WA6. User education and User enumeration
Statement
There is an established opinion that users are the weakest part of cybersecurity defense. For this assignment conduct research and discuss what organizations can and should do to enforce cybersecurity compliance by users of organizational computer systems.
In a separate paragraph discuss user enumeration. Is this a common exploit? Why or why not? Support your argument with appropriate research.
- Write a paragraph with not less than 100 words discussing what organizations can and should do to enforce cybersecurity compliance by their users. Support your arguments with appropriate research.
- In a separate paragraph (minimum of 100 words) discuss the impact and scale of user enumeration exploits. Is this a common exploit? Why or why not? Support your argument with appropriate research.
Solution
User education
Human error is a major point of weakness: it is reported to be the cause of roughly 90% of cyber-attacks (Ryerse, 2020, 1). It is therefore important for users (company employees, technical or not) to be aware of potential threats and not to become complacent because their company has a contract with a TSP (Technical Security Provider) or because a firewall or antivirus is installed on their computer.
The first step in enforcing cybersecurity compliance by users is to give them the necessary knowledge, and then to define clear and strict policies together with the reasoning behind them and the consequences of not following them. The education step is the most important, because people tend to resist or ignore rules they do not understand. For education to be successful it must cover at least the following (Kelly, 2017, 2):
- Phishing and social engineering: most cyber-attacks start with a phishing email or with manipulation of a user; users must be aware of the techniques attackers use and know how to identify and respond to them.
- Access control, passwords, and connections: every user must know the various connections that their company uses, including any internal or external connections, best practices for passwords, and the various roles, permissions, and access control policies that are in place.
- Device security: users must know how to secure their devices, including personal devices that they use to access company resources such as laptops, phones, gadgets, etc; and the importance of keeping their devices up to date.
- Physical security: users must know how to secure their physical environment, including their office, desk, and any other place where they work; policies such as locking computers when unattended, locking files in safe cabinets, and other physical security policies must be enforced.
We will conclude with a quote from the article (Kelly, 2017, 2): “Computers don’t create crimes. It is the people who are using the computers that commit the crimes. And people in the organizations can be—and often are—complicit” which summarizes the importance of keeping users informed and educated.
User enumeration
Enumeration is the process of utilizing a system vulnerability to extract information about resources that may exist on this system; these resources may include usernames, groups, hostnames, network connections and services, IP and routing tables, configuration files, and other system information (Chakravartula, 2021, 3).
User enumeration is the process of extracting information about users of a website or web application; this information is gathered and later used to perform other attacks such as brute force attacks, phishing, and social engineering or sold to other attackers (Chakravartula, 2021, 3).
In the context of user enumeration, some pages and functionalities are more important than others; login, reset-password, and registration pages are the most important as they are the most likely to be targeted by attackers; other pages such as search, contact, and profile pages are less important but may still be targeted.
The enumeration problem is very common: OWASP (2021, 4) groups this kind of information disclosure under Broken Access Control, the number one web application security risk in 2021. Enumeration is not limited to websites and web applications; usernames and other resources can also be enumerated through NetBIOS, SNMP, LDAP, NTP, SMTP, DNS and other services and protocols, and because the probing is easy to automate (a script can test thousands of candidate usernames in minutes) the weakness is both widespread and cheap to exploit.
The section below discusses the best practices that must be used on the most important pages to prevent user enumeration attacks (Lara, 2018, 5; Hacksplaining, 2018, 6):
- Login pages:
- Login pages should return the same ambiguous error message for both invalid usernames or passwords.
- Returning a message that says “invalid username” or “invalid password” is a bad practice as it allows attackers to enumerate valid usernames, that is, detect if a username exists in the system.
- Do not encode usernames or login error codes in the URL.
- HTTP status codes should be the same for an invalid username and an invalid password; many sites simply return 200 OK in both cases. Returning 404 Not Found for an unknown username and 401 Unauthorized for a wrong password lets an attacker enumerate usernames from the status code alone, even when the message body is identical.
- If rejecting an unknown username takes less time than rejecting a wrong password (typically because the server skips the password hash when no account is found), an attacker can tell the two cases apart by timing even when the error message is the same; the server should therefore take the same amount of time to respond to both. Padding the response with a sleep is one option, but it is fragile under load; the more reliable approach is to always perform the same password-hash computation, using a dummy stored hash when the username does not exist.
- The entire HTTP response (including headers and cookies) should be the same for both invalid usernames and invalid passwords.
- Implement exponential backoff to prevent brute force attacks.
- Reset password pages:
- Reset password pages should not tell if the username exists or not; it should just say that the password reset link has been sent to the email address.
- Send an email in both cases, whether the username exists or not: a reset link if the account exists, and otherwise a message saying that no account is registered for that address (with a link to sign up). The response shown in the browser is the same either way.
- Signup Pages:
- Avoid telling the user on screen whether the username or email address is already taken.
- Do not use sequential IDs for users; an attacker can walk sequential IDs to count users or find valid ones.
- If the address is already registered, show the same “check your email” message as for a new signup, and send the existing account holder an email explaining that an account already exists and how to reset the password.
- Use CAPTCHA to prevent automated attacks.
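The Python below is an added example that is not part of the original write-up or of the cited sources: it contrasts a login handler that leaks account existence through its message, status code and timing with a hardened handler that returns an identical response and does identical hashing work in both failure cases, and it applies the same "same message, different email" rule to password reset and signup. The in-memory user store, the email outbox, the example.com URLs and the use of PBKDF2 as the password hash are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumed cost parameter for this example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed in-memory user store (not a real deployment): username -> (salt, hash).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}
EMAIL_TO_USER = {"alice@example.com": "alice"}

# Dummy credential of the same cost: unknown usernames are verified against it,
# so the server performs the same hashing work whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_urlsafe(16), _DUMMY_SALT)

HASH_CALLS = {"count": 0}  # instrumentation: how many hash verifications ran


def _verify(password: str, salt: bytes, expected: bytes) -> bool:
    HASH_CALLS["count"] += 1
    return hmac.compare_digest(_hash_password(password, salt), expected)


def login_leaky(username: str, password: str):
    """Vulnerable pattern: message, status code and response time all reveal
    whether the username exists."""
    if username not in USERS:
        return 404, {"error": "invalid username"}  # returns before any hashing
    salt, expected = USERS[username]
    if not _verify(password, salt, expected):
        return 401, {"error": "invalid password"}
    return 200, {"ok": True}


def login_hardened(username: str, password: str):
    """Hardened pattern: identical status, body and hashing work for an unknown
    user and for a wrong password."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # _verify always runs; the membership test comes after it so that even a
    # match against the dummy hash still fails for an unknown user.
    ok = _verify(password, salt, expected) and username in USERS
    if not ok:
        return 401, {"error": "invalid username or password"}
    return 200, {"ok": True}


GENERIC_RESET_MESSAGE = "If that address is registered, password reset instructions have been sent."
GENERIC_SIGNUP_MESSAGE = "Check your email to continue."


def reset_password_hardened(email: str):
    """Same on-screen message either way; only the email that goes out differs.
    Returns (response body, outbox); the outbox list stands in for a mail queue."""
    outbox = []
    if email in EMAIL_TO_USER:
        token = secrets.token_urlsafe(32)
        outbox.append((email, f"Reset your password: https://example.com/reset?token={token}"))
    else:
        outbox.append((email, "No account exists for this address. Sign up at https://example.com/signup"))
    return {"message": GENERIC_RESET_MESSAGE}, outbox


def signup_hardened(email: str):
    """Never tells the browser whether the address is taken; an existing account
    holder is told by email and pointed at the reset flow instead."""
    outbox = []
    if email in EMAIL_TO_USER:
        outbox.append((email, "An account already exists for this address. Use https://example.com/reset if you forgot your password."))
    else:
        token = secrets.token_urlsafe(32)
        outbox.append((email, f"Confirm your new account: https://example.com/confirm?token={token}"))
    return {"message": GENERIC_SIGNUP_MESSAGE}, outbox


def new_user_id() -> str:
    """Non-sequential public identifier, so user IDs cannot be walked to count or find users."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    for fn in (login_leaky, login_hardened):
        HASH_CALLS["count"] = 0
        unknown = fn("bob", "wrong")
        wrong = fn("alice", "wrong")
        print(fn.__name__, "unknown user ->", unknown, "| wrong password ->", wrong,
              "| hash verifications:", HASH_CALLS["count"])
```

Running the block shows that `login_leaky` answers an unknown user with 404 after zero hash computations and a wrong password with 401 after one, while `login_hardened` returns the same 401 body after exactly one hash computation in both cases. Note that equalising the hash cost removes the largest timing difference but not every one (a database miss and a database hit may still differ slightly), so this should be combined with the rate limiting and backoff mentioned above rather than relied on alone.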
To conclude, user enumeration is a very common vulnerability that can be exploited on many types of servers and protocols; and it can be used to perform other attacks such as brute force attacks, phishing, and social engineering. It is very important to take the necessary precautions to prevent such attacks and increase the developers’ awareness of such attacks.
References
- Ryerse, J. (2020, September 7). The basics of cybersecurity training for end users. ConnectWise. https://www.connectwise.com/blog/cybersecurity/the-basics-of-cybersecurity-training-for-end-users
- Kelly, R. (2017, March 3). Almost 90% of cyber-attacks are caused by human error or behavior. ChiefExecutive. https://chiefexecutive.net/almost-90-cyber-attacks-caused-human-error-behavior/
- Chakravartula, R. (2021, January 22). What is enumeration? [updated 2021]. Infosec. https://resources.infosecinstitute.com/topic/what-is-enumeration/
- OWASP. (2021). Introduction - OWASP Top 10:2021. Owasp.org. https://owasp.org/Top10/A00_2021_Introduction/
- Lara, H. (2018, March 10). User enumeration vulnerability [Video]. YouTube. https://www.youtube.com/watch?v=IahnJVOhak4
- Hacksplaining. (2018, September 30). What is user enumeration? [Video]. YouTube. https://www.youtube.com/watch?v=fP0VVzPI4jQ