• Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off
Reading...
Front

Card Range To Study

through

image

Play button

image

Play button

image

Progress

1/25

Click to flip

Use LEFT and RIGHT arrow keys to navigate between flashcards;

Use UP and DOWN arrow keys to flip the card;

H to show hint;

A reads text to speech;

25 Cards in this Set

  • Front
  • Back

¿QUE ES SALT? ¿CUAL ES LA MEJOR PRACTICA PARA SU USO?

Regardless of which algorithm you choose for password storage, be sure
to add a unique per-use salt to your user’s password before protecting it.

Adding a random salt value to your hash ensures that no two password
hashes are the same, even if they use the same starting value.

P44


¿QUE EFECTO GENERA UTILIZAR UN RANDOM SALT VALUE AL HASH AL ENCRIPTAR UN PASSWORD CON RELACION A UN POTENCIAL ATAQUE?

This also radically increases the size of the rainbow table that an attacker
would need in order to store all precomputed hashes of all possible passwords.
Adding a 32-character random salt would mean that instead of one entry, an
attacker would need 6232 or 2.272+e5724 entries, just for “password1”!

P44


DESCRIBA EL PROCESO (MEJOR PRACTICA) PARA ENCRIPTAR UN PASSWORD HACIENDO USO DE UN SALT.

Whenever a user creates or changes his or her password, create a
32-character random value, the salt. Then, add the salt to the password before
you protect it with PBKDF2, scrypt, or your specialized HMAC setup. Be sure
to store the salt along with your hashed password in the database so that you
can use the salt again on subsequent authentication attempts. Without the
stored value of the salt, you will never be able to recompute the correct hash
to check if a password the user entered is correct!


¿QUE ES EL OWASP PASSWORD STORAGE CHEAT SHEET Y QUIEN ES EL AUTOR?

P45


¿CUAL ES EL ESQUEMA MAS COMUN DE RESTABLECIMIENTO DE PASSWORDS? ¿QUE OPCION PREFIEREN LOS BANCOS Y POR QUE?

P45


¿CUAL ES LA OPCION DE RESTABLECIMIENTO DE PWD IDEAL/MAS RECOMENDABLE Y POR QUE? ¿QUE INCONVENIENTES PRESENTA?

If possible, do not support the forgot password workflow as part of your
website. Force your enterprise users to actually call in or use some other
well-vetted manual process. This alone will deter many attackers. While this
is ideal, it does not scale very well.

P45


DESCRIBA LAS CARACTERISTICAS DE UN PROCESO AUTOMATICO RECOMENDADO PARA EL RESTABLECIMIENTO DE CONTRASEÑAS.

If you must have an automated forgot
password process, consider the following example from the banking industry:
1. Establish the user’s identity with requests for two or more pieces of
information such as the user’s Social Security number26 and account
number. Start a session for this process and ensure that the rest of the
process comes from the same session.
2. Once you have successfully established the identity of that user, as
an optional step, consider asking the user a security question27 that
users set up during registration. Some banks use this, some do not.
3. Now that you have fully established identity, send a multi-factor
token out of band. The best bet is to use a dedicated multi-factor
device or application. Next best is to use SMS to the phone number
on the account. The worst option is to send a token over email, but
by having already established identity this is still better than an email
password reset link alone.
4. Once you have verified that the user’s token is valid, allow the user
to reset his or her password to a new, strong value according to your
organization’s password policy.

P45


¿CUALES SON LAS CARACTERISTICAS DESEABLES DE UNA BUENA PREGUNTA DE SEGURIDAD EN UN PROCESO DE FORGOT PASSWORD?

Good security questions must be memorable, consistent, nearly universal, and safe. For more on choosing good security questions go here: https://www.owasp.org/index.php/Choosing_and_
Using_Security_Questions_Cheat_Sheet.

P45


¿QUE ES USERNAME HARVESTING Y EN QUE CONSISTE?

Any time your error messages
are different when the username is valid or when the username is not valid,
attackers have an easy means to conduct username harvesting.

P46


MENCIONE MEJORES PRACTICAS PARA PREVENIR USERNAME HARVESTING.

1. Many secure
coding standards encourage your error message for login failure to be the
same regardless of the type of failure to protect against username harvesting.
For example, regardless of whether the username entered was valid, your application could return the generic message “Invalid username/password
combination.”
2. Simply changing the text of the message is not enough. For this to work
properly, you need to be very conscious of your actual login logic and even
formatting. Consider the code in Figure 2-2, with nonprintable characters
shown.
Even though the exact same error message is used in both conditions, an
intercepting proxy such as Burp Suite can easily detect differences in output
that would appear identical on visual inspection (see Figure 2-3).


¿QUE PRACTICAS COMUNES DE SITIOS ORIENTADOS A USUARIOS FACILITAN EL USERNAME HARVESTING?

1. Any time your error messages
are different when the username is valid or when the username is not valid,
attackers have an easy means to conduct username harvesting
2. Simply changing the text of the message is not enough. For this to work
properly, you need to be very conscious of your actual login logic and even
formatting. Consider the code in Figure 2-2, with nonprintable characters
shown.
3. onsumer-centric websites almost always verify if a requested username is in use already and disallow that choice if a duplicate name is selected. This can easily be leveraged by an attacker to harvest valid usernames. In fact, some user registration mechanisms provide an AJAX-like widget to verify if a requested username is valid or not. An attacker working with a list of names and email addresses can leverage these features to quickly harvest a large number of valid usernames.


EN EL PROCESO DE REGISTRO DE USUARIOS DE UN SITIO, VALIDA QUE EL NOMBRE DE USUARIO SELECCIONADO POR EL USUARIO NO EXISTA YA Y MUESTRA UN MSG DE ERROR AL USUARIO EN SU CASO. ¿QUE RIESGO DE SEGURIDAD PRESENTA ESTE ESCENARIO? ¿QUE MECANISMOS SE PUEDEN USAR PARA PREVENIR UN ATAQUE?

