Password Management lvii
originating the request rather than authenticating the identity of the user. Many network applications in use today employ host-based authentication mechanisms in order to determine whether or not access is allowed to a given resource. Such host-based authentication schemes are not invulnerable to attack. Under certain circumstances, it is fairly easy for a hacker to masquerade as a legitimate host and fool the system into granting access. Security measures used to protect against the misuse of some host-based authentication systems are often available but require that special steps or additional configuration actions be taken before they can be used. An example would be enabling DES encryption when using Remote Procedure Calls (RPCs).
Techniques Used to Bypass Access Controls
In the realm of security, the use of common terms enables all parties to understand exactly what is meant when discussing security issues. When talking about attacks, there are four terms that are quite common: vulnerability, threat, risk, and exposure. A vulnerability is a flaw or weakness that may allow harm to an information system. A threat is an activity with the potential for causing harm to an information system. Risk is defined as a combination of the chance that a threat will occur and the severity of its impact. Exposure is a specific instance of weakness that could cause losses to occur from a threat event.
Hackers use several common methods to bypass access controls and gain unauthorized access to information, principally: brute force, denial of service, social engineering, and spoofing. The brute force method consists of a persistent series of attacks, often trying multiple approaches, in an attempt to break into a computer system. A denial of service (DoS) occurs when someone attempts to overload a system through an online connection in order to force it to shut down. Social engineering occurs when someone employs deception techniques against organizational personnel in order to gain unauthorized access. This is the most common method of attack known. Finally, spoofing is when a hacker masquerades under a false ID in order to gain unauthorized access to a system.
Password Management
When granting access to a computer system, such access can be restricted by means of controls based on various kinds of identification and authorization techniques. Identification is a two-step function: first, identify the user, and second, authenticate (validate) the identity of the user. The most basic systems rely on passwords only. These techniques do provide some measure of protection against the casual browsing of information, but they rarely stop a determined criminal. A computer password is much like a key to a computer. Allowing several people to use the same password is like allowing everyone to use the same key. More sophisticated systems today use SmartCards and/or biometric evaluation techniques in combination with password usage to increase the difficulty of circumventing password protections. Use of the password methodology is built on the premise that something you know could be compromised by someone getting unauthorized access to the password. A system built on something you “know” (e.g., a password) combined with something you possess (e.g., a SmartCard) is a much stronger system. The combination of knowing and possessing, combined with being (biometrics), provides an even stronger layer of protection. With all three elements required, even if someone could obtain your password, it is useless without the card and the right biometrics (fingerprint, retinal scan, etc.).
In general, there are two categories of SmartCards. The first is a magnetic strip card and the second is a ChipCard. As its name suggests, the magnetic strip card has a magnetic strip containing some encoded confidential information destined to be used in combination with the cardholder's personal code or password. The ChipCard uses a built-in microchip instead of a magnetic strip. The simplest type of ChipCard contains a memory chip with information, but it has no processing capability. The more effective type of ChipCard contains a microchip with both memory to store some information and a processor to process it; hence, the term SmartCard. Such cards are often used in combination with cryptographic techniques to provide even stronger protection.
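The three-factor scheme described above (something you know, something you have, something you are), with the processor ChipCard answering a cryptographic challenge, as an added illustration that is not the book's own code. All values, the PBKDF2 parameters and the bit-string model of a biometric template are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed parameters (assumptions for this example, not from the book).
PBKDF2_ITERATIONS = 200_000
BIOMETRIC_MAX_DISTANCE = 6  # biometric matching is fuzzy: tolerate a few differing bits


def enroll(password: str, biometric_template: int) -> dict:
    """Server-side record. Only a salted hash of the password is kept ("know");
    the card key is a shared secret also provisioned onto the card ("have");
    the biometric template is modelled as a 64-bit integer ("are")."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {
        "salt": salt,
        "pw_hash": pw_hash,
        "card_key": secrets.token_bytes(32),
        "biometric": biometric_template,
    }


def card_respond(card_key: bytes, challenge: bytes) -> bytes:
    """What a processor ChipCard computes: an HMAC over a fresh verifier challenge,
    so the card secret itself never leaves the card."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()


def hamming_distance(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def authenticate(record: dict, password: str, challenge: bytes,
                 card_response: bytes, biometric_sample: int) -> bool:
    """All three factors must pass. A stolen password on its own is useless
    because the card response and biometric sample are checked independently."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS),
        record["pw_hash"])
    card_ok = hmac.compare_digest(card_respond(record["card_key"], challenge), card_response)
    bio_ok = hamming_distance(record["biometric"], biometric_sample) <= BIOMETRIC_MAX_DISTANCE
    return pw_ok and card_ok and bio_ok
```

The verifier must issue a new random challenge for every attempt; reusing one would let a recorded card response be replayed.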
Biometric Systems
Biometric systems use specific personal characteristics (biometrics) of an individual (e.g., a fingerprint, a voiceprint, keystroke characteristics, or the pattern of the retina). Biometric systems are still considered an expensive solution for the most part, and as a result of the cost, they are not yet in common use today. However, even these sophisticated techniques are not infallible. The adage that if someone wants it badly enough, they will find a way to break in and take it still holds true.