CISSP Prep: Mitigating access control attacks

January 31, 2019 by

This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.

What access control attacks should I know for the CISSP exam?

Access control secures system resources and data from unauthorized access by specifying the appropriate level of authorization for each user. It is implemented through robust physical, administrative and technical measures. These measures also aim to prevent unauthorized disclosure and alteration of information and to maintain consistent availability.

Access control attacks typically circumvent or bypass access control mechanisms to steal data or user credentials. With stolen credentials, adversaries can bypass access control outright by logging in as the authorized user and accessing his or her resources. Attackers then attempt to modify system information so that it is no longer accurate.

The following are the most common access control attacks that you will be asked about on the CISSP certification exam.

Access aggregation attacks

An access aggregation attack is carried out by collecting several pieces of nonsensitive information and drawing conclusions from them to derive sensitive information. In simple words, adversaries gather multiple facts about a system and study them to mount an attack. A reconnaissance attack is an example: it involves attackers combining several tools to identify different elements of a target system, such as the operating system, IP address, open ports and more.

You should be concerned about the following access aggregation attacks.

Password attack

Passwords are the weakest link in authentication. Password attacks attempt to compromise a user, administrator or root password. At the user level, the attacker gains access to the individual account and the resources associated with it. At the administrator or root level, the attacker can access any account and its authorized resources, and could also create backdoors for use at a later date. An enterprise may need to rebuild the entire system if it falls victim to a password attack. Strong passwords are the key to securing the system against such attacks. A strong password includes 8-15 characters with a combination of different character types (lowercase letters, uppercase letters, special characters and numbers).

Dictionary attack

These attacks rely on a dictionary file (in its fixed state) that a program scans to discover a “match” with an entered password. Comparative analysis is the method commonly used by password-cracking programs: they hash the common words and word variations in the dictionary file, compare each result to the stored password hash and recover the password if a match is found. Therefore, if a password includes dictionary-based words, it can be cracked quickly. All types of authentication except PAP are vulnerable to a dictionary attack. A dictionary attack was used to hack the Twitter accounts of celebrities in 2009. Again, combining different character types is the key to safeguarding your network and systems.

Brute-force attack

This attack systematically tries all password combinations, including symbols, letters and numbers. Attackers use sophisticated tools that attempt these combinations and look for a candidate whose “hash value” matches the entry stored in the system’s account file. The adversary does not need to find the real password; any other input with the same hash gets the job done. For instance, the stored hash value for the password “INFOSEC1” might be 68FAC1 in hexadecimal. The brute-force tool hashes each candidate and performs a comparative analysis to see if there is a matching hash value; if a match is found, the password is cracked. Complex and long passwords are the solution for making a brute-force attack time-consuming and unattractive to carry out.
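The two points above, that a strong password mixes character types and that length and complexity blow up the brute-force search space, can be put in numbers. This is an added example, not code from the article; it assumes the article's rule means 8-15 characters drawn from all four character classes, and the guess rate of 10^10 per second is a constructed figure for illustration.

```python
import string

# Character classes named in the article's strong-password rule.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26 characters
    "upper": set(string.ascii_uppercase),   # 26 characters
    "digit": set(string.digits),            # 10 characters
    "special": set(string.punctuation),     # 32 characters
}


def classes_used(password):
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password, min_len=8, max_len=15):
    """The article's rule, assumed here to mean 8-15 characters using all four classes."""
    return min_len <= len(password) <= max_len and classes_used(password) == set(CLASSES)


def keyspace(password):
    """Candidates a brute-force tool must try when it knows only the length and the
    classes in use: alphabet_size ** length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case time to try every candidate at an assumed (constructed) guess rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # "INFOSEC1" is the article's sample; the second password is constructed here.
    for pw in ("INFOSEC1", "Inf0$ec-Pr3p!"):
        print(pw, sorted(classes_used(pw)), meets_policy(pw),
              f"{keyspace(pw):.3e} candidates", f"{years_to_exhaust(pw):.3g} years")
```

The 8-character, two-class sample is exhausted in minutes at the assumed rate, while the 13-character, four-class password takes on the order of a hundred million years.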

Birthday attack

If two passwords produce the same hash value, a “collision” occurs. A birthday attack, based on a statistical result known as the birthday paradox, attempts to find a collision. The paradox states that in a room of 23 people, there is a 50 percent chance that two of them share a birthday. Ignoring February 29th, there are 365 days in a year, yet a match does not require 366 people in the room. Likewise, two passwords can share a hash, and a cyber criminal with a sample of 23 hashes has a 50 percent chance of discovering them. Seeing all hashes is not necessary to discover a match. Birthday attacks can be prevented by implementing hashing algorithms with enough bits to make collision discovery infeasible. Long and complex passwords also help.
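The birthday calculation itself, carried through for both the 23-people case and a hash digest, as an added example that is not part of the article. It generalizes the paragraph's point: the samples needed for a 50 percent collision chance grow with the square root of the output space, so a digest of b bits costs roughly 2^(b/2) work to collide, which is what "enough bits" buys you.

```python
import math


def collision_probability(samples, space):
    """Exact probability that at least two of `samples` values drawn uniformly
    from `space` possibilities coincide (the birthday-paradox calculation)."""
    if samples > space:
        return 1.0
    p_no_collision = 1.0
    for i in range(samples):
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision


def samples_for_probability(prob, space):
    """Approximate sample count needed to reach collision probability `prob`,
    using the standard estimate n ~ sqrt(2 * space * ln(1 / (1 - prob)))."""
    return math.sqrt(2 * space * math.log(1 / (1 - prob)))


def collision_work_bits(hash_bits):
    """log2 of the samples needed for a 50 percent collision chance against a
    hash of `hash_bits` bits: about half the digest length."""
    return math.log2(samples_for_probability(0.5, 2 ** hash_bits))


if __name__ == "__main__":
    print(f"23 people, 365 days: {collision_probability(23, 365):.3f}")
    print(f"32-bit hash, 77163 samples: {collision_probability(77163, 2 ** 32):.3f}")
    for bits in (32, 128, 256):
        print(f"{bits}-bit hash: ~2^{collision_work_bits(bits):.1f} samples for a 50% collision")
```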

Sniffer attack

Also known as eavesdropping, a sniffer attack takes place when an attacker uses a sniffer (also called a protocol analyzer or packet analyzer) to capture traffic traveling over a network. The tool can capture and read any information sent in cleartext over the network, such as passwords. An example of a sniffing tool is Wireshark; it can collect the contents of a document opened on one system and sent over the network. Data encryption is the most effective safety measure, as sniffers cannot analyze encrypted data. Intrusion detection systems can also raise sniffing alerts so you know when a sniffer is capturing data.

Spoofing attacks: What are they?

A spoofing attack imitates a trusted user, fooling the system into accepting the imposter as the genuine entity, either to alter information or to lure the system into sending data to the attacker’s malicious servers. Breaches like these can have dire consequences because a trusted entity may be central to several networked systems. IP spoofing is one example: attackers replace a valid IP address with a forged one to impersonate a genuine system or to hide their identity.

The following are the most common types of spoofing attacks executed by adversaries to attack access control.

Email spoofing attack

The sender’s address in the From field is spoofed so that an email sent from a malicious source appears to come from someone else. Phishing attacks often include email spoofing to make users think they are receiving the email from a legitimate sender. A different address can be placed in the Reply-To field, and it is usually not visible until the recipient replies. Earlier in the year, Indian businessmen lost a hefty sum of money to adversaries who carried out email spoofing attacks. To safeguard against email spoofing, recipients should trace sender IP addresses, read message headers and avoid clicking on unfamiliar attachments or links.
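Reading the headers, as the paragraph advises, can be automated. This added example (not from the article) parses a constructed message with Python's standard email library and flags the pattern described above: a Reply-To address whose domain differs from the From address. It also checks the Return-Path envelope sender and, going beyond the article, any SPF/DKIM/DMARC failure a receiving server recorded in an Authentication-Results header. All addresses and domains in the sample are made up.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the article): a plausible From address
# paired with an unrelated Reply-To, which the recipient only sees on replying.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net
From: "Accounts Payable" <finance@example.com>
Reply-To: finance-desk@example-invoices.net
To: employee@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""


def domain_of(header_value):
    """Domain part of an address header such as From, Reply-To or Return-Path."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw_message):
    """Return the header inconsistencies that suggest a spoofed sender."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    findings = []
    # The article's point: Reply-To may differ from From and is hidden until you reply.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Return-Path is the envelope sender; a mismatch means bounces go somewhere else.
    return_domain = domain_of(msg.get("Return-Path"))
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")
    # Beyond the article: the receiving server's SPF/DKIM/DMARC verdict, if recorded.
    auth = (msg.get("Authentication-Results") or "").lower()
    failed = [m for m in ("spf", "dkim", "dmarc") if f"{m}=fail" in auth]
    if failed:
        findings.append("Authentication-Results reports failed checks: " + ", ".join(failed))
    return findings


if __name__ == "__main__":
    for finding in spoofing_indicators(SAMPLE):
        print("WARNING:", finding)
```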

Phone spoofing attack

To conduct phone spoofing, an attacker changes the caller ID number to a different one. Caller ID is transmitted in binary form using a technique known as Frequency Shift Keying, and the spoofer transmits a substitute number in place of the actual one. Simple offerings such as Spoofcard can also be used to spoof caller IDs. Phone spoofing is often used to breach voicemail boxes, which don’t need a password if the caller has the phone number associated with them. To protect yourself, ask the caller to hold and dial the displayed number. If you find the number busy, then it is probably the real caller. In any case, avoid giving financial details such as credit card numbers over the phone.

Social engineering attack

This attack uses manipulation and deception to collect confidential data. Attackers rely on human interaction to trick victims into breaking security procedures. The usual goal is to gain access to a physical facility or the IT infrastructure. Social engineering attacks can happen via email, over the phone and even in person. Attackers take advantage of the fact that employees often neglect the safety of the information they possess and fail to realize its importance. Social engineering awareness training is the solution to combating these attacks. For instance, employees should be informed that any phone call or email pressuring them to reveal official information is likely suspect.

Phishing attack

This is a type of social engineering attack that lures users into revealing sensitive information by clicking a malicious link or opening an attachment. By posing as a legitimate company, attackers try to obtain personally identifiable details such as credit card numbers and passwords. In other instances, they get the user to download attachments that install malware through drive-by downloads. Attackers have used phishing attacks to target think tanks after the US election. Social engineering awareness training for employees is important to safeguard your systems against such attacks.

Spearphishing attack

This is a type of phishing attack that targets a specific group of individuals. A spearphishing attack can originate from an external source or from a co-worker within the company. The usual approach is to send an email message to selected addresses at a particular organization. A real-world instance of spearphishing occurred at the U.S. Department of Energy, where a scientist named Charles Eccleston sent malicious emails to people employed in sensitive positions. Inbound email sandboxing (a measure that checks the safety of the links inside an email) and monitoring of employee behavior can help prevent phishing attacks.

To conclude, access control is a core part of the CISSP certification. This article has explained the most common access control attacks and how they can be mitigated; count that information as an asset in your preparation for the CISSP exam.