Page 1063 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
passwords is used in a dictionary attack. Account lockout controls
               limit their effectiveness against online attacks but do nothing
               against offline attacks on password hashes the attacker has already
               captured.

               Understand the need for strong passwords. Strong passwords
               make password-cracking utilities less successful. Strong passwords
               are long, include multiple character types, and are not words
               contained in a dictionary. Password policies ensure that users create
               strong passwords. Passwords should be stored as salted hashes rather
               than in cleartext or with reversible encryption, and they should be
               encrypted when sent over a network. Authentication can be
               strengthened by using an additional factor beyond just passwords.
               Understand how salt and pepper thwart password attacks.
               A salt adds random bits to a password before hashing it, so two
               users with the same password produce different hashes; this helps
               thwart rainbow table attacks, because a precomputed table of hashes
               for bare passwords no longer matches. Some algorithms, such as bcrypt
               and Password-Based Key Derivation Function 2 (PBKDF2), add the salt
               and repeat the hashing function many times to slow down guessing.
               Salts are not secret and are stored in the same database as the
               hashed password. A pepper is a large secret constant that is also
               mixed into the hash to further increase its security, and it is
               stored somewhere outside the database holding the hashed passwords,
               so that stealing the database alone does not give the attacker
               everything needed to verify guesses.
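
The following is an added example, not code from the study guide, covering both the strong-password paragraph and the salt and pepper paragraph above. It stores a PBKDF2-HMAC-SHA256 hash with a random per-user salt, applies a server-side pepper that the database never holds, and then runs an offline dictionary attack against the stored record with and without knowledge of the pepper. The names (hash_password, verify_password, dictionary_attack, is_strong_password), the PEPPER and ITERATIONS values, the MIN_LENGTH policy value and the sample word list are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not the study guide's code. PBKDF2-HMAC-SHA256 with a random
# per-user salt stored beside the hash, plus a server-side pepper kept out of
# the database. Names, values and the word list are constructed for illustration.

# Assumption: in a real deployment this is loaded from a secrets manager or the
# application server's environment, never from the table holding the hashes.
PEPPER = b"example-pepper-loaded-from-outside-the-db"
ITERATIONS = 100_000          # work factor; production tuning is a separate decision
MIN_LENGTH = 12               # assumed policy value used by is_strong_password

# Constructed word list standing in for a cracking dictionary.
SAMPLE_WORDLIST = ["password", "letmein", "Summer2024!", "qwerty"]


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return the record that would be stored in the user database."""
    if salt is None:
        salt = os.urandom(16)                       # fresh random salt per user
    # Pepper first: the value PBKDF2 stretches depends on a secret the DB never holds.
    peppered = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_password(password, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate["hash"], record["hash"])


def same_password_distinct_hashes(password: str) -> bool:
    """Two users with the same password get different hashes, so a precomputed
    (rainbow) table keyed on the bare password matches neither record."""
    return hash_password(password)["hash"] != hash_password(password)["hash"]


def dictionary_attack(record: dict, wordlist, pepper_known: bool) -> Optional[str]:
    """Offline dictionary attack on one stolen record. Account lockout does not
    apply here; the attacker is bound only by the work factor and by whether the
    pepper leaked along with the database."""
    salt = bytes.fromhex(record["salt"])
    for word in wordlist:
        if pepper_known:
            material = hmac.new(PEPPER, word.encode(), hashlib.sha256).digest()
        else:
            material = word.encode()                # best available without the pepper
        guess = hashlib.pbkdf2_hmac("sha256", material, salt, record["iterations"])
        if hmac.compare_digest(guess.hex(), record["hash"]):
            return word
    return None


def is_strong_password(password: str, wordlist) -> bool:
    """Policy check: minimum length, at least three character classes, and not a
    word from the dictionary (compared case-insensitively)."""
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    in_dictionary = password.lower() in {w.lower() for w in wordlist}
    return len(password) >= MIN_LENGTH and sum(classes) >= 3 and not in_dictionary


# Constructed sample user whose password happens to appear in the word list.
SAMPLE_RECORD = hash_password("Summer2024!")

if __name__ == "__main__":
    print("verify correct password:", verify_password("Summer2024!", SAMPLE_RECORD))
    print("same password, distinct hashes:", same_password_distinct_hashes("Summer2024!"))
    print("attack with pepper known:", dictionary_attack(SAMPLE_RECORD, SAMPLE_WORDLIST, True))
    print("attack without pepper:", dictionary_attack(SAMPLE_RECORD, SAMPLE_WORDLIST, False))
    print("policy accepts it:", is_strong_password("Summer2024!", SAMPLE_WORDLIST))
```

Run stand-alone, the attack that knows the pepper recovers the password because it is in the word list, the attack without it finds nothing even though the salt and iteration count were stolen with the record, and the policy check rejects the same password because it is a dictionary entry. The pepper is applied with HMAC rather than by appending it to the password so that its length and position do not leak into the value being stretched.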

               Understand sniffer attacks. In a sniffer attack (or snooping
               attack), an attacker uses a packet-capturing tool (such as a sniffer
               or protocol analyzer) to capture, analyze, and read data sent over a
               network. Attackers can easily read data sent over a network in
               cleartext, but encrypting data in transit (for example, with TLS)
               thwarts this type of attack.

               Understand spoofing attacks. Spoofing is pretending to be
               something or someone else, and it is used in many types of attacks,
               including access control attacks. Attackers often try to obtain the
               credentials of users so that they can spoof the user’s identity. Spoofing
               attacks include email spoofing, phone number spoofing, and IP
               spoofing. Many phishing attacks use spoofing methods.

               Understand social engineering. A social-engineering attack is an
               attempt by an attacker to convince someone to provide information
               (such as a password) or perform an action they wouldn’t normally
               perform (such as clicking on a malicious link), resulting in a security
               compromise. Social engineers often try to gain access to the IT
               infrastructure or the physical facility. User education is an effective