The system administrator is reviewing the following logs from the company web server:
12:34:56 GET /directory_listing.php?user=admin&pass=admin1
12:34:57 GET /directory_listing.php?user=admin&pass=admin2
12:34:58 GET /directory_listing.php?user=admin&pass=1admin
12:34:59 GET /directory_listing.php?user=admin&pass=2admin
Which of the following is this an example of?
A. Online rainbow table attack
B. Offline brute force attack
C. Offline dictionary attack
D. Online hybrid attack
Correct Answer: D Section: Threats and Vulnerabilities
This is an example of an online hybrid attack. A hybrid attack is a combination of attacks. In this example, we have a combination of a dictionary attack and a brute-force attack.
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software
is used to generate a large number of consecutive guesses as to the value of the desired data.
A dictionary attack uses a list of words to use as passwords. The combination or hybrid attack adds characters or numbers or even other words to the beginning or end of the
password guesses. In this example we have a password guess of ‘admin’. From the word admin, we have four combinations, ‘admin1, 1admin, admin2, 2admin’.
A: A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. The passwords in this attack are plain text, not hashes so
a rainbow table is not being used.
B: The attack in this question is against a web server while the server is online. Therefore, this is an online attack, not an offline attack so this answer is incorrect.
C: The attack in this question is against a web server while the server is online. Therefore, this is an online attack, not an offline attack so this answer is incorrect.
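As an added illustration (not part of the original question bank), the following Python snippet shows how a defender could classify the log excerpt above: it parses each request, groups attempts per user within a short window, and reports the pattern as hybrid guessing when several distinct passwords share one stripped base word. The log lines are the four from the question; the regex, window and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, mirroring the four lines in the question above.
LOG_LINES = [
    "12:34:56 GET /directory_listing.php?user=admin&pass=admin1",
    "12:34:57 GET /directory_listing.php?user=admin&pass=admin2",
    "12:34:58 GET /directory_listing.php?user=admin&pass=1admin",
    "12:34:59 GET /directory_listing.php?user=admin&pass=2admin",
]

# Assumed log shape: HH:MM:SS GET <path>?user=<u>&pass=<p>
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) GET \S+\?user=([^&\s]+)&pass=(\S+)$")

def parse_line(line):
    """Return {"t": seconds-since-midnight, "user", "pass"} or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, user, pw = m.groups()
    return {"t": int(h) * 3600 + int(mi) * 60 + int(s), "user": user, "pass": pw}

def base_word(pw):
    """Strip leading/trailing digits and common symbols to recover the word a hybrid guess was built from."""
    return pw.strip("0123456789!@#$%^&*._-").lower()

def classify_guessing(lines, window=60, min_attempts=3):
    """Per user: if >= min_attempts guesses fall inside `window` seconds, label the burst
    'online hybrid' when most guesses derive from one base word, else 'online brute force'."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            attempts[rec["user"]].append(rec)
    findings = {}
    for user, recs in attempts.items():
        recs.sort(key=lambda r: r["t"])
        if len(recs) < min_attempts or recs[-1]["t"] - recs[0]["t"] > window:
            continue
        bases = defaultdict(set)
        for pw in {r["pass"] for r in recs}:
            bases[base_word(pw)].add(pw)
        base, variants = max(bases.items(), key=lambda kv: len(kv[1]))
        kind = "online hybrid" if base and len(variants) >= min_attempts else "online brute force"
        findings[user] = {"kind": kind, "base_word": base,
                          "attempts": len(recs), "variants": sorted(variants)}
    return findings

if __name__ == "__main__":
    print(classify_guessing(LOG_LINES))
```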
A security administrator must implement all requirements in the following corporate policy: Passwords shall be protected against offline password brute force attacks. Passwords shall be protected against online password brute force attacks. Which of the following technical controls must be implemented to enforce the corporate policy? (Select THREE).
A. Account lockout
B. Account expiration
C. Screen locks
D. Password complexity
E. Minimum password lifetime
F. Minimum password length
Correct Answer: A,D,F Section: Threats and Vulnerabilities
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization’s network security.
A brute force attack may also be referred to as brute force cracking.
For example, a form of brute force attack known as a dictionary attack might try all the words in a dictionary. Other forms of brute force attack might try commonly-used passwords or combinations of letters and numbers.
The best defense against brute force attacks is strong passwords. The following password policies will ensure that users have strong (difficult to guess) passwords:
F: Minimum password length. This policy specifies the minimum number of characters a password should have. For example: a minimum password length of 8 characters is regarded as good security practice.
D: Password complexity determines what characters a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers.
This will ensure that passwords don’t consist of dictionary words which are easy to crack using brute force techniques.
A: Account lockout policy: This policy ensures that a user account is locked after a number of incorrect password entries. For example, you could specify that if a wrong password is entered three times, the account will be locked for a period of time or indefinitely until the account is unlocked by an administrator.
B: Account expiration settings determine when an account will expire. This is usually a time or date. An account configured with an expiration date will not prevent an attacker trying to brute force a password as the attacker could make as many attempts as he wants until the time or date of the account expiration.
C: A screen lock will cause the screen of a computer or mobile device to lock after a period of inactivity. It is not used to prevent brute force attacks.
E: Minimum password lifetime is best understood together with password history. Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords.
When a user is forced to change his password due to a maximum password age period expiring, he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to the original password. This is where the minimum password age (minimum password lifetime) comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days. A minimum password age would not protect against brute force attacks.
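To make the three selected controls concrete, here is an added Python example (not from the original question bank) that enforces minimum length (F) and complexity (D) on a candidate password, and tracks failed logins to apply account lockout (A) against online guessing. The thresholds (8 characters, 3 failures, 15-minute lockout) are illustrative assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class PasswordPolicy:
    min_length: int = 8          # F: minimum password length (assumed value)
    require_upper: bool = True   # D: complexity rules
    require_lower: bool = True
    require_digit: bool = True
    lockout_threshold: int = 3   # A: lock after this many consecutive failures
    lockout_seconds: int = 900   # assumed 15-minute lockout window

def complexity_failures(policy, password):
    """Return the list of rules a candidate password violates; an empty list means it passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("no lowercase")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems

@dataclass
class LockoutTracker:
    """Counts consecutive failures per user and locks the account once the threshold is hit."""
    policy: PasswordPolicy
    failures: dict = field(default_factory=dict)      # user -> consecutive failure count
    locked_until: dict = field(default_factory=dict)  # user -> unix time the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_attempt(self, user, success, now):
        """Update state after a login attempt; return True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True              # attempts during lockout are rejected, not counted
        if success:
            self.failures.pop(user, None)
            return False
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.policy.lockout_threshold:
            self.locked_until[user] = now + self.policy.lockout_seconds
            self.failures.pop(user, None)
            return True
        return False
```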