
Identity authentication is an information system's first line of defence; how secure it is directly affects the robustness of the whole system, which is why authentication has become a focus of security research.
In an authentication attack, an attacker obtains a legitimate user's authentication credentials by some means and uses them to impersonate that user in order to access the system or its application resources. The common authentication attacks and their corresponding countermeasures are as follows.
Brute force
Attack method: in a brute-force attack, an attacker takes a large set of common or leaked passwords (a password dictionary) and tries them against the target at high volume in an attempt to gain access.
Countermeasures: automatic account lockout after too many failed attempts, password strength requirements, multi-factor authentication, etc.
Credential stuffing
Attack method: in credential stuffing (also called a "database collision" attack, 撞库), the attacker obtains leaked usernames and passwords through vulnerabilities or dictionaries and uses an automated program to attempt logins with them, achieving the goal of the attack.
Countermeasures: require CAPTCHAs and biometric login on the system.
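As an added example that is not part of the original article, the following code implements the account-lockout countermeasure listed under brute force and adds a per-source check that catches the credential-stuffing pattern a per-account lockout never trips (one failed attempt each against many accounts). The policy thresholds, the event format and the IP addresses are assumptions made for the example.

```python
from collections import defaultdict, deque

# Policy values are assumed for this example; tune them to the deployment.
MAX_FAILURES = 3       # failed attempts per account before it is locked
WINDOW_SECONDS = 600   # sliding window in which those failures are counted
LOCKOUT_SECONDS = 900  # how long a locked account stays locked

# Constructed sample login events: (timestamp, source_ip, username, password_correct)
SAMPLE_EVENTS = [
    (0, "198.51.100.9", "alice", False),
    (10, "198.51.100.9", "alice", False),
    (20, "198.51.100.9", "alice", False),  # third failure: the account is locked
    (30, "198.51.100.9", "alice", True),   # correct password, but the lock still holds
    (60, "203.0.113.7", "bob", False),
    (61, "203.0.113.7", "carol", False),
    (62, "203.0.113.7", "dave", False),    # one try per account across many accounts
    (70, "192.0.2.44", "eve", True),
]

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)       # username -> recent failure timestamps
        self.locked_until = {}                   # username -> time the lock expires
        self.accounts_per_ip = defaultdict(set)  # source ip -> usernames it attempted

    def record(self, ts, ip, user, password_correct):
        if ts < self.locked_until.get(user, 0):
            return "locked"                      # rejected before the password is checked
        self.accounts_per_ip[ip].add(user)
        if password_correct:
            self.failures[user].clear()
            return "ok"
        recent = self.failures[user]
        recent.append(ts)
        while ts - recent[0] > WINDOW_SECONDS:
            recent.popleft()                     # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = ts + LOCKOUT_SECONDS
            recent.clear()
            return "lockout"
        return "fail"

    def credential_stuffing_sources(self, min_accounts=3):
        # Sources that tried many distinct accounts: the stuffing pattern, which
        # per-account lockout misses because each account sees only one failure.
        return sorted(ip for ip, users in self.accounts_per_ip.items()
                      if len(users) >= min_accounts)

def replay(events):
    guard = LoginGuard()   # run the guard over the events; return decisions and guard
    return [guard.record(*event) for event in events], guard
```

A fixed lockout can itself be turned into a denial of service against legitimate users, so the per-source view and rate limiting matter as much as the per-account counter.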
Phishing
Attack method: attackers use deceptive emails and forged websites to carry out online fraud; victims often disclose private information such as credit card numbers and bank account details.
Countermeasures: security awareness training and protection of personal privacy.
Social engineering attacks
Attack method: social engineering attacks persuade people into performing actions or disclosing confidential information (tricking someone into handing over a password is usually far easier than obtaining it by other means); examples include phishing, voice phishing and social-media baiting.
Countermeasures: security awareness training, multi-factor authentication, etc.

This article was reposted by 数字化转型网 (www.szhzxw.cn) from material circulating online; editing/translation: 默然 of 数字化转型网.



