{"id":5692,"date":"2020-10-07T13:10:40","date_gmt":"2020-10-07T11:10:40","guid":{"rendered":"https:\/\/tekmart.co.za\/t-blog\/?p=5692"},"modified":"2020-10-07T13:10:41","modified_gmt":"2020-10-07T11:10:41","slug":"how-to-prevent-password-attacks-and-other-exploits","status":"publish","type":"post","link":"https:\/\/tekmart.co.za\/t-blog\/how-to-prevent-password-attacks-and-other-exploits\/","title":{"rendered":"How to prevent password attacks and other exploits"},"content":{"rendered":"<span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time-approximately:<\/span> <span class=\"rt-time\"> 4<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>\n<h2 class=\"wp-block-heading\"><strong>Prevention is essential to protection against various types of password attacks, unauthorized access and related threats. Expert Adam Gordon outlines how to proactively bolster your defenses.<\/strong><\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong>The following is an excerpt from\u00a0the\u00a0Official (ISC)<sup>2<\/sup>\u00a0Guide to the CISSP CBK, fourth edition, edited by Adam Gordon, CISSP-ISSAP, ISSMP, SSCP. This section from Domain 5 highlights actions infosec pros can take proactively to minimize the\u00a0risk of password attacks\u00a0and other access breaches.<\/strong><\/p><\/blockquote>\n\n\n\n<p>Protecting against\u00a0access control\u00a0attacks requires that the security professional implement numerous security precautions as well as rigid adherence to a\u00a0strong security policy. The following list identifies many security precautions, but it is important to realize that this is not a comprehensive list of all proactive preventative steps that the security professional can take.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li><strong>Control physical access to systems<br><\/strong>The security architect needs to take into consideration in his or her designs that if an attacker has unrestricted physical access to a computer, the attacker owns it. If an attacker can\u00a0gain physical access\u00a0to an authentication server, he or she can often steal the password file in a very short time. Once a password file is stolen, the attacker can crack the passwords offline. After password attacks like this, all passwords should be considered compromised, but the problem can be prevented by controlling physical access.<\/li><li><strong>Control electronic access to password files<\/strong>\u00a0<br>The security practitioner needs to tightly control and monitor electronic access to password files. End-users and those who are not account administrators have no need to access the password database file for daily work tasks. Any unauthorized access to password database files should he investigated immediately.<\/li><li><strong>Encrypt password files\u00a0<br><\/strong>Protecting against access control-based password attacks requires that the security professional implement numerous security precautions. The security practitioner should\u00a0encrypt password files\u00a0with the\u00a0strongest encryption\u00a0available for the operating systems under management. One-way encryption (hashing) is commonly used for passwords instead of storing them in plain text. In addition, rigid control over all media containing a copy of the password database file, such as backup tapes or repair disks, should be maintained. Passwords should also be encrypted when transmitted over the network.<\/li><li><strong>Create a strong password policy<br><\/strong>The security professional needs to understand that a\u00a0password policy\u00a0can programmatically enforce the use of strong passwords and ensure that users regularly change their passwords. The longer and stronger a password, the longer it will take for it to he discovered in an attack. However, with enough time, all passwords can be discovered via brute force or other methods. Therefore,\u00a0changing passwords regularly\u00a0is required to maintain security. More secure or sensitive environments require passwords to be changed more frequently. The security professional should use separate password policies for privileged accounts such as administrator accounts to ensure that they have stronger passwords and that the passwords are changed more frequently.<\/li><li><strong>Use password masking<br><\/strong>The security practitioner should ensure that applications never display passwords in cleartext on any screen. Instead, mask the display of the password by displaying an alternate character such as asterisk (*). This reduces shoulder surfing attempts, but users should be aware that an attacker may be able to watch the keystrokes to discover the password.<\/li><li><strong>Deploy multifactor authentication<br><\/strong>The security architect should plan on\u00a0deploying multifactor authentication, such as using biometrics or token devices. If passwords are not the only means used to protect the security of a network, their compromise will not automatically result in a system breach.<\/li><li><strong>Use account lockout controls<br><\/strong>Account lockout controls help\u00a0prevent online password attacks. They lock an account after the incorrect password is entered a predefined number of times. It&#8217;s common to allow a user to incorrectly enter the password as many as five times before the account is locked out. For systems and services that do not support account lockout controls, such as most FTP servers, the security practitioner should employ extensive logging and an intrusion detection system to look for evidence of password attacks.