🏠 Back to Exam Syllabus πŸ“Ί RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 14.4 - Understanding Access Control Attacks (Part 1 of 3)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series opens a multi-part look at how attackers defeat access controls, part of identity and access management in Domain 5. This first part gets inside the attacker’s playbook, anchoring the core risk terms before moving into the techniques that elevate privileges and crack passwords across a network.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

What is an attacker really after?

An attacker is anyone attempting to exploit a weakness and break confidentiality, integrity, or availability. Their motives run from money to power to simple notoriety, and the fallout can include lost data, downtime, and reputational harm. The word hacker once meant a harmless enthusiast, but common usage has blurred it, so we simply say attacker for anyone with malicious intent. The point is that a deliberate adversary is trying to get past your controls.

How do risk, threat, and vulnerability fit together?

A vulnerability is any weakness, like a missing patch or the absence of a control. A threat is a potential event that could cause harm, whether a criminal, a flood, or an honest employee mistake. Risk is the likelihood that a threat actually exploits a vulnerability and causes a loss. Picture a cracked window latch: the latch is the vulnerability, a burglar in the area is the threat, and the chance of a break-in is the risk. You reduce risk by fixing weaknesses or blunting threats, never by chasing zero.

How does privilege escalation spread through a network?

Privilege escalation is any move that gives a user more power than they should have, and it comes in two directions. Vertical escalation climbs upward, turning a regular account into an administrator on the same machine. Horizontal escalation moves sideways, reusing that foothold to compromise other accounts and computers at the same level, which is also called lateral movement. Attackers chain the two, often reaching domain-wide control, so a key defense is keeping service accounts locked to only the privileges they truly need.

How do the su and sudo commands change accountability?

On a common family of server systems the all-powerful account is called root. The su command switches you fully into that root account after you enter the root password, and from that point the logs record activity as root, not as you. The sudo command instead lets an approved user run a single command with elevated power using their own credentials, and the logs record it under their own name. With su, actions blur into a shared superuser; with sudo, every elevated action is tied to a real person you can audit.

How do dictionary and brute-force attacks crack passwords?

A dictionary attack tries passwords from a prepared list of likely candidates, including real words, weak strings people actually use, and one-upped variations that nudge a single character. It is fast because it bets on human predictability. A brute-force attack instead systematically tries every possible combination until one matches, with modern graphics processors testing enormous numbers per second offline. Length and complexity make the search space explode, so a long password using all four character types pushes the cracking time from hours to something wildly infeasible.

πŸ“š Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 14.4 - Understanding Access Control Attacks (Part 1 of 3).