The Official (ISC)2 SSCP CBK Reference, by Mike Wills

Security Questions


Security questions are often used as an additional Type I (something you know) factor during authentication. These typically draw on a preset list of questions that users must answer during account provisioning or after a password is forgotten. The system should hash each answer with a salted, slow password hash and store the digests in a table associated with the user ID. Note that hashing only at the user's endpoint device does not help: the digest then becomes the secret that is transmitted and compared, so the verifier must still hash whatever it receives. A few systems normalize the answer before matching it, so that the user may enter it with fewer blank spaces or a different mix of upper- and lowercase letters; while this makes "passing the quiz" easier on the user, every variation the system forgives is one fewer the attacker has to guess, so it reduces the security of the system overall and is not a recommended approach.

At each login or access attempt, the user is asked to provide answers to a certain number of these questions. Retry logic might allow two incorrect responses to a set of five randomly chosen questions, for example, before the user must contact the help desk for assistance and verification of their identity.

In many respects, security questions are just another set of passwords, and they suffer from all of the shortcomings and risks that passwords do. Users have been prone to take screenshots of the questions and answers as they first establish them and then store that file in an unprotected way on their system, for example. (You don't do that, do you?)

In practice, the answers to most security questions are open-source intelligence (OSINT) about the subject, that is, information that is published or public-facing, which an attacker can use to deduce the correct answer or at least to rule out the wrong ones. Users can, of course, register deliberately false answers when the account is provisioned, but those false answers still have to be memorable, which pushes them back toward the guessable.
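The enrollment, random-challenge and bounded-retry logic described above (hashed answers stored per user ID, five questions drawn at random, two misses tolerated before the help desk is involved), together with the OSINT weakness just discussed, as an added Python example; this is not code from the SSCP CBK text. The question bank, the user's answers, the attacker's "public profile" and the PBKDF2 work factor are all constructed here for illustration. The `lenient` switch implements the whitespace/case normalization the text warns against, so the trade-off can be seen directly.

```python
"""Security questions as a knowledge factor: enrollment, random challenge,
bounded retry, and why OSINT-answerable questions fail.
Added example, not from the SSCP CBK text.  Question bank, answers, the
attacker's profile and the work factor are constructed for illustration."""
import hashlib
import hmac
import os
import re
import secrets

# Constructed bank; most of these are answerable from a social-media profile.
QUESTION_BANK = [
    "What city were you born in?",
    "What was the name of your first pet?",
    "What was your first car?",
    "What is your mother's maiden name?",
    "What was the name of your elementary school?",
    "What street did you grow up on?",
    "What is your favorite food?",
]

# Assumption: example work factor; production follows current OWASP guidance.
PBKDF2_ITERATIONS = 100_000


def normalize(answer: str, lenient: bool) -> str:
    """Strict mode keeps the answer exactly as typed.  Lenient mode trims,
    collapses whitespace and folds case, so ' Spring  field' matches
    'springfield': friendlier, but many inputs now collapse to one digest,
    which shrinks the space an attacker has to search."""
    if not lenient:
        return answer
    return re.sub(r"\s+", " ", answer).strip().casefold()


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash, exactly as for a password.  This runs on the
    verifier; a digest computed only on the endpoint would itself be the secret."""
    return hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class SecurityQuestionStore:
    """Per-user table of (salt, digest) keyed by question text."""

    def __init__(self, questions_per_challenge=5, max_wrong=2, lenient=False):
        self.k = questions_per_challenge
        self.max_wrong = max_wrong
        self.lenient = lenient
        self._records = {}   # user_id -> {question: (salt, digest)}
        self.locked = set()  # users who must now be verified by the help desk

    def enroll(self, user_id: str, answers: dict) -> None:
        if len(answers) < self.k:
            raise ValueError(f"need at least {self.k} answers, got {len(answers)}")
        table = {}
        for question, answer in answers.items():
            salt = os.urandom(16)  # one salt per answer: equal answers differ at rest
            table[question] = (salt, hash_answer(normalize(answer, self.lenient), salt))
        self._records[user_id] = table

    def challenge(self, user_id: str, rng=None) -> list:
        """Pick k of the user's questions at random.  rng is injectable for
        tests; the default is the OS CSPRNG."""
        if user_id in self.locked:
            raise PermissionError(f"{user_id} must be verified by the help desk")
        rng = rng or secrets.SystemRandom()
        return rng.sample(list(self._records[user_id]), self.k)

    def verify(self, user_id: str, questions: list, responses: dict) -> tuple:
        """Return (passed, wrong_count).  Unanswered questions count as wrong;
        more than max_wrong misses in one attempt locks the account."""
        if user_id in self.locked:
            return False, len(questions)
        table = self._records[user_id]
        wrong = 0
        for question in questions:
            salt, digest = table[question]
            given = normalize(responses.get(question, ""), self.lenient)
            # Constant-time compare: do not leak how much of the digest matched.
            if not hmac.compare_digest(hash_answer(given, salt), digest):
                wrong += 1
        if wrong > self.max_wrong:
            self.locked.add(user_id)
            return False, wrong
        return True, wrong


def osint_attack(store, user_id, questions, public_profile) -> tuple:
    """An attacker who never saw the password answers from whatever a public
    profile reveals and leaves the rest blank.  One attempt suffices when
    enough of the k questions are OSINT-answerable; too few knowns instead
    lock the legitimate user out."""
    return store.verify(user_id, questions,
                        {q: public_profile[q] for q in questions if q in public_profile})


if __name__ == "__main__":
    import random
    alice = dict(zip(QUESTION_BANK, ["Springfield", "Rex", "Civic", "Lopez",
                                      "Lincoln Elementary", "Elm Street", "Pizza"]))
    store = SecurityQuestionStore()
    store.enroll("alice", alice)
    asked = store.challenge("alice", random.Random(7))
    print("legitimate user:", store.verify("alice", asked, {q: alice[q] for q in asked}))
    leak = {q: alice[q] for q in QUESTION_BANK[:2] + QUESTION_BANK[4:5]}  # from a profile page
    print("attacker:", osint_attack(store, "alice", asked, leak), "locked:", store.locked)
```

Two things are worth noticing when running it: an attacker who knows three of the five chosen answers passes on the first try without ever touching the password, and an attacker who knows only two locks the real user out, so the retry limit trades a guessing defense for a denial-of-service exposure. Switching to `lenient=True` makes the legitimate user's life easier but also means the attacker's guess list no longer has to get capitalization or spacing right.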

Because of this, NIST has dropped security questions from its authentication guidance: SP 800-63B does not permit pre-registered knowledge questions as an authenticator. It might be argued that security questions can still serve as part of a password reset dialog; that may make life easier for your users, but it makes the reset path, often the weakest link of an account, easier for an attacker as well.

NOTE Intelligence information also comes directly from humans (HUMINT), technical sources (TECHINT) such as your own network, and of course rumors (RUMINT). All of these, and more, should play valuable roles in your threat-hunting reconnaissance efforts.

