Account enumeration is a common vulnerability that allows an attacker who has acquired a list of valid usernames, IDs, or email addresses to verify whether or not a user exists in a system. User privacy alone is a good reason to remediate this issue, but hackers can use this information to craft phishing or spear-phishing attacks or to help brute-force their way into your network.
In this video, I explain a little about account enumeration vulnerabilities, why it is important to protect against them as well as discuss the three most common types of account enumeration we find during Raxis penetration tests.
As the video demonstrates, the best defense against account enumeration is consistency. Make sure your login and password reset responses are the same so you don’t inadvertently provide valuable information to a malicious actor. The same goes for timing: Make sure there is no difference between valid and invalid log-in attempts.
Raxis is ready to help make sure you are as secure as possible. We will treat your network just like a hacker — only better — because we won’t actually cause any harm, and we’ll tell you where the cracks are and show you how to fix them.
If you’re ready for our team to put your system to the test, contact us today.