Threats Against Access Control

Access control is probably one of the most targeted security mechanisms. After all, its job is to keep out unauthorized individuals. Attackers can use a variety of tools and techniques to try to bypass or subvert access control.

Password Attacks

Think your passwords are secure? A European Infosec conference performed an impromptu survey and discovered that 74% of those surveyed would trade their passwords for a chocolate bar. Now, the results of this survey might not meet strict scientific standards, but this does prove a valuable point: Many individuals don't practice good password security. Attackers are well aware of this and use the information to launch common password attacks. Attackers typically use one of two methods to crack passwords: a dictionary crack or a brute-force crack.

Dictionary Crack

A dictionary crack uses a predefined dictionary to look for a match between the encrypted password and the encrypted dictionary word. Many dictionary files are available, ranging from Klingon to popular movies, sports, and the NFL.

Many times, these cracks can be performed in just a few minutes because individuals tend to use easily remembered passwords. If passwords are well-known, dictionary-based words, dictionary tools will crack them quickly.

Just how do cracking programs recover passwords? Passwords are commonly stored in a hashed format, so most password-cracking programs use a technique called comparative analysis. Each potential password found in a dictionary list is hashed and compared to the encrypted password. If a match is obtained, the password has been discovered. If not, the program continues to the next word, computes its hashed value, and compares that to the hashed password. These programs are comparatively smart because they can manipulate a word and use its variations. For example, take the word password. It would be processed as Password, password, PASSWORD, PassWord, PaSSword, and so on. These programs tackle all common permutations of a word. They also add common prefixes, suffixes, and extended characters to try to crack the password. This is called a hybrid attack. Using the previous example, these attempts would look like 123password, abcpassword, drowssap, p@ssword, pa44w0rd, and so on. These various approaches increase the odds of successfully cracking an ordinary word or any common variation of it.

Brute-Force Crack

The brute-force attack is a type of encrypted password assault and can take hours, days, months, or years, depending on the complexity of the password and the key combinations used. This type of crack depends on the speed of the CPU's power because the attacker attempts every combination of letters, numbers, and characters.

An alternative to traditional brute-force password cracking is to use a rainbow table. Whereas traditional brute-force password cracking tries one combination at a time, the rainbow table technique precomputes all possible passwords in advance. This is considered a time/memory trade-off technique. When this time-consuming process is complete, the passwords and their corresponding encrypted values are stored in a file called the rainbow table. An encrypted password can be quickly compared to the values stored in the table and cracked within a few seconds.

Emanation Security

Attackers can find other ways to break in besides cracking passwords. They might try to sniff the stray electrical signals that emanate from electronic devices. This might sound like science fiction, but the U.S. government was concerned enough about the possibility of this type of attack that it started a program to study it. The program eventually became a standard known as TEMPEST.

TEMPEST is somewhat dated; newer technologies such as white noise and control zones are now used to control emanation security. White noise uses special devices that send out a stream of frequencies that make it impossible for an attacker to distinguish the real information. Control zones are the practice of designing facilities, walls, floors, and ceilings to block electrical signals from leaving the zone.

A CISSP candidate is expected to know the technologies and techniques implemented to prevent intruders from capturing and decoding information emanated through the airwaves. TEMPEST, white noise, and control zones are the three primary controls.

Denial of Service/Distributed Denial of Service (DoS/DDoS)

Denial-of-service (DoS) attacks consume resources to the point that legitimate access is not possible. Distributed DoS (DDoS) attacks work in much the same way, except that they are launched from many more devices and add a layer between the attacker and the victim. Following are DoS/DDoS attacks:

• Ping of death Employs an oversize IP packet.
• Smurf Sends a message to the broadcast of a subnet or network so that every node on the network produces one or more response packets.
• Syn flood Takes advantage of the maximum number of connection requests that a host can handle at one time. When all possible connections are consumed, no one can access the server for legitimate purposes.
• Trinoo A DDoS tool capable of launching User Datagram Protocol (UDP) flood attacks from various channels on a network.