Word Notes 1.18.22
Ep 84 | 1.18.22

OWASP identification and authentication failures (noun)

Transcript

Rick Howard: The word is: OWASP identification and authentication failures. 


Rick Howard: Spelled: O for open, W for web, A for application, S for security, P for project, identification for recognizing a legitimate user, authentication for validating that the legitimate user has permission to access the resource, and failures for lack of success. 


Rick Howard: Definition: Ineffectual confirmation of a user's identity or authentication in session management. 


Rick Howard: Example sentence: Most identification and authentication failures occur due to the continued use of passwords as the sole identity factor. 


Rick Howard: Origin: Dave Wichers and Jeff Williams, working for Aspect Security, a software consulting company, published an education piece in 2003 on the top software security coding issues of the day. That eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications.


Rick Howard: Today OWASP is an international team of security professionals led by the Foundation Executive Director and Top 10 project leader, Andrew van der Stock.


Rick Howard: OWASP ranked identification and authentication failures as number 7 on their 2021 top 10 list. Hackers attempt to leverage these failures with techniques like credential stuffing and brute force attacks by taking advantage of poor password recovery processes, the storage of unencrypted passwords, the lack of two-factor authentication systems, and reusing session IDs or incorrectly using them after a successful login. To counter these attacks, developers' best practices include installing a multi-factor authentication system, not shipping default admin credentials, checking for weak passwords, and logging failed access attempts.


Rick Howard: Nerd reference: In Season 1, Episode 1 of the best hacker TV show ever, Mr. Robot, Elliot played by Rami Malek, uses a social engineering and brute force password attack to take advantage of Bank of eSecurity's identification and authentication failures.  


Rami Malek: Hi, this is Sam from the Bank of eSecurity's fraud department. Unfortunately, I have to inform you that your account has been compromised.


Unknown: What happened?  


Rami Malek: First, before I can answer any questions, I need to verify some information. Are you still at 3 0 6 Hawthorne Avenue?  


Unknown: Yes. Apartment 2C.  


Rami Malek: Great. And your security question, favorite baseball team?  


Unknown: Yankees, I don't remember this being a  


Rami Malek: And lastly, your pet's name? 


Unknown: Flipper. Who am I speaking to? Can I get your name and number?  


Rami Malek: With those details, plus a dictionary brute force attack, it'll take my program maybe 10 minutes to crack his password.


Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.