The following is an excerpt from the Official (ISC)2 Guide to the CISSP CBK, fourth edition, edited by Adam Gordon, CISSP-ISSAP, ISSMP, SSCP. This section from Domain 5 highlights actions infosec pros can take proactively to minimize the risk of password attacks and other access breaches.
Protecting against access control attacks requires that the security professional implement numerous security precautions as well as rigid adherence to a strong security policy. The following list identifies many security precautions, but it is important to realize that this is not a comprehensive list of all proactive preventative steps that the security professional can take.
- Control physical access to systems
The security architect needs to take into consideration in his or her designs that if an attacker has unrestricted physical access to a computer, the attacker owns it. If an attacker can gain physical access to an authentication server, he or she can often steal the password file in a very short time. Once a password file is stolen, the attacker can crack the passwords offline. After password attacks like this, all passwords should be considered compromised, but the problem can be prevented by controlling physical access.
- Control electronic access to password files
The security practitioner needs to tightly control and monitor electronic access to password files. End-users and those who are not account administrators have no need to access the password database file for daily work tasks. Any unauthorized access to password database files should be investigated immediately.
- Encrypt password files
Protecting against access control-based password attacks requires that the security professional implement numerous security precautions. The security practitioner should encrypt password files with the strongest encryption available for the operating systems under management. One-way encryption (hashing) is commonly used for passwords instead of storing them in plain text. In addition, rigid control over all media containing a copy of the password database file, such as backup tapes or repair disks, should be maintained. Passwords should also be encrypted when transmitted over the network.
- Create a strong password policy
The security professional needs to understand that a password policy can programmatically enforce the use of strong passwords and ensure that users regularly change their passwords. The longer and stronger a password, the longer it will take for it to be discovered in an attack. However, with enough time, all passwords can be discovered via brute force or other methods. Therefore, changing passwords regularly is required to maintain security. More secure or sensitive environments require passwords to be changed more frequently. The security professional should use separate password policies for privileged accounts such as administrator accounts to ensure that they have stronger passwords and that the passwords are changed more frequently.
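To show what "programmatically enforce" looks like, here is an added example (not code from the CBK) of a small policy engine with a separate, stricter tier for privileged accounts, as the text recommends. The specific numbers (minimum lengths, character-class counts, maximum ages) are assumed values for illustration, not figures the text prescribes.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_classes: int   # how many of lower/upper/digit/symbol must appear
    max_age_days: int  # forced rotation interval


# Assumed tiers: privileged accounts get a longer minimum, all four
# character classes, and a shorter rotation interval than standard users.
STANDARD = PasswordPolicy("standard", min_length=12, min_classes=3, max_age_days=90)
PRIVILEGED = PasswordPolicy("privileged", min_length=16, min_classes=4, max_age_days=30)

CLASS_PATTERNS = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def policy_for(privileged: bool) -> PasswordPolicy:
    """Select the tier; in a real deployment this would key off group membership."""
    return PRIVILEGED if privileged else STANDARD


def check_password(password: str, username: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(1 for pattern in CLASS_PATTERNS.values() if re.search(pattern, password))
    if classes < policy.min_classes:
        problems.append(f"uses {classes} character classes, policy requires {policy.min_classes}")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def password_expired(age_days: int, policy: PasswordPolicy) -> bool:
    """True once the password is older than the tier's maximum age."""
    return age_days > policy.max_age_days


if __name__ == "__main__":
    for user, pw, priv in [("alice", "Tr0ub4dor&3xtra!", False),
                           ("root", "Tr0ub4dor&3xtra!", True),
                           ("bob", "shortpass", False)]:
        print(user, check_password(pw, user, policy_for(priv)) or "OK")
```

Rejecting a new password is only half of the enforcement: the expiry check is what forces the regular change, and because the privileged tier carries its own `max_age_days` the administrator accounts rotate on their own, shorter schedule.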
- Use password masking
The security practitioner should ensure that applications never display passwords in cleartext on any screen. Instead, mask the display of the password by displaying an alternate character such as an asterisk (*). This reduces shoulder surfing attempts, but users should be aware that an attacker may be able to watch the keystrokes to discover the password.
- Deploy multifactor authentication
The security architect should plan on deploying multifactor authentication, such as using biometrics or token devices. If passwords are not the only means used to protect the security of a network, their compromise will not automatically result in a system breach.
- Use account lockout controls
Account lockout controls help prevent online password attacks. They lock an account after the incorrect password is entered a predefined number of times. It's common to allow a user to incorrectly enter the password as many as five times before the account is locked out. For systems and services that do not support account lockout controls, such as most FTP servers, the security practitioner should employ extensive logging and an intrusion detection system to look for evidence of password attacks.
- Use last logon notification
Many systems display a message including the time, date, and location (such as the computer name or IP address) of the last successful logon. If users pay attention to this message, they might notice if their account has been accessed by someone else. For example, if the last time a user logged on was the previous Friday but a message indicates that the account was accessed on Saturday, it is apparent the account has been breached. Users who suspect that their account is under attack or has been compromised should report this to a system administrator.
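The two preceding items, lockout after a fixed number of failures and a last-logon message on success, fit naturally in one logon guard. The block below is an added example (not code from the CBK) that locks an account after the fifth consecutive failure, as the text describes, refuses further attempts until the lockout expires, records an audit line for every outcome, and returns the time and source of the previous successful logon so the application can show it to the user. The 30-minute lockout duration and the use of plaintext credentials in the demo dictionary are assumptions made to keep the example short.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5                            # threshold used in the text
LOCKOUT_DURATION = timedelta(minutes=30)    # assumed; some deployments require admin unlock


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None
    last_logon: Optional[Tuple[datetime, str]] = None   # (time, source) of last success


class LoginGuard:
    def __init__(self, credentials: Dict[str, str]):
        # Demo only: a real store holds salted one-way hashes, not passwords.
        self._credentials = credentials
        self._state: Dict[str, AccountState] = {}
        self.audit: List[str] = []   # the "extensive logging" the text calls for

    def attempt(self, username: str, password: str, source: str, now: datetime) -> Tuple[bool, str]:
        state = self._state.setdefault(username, AccountState())
        if state.locked_until is not None:
            if now < state.locked_until:
                self.audit.append(f"{now.isoformat()} DENIED locked user={username} src={source}")
                return False, "account locked"
            state.failures = 0          # lockout expired: start counting afresh
            state.locked_until = None
        # Unknown user and wrong password produce the same message so the
        # response does not reveal which usernames exist.
        if self._credentials.get(username) != password:
            state.failures += 1
            self.audit.append(f"{now.isoformat()} FAILED user={username} src={source} count={state.failures}")
            if state.failures >= MAX_FAILURES:
                state.locked_until = now + LOCKOUT_DURATION
                self.audit.append(f"{now.isoformat()} LOCKED user={username} until={state.locked_until.isoformat()}")
                return False, "account locked"
            return False, "invalid credentials"
        previous = state.last_logon
        state.failures = 0
        state.last_logon = (now, source)
        self.audit.append(f"{now.isoformat()} SUCCESS user={username} src={source}")
        if previous is None:
            return True, "first logon"
        return True, f"last logon {previous[0].isoformat()} from {previous[1]}"


def simulate() -> List[Tuple[bool, str]]:
    """Constructed sequence: a good logon, five guesses from another source,
    one attempt while locked, then a good logon after the lockout expires."""
    guard = LoginGuard({"alice": "s3cret"})
    t0 = datetime(2024, 5, 3, 9, 0)
    results = [guard.attempt("alice", "s3cret", "10.0.0.5", t0)]
    for minute in range(1, 6):
        results.append(guard.attempt("alice", "wrong", "10.0.0.9", t0 + timedelta(minutes=minute)))
    results.append(guard.attempt("alice", "s3cret", "10.0.0.5", t0 + timedelta(minutes=6)))
    results.append(guard.attempt("alice", "s3cret", "10.0.0.5", t0 + timedelta(minutes=40)))
    return results


if __name__ == "__main__":
    for ok, message in simulate():
        print(ok, message)
```

In the simulated run the last message reads "last logon 2024-05-03T09:00:00 from 10.0.0.5": the user sees the earlier logon from their own workstation, and the five failures from 10.0.0.9 sit in the audit list for the administrator to review.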
- Educate users about security
To mitigate the risk of password attacks, the security professional needs to ensure that he or she properly trains users about the necessity of maintaining security and the use of strong passwords. Inform users that passwords should never be shared or written down; the only possible exception is that long, complex passwords for the most sensitive accounts, such as administrator or root accounts, can be written down and stored securely. In addition, the security professional should offer tips to users on how to create strong passwords and how to prevent shoulder surfing, and inform users of the risk of using the same password for different accounts. For example, a user that uses the same password for banking accounts and an online shopping account can have all of his or her accounts compromised after a successful attack on a single system. Additionally, the security professional needs to inform users about social engineering tactics.
- Access controls
Regular reviews and audits of access control processes by the security practitioner will help assess the effectiveness of access controls. For example, auditing can track logon success and failure of an account. An intrusion detection system can monitor these logs and easily identify logon prompt attacks and notify administrators.
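To make the auditing point concrete, the added example below (not code from the CBK) parses a handful of constructed sshd-style logon lines, counts failures per source within a five-minute window, and raises an alert when a source reaches the same five-failure threshold the lockout item uses, or when a success follows a burst of failures from the same source, which is the pattern an intrusion detection system watching these logs would report to administrators. The log format, the window size and the three-failure trigger for the second alert are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample lines in an sshd-like syslog format; not from a real host.
SAMPLE_LOG = """\
May  3 09:00:01 host sshd[1201]: Failed password for alice from 203.0.113.7 port 50122 ssh2
May  3 09:00:03 host sshd[1201]: Failed password for alice from 203.0.113.7 port 50122 ssh2
May  3 09:00:05 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
May  3 09:00:06 host sshd[1203]: Failed password for invalid user root from 203.0.113.7 port 50131 ssh2
May  3 09:00:08 host sshd[1204]: Failed password for bob from 203.0.113.7 port 50140 ssh2
May  3 09:00:09 host sshd[1205]: Accepted password for bob from 203.0.113.7 port 50141 ssh2
May  3 09:05:00 host sshd[1300]: Failed password for carol from 198.51.100.4 port 41000 ssh2
May  3 09:05:20 host sshd[1301]: Accepted password for carol from 198.51.100.4 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

FAILURE_THRESHOLD = 5     # same threshold as the lockout guidance
WINDOW_SECONDS = 300      # assumed: failures older than this no longer count
SUCCESS_AFTER = 3         # assumed: a success after this many failures is reviewed

Event = Tuple[datetime, str, str, str]   # (time, result, user, source)


def parse(log_text: str, year: int = 2024) -> List[Event]:
    """Turn raw lines into events; syslog lines carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue   # unrelated line; a real collector would keep it elsewhere
        ts = datetime.strptime(f"{year} {match['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, match["result"], match["user"], match["src"]))
    return events


def detect(events: List[Event], threshold: int = FAILURE_THRESHOLD,
           window: int = WINDOW_SECONDS) -> List[Dict]:
    """Sliding-window analysis per source; events are assumed to be in time order."""
    alerts: List[Dict] = []
    recent_failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    already_flagged = set()
    for ts, result, user, src in events:
        recent = [(t, u) for t, u in recent_failures[src] if (ts - t).total_seconds() <= window]
        recent_failures[src] = recent
        if result == "Failed":
            recent.append((ts, user))
            if len(recent) >= threshold and src not in already_flagged:
                already_flagged.add(src)
                alerts.append({"type": "password_guessing", "src": src, "at": ts,
                               "failures": len(recent),
                               "users": sorted({u for _, u in recent})})
        elif len(recent) >= SUCCESS_AFTER:
            alerts.append({"type": "success_after_failures", "src": src, "at": ts,
                           "user": user, "failures": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the detector reports 203.0.113.7 for five failures across four accounts and again for the successful logon as bob that immediately followed them, while carol's single mistyped password from 198.51.100.4 produces nothing. A success that follows a burst of failures is worth more attention than the failures alone, because a lockout control would have stopped the burst but cannot undo a guess that landed.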
- Actively manage accounts
When an employee leaves an organization or takes a leave of absence, the account should be disabled as soon as possible by the security professional. Inactive accounts should be deleted when it is determined they are no longer needed. Regular user entitlement and access reviews can discover excessive or creeping privileges.
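An access review of the kind described here can be automated against exports from the directory and the HR system. The added example below (not code from the CBK) compares a constructed set of accounts against an employment flag, an inactivity threshold and a per-role group baseline, and reports accounts that should be disabled, candidates for deletion, and group memberships beyond what the role warrants. The role baselines, the 90-day threshold and the sample accounts are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    role: str
    enabled: bool
    employed: bool                 # from the HR system: False once the person has left
    last_logon: Optional[date]     # None means the account has never logged on
    groups: FrozenSet[str]


# Assumed baseline: the groups each role is expected to hold, nothing more.
ROLE_BASELINE: Dict[str, FrozenSet[str]] = {
    "developer": frozenset({"dev", "vpn"}),
    "analyst": frozenset({"reports", "vpn"}),
    "service": frozenset({"backup"}),
}
INACTIVE_DAYS = 90   # assumed threshold for "inactive"

# Constructed sample directory export, not real accounts.
SAMPLE_ACCOUNTS = [
    Account("alice", "developer", True, True, date(2024, 5, 2), frozenset({"dev", "vpn"})),
    Account("bob", "developer", True, False, date(2024, 3, 1), frozenset({"dev", "vpn"})),
    Account("carol", "analyst", True, True, date(2023, 12, 1), frozenset({"reports", "vpn"})),
    Account("dave", "analyst", True, True, date(2024, 5, 1),
            frozenset({"reports", "vpn", "domain-admins"})),
    Account("svc-backup", "service", True, True, None, frozenset({"backup"})),
]
TODAY = date(2024, 5, 3)


def review(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for everything a reviewer should act on."""
    findings = []
    for account in accounts:
        if account.enabled and not account.employed:
            findings.append((account.username, "disable: no longer employed"))
        if account.enabled:
            idle = (account.last_logon is None
                    or (today - account.last_logon).days > INACTIVE_DAYS)
            if idle:
                findings.append((account.username, "inactive: review for deletion"))
        excess = account.groups - ROLE_BASELINE.get(account.role, frozenset())
        if excess:
            findings.append((account.username,
                             "excess privileges: " + ", ".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for username, finding in review(SAMPLE_ACCOUNTS, TODAY):
        print(f"{username:12} {finding}")
```

On the sample data bob is still enabled after leaving, carol has not logged on in over 90 days, dave has picked up a domain-admins membership his analyst role does not justify, and the service account has never logged on at all, which is the kind of result that needs a human decision rather than automatic deletion.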
- Use vulnerability scanners
Vulnerability scanners can detect access control vulnerabilities and, when used regularly by the security practitioner, help an organization mitigate these vulnerabilities, including exposure to password attacks. Many vulnerability scanners include password cracking tools that will detect weak passwords in addition to tools that can verify that systems are kept up to date with patches.
CISSP® is a registered mark of (ISC)².