Thursday, May 16, 2019

Identity Impersonation continued:
Perhaps the most difficult task in mitigating identity threats, is the task of detecting identity spoofing and impersonation. Identity is only determined based on credentials. If the credentials become compromised, there is no one to prevent anyone from assuming the identity of another.

There are several mitigations for the owner for this purpose. Yet the sad truth is that even the best mitigation has been known to overcome or circumvented. These include improving forms of credentials in terms of what the owner knows or has. The latter has taken the form of one time passcodes, fingerprints and other biometrics, and keys. The system to recognize these forms or authentication mechanisms become increasingly complex and often to the hackers advantage.

However, impersonation is sometime necessary and even desirable in some cases. Systems frequently allow workers to impersonate the user so that they can proceed with the security context of the user. In such cases, identity is already established prior to impersonation. The mechanism is usually easier within the system boundary rather than outside it primarily because system can exchange tokens representing users.

The stealing of identity can cause significant trouble for the owner as it is widely known from those who suffer from credit card fraudulent activity where someone else impersonates the user. In the digital world, the compromise of identity often implies a risk that goes beyond personal computing. Most of the resources are on the network and a hacker can easily gain access to privileged areas of the code.

There are two ways of looking at this and they correspond to two different organizations such as the white hat and the black hat organizations who study and expose these vulnerabilities.

They have a large membership and their findings are well-covered in publications, news reports and circulations.

Software makers including those with IAM modules often release patches based  on their findings. Some of them even have their own set of penetration testers who user old and new findings to test the security of the product.


No comments:

Post a Comment