Page 1057 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

processing timings to gain information based on how much time different computations require. Fault analysis attacks attempt to cause faults, such as by providing too little power to the card, to glean valuable information.


Summary of Protection Methods

The following list summarizes many security precautions that protect against access control attacks. However, it's important to realize that this isn't a comprehensive list of protections against all types of attacks. You'll find additional controls that help prevent attacks covered throughout this book.

Control physical access to systems. An old saying related to security is that if an attacker has unrestricted physical access to a computer, the attacker owns it. If attackers can gain physical access to an authentication server, they can steal the password file in a very short time. Once attackers have the password file, they can crack the passwords offline. If attackers successfully download a password file, all passwords should be considered compromised.

Control electronic access to files. Tightly control and monitor electronic access to all important data including files containing passwords. End users and those who are not account administrators have no need to access a password database file for daily work tasks. Security professionals should investigate any unauthorized access to password database files immediately.
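The monitoring the paragraph above calls for can be automated. The following is an added example, not code from the study guide: it scans a constructed, simplified audit-log format (the `user=... action=... path=... result=...` layout, the `AUTHORIZED_ACCOUNTS` set and the sample lines are all assumptions made for this illustration) and raises an alert whenever an account outside the authorized set touches a password database file. A successful read or copy is rated higher than a denied attempt, because once the hashes leave the system they can be cracked offline, which is exactly why the book says every password should then be treated as compromised.

```python
import re
from dataclasses import dataclass

# Constructed, simplified audit-log line format (not any real tool's output):
#   <ISO timestamp> user=<account> action=<read|write|copy> path=<file> result=<success|denied>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+"
    r"path=(?P<path>\S+)\s+result=(?P<result>success|denied)$"
)

# Files that hold password hashes. /etc/shadow is the standard Linux location and
# the SAM hive is the Windows equivalent; the set is illustrative, extend it per platform.
SENSITIVE_FILES = {"/etc/shadow", "C:\\Windows\\System32\\config\\SAM"}

# Assumed accounts that legitimately access these files (e.g. backup or account
# administration service accounts). In practice this comes from your IAM data.
AUTHORIZED_ACCOUNTS = {"root", "svc-backup"}


@dataclass
class Alert:
    timestamp: str
    user: str
    path: str
    action: str
    severity: str  # "high" if the access succeeded, "medium" if it was denied


def detect_password_file_access(log_lines, authorized=AUTHORIZED_ACCOUNTS):
    """Return an Alert for every access to a password database file by an unauthorized account."""
    alerts = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line; skip it
        if m["path"] not in SENSITIVE_FILES or m["user"] in authorized:
            continue
        # Even a denied attempt is worth investigating: end users have no
        # business touching the password database during daily work.
        severity = "high" if m["result"] == "success" else "medium"
        alerts.append(Alert(m["ts"], m["user"], m["path"], m["action"], severity))
    return alerts


def accounts_to_investigate(alerts):
    """Map each flagged account to the most severe outcome seen for it."""
    rank = {"medium": 1, "high": 2}
    worst = {}
    for a in alerts:
        if rank[a.severity] > rank.get(worst.get(a.user, "medium"), 0):
            worst[a.user] = a.severity
    return worst


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "2024-05-01T10:15:02Z user=root action=read path=/etc/shadow result=success",
    "2024-05-01T10:16:40Z user=alice action=read path=/etc/passwd result=success",
    "2024-05-01T10:17:05Z user=bob action=read path=/etc/shadow result=denied",
    "2024-05-01T10:17:09Z user=bob action=copy path=/etc/shadow result=success",
    "2024-05-01T10:18:00Z user=carol action=read path=C:\\Windows\\System32\\config\\SAM result=success",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in detect_password_file_access(SAMPLE_LOG):
        print(alert)
    print(accounts_to_investigate(detect_password_file_access(SAMPLE_LOG)))
```

On the sample data, root's read of /etc/shadow and alice's read of the world-readable /etc/passwd produce nothing, while bob (a denied read followed by a successful copy) and carol (a successful read of the SAM hive) are flagged; both should be treated as incidents, and bob's successful copy means the Linux hashes are now subject to offline cracking.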

Create a strong password policy. A password policy programmatically enforces the use of strong passwords and ensures that users regularly change their passwords. Attackers require more time to crack a longer password using multiple character types. Given enough time, attackers can discover any password in an offline brute-force attack, so changing passwords regularly is required to maintain security. More secure or sensitive environments require even stronger passwords, and require users to change their passwords more frequently. Many organizations implement separate password policies for privileged accounts such as administrator accounts to ensure that they have stronger passwords and that administrators change the
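The following is an added example, not code from the study guide, that turns the password policy described above into something programmatically enforceable: a minimum length, a minimum number of character classes, and a maximum password age, with a separate and stricter policy for privileged accounts. The two policies (`USER_POLICY`, `ADMIN_POLICY`) and their numbers are assumptions chosen for illustration, not values the book prescribes. The `keyspace` helper makes the book's point about length and character types concrete: it computes how many candidates an exhaustive offline search would have to try, which grows exponentially with length and with the size of the alphabet.

```python
import string
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    min_char_classes: int  # how many of lower/upper/digit/symbol must appear
    max_age_days: int      # password must be changed at least this often


# Assumed policies: privileged accounts get the stricter one, as the text describes.
USER_POLICY = PasswordPolicy(min_length=12, min_char_classes=3, max_age_days=90)
ADMIN_POLICY = PasswordPolicy(min_length=16, min_char_classes=4, max_age_days=30)

CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def char_classes_used(password):
    """Names of the character classes that appear at least once in the password."""
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in password)}


def violations(password, policy):
    """List of policy rules the password breaks; empty means it is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} < {policy.min_length}")
    used = char_classes_used(password)
    if len(used) < policy.min_char_classes:
        problems.append(f"{len(used)} character classes < {policy.min_char_classes}")
    return problems


def is_expired(last_changed, policy, today):
    """True when the password is older than the policy's maximum age."""
    return today - last_changed > timedelta(days=policy.max_age_days)


def keyspace(length, classes_used):
    """Number of candidates in an exhaustive search over the smallest alphabet
    containing the given classes, at the given length."""
    alphabet = sum(len(CHAR_CLASSES[c]) for c in classes_used)
    return alphabet ** length


def worst_case_crack_days(password, guesses_per_second):
    """Days to exhaust the keyspace for a password of this length and character mix.
    This is the brute-force upper bound the text refers to; dictionary and rule-based
    attacks find weak passwords far faster, so treat it as a ceiling, not a guarantee."""
    space = keyspace(len(password), char_classes_used(password))
    return space / guesses_per_second / 86400


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    print(violations("password", USER_POLICY))
    print(violations("Tr0ub4dor&3Xyz!!", ADMIN_POLICY))
    print(is_expired(date(2024, 1, 1), USER_POLICY, date(2024, 4, 1)))
    rate = 1e9  # assumed offline guess rate for a fast hash, illustrative only
    for pw in ("abcdefgh", "Ab1Ab1Ab1Ab1", "Tr0ub4dor&3Xyz!!"):
        print(pw, len(pw), sorted(char_classes_used(pw)), f"{worst_case_crack_days(pw, rate):.3g} days")
```

The age check is what makes "change passwords regularly" enforceable rather than advisory, and the separate `ADMIN_POLICY` shows the pattern of a stricter policy for privileged accounts. The crack-time estimate is deliberately a ceiling: it tells you how much the search space grows when you add length and character classes, not how long a real attacker using wordlists will need.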