Mitigating access control attacks in the CISSP exam
With the rapid rise in sophisticated cyberattacks comes the need for advanced mitigation. Access control is a specific security mechanism that regulates who can access certain infrastructure, applications and files. The goal is to protect both sensitive data and physical areas from unauthorized access. Access control attacks typically circumvent or bypass standard procedures to steal data or user credentials with the intent to harm.
Need more CISSP help? The CISSP exam tips and tricks e-book covers tips from students and instructors who successfully passed the exam. We also have a free one-hour CISSP exam tips course with a CISSP instructor whose students have a 95% pass rate.
What access control attacks should I know for the CISSP exam?
From popular email phishing to social engineering and email spoofing attacks, it's important to know how these attacks happen and how to mitigate them proactively.
In the recently updated CISSP exam, cyberattacks and access control strategies are examined across multiple domains, including identity and access management and security assessment and testing. The following are common access control attacks that might appear on the exam.
Access aggregation attacks
Cybercriminals use a variety of sophisticated methods to infiltrate systems illegally. Access aggregation attacks are carried out by collecting several pieces of non-sensitive information and drawing conclusions from them to derive sensitive information. It's a reconnaissance-style attack that gathers details such as a system's operating system, IP address and open ports in order to target it effectively.
Password attack
As passwords are the weakest link in authentication, password attacks attempt to recover a user, administrator or root password. Cybercriminals will use the access either to infiltrate systems immediately or to create back doors for later use.
Popular mitigation strategies: Strong password protections, employee security awareness training and multi-factor authentication
Dictionary attack
Similar to scanning a fixed dictionary for a "match" to a specific word, a dictionary attack systematically tries every word in a dictionary or word list in an attempt to guess the password. If passwords are based on dictionary words, the attack is likely to succeed, and a successful hit gives criminals access to user information, systems and infrastructure.
Popular mitigation strategies: Using passphrases instead of passwords, multi-factor authentication and using complex passwords
Brute-force attack
A brute force attack uses trial and error to crack passwords, login credentials or encryption keys. Criminals use sophisticated systems to submit as many passwords as possible with the hope of eventually guessing correctly. Again, when employees or systems have weak, easy-to-guess passwords, these are more likely to be successful. The answer is often complex, long passwords as they make brute force attacks time-consuming to carry out.
Popular mitigation strategies: Increasing password complexity, limited login attempts, multi-factor authentication and IP blocking
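The dictionary and brute-force mitigations listed above (complexity requirements, limited login attempts) can be seen working together in the following added example, which is not part of the original article. It combines a password policy check that rejects short passwords and dictionary words with trivial suffixes, salted PBKDF2 password storage, and a failed-attempt lockout whose duration doubles after each further failure. The word list, the 12-character minimum, the five-attempt threshold and the 30-second base lockout are all constructed values chosen for illustration, not settings recommended by the article.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed word list for the policy check; a real deployment would load a
# large list of common and previously breached passwords instead.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey"}

MIN_LENGTH = 12            # assumed policy minimum
MAX_ATTEMPTS = 5           # failures before the account is locked
BASE_LOCKOUT_SECONDS = 30  # doubles with every failure beyond the threshold
PBKDF2_ROUNDS = 100_000    # slows each guess an attacker can make offline


def password_policy_violations(candidate: str) -> list:
    """Return the reasons a password fails the policy; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    # "Password1!" style choices are still dictionary words once the common
    # decorations are stripped, so treat them as dictionary entries.
    core = candidate.lower().strip("0123456789!@#$%^&*")
    if core in COMMON_WORDS:
        problems.append("dictionary word with a trivial prefix or suffix")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    def __init__(self):
        self.accounts = {}

    def register(self, user: str, password: str) -> None:
        problems = password_policy_violations(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str, now: float = None) -> str:
        """Return "ok", "denied" or "locked". `now` is injectable for testing."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            # Hash anyway so response time does not reveal whether the user exists.
            _hash(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            extra = acct.failures - MAX_ATTEMPTS
            acct.locked_until = now + BASE_LOCKOUT_SECONDS * (2 ** extra)
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct-horse-Battery-9")
    for _ in range(MAX_ATTEMPTS):
        print(auth.login("alice", "wrong-Guess-1234"))   # denied x5
    print(auth.login("alice", "correct-horse-Battery-9"))  # locked
```

Two design points worth noting: the lockout check happens before any hashing, so a locked account costs the server almost nothing per attempt, and the unknown-user branch still performs a hash so that an attacker cannot enumerate valid usernames by timing responses.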
Birthday attack
A birthday attack is based on the statistical result known as the birthday paradox: in a room of just 23 people, there is a 50% chance that two of them share a birthday. Ignoring February 29, there are 365 possible birthdays, yet a match does not require 366 people in the room. The same reasoning applies to hashes: two different passwords may produce the same hash value (a collision), and a cybercriminal with a sample of 23 hashes has a 50% chance of discovering such a pair. Like a dictionary attack, this is a brute-force approach that keeps guessing letter and number combinations until a collision is found.
Popular mitigation strategies: Employee awareness training on password complexity, hash algorithms with ample output bits, long and complex passwords, regular security audits and proper key management practices
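The birthday paradox above is easy to check numerically, and doing so shows why the mitigation list asks for hash algorithms with "ample bits". The following added example (not part of the original article) computes the exact collision probability for a given sample size, the approximate sample size needed for a 50% collision, and the resulting work factor for an n-bit hash, then demonstrates the effect on a deliberately weakened hash by truncating SHA-256 to a small number of bits and searching constructed messages until two of them collide. The message format and the 16-bit truncation are assumptions made for the demonstration.

```python
import hashlib
import math


def collision_probability(samples: int, space: int) -> float:
    """Exact probability that at least two of `samples` uniformly random draws
    from a space of `space` values coincide (the birthday paradox)."""
    if samples > space:
        return 1.0  # pigeonhole principle: a collision is guaranteed
    p_distinct = 1.0
    for i in range(samples):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def samples_for_collision(space: int, target: float = 0.5) -> int:
    """Approximate number of draws before a collision occurs with probability
    `target`: n ~= sqrt(2 * N * ln(1 / (1 - p))). For 365 days this gives 23."""
    return math.ceil(math.sqrt(2 * space * math.log(1.0 / (1.0 - target))))


def hash_work_bits(hash_bits: int) -> int:
    """Collision search against an n-bit hash costs about 2**(n/2) attempts;
    the exponent is returned, so SHA-256 (256 bits) yields 128."""
    return hash_bits // 2


def truncated_sha256(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a hash with a short output."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, limit: int = 1 << 20):
    """Hash constructed, pairwise-distinct messages until two of them share a
    truncated digest. Returns (message_a, message_b, attempts), or None if
    `limit` is exhausted first."""
    seen = {}
    for i in range(limit):
        msg = f"constructed-message-{i}".encode()
        digest = truncated_sha256(msg, bits)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg
    return None


if __name__ == "__main__":
    print(f"P(collision, 23 people) = {collision_probability(23, 365):.4f}")
    print(f"people needed for 50%: {samples_for_collision(365)}")
    print(f"work against 256-bit hash: 2^{hash_work_bits(256)}")
    a, b, tries = find_collision(16)
    print(f"16-bit collision after {tries} messages: {a!r} vs {b!r}")
```

With 16 bits of output the search typically finishes after a few hundred messages, on the order of 2**8, rather than the 65,536 that exhausting the space would take; the same square-root effect is why a 128-bit hash offers only about 64 bits of collision resistance, and why audits look for 256-bit or larger digests.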
Sniffer attack
Also known as eavesdropping, a sniffer attack occurs when a hacker uses a "sniffer" such as a protocol or packet analyzer to capture traffic passing over a network. When data is transmitted, an attacker can intercept or steal sensitive information if it's not properly encrypted. One sniffer attack example was when a Russian hacking group eavesdropped on a hotel's public WiFi network to harvest users' passwords and usernames.
Popular mitigation strategies: VPNs, advanced encryption protocols like TLS/SSL or SSH, network traffic monitoring, network segmentation and proactive patch management
Spoofing attacks
At their core, spoofing attacks attempt to trick users into revealing sensitive information by pretending to be legitimate businesses or authorities. Spoofing breaches tend to be severe because a trusted entity could be interconnected to several systems, giving criminals significant access.
Email spoofing attack
Email spoofing is extremely popular. In this attack, the sender appears to be a legitimate person or business, but upon closer evaluation, the sender's name or address may look suspicious. The user is encouraged to enter sensitive login credentials or credit card information, exposing their data to cybercriminals.
Popular mitigation strategies: Inbox detection and response, employee security awareness training, IP address tracing and network monitoring
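Inbox detection for spoofed senders usually rests on whether the domain shown in the From header is actually authenticated, which is what DMARC evaluation checks. The following added example (not part of the original article) implements that decision from RFC 7489: it parses a published DMARC record, checks whether the SPF and DKIM results align with the visible From domain in strict or relaxed mode, and returns the disposition the receiving mail system should apply. The record is embedded as a constructed value here rather than fetched from DNS, the organizational-domain helper is a simplification that takes the last two labels instead of consulting the Public Suffix List, and example.com and example.net are the reserved domains used for the legitimate and attacker-controlled senders.

```python
from dataclasses import dataclass


def parse_tag_value(record: str) -> dict:
    """Parse a 'v=DMARC1; p=reject; adkim=s' style record into a dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Assumed simplification: keep the last two labels. Real DMARC uses the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode ('s') needs an exact match; relaxed ('r') accepts subdomains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    header_from: str   # domain in the From: header the recipient sees
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # envelope MAIL FROM domain that SPF was checked against
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= tag of the DKIM signature, if any


def dmarc_disposition(results: AuthResults, dmarc_record: str) -> str:
    """Return "pass" when an aligned SPF or DKIM pass exists; otherwise the
    policy from the record ("none", "quarantine" or "reject")."""
    tags = parse_tag_value(dmarc_record)
    if tags.get("v") != "DMARC1":
        return "none"  # no usable policy published; treat as unprotected
    spf_ok = results.spf_result == "pass" and aligned(
        results.header_from, results.spf_domain, tags.get("aspf", "r"))
    dkim_ok = results.dkim_result == "pass" and aligned(
        results.header_from, results.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


# Constructed sample: a spoofed message claims to be from example.com, but SPF
# only passes for the attacker's own envelope domain and there is no DKIM pass.
SPOOFED = AuthResults("example.com", "pass", "example.net", "fail", "example.net")
GENUINE = AuthResults("example.com", "pass", "example.com", "pass", "example.com")
CONSTRUCTED_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"

if __name__ == "__main__":
    print("genuine:", dmarc_disposition(GENUINE, CONSTRUCTED_RECORD))  # pass
    print("spoofed:", dmarc_disposition(SPOOFED, CONSTRUCTED_RECORD))  # reject
```

The point the example makes is that an SPF pass on its own proves nothing about the address the user sees: the attacker's envelope domain can legitimately pass SPF while the From header is forged, and it is the alignment check that catches the mismatch.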
Phone spoofing attack
Following a pattern similar to email spoofing, phone spoofing happens over the phone on iOS, Android or other smartphone devices when an attacker changes their caller ID number to appear legitimate. This is also a popular technique for attacking voicemail inboxes, which aren't protected if the user's phone number is known. Caller ID data is transmitted with a signalling technique called frequency shift keying (FSK), which carries the displayed number separately from the actual originating number and so lets criminals hide behind an illegitimate number.
Popular mitigation strategies: Using caller ID verification, call blocking services, third-party apps for screening phone numbers and proactively blocking suspicious numbers that call repeatedly
Social engineering attack
A social engineering attack relies on human interaction to deceive users into letting an attacker into a physical location or IT infrastructure. Social engineering attacks occur over email, over the phone or even in person, with criminals pressuring users to act or to reveal information. Common types of social engineering attacks are phishing, whaling, baiting and spearphishing.
Popular mitigation strategies: Social engineering awareness training, multi-factor authentication, spam filtering and detection, patch management and establishing a formal incident response plan
Phishing attack
Phishing is the most popular form of cyberattack, with 3.4 billion phishing emails sent a day, accounting for almost 36% of all data breaches. Phishing attempts to lure users into clicking a malicious link or opening an attachment by impersonating a legitimate company like Amazon, your phone carrier or Apple. Phishing also relies on urgency to pressure users, with messages like "Click this link within 24 hours, or you're being reported to a credit card delinquency agency."
Popular mitigation strategies: Multi-factor authentication, phishing analysis tools, antivirus software, phishing simulators for employees and DNS filtering
Spearphishing attack
A spearphishing attack targets a specific group of individuals, typically at an organization. The attacker pretends to be an external source or a coworker within the company asking for login credentials, credit card information or other sensitive data.
Popular mitigation strategies: Email sandboxing (checking the safety of links inside the email), employee behavior monitoring, antivirus software, malware detection and robust email security filters
Prep for the CISSP exam
Access control and other mitigation strategies are a core part of the CISSP exam. As you prepare for this advanced certification, review mitigation strategies and more inside the Infosec CISSP Boot Camp. Also, download the free cybersecurity salary guide to determine if the CISSP is the right next step for your career.