USERNAME HARVESTING

it’s pointless to protect against username harvesting if you allow
users to select their own username during account registration. Consumer-centric
websites almost always verify if a requested username is in use already and
disallow that choice if a duplicate name is selected. This can easily be leveraged
by an attacker to harvest valid usernames. In fact, some user registration
mechanisms provide an AJAX-like widget to verify if a requested username is
valid or not. An attacker working with a list of names and email addresses can
leverage these features to quickly harvest a large number of valid usernames.
Consider implementing a throttle to slow down automated requests to these
mechanisms. Some enterprises and banks, such as HSBC, even force complex policy requirements on usernames, or create complex machine-generated
usernames, something worth considering for secure web applications.

P46, P47


¿QUE ES UN BRUTE FORCE ATTACK? DESCRIBIR. ¿QUE OTRO TIPO DE ATAQUE ESTA COMUNMENTE RELACIONADO? ¿EJEMPLOS DE HERRAMIENTAS? ¿COMO SE CONTRARRESTA?

Once an attacker knows a valid username, he can attempt a brute force
attack. A brute force attack occurs when an attacker attempts many
passwords in high volume against a victim’s account, attempting to discover
their authentication credentials through trial and error. Old school brute
force tools such as Brutus make brute force attacks simple. As the name
implies, this is not a savvy or intelligent attack.
There are many ways to counter brute force attacks. The most common
defense is account lockout.

P48


EJEMPLOS DE ESTRATEGIAS PARA CONTRARRESTAR BRUTE FORCE ATTACKS

ACCOUNT LOCKOUT

P48


¿QUE ES ACCOUNT LOCKOUT Y PARA QUE SE UTILIZA? ¿QUE PRACTICA SE RECOMIENDA? ¿QUE DESVENTAJA PRESENTA?

P48, P49


¿QUE ES REVERSE BRUTE ATTACK? ¿QUE DIFERENCIA TIENE VS BRUTE ATTACK? ¿COMO SE CONTRARESTA?

A reverse
brute force attack occurs when an attacker attempts a commonly used password
once against many different accounts in your system. The benefit of this attack
is that it will not trigger account lockout against any one account. Disallowing
commonly used passwords, even ones that fit your normal password policy, is a
good mitigation to this attack.

P49


¿QUE ES EL REMEMBER ME FEATURE? ¿QUE TIPO DE ATAQUE PERMITE Y COMO ES? ¿CUAL ES LA PRACTICA RECOMENDADA PARA SU IMPLEMENTACION?

P49


¿CUAL ES LA CARACTERISTICA MAS FUNDAMENTAL PARA UN MECANISMO DE AUTENTICACION SECURO?

MULTIFACTOR AUTHENTICATION

P50


¿QUE ES MULTIFACTOR AUTHENTICATION Y EN QUE CONSISTE? ¿QUE CAMBIO DE PARADIGMA IMPLICA?

Multi-factor, or
multi-step, authentication involves requiring two or more factors at login
time (as well as during re-authentication). That includes something your
user knows (such as a password) in addition to something the user has (such
as a multi-factor token or mobile application) or something the user is
(such as a retinal scan or a fingerprint).
SOMETHING DE USER
KNOWS (E.G. PASSWORD)
HAS (E.G. TOKEN OR MOBILE APP) OR IS (RETINAL SCAN OR FINGERPRINT)
CAMBIO DE PARADIGMA: The era of the password as a sole authentication credential
is dead.

P50


¿QUE BENEFICIOS SE OBTIENE AL UTILIZAR MULTIFACTOR AUTHENTICATION VS ALGUNOS TIPOS DE ATAQUES COMUNES?

Multi-factor authentication reduces the impact of password theft,
mitigates bruteforce attacks without the need for account lockout, and in
general protects the front door of your web application in a way that is much
stronger than username and password alone.

P50


¿QUE ES EL MULTIFACTOR TOKEN GENERATOR SEEDS? ¿QUE RIESGOS EXISTEN EN CUANTO A SU MANEJO? ¿QUE MEJOR PRACTICA SE RECOMIENDA? MENCIONE UN EJEMPLO DE UNA ATAQUE DE SEGURIDAD RELACIONADO.

First of all, who is storing a copy of your multi-factor token generator seeds?
These seeds are used to keep the multi-factor token value in sync between
the token and the server. If stolen, the seeds can be used to generate valid
multi-factor token values. In March 2011, RSA was breached by a hacker
who stole the multi-factor token seeds from their SecurID product. Three
months later RSA admitted it was breached and that information used in the
breach was used to hack Lockheed Martin and that it would be replacing
SecurID tokens for nearly all of its customers. 29 Consider solutions where
third-party vendors do not control your authentication or multi-factor seeds!

P50


DESCRIBA EL PROCESO DE ENVÍO DE TOKEN EN UN PROCESO DE AUTENTICACIÓN MULTIFACTOR.

EMAIL (WORST)
SMS
APPS WITH PUSH NOTIFICATION
MOST SECURE: DEDICATED HARDWARE TOKEN

P50, P51


¿QUE ES SAML? ¿QUE DESVENTAJAS PRESENTA? DESCRIBIR CONCEPTO

P51


¿QUE ES OAuth? DESCRIBA Y MENCIONE UN CASO DE EJEMPLO

P52


PROPORCIONE UN RESUMEN CON LAS CONSIDERACIONES DE SEGURIDAD ESENCIALES PARA AUTENTICACIÒN Y MANEJO DE SESIONES.

P54