lastly, we have SecureSphere's authentication protections.
Unfortunately, despite best efforts at strong authentication, breakdowns occasionally occur. Password policies are ignored; a lucky attacker may successfully brute force even a reasonably strong password; a legacy authentication scheme may be required for practical reasons; the list goes on. To deal with these situations, SecureSphere's Dynamic Profiling, Failed Login Detection, and Password Policy Assessment provide broadly applicable authentication protection.
Dynamic Profiling automatically tracks a range of user attributes that can reveal compromised login credentials. These attributes include the user's IP address, hostname, operating system username and client application. For example, the previously described attacker who obtains login credentials by posing as an IT administrator would trigger multiple SecureSphere alerts when trying to use the stolen credentials: the attacker's hostname, operating system username, and possibly even IP address would not match the profile of the real owner of the compromised login credentials.
To further illustrate the power of Dynamic Profiling, assume an attacker somehow manages to compromise a user's database credentials and operating system credentials. Further assume the attacker also finds a way to use the victim's actual computer. SecureSphere is still extremely likely to identify the attack, since at least two SecureSphere violations come into play.
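As an added example (not SecureSphere's code), the following Python builds a simplified dynamic profile of the attributes the text lists (source IP address, hostname, operating system username and client application) for each database account from a set of constructed learning-period login records, then reports which attributes of a later login deviate from that profile. The two attacker records are constructed to match the scenarios above; the assumption that the attacker sitting at the victim's workstation connects with an ad hoc query tool rather than the usual application is mine, not the page's.

```python
# Added example (not SecureSphere's code): a simplified dynamic profile of
# the connection attributes tracked per database account, learned from a
# training period of login records and used to score later logins.
# All records below are constructed for illustration.
from collections import defaultdict

PROFILE_FIELDS = ("src_ip", "hostname", "os_user", "client_app")


def build_profiles(records):
    """Learn, per database user, the set of values seen for each attribute."""
    profiles = defaultdict(lambda: {f: set() for f in PROFILE_FIELDS})
    for rec in records:
        for f in PROFILE_FIELDS:
            profiles[rec["db_user"]][f].add(rec[f])
    return dict(profiles)


def score_login(profiles, rec):
    """Return the attributes of `rec` that deviate from the account's profile
    (an empty list means the login looks like the real owner)."""
    profile = profiles.get(rec["db_user"])
    if profile is None:
        return ["unknown_user"]          # no baseline at all: flag it
    return [f for f in PROFILE_FIELDS if rec[f] not in profile[f]]


def login(db_user, src_ip, hostname, os_user, client_app):
    return {"db_user": db_user, "src_ip": src_ip, "hostname": hostname,
            "os_user": os_user, "client_app": client_app}


# Learning period for the account "hr_app": two workstations, one OS user,
# always through the HR application.
TRAINING = [
    login("hr_app", "10.1.5.20", "hr-ws01", "jsmith", "hrportal.exe"),
    login("hr_app", "10.1.5.20", "hr-ws01", "jsmith", "hrportal.exe"),
    login("hr_app", "10.1.5.21", "hr-ws02", "jsmith", "hrportal.exe"),
]

# Attacker who obtained the hr_app password by social engineering and uses it
# from their own machine.
ATTACKER_OWN_HOST = login("hr_app", "10.9.9.9", "laptop-x", "mallory", "sqlplus")

# Attacker who also has the victim's OS credentials and sits at the victim's
# workstation, but connects with an ad hoc query tool (assumption) instead of
# the application the account is normally used from.
ATTACKER_VICTIM_HOST = login("hr_app", "10.1.5.20", "hr-ws01", "jsmith", "sqlplus")

if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for label, rec in [("own host", ATTACKER_OWN_HOST), ("victim host", ATTACKER_VICTIM_HOST)]:
        print(f"{label}: deviations = {score_login(profiles, rec) or 'none'}")
```

The first attacker deviates on every attribute; the second, who has defeated the host, IP and OS-user checks, is still caught because the tool used to connect is not part of the account's history. A real profile would also need a learning period long enough to cover legitimate variation (a second workstation, a VPN address) before alerts are enforced.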
Failed Login Detection optionally enforces a failed database login threshold (a count within a timeframe) to prevent brute force attacks against database accounts.
And lastly, we have Password Policy Assessment. As part of its active assessment capability, SecureSphere evaluates the password policy controls that are enforced by the database. For example, SecureSphere can determine whether or not password length, character diversity, and reset intervals are enforced by the database server.
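As an added example (not SecureSphere's code) of the Failed Login Detection rule described above, the following Python applies a count-within-timeframe threshold to constructed database audit log lines; the log format and field names are assumed for illustration. The key by which failures are grouped is a parameter because the choice matters: a per-account threshold catches a brute force against one login, while a password spray (one guess against each of many accounts from the same source) only shows up when failures are counted per source address.

```python
# Added example (not SecureSphere's code): a count-within-timeframe failed
# login threshold run over constructed database audit log lines. The log
# format and field names are assumed for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<status>LOGIN_OK|LOGIN_FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "status": m["status"], "user": m["user"], "src": m["src"]}


def detect_failed_logins(lines, threshold=5, window=timedelta(seconds=60),
                         key_fn=lambda ev: (ev["user"], ev["src"])):
    """Return one (user, src, time) alert for each group (chosen by `key_fn`)
    that reaches `threshold` failures within `window`.

    Per key, a deque holds the timestamps of recent failures; timestamps
    older than the window are dropped before the count is compared, a
    successful login clears the counter, and a firing alert resets the
    counter so one attack produces one alert rather than one per attempt."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = key_fn(ev)
        if ev["status"] == "LOGIN_OK":
            recent.pop(key, None)
            continue
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["user"], ev["src"], ev["ts"]))
            q.clear()
    return alerts


# Constructed audit trail: a brute force against "admin" from one address,
# then a password spray (one guess each against five accounts) from another.
SAMPLE_LOG = """\
2024-03-01 09:00:00 LOGIN_OK user=alice src=10.1.5.20
2024-03-01 09:00:05 LOGIN_FAILED user=admin src=203.0.113.7
2024-03-01 09:00:06 LOGIN_FAILED user=admin src=203.0.113.7
2024-03-01 09:00:07 LOGIN_FAILED user=admin src=203.0.113.7
2024-03-01 09:00:08 LOGIN_FAILED user=admin src=203.0.113.7
2024-03-01 09:00:09 LOGIN_FAILED user=admin src=203.0.113.7
2024-03-01 09:00:10 LOGIN_FAILED user=admin src=203.0.113.7
2024-03-01 09:05:00 LOGIN_FAILED user=bob src=198.51.100.4
2024-03-01 09:05:01 LOGIN_FAILED user=carol src=198.51.100.4
2024-03-01 09:05:02 LOGIN_FAILED user=dave src=198.51.100.4
2024-03-01 09:05:03 LOGIN_FAILED user=erin src=198.51.100.4
2024-03-01 09:05:04 LOGIN_FAILED user=frank src=198.51.100.4
2024-03-01 09:10:00 LOGIN_FAILED user=alice src=10.1.5.20
2024-03-01 09:10:30 LOGIN_OK user=alice src=10.1.5.20
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per account:", detect_failed_logins(lines))
    print("per source :", detect_failed_logins(lines, key_fn=lambda ev: ev["src"]))
```

With the default per-account key only the admin brute force fires; keyed by source address the spray from 198.51.100.4 fires as well, while alice's single mistyped password never reaches the threshold. In practice both keys are run side by side, since an attacker who spreads a spray across many source addresses evades the second as easily as a spray evades the first.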
References:
http://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php
http://codex.wordpress.org/Brute_Force_Attacks
http://searchsecurity.techtarget.com/definition/social-engineering
http://msdn.microsoft.com/en-us/library/cc838351.aspx
http://www.isode.com/whitepapers/ic-6083.html
http://www.imperva.com/products/ssp_technology-dynamic-profiling.html