Repudiation Attack

From Guidance Share

Jump to: navigation, search

Description

The issue of repudiation is concerned with a user denying that he or she performed an action or initiated a transaction. You need defense mechanisms in place to ensure that all user activity can be tracked and recorded.


Vulnerabilities

  • Anonymous access enabled
  • Application using a role-based authorization model
  • Ineffective or lacking logging controls


Countermeasures

  • Disable anonymous access and authenticate every principle
  • Consider using a more granular authorization model in order to produce precise logs at all tiers
  • Log actions to identify a. identity, b. action, c. time, d. component (who, what where, when) while not capturing any sensitive data in logs (e.g., SSN, CC's, passwords, etc.)
  • Enable logging to an object with append-only permissions from the application
Personal tools