| π Back to Exam Syllabus | πΊ RooCloud on YouTube | π RooCloud Practice Exams |
CISSP 14.4 - Understanding Access Control Attacks (Part 1 of 3)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series opens a multi-part look at how attackers defeat access controls, part of identity and access management in Domain 5. This first part gets inside the attackerβs playbook, anchoring the core risk terms before moving into the techniques that elevate privileges and crack passwords across a network.
What this episode covers
- What an attacker is after β anyone exploiting a weakness to break confidentiality, integrity, or availability for money, power, or notoriety.
- Risk, threat, and vulnerability β a weakness, a potential harmful event, and the chance the two combine into a loss.
- Privilege escalation β vertical climbs a user to admin while horizontal moves sideways as lateral movement across machines.
- Minimal-privilege service accounts β a key defense that denies attackers broad system rights to chain escalation.
- su versus sudo β su blurs actions into shared root, while sudo ties each elevated command to a real, auditable user.
- Dictionary attacks β try a prepared list of likely passwords and one-upped variations, betting on human predictability.
- Brute-force attacks β grind through every combination, defeated by long, complex passwords that explode the search space.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is an attacker really after?
An attacker is anyone attempting to exploit a weakness and break confidentiality, integrity, or availability. Their motives run from money to power to simple notoriety, and the fallout can include lost data, downtime, and reputational harm. The word hacker once meant a harmless enthusiast, but common usage has blurred it, so we simply say attacker for anyone with malicious intent. The point is that a deliberate adversary is trying to get past your controls.
How do risk, threat, and vulnerability fit together?
A vulnerability is any weakness, like a missing patch or the absence of a control. A threat is a potential event that could cause harm, whether a criminal, a flood, or an honest employee mistake. Risk is the likelihood that a threat actually exploits a vulnerability and causes a loss. Picture a cracked window latch: the latch is the vulnerability, a burglar in the area is the threat, and the chance of a break-in is the risk. You reduce risk by fixing weaknesses or blunting threats, never by chasing zero.
How does privilege escalation spread through a network?
Privilege escalation is any move that gives a user more power than they should have, and it comes in two directions. Vertical escalation climbs upward, turning a regular account into an administrator on the same machine. Horizontal escalation moves sideways, reusing that foothold to compromise other accounts and computers at the same level, which is also called lateral movement. Attackers chain the two, often reaching domain-wide control, so a key defense is keeping service accounts locked to only the privileges they truly need.
How do the su and sudo commands change accountability?
On a common family of server systems the all-powerful account is called root. The su command switches you fully into that root account after you enter the root password, and from that point the logs record activity as root, not as you. The sudo command instead lets an approved user run a single command with elevated power using their own credentials, and the logs record it under their own name. With su, actions blur into a shared superuser; with sudo, every elevated action is tied to a real person you can audit.
How do dictionary and brute-force attacks crack passwords?
A dictionary attack tries passwords from a prepared list of likely candidates, including real words, weak strings people actually use, and one-upped variations that nudge a single character. It is fast because it bets on human predictability. A brute-force attack instead systematically tries every possible combination until one matches, with modern graphics processors testing enormous numbers per second offline. Length and complexity make the search space explode, so a long password using all four character types pushes the cracking time from hours to something wildly infeasible.
π Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 14.4 - Understanding Access Control Attacks (Part 1 of 3).