
Access Management

5 automated security scanners


Purpose: The Compromised_Access_Detection Scanner is designed to analyze authentication systems for indicators of compromised credentials. It aims to detect active account takeover attacks by identifying various anomalies such as credential stuffing attempts, impossible travel patterns, device fingerprint anomalies, behavior deviations, and leaked credential correlation.

What It Detects:

  • Credential Stuffing Detection: Checks whether login endpoints are exposed to credential stuffing, whether the Have I Been Pwned API is integrated, and whether known-compromised credentials are actually detected.
  • Impossible Travel Detection: Analyzes geolocation data to identify patterns that suggest multiple logins from different locations within a short period, which could indicate potential compromise.
  • Device Fingerprinting Monitoring: Monitors device characteristics to detect unauthorized use of legitimate devices or the creation of new devices for malicious purposes.
  • Behavioral Anomaly Detection: Observes user behavior and compares it against normal patterns to identify anomalies that may suggest a compromised account.
  • Failed Login Pattern Analysis: Analyzes failed login attempts to detect if they follow a pattern indicative of brute force attacks or other compromise tactics.
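The impossible-travel check in the list above, written out as an added example (not code from the scanner itself): consecutive logins by the same user are geolocated, the great-circle distance between them is divided by the elapsed time, and any pair whose implied speed exceeds a plausible maximum is flagged. The event shape, the 900 km/h threshold and the sample logins are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class LoginEvent:
    """One successful login after the source IP has been geolocated (hypothetical shape)."""
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float


EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner speed; faster cannot be one traveller


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude pairs."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier_ip, later_ip, implied_kmh) for every consecutive pair of
    logins by the same user whose implied speed exceeds max_kmh."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):  # chronological order per user
        by_user.setdefault(ev.user, []).append(ev)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Same-second logins from two places are infinitely fast; same place is fine.
            speed = float("inf") if hours == 0 and dist > 0 else (dist / hours if hours else 0.0)
            if speed > max_kmh:
                findings.append((user, prev.ip, cur.ip, speed))
    return findings


def _t(h, m):
    return datetime(2024, 5, 1, h, m, tzinfo=timezone.utc)


# Constructed sample: alice "travels" Frankfurt -> Sydney in 45 minutes; bob drives Berlin -> Munich.
SAMPLE_EVENTS = [
    LoginEvent("alice", _t(10, 0), "198.51.100.7", 50.11, 8.68),
    LoginEvent("alice", _t(10, 45), "203.0.113.9", -33.87, 151.21),
    LoginEvent("bob", _t(9, 0), "192.0.2.10", 52.52, 13.40),
    LoginEvent("bob", _t(15, 0), "192.0.2.11", 48.14, 11.58),
]
```

In production the geolocation step is the weak link: VPN exits, mobile carrier NAT and coarse IP databases all produce false positives, so the speed threshold should be tuned and corroborated with device fingerprint data before an alert is raised.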

Inputs Required:

  • Domain: The target domain whose authentication system is being analyzed.
  • API Keys: For services like Have I Been Pwned and potentially others used for device fingerprinting or behavioral analysis.

Business Impact: The detection of compromised credentials, especially those used in credential stuffing attacks, can lead to unauthorized access to sensitive information and potential financial losses. Improper handling of session management can also facilitate prolonged unauthorized access by allowing attackers to retain access even after initial compromise.

Risk Levels:

  • Critical: If the scanner identifies no detection mechanisms at all or only partial coverage (e.g., missing behavioral analytics), this is critical.
  • High: If there are significant gaps in detection capabilities, such as incomplete monitoring of geolocation data or device fingerprints, but some detections are present, this is high.
  • Medium: If the scanner finds that some indicators of compromise are detected but others are missed (e.g., no behavioral analytics), the risk level is medium.
  • Low: If comprehensive compromised access detection mechanisms are in place and functioning well, risk level is low.
  • Info: Provides informational findings about strengths or specific detections that do not directly impact security posture but can guide improvements.

Example Findings:

  • A domain fails to detect a known compromised credential even though it has been publicly breached.
  • The geolocation data shows multiple logins from different IPs within an hour, which could indicate unauthorized access.


Purpose: This scanner analyzes credential theft prevention mechanisms for a given domain by examining various aspects such as phishing-resistant authentication methods, secure password storage practices, strong password policies, enforcement of HTTPS and TLS protocols, and the presence of Content Security Policy (CSP) on login pages.

What It Detects:

  • Phishing-Resistant Authentication Methods: The scanner identifies if the domain uses any of the following phishing-resistant authentication methods: WebAuthn, FIDO2, hardware keys, certificate-based authentication, and passwordless authentication.
  • Secure Password Storage Practices: It checks whether the domain discloses secure practices for storing passwords such as using hashing algorithms like bcrypt with salt rounds.
  • Strong Password Policies: The scanner verifies if the minimum password length is at least 12 characters and ensures that there are mechanisms in place to block compromised passwords.
  • Enforcement of HTTPS and TLS Protocols: It evaluates whether the domain enforces the use of HTTPS, uses HTTP Strict Transport Security (HSTS), and operates with a secure version of the TLS protocol.
  • Content Security Policy (CSP) on Login Pages: The scanner checks if CSP is implemented on login pages to mitigate various types of attacks like cross-site scripting (XSS).
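The HSTS, TLS, CSP and password-length checks above, as an added example of how a scanner can evaluate what it collected from a login page (this is illustrative code, not the scanner's own). The input dictionaries are constructed; the one-year HSTS minimum, the HSTS severities and the 'unsafe-inline' check are additions a practitioner would want, while the critical/high tiers for CSP, TLS and password length follow the risk levels given for this scanner.

```python
import re

# Constructed inputs in the shape a scanner would collect from a login page (hypothetical).
WEAK_LOGIN_PAGE = {
    "headers": {"content-type": "text/html"},
    "tls_version": "TLSv1.0",
    "min_password_length": 8,
}
HARDENED_LOGIN_PAGE = {
    "headers": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    },
    "tls_version": "TLSv1.3",
    "min_password_length": 14,
}


def _header(headers, name):
    """HTTP header names are case-insensitive; a scanner must not miss a lower-cased header."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def assess_login_page(page):
    """Return (check_id, severity, detail) for every failed check; empty list if all pass.
    Severity tiers follow the scanner's risk levels; the HSTS tiers are assumptions."""
    findings = []
    hsts = _header(page["headers"], "Strict-Transport-Security")
    if hsts is None:
        findings.append(("hsts_missing", "high", "no Strict-Transport-Security header"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 31536000:  # one year is the customary minimum
            findings.append(("hsts_short", "medium", "HSTS max-age below one year"))
    csp = _header(page["headers"], "Content-Security-Policy")
    if csp is None:
        findings.append(("csp_missing", "critical", "no Content-Security-Policy on login page"))
    else:
        parts = [d.split() for d in csp.split(";") if d.strip()]
        directives = {p[0]: p[1:] for p in parts}
        scripts = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in scripts:  # CSP present but useless against injected scripts
            findings.append(("csp_unsafe_inline", "medium", "script-src allows 'unsafe-inline'"))
    if page["tls_version"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append(("tls_outdated", "critical", "outdated " + page["tls_version"]))
    if page["min_password_length"] < 12:
        findings.append(("password_min_length", "high", "minimum password length below 12"))
    return findings
```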

Inputs Required:

  • <domain>: The domain name for which the credential theft prevention mechanisms are to be assessed.

Business Impact: This assessment is crucial as weak authentication, insecure password storage, and lack of encryption can lead to significant data breaches compromising sensitive user information such as login credentials, financial details, and personal data. Proper implementation of strong security practices helps in preventing unauthorized access and protects the integrity and confidentiality of user data.

Risk Levels:

  • Critical: If no phishing-resistant authentication methods are detected, secure password storage practices are absent, HTTPS/TLS is enforced only with outdated protocol versions, or CSP is absent on login pages, the risk level is critical.
  • High: If multiple vulnerabilities are present, such as weak minimum password lengths and inadequate breach detection mechanisms, the risk level is high.
  • Medium: A combination of some secure practices but significant gaps in others results in a medium risk level.
  • Low: When all detected aspects show robust security measures, the risk level is low.
  • Info: Informational findings are present when minor issues or missing features do not significantly impact security but still warrant attention for improvement.

Example Findings:

  1. The domain does not implement any phishing-resistant authentication methods, posing a high risk of credential theft through social engineering or other means.
  2. The password storage uses weak hashing algorithms without salt rounds, making passwords vulnerable to rainbow table attacks and dictionary attacks.

Purpose: This scanner analyzes third-party access governance for a given domain by examining various aspects such as vendor policy, separate authentication systems, multi-factor authentication (MFA), monitoring of third-party activities, and periodic access reviews. It aims to identify gaps in the governance framework that could lead to potential vulnerabilities or risks associated with third-party interactions.

What It Detects:

  • Vendor Policy: The presence of a documented policy outlining third-party access practices.
  • Separate Vendor Authentication System: Existence of distinct authentication mechanisms for vendors compared to internal systems.
  • Multi-Factor Authentication (MFA): Enforcement of MFA for vendor interactions, enhancing security.
  • Third-Party Activity Monitoring: Continuous monitoring and logging of activities involving third parties.
  • Periodic Access Reviews: Regular reviews of access permissions for third-party entities to ensure appropriate levels of access are maintained.

Inputs Required:

  • Domain: The target domain whose third-party access governance is being assessed.

Business Impact: Identifying and addressing gaps in third-party access governance is crucial as it directly impacts the security posture of an organization, potentially exposing sensitive data or systems to unauthorized access. Effective governance can mitigate risks associated with vendor dependencies and enhance overall cybersecurity resilience.

Risk Levels:

  • Critical: A critical finding occurs when there are no provisions for a third-party access policy, leading to significant exposure without any mitigation strategies in place.
  • High: High severity findings include the absence of separate authentication systems or MFA requirements, which can lead to unauthorized access and substantial risk if not addressed promptly.
  • Medium: Medium severity findings pertain to deficiencies such as incomplete periodic access reviews or lack of ongoing vendor risk monitoring, which may still pose significant risks but are less severe than critical issues.
  • Low: Low severity findings indicate the presence of some governance elements but with notable gaps that could be improved without immediate threat to security infrastructure.
  • Info: Informational findings highlight areas where improvements can be made in a non-critical manner, providing opportunities for enhanced security practices.

Example Findings:

  1. The domain lacks any documented third-party access policy, which is highly critical as it leaves the organization vulnerable to significant risks without any mitigation strategies in place.
  2. There are no separate authentication mechanisms for vendors compared to internal systems, posing a high risk of unauthorized access and potential data breaches due to shared credentials.

Purpose: This scanner analyzes privileged access security for a given domain by examining various indicators such as presence of a PAM solution, credential vaulting, session monitoring, just-in-time access, and enforcement of MFA. It evaluates the effectiveness of these controls to determine the overall level of vulnerability and risk associated with privileged access on the target system.

What It Detects:

  • Presence of Privileged Access Management (PAM) Solution: Identifies whether a domain has implemented tools or software that manage and monitor privileged user activities.
  • Privileged Credential Vaulting: Checks for mechanisms that securely store and manage sensitive credentials used by privileged users.
  • Privileged Session Monitoring: Evaluates the presence of systems that track and log sessions initiated by privileged accounts to detect potential misuse.
  • Just-in-Time Access Implementation: Assesses whether there are controls in place to grant or deny access on a just-in-time basis, enhancing security posture against threats.
  • Enforcement of Multi-Factor Authentication (MFA) for Privileged Accounts: Verifies that MFA is enforced for privileged accounts to prevent unauthorized access even if credentials are compromised.

Inputs Required:

  • Domain: The target domain whose privileged access security needs to be assessed. This input allows the scanner to fetch relevant information from the specified website and analyze its configuration regarding privileged user management.

Business Impact: The security of privileged accounts is critical as they possess elevated permissions that can significantly impact an organization’s operations, financial stability, and reputation. Weaknesses in privileged access controls can lead to unauthorized activities, data breaches, and other significant risks. Therefore, ensuring robust privileged access security is essential for maintaining a secure digital environment.

Risk Levels:

  • Critical: The system lacks any form of PAM solution, making it extremely vulnerable to internal threats and potential catastrophic consequences such as theft of sensitive information or financial loss.
  • High: There are significant gaps in the implementation of privileged access security measures like credential vaulting and session monitoring. This could lead to unauthorized access and substantial risks associated with data integrity and availability.
  • Medium: Partial compliance with some PAM features, indicating a moderate level of vulnerability but still posing potential threats if not mitigated promptly.
  • Low: Most or all required privileged access security controls are in place, demonstrating a low risk profile for the organization’s operations.
  • Info: The scanner did not identify any significant gaps in privileged access security measures; however, continuous monitoring and improvement of these controls are recommended to maintain optimal security posture.

Example Findings:

  1. A domain does not disclose any information about its PAM solution or credential vaulting mechanisms, indicating a high risk profile due to the lack of transparency and control over sensitive activities.
  2. The implementation of MFA for privileged accounts is only partially enforced, which could be considered medium-risk as it leaves room for unauthorized access if the single remaining authentication factor is compromised.


Purpose: The Access Recovery Processes Scanner is designed to evaluate and identify weaknesses in an organization’s account recovery mechanisms. This includes analyzing password reset flows, access restoration procedures, and any vulnerabilities that could be exploited through social engineering, insufficient verification, or automated techniques. The primary objective of this scanner is to detect and report potential security issues within these processes, which can serve as entry points for attackers to bypass authentication and gain unauthorized access to sensitive information.

What It Detects:

  • Password Reset Flow Analysis: This includes testing the discovery of password reset endpoints, checking for exposure of reset tokens in URLs, verifying expiration times of reset links, detecting weak token generation patterns, and flagging reset links without adequate rate limiting.
  • Email-Based Recovery Validation: This involves assessing email verification requirements, secondary email validation, notification mechanisms for email changes, and the detection of instant email change followed by password reset chains.
  • Security Question Assessment: This includes testing for enumeration of security questions, checking for complexity requirements, verifying answer case sensitivity and validation, and detecting guessable answers to commonly asked questions.
  • SMS/Phone Recovery Analysis: This involves evaluating SMS verification requirements, SIM swap detection mechanisms, notification processes for phone number changes, and the identification of instant number change followed by SMS recovery.
  • Support-Based Recovery: This includes testing the ability to recover an account through a support portal, checking for identity verification requirements, verifying documentation needed for recovery, and detecting susceptibility to social engineering tactics.
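The password reset flow properties listed above (token strength, expiry, rate of reuse) from the defender's side, as an added example that is not part of the scanner or the page: a reset-token store that issues CSPRNG tokens, keeps only their digest, expires them and makes them single-use, plus the kind of entropy heuristic a scanner can apply to a token it observes. The 15-minute TTL, the 128-bit threshold and the class shape are assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(minutes=15)  # assumption: reset links expire after 15 minutes


class ResetTokenStore:
    """Issues and verifies password-reset tokens: random (CSPRNG), stored only as a
    SHA-256 digest so a database leak yields no usable links, expiring, and single-use."""

    def __init__(self, now=None):
        # Injectable clock so expiry behaviour can be tested deterministically.
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._records = {}  # token digest -> (user, expires_at)

    def issue(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits of OS randomness
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._records[digest] = (user, self._now() + TOKEN_TTL)
        return token  # deliver by e-mail; never write it to logs or expose it to Referer leakage

    def redeem(self, user, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._records.pop(digest, None)  # pop = single use, whatever the outcome
        if record is None:
            return False
        owner, expires_at = record
        if self._now() > expires_at:
            return False
        return hmac.compare_digest(owner.encode(), user.encode())


def min_entropy_bits(token):
    """Heuristic a scanner can apply to an observed reset token: its length times log2 of
    the smallest common alphabet that covers it. Values well below 128 bits are weak."""
    if token.isdigit():
        alphabet = 10
    elif all(c in string.hexdigits for c in token):
        alphabet = 16
    elif token.isalnum():
        alphabet = 62
    else:
        alphabet = 64
    return len(token) * math.log2(alphabet)
```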

Inputs Required:

  • domain (string): The primary domain under analysis, which serves as the entry point for all scanning processes. This parameter is essential for directing the scanner towards the correct target and retrieving relevant data from its endpoints.

Business Impact: Weak recovery processes pose significant risks to an organization’s security posture by providing avenues for unauthorized access through social engineering attacks or automated exploitation techniques. These vulnerabilities can lead to substantial financial losses, reputational damage, and compliance issues if not mitigated promptly.

Risk Levels:

  • Critical: The scanner identifies multiple critical vulnerabilities across several key areas of the recovery process, indicating a severe lack of security controls that could be easily exploited by malicious actors.
  • High: The scanner detects high numbers of vulnerabilities in specific sections such as password reset or email validation, suggesting significant weaknesses that require urgent attention to prevent potential breaches.
  • Medium: There are notable issues within the recovery process but not enough to warrant a critical risk level. These findings indicate areas where improvements could be made without imminent threats to security.
  • Low: The scanner finds minimal vulnerabilities indicating a generally well-protected system, with most risks being negligible or manageable through standard security practices.
  • Info: Informational findings that do not directly impact the security posture but provide insights for continuous improvement and best practice adherence.

Example Findings:

  • “Critical vulnerability found in password reset endpoint: lack of HTTPS protocol usage, exposing sensitive data to man-in-the-middle attacks.”
  • “High risk identified: email verification process is bypassed through phishing links, leading to unauthorized access via compromised accounts.”
  • “Medium severity issue detected: security questions can be easily guessed due to predictable patterns used across multiple accounts.”
