Wednesday, September 10, 2014
Chapter 3: Access Control - Threats to Access Control
There is more risk from attacks originating within the organization than from outside it. A dictionary attack is designed to steal passwords, which is one reason all passwords should be encrypted and never stored in clear text. A brute force attack is one where an attacker tries many different inputs until one reaches the goal. A successful countermeasure for these types of attacks is an IDS that scans for this kind of malicious activity. Spoofing is another technique used by attackers, in which the attacker presents a fake logon screen to a user in order to capture the user's information. Attackers use phishing to lure users into clicking links that direct them to dangerous websites; email is the tool most often used for phishing. One way to help prevent attacks is threat modeling, which tries to uncover who might want to attack the organization and how they might do it: instead of trying to fix access control piecemeal, the organization looks for the ways its current controls could be attacked. There are two types of identity theft: true-name theft, where thieves use someone else's personal information to open new accounts, and account takeover, where they use obtained information to gain access to the victim's existing accounts.
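As an added example (not from the original post), here is the kind of check an IDS rule for dictionary and brute force attacks performs: counting failed logons per source address in a sliding window over auth log lines. The log format, sample lines, threshold and window are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not real data).
SAMPLE_LOG = """\
2014-09-10T08:00:01 sshd: Failed password for alice from 203.0.113.5
2014-09-10T08:00:03 sshd: Failed password for alice from 203.0.113.5
2014-09-10T08:00:04 sshd: Failed password for admin from 203.0.113.5
2014-09-10T08:00:06 sshd: Failed password for root from 203.0.113.5
2014-09-10T08:00:07 sshd: Failed password for bob from 203.0.113.5
2014-09-10T08:00:09 sshd: Failed password for bob from 203.0.113.5
2014-09-10T08:00:30 sshd: Accepted password for bob from 198.51.100.7
2014-09-10T08:05:00 sshd: Failed password for carol from 198.51.100.7
2014-09-10T08:20:00 sshd: Failed password for carol from 198.51.100.7
"""

# Assumed log line shape: "<iso-timestamp> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_line(line):
    """Return (timestamp, outcome, user, source_ip) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.fromisoformat(ts), outcome, user, src


def detect_brute_force(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag each source that produces >= threshold failed logons within the sliding window.

    Returns {source_ip: (first_failure_in_window, failures_in_window, distinct_users_tried)}.
    Only the first time a source crosses the threshold is recorded, so one alert per source.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # source_ip -> usernames seen in its failed attempts so far
    alerts = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        if outcome != "Failed":
            continue                      # successful logons are not counted against the source
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while q and ts - q[0] > window:   # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (q[0], len(q), len(users[src]))
    return alerts
```

Many distinct usernames from one source in a short window (as in the flagged sample source) is the signature of a dictionary or password-spraying attempt rather than a single user mistyping a password.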