<\/li><li><strong>Use last logon notification<\/strong><br>Many systems display a message including the time, date, and location (such as the computer name or IP address) of the last successful logon. If users pay attention to this message, they might notice if their account has been accessed by someone else. For example, if the last time a user logged on was the previous Friday but a message indicates that the account was accessed on Saturday, it is apparent the account has been breached. Users who suspect that their account is under attack or has been compromised should report this to a system administrator.<\/li><li><strong>Educate users about security\u00a0<br><\/strong>To mitigate the risk of password attacks, the security professional needs to ensure that he or she properly trains users about the necessity of maintaining security and the\u00a0use of strong passwords. Inform users that passwords should never be shared or written down; the only possible exception is that long, complex passwords for the most sensitive accounts, such as administrator or root accounts, can be written down and stored securely. In addition, the security professional should offer tips to users on how to create strong passwords and how to prevent\u00a0shoulder surfing\u00a0and inform users of the risk of using the same password for different accounts. For example, a user that uses the same password for banking accounts and an online shopping account can have all of his or her accounts compromised after a successful attack on a single system Additionally; the security professional needs to inform users about social engineering tactics.<\/li><li><strong>Access controls<br><\/strong>Regular reviews and audits of access control processes by the security practitioner will help assess the\u00a0effectiveness of access controls. For example, auditing can track logon success and failure of an account. An intrusion detection system can monitor these logs and easily identify logon prompt attacks and notify administrators.<\/li><li><strong>Actively manage accounts<br><\/strong>When an employee leaves an organization or takes a leave of absence, the account should be disabled as soon as possible by the security professional. Inactive accounts should he deleted when it is determined they are no longer needed. Regular user entitlement amid access reviews can discover excessive or\u00a0creeping privileges.<\/li><li><strong>Use vulnerability scanners<br><\/strong>Vulnerability scanners\u00a0can detect access control vulnerabilities and, when used regularly by the security practitioner, help an organization mitigate these vulnerabilities, including exposure to password attacks. Many\u00a0vulnerability scanners include password cracking tools\u00a0that will detect weak passwords in addition to tools that can verify that systems are kept up to date with patches.<br><br><em>CISSP\u00ae is a registered mark of\u00a0<\/em><a rel=\"noreferrer noopener\" href=\"https:\/\/www.isc2.org\/\" target=\"_blank\"><em>(ISC)\u00b2<\/em><\/a><em>.<\/em><\/li><\/ol>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><a href=\"https:\/\/www.techtarget.com\/contributor\/ISC2\"><\/a><a href=\"https:\/\/www.techtarget.com\/contributor\/ISC2\">(ISC) 2<\/a>\u00a0asks:<\/p><p>What&#8217;s the most effective way to secure password files?<\/p><\/blockquote>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/searchsecurity.techtarget.com\/tip\/How-to-prevent-password-attacks-and-other-exploits#commenting\"><strong>Join the Discussion<\/strong><\/a><\/h2>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time-approximately:<\/span> <span class=\"rt-time\"> 4<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>Prevention is essential to protection against various types of password attacks, unauthorized access and related threats. Expert Adam Gordon outlines how to proactively bolster your defenses. The following is an excerpt from\u00a0the\u00a0Official (ISC)2\u00a0Guide to the CISSP CBK, fourth edition, edited by Adam Gordon, CISSP-ISSAP, ISSMP, SSCP. This section from Domain 5 highlights actions infosec pros can take proactively to minimize<\/p>\n<p><a class=\"more-link\" href=\"https:\/\/tekmart.co.za\/t-blog\/how-to-prevent-password-attacks-and-other-exploits\/\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,5,30,125,3,126,95],"tags":[],"class_list":["post-5692","post","type-post","status-publish","format-standard","hentry","category-datacenter-news","category-engage-the-experts","category-expert-advise-and-opinion","category-identity-and-access-management","category-industry-news-and-expert-advise","category-password-management-and-policy","category-timeless-tips"],"_links":{"self":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/5692","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/comments?post=5692"}],"version-history":[{"count":1,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/5692\/revisions"}],"predecessor-version":[{"id":5693,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/5692\/revisions\/5693"}],"wp:attachment":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/media?parent=5692"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/categories?post=5692"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/tags?post=5692"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}