Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 286
  • Last Modified:

Authentication portals

I am doing some research into login portals on websites/web services, and I am after some up to date expert knowledge of the threats against such portals.

By login portal I am simply talking about any web site or service that requires Single-factor authentication (a username and a password).

Some of the security we already have in place are account lockout mechanisms to prevent brute force or guessing attacks, we have changed any default accounts / default passwords, encryption of the credentials using https etc etc.

My question is without either a username or password how do attackers try to penetrate or "hack" into a System that requires authentication credentials, essentially bypassing the login portal. Any pointers and best practice to help prevent such attacks would be much appreciated.
0
pma111
Asked:
pma111
1 Solution
 
Chris GralikeSpecialistCommented:
Good but complex question.

When looking at any login / authentication page or application there are indeed various ways to rome. When i limit my scope to the application of the portal as describe above there might still be various ways in.

But before you start building you bunker you should first answer some questions to yourself to gain some understandig about the threats themselfs. Usually people turn to the CIA model as a guide to what needs to be protected in the first place...

Confidentiality
1. Authentication
2. Ownerships
3. Read / Write / modify access
....

Integrity
1. Verify (backup)
2. Dataguard
4. Versioning
....
Availability
1. Clustering
2. Offsite Replication
3. Failover connectivity
....

To anwser your question directly, find out what your attack vectors are by thinking what a hacker could potentially use to gain access. Usually it starts with the system itself, is your scripting language save? (php savemode for instance?)

Is the script / login application written safely and only for your company or is it public. Do you have trustworthy personel, are there policies in place agains social engineering. Do people understand why there is a lockout policy in the first place?

In the end, make sure the doorstep is high enough and hard enough to crack that will keep out most of them. And accept that you are never perfectly save with a network plug connected to the internet ;)

Rgrds,
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now