Difference between revisions of "Identity Pathology"

From MgmtWiki

Revision as of 17:14, 20 June 2018

Full Title or Meme

A list of various ways in which identity information can be misused or misappropriated on the internet.

Context

User private data must be supplied before web resources are released to a user. The object of this effort is to collect a list of the various attacks on that data, together with their mitigations, so that the amount of data released, and its misuse after release, can be minimized.

There are three entities in play here.

  1. The user on a user device (aka a user agent).
  2. The resource provider (aka a relying party).
  3. Identifier and Attribute Providers.

Problems

  • Attacks at the user device or user agent.
    • User private data, including credentials used in authentication.
    • Theft of the user device or second factor token.
    • Data of the user's contacts.
    • Insertion of malware on the user's device.
    • Interception of legitimate user connections to valuable resources, including elevation of privilege.
  • Attacks on the transmission of user private data.
    • Interception of legitimate user connections to valuable resources.
    • Misdirection or misleading connection to attacker sites.
    • Man in the middle attacks.
  • Spoofing attacks at the resource site.
    • Reuse or replay of user credentials.
      • User reliance on passwords alone is known to result in password reuse, so if an attack succeeds on one site, it may work on others.
    • Using data acquired by social engineering.
      • Complex passwords that are unique to one site or service will force users to write down passwords which can be found.
    • Initiating connections through other compromised sites, including compromised Identifier or Attribute Providers.
  • Misuse of user private data.
    • Releasing data to others.
    • Data breaches.

Solutions

These are the mitigations that should be considered based on the risk profile for the resource being protected.

"Malware" encompasses computer viruses (code injection), computer worms, ransomware, spyware, adware, trojan horses, keyloggers, rootkits, malicious Browser Helper Objects (BHOs), etc.

References