Page 1477 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

reduce the amount of time required to conduct a brute-force attack
               against hashed passwords. In this attack, the perpetrator takes a list of
               commonly used passwords and runs each one through the same hash
               function used by the target system, producing a precomputed table that
               maps each hash back to its plaintext password. The term rainbow table
               is commonly applied to such a table. Strictly, a rainbow table is a
               space-efficient form of the same idea that stores chains of alternating
               hash and reduction steps rather than every individual hash, but its
               effect against an unsalted system is the same. Where the system hashes
               passwords without a salt, an attacker who obtains the stored hashes
               simply looks each one up in the table to recover the corresponding
               password: the work of hashing is done once, before the breach, and
               reused against every account and every system that uses the same hash
               function. Salting, discussed in Chapter 7, defeats this approach by
               making each stored hash depend on a random per-user value, so a table
               computed in advance no longer matches. See the sidebar “Salting Saves
               Passwords” in that chapter for more detail.
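The following worked example is added here and is not part of the study guide. It builds a precomputed hash-to-password lookup table from a constructed list of common passwords, recovers passwords from a set of stolen unsalted hashes by table lookup, and then shows that the same table recovers nothing once each user has a random salt; the attacker is instead forced to recompute the whole wordlist separately for every user. The user names, passwords and the five-entry wordlist are constructed sample data, and SHA-256 stands in for whatever hash the target system uses.

```python
import hashlib
import os

# Constructed sample wordlist standing in for the much larger lists attackers use.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome1"]


def unsalted_hash(password: str) -> str:
    """Weak scheme: H(password) with no per-user randomness."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> plaintext once, before any breach. This is the
    (non-chained) form of the table the text calls a rainbow table."""
    return {unsalted_hash(pw): pw for pw in wordlist}


def crack_unsalted(stolen_hashes, table):
    """Recover passwords from stolen unsalted hashes by direct lookup."""
    return {user: table.get(h) for user, h in stolen_hashes.items()}


def salted_hash(password: str, salt: bytes) -> str:
    """Salted scheme: H(salt || password). The salt is random per user and is
    stored next to the hash; it does not need to be secret."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def register(password: str):
    """Store a new user's credential as (salt, hash) with a fresh 16-byte salt."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def crack_salted_with_table(stolen_records, table):
    """Try the precomputed table against salted records. The table was built
    without the salts, so (barring a negligible collision) nothing matches."""
    return {user: table.get(h) for user, (_salt, h) in stolen_records.items()}


def crack_salted_by_recomputation(stolen_records, wordlist):
    """What the attacker must do once salts are present: rehash the wordlist
    separately for every user. Returns the recovered passwords and the number
    of hash operations spent, to show the cost no longer amortizes."""
    recovered = {}
    work = 0
    for user, (salt, h) in stolen_records.items():
        recovered[user] = None
        for pw in wordlist:
            work += 1
            if salted_hash(pw, salt) == h:
                recovered[user] = pw
                break
    return recovered, work


def demo():
    """Run the attack against an unsalted and a salted credential store."""
    # Constructed sample users; carol's password is not in the wordlist.
    users = {"alice": "password", "bob": "letmein", "carol": "Tr0ub4dor&3"}
    table = build_lookup_table(COMMON_PASSWORDS)

    stolen_unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    from_table = crack_unsalted(stolen_unsalted, table)

    stolen_salted = {u: register(p) for u, p in users.items()}
    salted_from_table = crack_salted_with_table(stolen_salted, table)
    salted_recomputed, work = crack_salted_by_recomputation(
        stolen_salted, COMMON_PASSWORDS
    )
    return from_table, salted_from_table, salted_recomputed, work


if __name__ == "__main__":
    unsalted, salted_table, salted_recomp, work = demo()
    print("unsalted, precomputed table:", unsalted)
    print("salted, same table:         ", salted_table)
    print("salted, recomputed per user:", salted_recomp, "hash ops:", work)
```

With the unsalted store the table recovers alice's and bob's passwords at no hashing cost after the breach; against the salted store the same table yields nothing, and recomputation costs a full wordlist pass per user, so the precomputation no longer pays off. A real system would also replace the plain SHA-256 shown here with a deliberately slow password hash (bcrypt, scrypt or Argon2) so that each of those per-user passes is expensive.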


               Social Engineering

Social engineering is one of the most effective tools attackers use to
               gain access to a system. In its most basic form, a social-engineering
               attack consists of simply calling the user and asking for their
               password, while posing as a technical support representative or other
               authority figure who needs the information immediately. Fortunately,
               most contemporary computer users are aware of these scams, and the
               effectiveness of directly asking a user for a password is somewhat
               diminished today. Instead, these attacks rely on phishing emails that
               prompt users to log in to a fake site using their actual username and
               password; the attacker captures the credentials and uses them to log
               in to the real site. Phishing attacks often target financial services
               websites, where stolen credentials can be used to quickly transfer cash.
               In addition to tricking users into giving up their passwords, phishing
               attacks are often used to get users to install malware or to provide
               other sensitive personal information.


               Phishing messages are becoming increasingly sophisticated and are
               designed to closely resemble legitimate communications. For example,
               the phishing message shown in Figure 21.1 was sent to thousands of
               recipients representing itself as an official communication from the
               Social Security Administration. Users clicking the link were redirected
               to a malicious website that captured their sensitive information.

There are also many common variants of phishing. Some of these
               include the following: