Chapter 2: Access Control Attacks and Monitoring

Question 1

What is a risk?

Answer 1

A risk is the possiblity or likelihood that a threat will exploit a vulnerability resulting in a loss such as harm to an asset.

Question 2

What is a threat?

Answer 2

A threat is a potential occurrence that can be caused by anything or anyone and can result in an undesirable outcome.

Question 3

What is a vulnerability?

Answer 3

Any type of weakness.

Question 4

What is threat modeling?

Answer 4

The process of identifying, understanding, and categorizing potential threats. Threat modeling should begin early in the design process of a system and continue through its life cycle.

Question 5

What is SD3+C, and what are its goals?

Answer 5

A motto which states: “Secure by Design, Secure by Default, Secure in Deployment and Communication”.

Its goals are:

1. To reduce the number of security-related design and coding defects.
2. To reduce the severity of any remaining defects.

Question 6

What are the approaches to threat modeling?

Answer 6

1. Focused on assets
2. Focused on attackers
3. Focused on software

Question 7

What is vulnerability analysis?

Answer 7

Attempting to discover weaknesses in systems against potential threats. It’s an ongoing process including both technical and administrative steps.

Question 8

What is a dictionary attack?

Answer 8

A dictionary attack is an attempt to discover passwords by using every possible word in a predefined databas.

Question 9

What is a one-upped constructed password?

Answer 9

A password in which a single character differs from its original form. password -> password1, for example.

Question 10

What is a brute force attack? A hybrid attack?

Answer 10

A brute force attack attempts to discover passwords by trying all possible combinations. A hybrid attack attempts a dictionary attack first, then moves on to brute forcing.

Question 11

What is a rainbow table?

Answer 11

A large database of precomputed hashes for guessed passwords.

Question 12

How do you combat rainbow tables?

Answer 12

Use salt.

Question 13

What is salt?

Answer 13

Additional random bits added to a password before hashing it. This can dramatically increase the size needed for rainbow tables.

Question 14

What are the methods to prevent access control attacks?

Answer 14

1. Control physical access to systems
2. Control electronic access to password files
3. Encrypt password files
4. Create a strong password policy.
5. Use password masking
6. Deploy multifactor authentication
7. Use account lockout controls
8. Use last logon notification
9. Educate users about security
10. Audit access controls
11. Actively manage accounts
12. Use vulnerability scanners

Question 15

What are access review audits for?

Answer 15

Checking that users do not have excessive privilieges and that accounts are managed appropriately.

Question 16

What are user entitlement audits?

Answer 16

Discovering when users have been granted excessive privileges or otherwise violate security policies related to user entitlement.

Question 17

What are dual administrator accounts?

Answer 17

Requiring administrators to have two accounts, one privileged and one not. The non-priv account is used for day to day activities, basically anything that doesn’t require privilege. This can mitigate the harm from attacks.