Page 1593 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Chapter 14: Controlling and Monitoring Access
1. A discretionary access control (DAC) model allows the owner, creator, or data custodian of an object to control and define access. Administrators centrally administer nondiscretionary access controls and can make changes that affect the entire environment.
2. Assets, threats, and vulnerabilities should be identified through asset valuation, threat modeling, and vulnerability analysis.
3. Brute-force attacks, dictionary attacks, sniffer attacks, rainbow table attacks, and social-engineering attacks are all known methods used to discover passwords.
4. A salt is different for every password in a database. A pepper is the same for every password in a database. Salts for passwords are stored in the same database as the hashed passwords. A pepper is stored somewhere external to the database such as in application code or as a configuration setting for a server.
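The salt-versus-pepper distinction in answer 4, shown as an added example that is not part of the study guide: each record carries its own random salt, while the pepper (a constructed constant here, standing in for a value loaded from server configuration) never enters the database, so a copied table cannot be verified without it.

```python
import hashlib
import hmac
import os
from typing import Dict

# Constructed pepper standing in for a value read from server configuration
# or an environment variable; it is never written to the user table.
PEPPER = b"constructed-pepper-kept-out-of-database"

PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, pepper: bytes = PEPPER) -> Dict[str, str]:
    """Build the record that would be stored in the user table.

    The salt is random per password and stored beside the hash; the pepper
    is mixed in through HMAC but is deliberately absent from the record.
    """
    salt = os.urandom(16)
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": str(PBKDF2_ITERATIONS)}


def verify_password(password: str, record: Dict[str, str], pepper: bytes = PEPPER) -> bool:
    """Recompute the hash from the stored salt plus the external pepper."""
    salt = bytes.fromhex(record["salt"])
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, int(record["iterations"]))
    # Constant-time comparison so verification does not leak timing information.
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    # Same password, different salts, so the stored hashes differ.
    print("different hashes for same password:", alice["hash"] != bob["hash"])
    print("verify with correct pepper:", verify_password("correct horse battery staple", alice))
    # A leaked copy of the table is useless without the externally stored pepper.
    print("verify with wrong pepper:", verify_password("correct horse battery staple", alice, pepper=b"wrong"))
```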

