Access Control Attacks

Common Attacks

Dictionary Attacks

  • Description:
    • Use programs with built-in dictionaries.
    • Attackers try every word in the dictionary (usually a list of common passwords), hoping a user has chosen one of them.

Brute Force Attack

  • Description:
    • Tries all possible combinations.
    • Password complexity and attacker tools determine efficacy.

Spoofed Logon Screen

  • Description:
    • Fake login screen captures user credentials.
  • Prevention:
    • Secure endpoints to prevent these fake screens.
    • Consider mechanisms like Ctrl + Alt + Delete to access the login screen.

Sniffer Attacks

  • Description:
    • Packet capturing tools capture, analyze, and read data.
    • Especially vulnerable if data is sent in cleartext.

Spoofing Attacks

  • Description:
    • Attacker impersonates another user.
    • Often used to steal user credentials.

Social Engineering

  • Description:
    • Convincing someone to reveal information or perform unintended actions.
    • Includes requesting access or manipulating the victim into making gift card payments.
  • Best Defense:
    • Security Awareness Training (SAT).

Phishing

  • Description:
    • Tricks users into revealing personal information or taking a malicious action.
  • Types:
    • Spear Phishing: Targets specific groups.
    • Whaling: Targets high-level executives.
    • Vishing: Uses VoIP technology.

Phishing types are among the most common cyberattacks.

Access Aggregation

  • Description:
    • Combines non-sensitive information to deduce sensitive details.
    • Used in reconnaissance attacks.
  • Defense:
    • Operations Security (OpSec).

Example: Consider a social media platform where users:

  1. Publicly mention attending a particular gym.
  2. Share images of their meals with timestamps.
  3. Use a running app that posts the time they start their morning run.

An attacker can aggregate this data to infer when the user is likely away from home (e.g., during their gym and run timings) and possibly what they might eat afterward, setting up a potential scenario for physical or online intrusion.

OpSec Defense:

  • Ensure that some personal habits or routines are kept private and not shared across multiple platforms.
  • Use pseudonyms or avoid timestamped posts.
  • Regularly review and adjust privacy settings on social media and apps.

Other Attacks

TEMPEST

  • Description:
    • Reads electronic emanations from CRT monitors at a distance.

Shoulder Surfing

  • Description:
    • Observing monitor displays or key inputs directly.

White Noise

  • Description:
    • Broadcasting false traffic continuously.
    • Masks real emanations.

General Preventive Measures

  • Long, complex, periodically changed passwords.
  • Strong password policy enforcement.
  • Account lockouts after specific unsuccessful login attempts.
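As an added illustration of the last two measures (not part of the original notes), the following Python example enforces a length-and-complexity password policy and locks an account after a number of failed logins, then runs a constructed wordlist against it the way a dictionary attack would. The threshold, lockout duration and minimum length are example values chosen here, not figures from the page.

```python
import hmac
import re
import time
from collections import defaultdict

# Example policy values (assumed for this illustration, not taken from the notes)
MAX_FAILED_ATTEMPTS = 5          # lock the account once this many consecutive failures occur
LOCKOUT_SECONDS = 15 * 60        # how long the lockout lasts
MIN_PASSWORD_LENGTH = 12

def password_meets_policy(password: str) -> bool:
    """Long, complex password: minimum length plus at least three character classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    return sum(bool(re.search(c, password)) for c in classes) >= 3

class LoginGuard:
    """Counts failed logins per account and enforces a temporary lockout."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock                   # injectable clock so the lockout can be tested
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear the counter so the user gets a fresh set of attempts
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account: str, password: str, stored_password: str) -> str:
        """Return 'locked', 'ok' or 'denied'; the lockout is checked before the credential."""
        if self.is_locked(account):
            return "locked"
        # Constant-time comparison; a real system would compare a password hash instead
        if hmac.compare_digest(password.encode(), stored_password.encode()):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "denied"

def simulate_dictionary_attack(guard, account, stored_password, wordlist):
    """Feed a constructed wordlist to the guard and return the outcome of each guess."""
    return [guard.attempt(account, word, stored_password) for word in wordlist]
```

Note that once the lockout triggers, even the correct password is refused until the window expires, which is exactly what blunts a dictionary or brute-force run.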