Authenticated Attackers

  • 30 March 2023
  • 1 reply
  • 64 views


Salt Security API security report 2023 validates an aspect of #threatmodeling that I find myself needing to repeat: 

Authentication does not prevent attack!

Of the 4842 API attacks analyzed for the report, only 22% were unauthenticated. 

A vast majority (78%) of attacks were authenticated!

If what's behind an authentication is worth the expense/effort, attackers are happy to purchase/sign up. 

Consider:

  • Freemium and advert-paid sites (Facebook, etc.) and sites that dole out email addresses (Live, Yahoo, Gmail) allow everyone (of course attackers)
  • Large enterprises always have some compromised machines. Ergo, attacker rides along with authenticated user. Any enterprise user might also allow attack
  • A billion cracked passwords readily available

#threatmodeling must account for authenticated, likely authorized attackers

https://content.salt.security/state-api-report.html

(In another post I’d be happy to explain what authentication does provide. It’s also in a couple of my books, if that helps?)
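The post's point that authentication by itself is not a control against these attacks, shown as an added example (not code from the original post or from the Salt Security report): two handlers for the same API route, both of which require a valid session token, but only the second of which checks that the signed-in caller is allowed to read the record it asked for. All tokens, users and records here are constructed sample data.

```python
"""Added example: an authenticated caller against two versions of the same
endpoint.  One trusts the session alone; the other also checks that the
caller owns the requested record.  Users, tokens and invoices are
constructed sample data, not from the original post."""
from dataclasses import dataclass

# Constructed: issued session token -> user id
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# Constructed: records keyed by id, each owned by exactly one user
INVOICES = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 55.5},
}


@dataclass
class Response:
    status: int
    body: object = None


def authenticate(token):
    """Return the user id bound to a valid session token, else None."""
    return SESSIONS.get(token)


def get_invoice_auth_only(token, invoice_id):
    """Authentication only: any signed-in user can read any invoice.
    A legitimately registered account is all an attacker needs here."""
    user = authenticate(token)
    if user is None:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return Response(404)
    return Response(200, inv)


def get_invoice_authz(token, invoice_id):
    """Authentication plus object-level authorization: the caller must own
    the record.  Missing and not-owned both return 404 so an authenticated
    caller cannot use the status code to learn which ids exist."""
    user = authenticate(token)
    if user is None:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        return Response(404)
    return Response(200, inv)


if __name__ == "__main__":
    # bob is a validly authenticated user asking for alice's invoice
    print(get_invoice_auth_only("tok-bob", 101).status)  # 200: authentication alone lets it through
    print(get_invoice_authz("tok-bob", 101).status)      # 404: ownership check denies it
    print(get_invoice_authz("tok-bob", 102).status)      # 200: bob's own record
    print(get_invoice_authz("tok-nobody", 102).status)   # 401: no valid session
```

The threat-model takeaway is the one the post makes: the account doing the request is real and its token is valid, so the control that matters is the per-request decision about what that principal may touch, not the login in front of it.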


1 reply

Interesting number here, 78%, but least privilege should lift off the major impact, shouldn't it? When privileged access needs a minimum MFA authentication implementation based on security-by-design principles, that should help. I am open to suggestions and feedback/advice.
