BRUTE FORCE
CONTEXT
Unfortunately, computers are fairly stupid, and this is especially true of security protocols. In
the real world, if you were to punch someone in the stomach, they would do one of two things:
punch you back or run away. The one thing they would not do is say "try again." Yet this is how
most security protocols function: a wrong guess is simply answered with another chance to guess.
Authentication systems are built on at least one secret that the user knows and the attacker
does not. Attackers exploit the misplaced trust that such a secret cannot be recovered by
guessing, replaying or retrying it until the system says yes.
VULNERABILITIES IDENTIFICATION & TRACKING
Attackers use brute-force guessing, replay of captured credentials or tokens, and unlimited retry
to impersonate a legitimate user or take over their authenticated session.
The authentication system must log the number, type and time of access requests, per source
address and per account, so that guessing and replay patterns are visible and can be tracked.
COUNTERMEASURE(S)
Rate limiting can be delivered via an API gateway to throttle access requests and detect
potentially malicious patterns such as brute-force attacks. This should be done at the network
level (per source address), the application level (per endpoint) and the user level (per
account, with a lockout after repeated failures), since an attacker who is throttled at only
one level will simply spread the attempts across many addresses or many accounts.
ASSURANCE
Build test harnesses that submit repeated invalid credentials and tokens and confirm that the
account is locked out after the configured number of failures, that a correct credential is
still refused while the lockout is in force, and that every attempt appears in the access log.
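The countermeasure and the assurance check above, as an added example that is not code from the original page: a hypothetical throttling and lockout layer in front of a credential check, with a per-source (network) limit, a per-account (user) lockout, and a log of the number, type and time of every request, followed by the harness that drives it with bad guesses and checks the lockout. The user store, token, addresses and limits are constructed demo values.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed demo user store: username -> (salt, PBKDF2-SHA256 hash). Not real accounts.
_SALT = b"demo-salt-16byte"


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"alice": (_SALT, _hash_pw("correct horse battery staple", _SALT))}
TOKENS = {"alice": "tok-0123456789abcdef"}  # constructed bearer token


def check_credential(user, cred_type, value):
    """The secret-knowledge check the limiter protects. Constant-time compares so
    the attacker learns nothing from timing; unknown users still cost a hash."""
    if cred_type == "password":
        rec = USERS.get(user)
        if rec is None:
            _hash_pw(value, _SALT)
            return False
        salt, stored = rec
        return hmac.compare_digest(_hash_pw(value, salt), stored)
    if cred_type == "token":
        return user in TOKENS and hmac.compare_digest(TOKENS[user].encode(), value.encode())
    return False


class AuthRateLimiter:
    """Hypothetical gateway-style limiter: network-level throttle per source address,
    user-level lockout after max_failures failed attempts, and a request log."""

    def __init__(self, max_failures=5, lockout_seconds=300, ip_limit=20,
                 window_seconds=60, clock=time.time):
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.ip_limit, self.window_seconds, self.clock = ip_limit, window_seconds, clock
        self.failures = defaultdict(deque)   # user -> times of recent failed attempts
        self.locked_until = {}               # user -> time the lockout expires
        self.ip_hits = defaultdict(deque)    # ip -> times of all attempts in window
        self.log = []                        # number (seq), type and time of each request

    @staticmethod
    def _prune(dq, now, horizon):
        while dq and dq[0] <= now - horizon:
            dq.popleft()

    def _record(self, now, ip, user, cred_type, outcome):
        self.log.append({"seq": len(self.log) + 1, "time": now, "ip": ip,
                         "user": user, "type": cred_type, "outcome": outcome})
        return outcome

    def attempt(self, ip, user, cred_type, value):
        now = self.clock()
        hits = self.ip_hits[ip]                      # network level, any outcome counts
        self._prune(hits, now, self.window_seconds)
        hits.append(now)
        if len(hits) > self.ip_limit:
            return self._record(now, ip, user, cred_type, "throttled")
        if self.locked_until.get(user, 0) > now:     # user level: locked refuses everything
            return self._record(now, ip, user, cred_type, "locked")
        if check_credential(user, cred_type, value):
            self.failures.pop(user, None)
            return self._record(now, ip, user, cred_type, "allowed")
        fails = self.failures[user]
        self._prune(fails, now, self.lockout_seconds)
        fails.append(now)
        if len(fails) >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            return self._record(now, ip, user, cred_type, "locked")
        return self._record(now, ip, user, cred_type, "denied")


def lockout_harness(max_failures=5):
    """Assurance test: repeated bad passwords lock the account, the correct password
    and a valid token are refused while locked, access returns after expiry."""
    t = [1000.0]                                    # fake clock so the test runs instantly
    rl = AuthRateLimiter(max_failures=max_failures, clock=lambda: t[0])
    outcomes = []
    for i in range(max_failures):
        outcomes.append(rl.attempt("203.0.113.7", "alice", "password", f"guess{i}"))
        t[0] += 1
    locked_pw = rl.attempt("203.0.113.7", "alice", "password", "correct horse battery staple")
    locked_tok = rl.attempt("198.51.100.9", "alice", "token", TOKENS["alice"])
    t[0] += rl.lockout_seconds + 1
    after = rl.attempt("203.0.113.7", "alice", "password", "correct horse battery staple")
    return {"outcomes": outcomes, "locked_correct_pw": locked_pw,
            "locked_valid_token": locked_tok, "after_expiry": after, "log_entries": len(rl.log)}


def ip_throttle_harness(ip_limit=20):
    """Assurance test: spraying many accounts from one address is throttled at the
    network level even though no single account reaches its lockout."""
    rl = AuthRateLimiter(ip_limit=ip_limit, clock=lambda: 2000.0)
    return [rl.attempt("203.0.113.7", f"user{i}", "password", "x") for i in range(ip_limit + 1)][-1]


if __name__ == "__main__":
    print(lockout_harness())
    print(ip_throttle_harness())
```

The injectable clock is what makes the harness deterministic: lockout expiry is checked by advancing the fake clock rather than sleeping. Note that the lockout is enforced before the credential check, so a correct password (or valid token) submitted during the lockout is refused and logged, which is the behaviour the assurance step requires.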
03 | The Curious Case of Brute Force