During an IS audit, auditor has observed that authentication and authorization steps are split into two
functions and there is a possibility to force the authorization step to be completed before the authentication
step. Which of the following technique an attacker could user to force authorization step before
authentication?
Correct Answer: D
Section: Protection of Information Assets
Explanation/Reference:
A race condition is when processes carry out their tasks on a shared resource in an incorrect order. A race
condition is possible when two or more processes use a shared resource, as in data within a variable. It is
important that the processes carry out their functionality in the correct sequence. If process 2 carried out its
task on the data before process 1, the result will be much different than if process1 carried out its tasks on
the data before process 2.
In software, when the authentication and authorization steps are split into two functions, there is a
possibility an attacker could use a race condition to force the authorization step to be completed before the
authentication step. This would be a flaw in the software that the attacker has figured out how to exploit. A
race condition occurs when two or more processes use the same resource and the sequences of steps
within the software can be carried out in an improper order, something that can drastically affect the output.
So, an attacker can force the authorization step to take place before the authentication step and gain
unauthorized access to a resource.
The following answers are incorrect:
Eavesdropping - is the act of secretly listening to the private conversation of others without their consent,
as defined by Black's Law Dictionary. This is commonly thought to be unethical and there is an old adage
that "eavesdroppers seldom hear anything good of themselves...eavesdroppers always try to listen to
matters that concern them."
Traffic analysis - is the process of intercepting and examining messages in order to deduce information
from patterns in communication. It can be performed even when the messages are encrypted and cannot
be decrypted. In general, the greater the number of messages observed, or even intercepted and stored,
the more can be inferred from the traffic. Traffic analysis can be performed in the context of military
intelligence, counter-intelligence, or pattern-of-life analysis, and is a concern in computer security.
Masquerading - A masquerade attack is an attack that uses a fake identity, such as a network identity, to
gain unauthorized access to personal computer information through legitimate access identification. If an
authorization process is not fully protected, it can become extremely vulnerable to a masquerade attack.
Masquerade attacks can be perpetrated using stolen passwords and logons, by locating gaps in programs,
or by finding a way around the authentication process. The attack can be triggered either by someone
within the organization or by an outsider if the organization is connected to a public network. The amount of
access masquerade attackers get depends on the level of authorization they've managed to attain. As
such, masquerade attackers can have a full smorgasbord of cyber crime opportunities if they've gained the
highest access authority to a business organization. Personal attacks, although less common, can also be
harmful.
Following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 324
Official ISC2 guide to CISSP CBK 3rd Edition Page number 66
CISSP All-In-One Exam guide 6th Edition Page Number 161
