CISSP ch 14

Question 1

Permissions

Answer 1

the access granted for an object and determine what you can do with it

E.g., read and execute permissions for an application file, which gives you the right to run the application

Question 2

Rights

Answer 2

the ability to take an action on an object

E.g., the right to modify the system on a computer or the right to restore backed-up data

Question 3

Privileges

Answer 3

combination of rights and permissions

Question 4

Capabilit tables

Answer 4

a way to identify privileges assigned to subjects (as opposed to ACLs, which are focused on objects)

Question 5

ACL

Answer 5

access control list

Question 6

constrained interface / restricted interface

Answer 6

used to restrict what users can do or see based on their privileges

Question 7

Content dependent control

Answer 7

restricts access to data based on the content within an object

Question 8

context dependent control

Answer 8

requires specific activity before granting users access

Question 9

DAC model

Answer 9

Discretionary Access Control model

Every object has an owner and the owner can grant or deny access to any other subject

Windows’ New Technology File Systems (NTFS) uses the DAC model

Identity-based access control is a subset of DAC because systems identify users based on their identity and assign resource ownership to identities

Question 10

Windows’ NTFS

Answer 10

Windows’ New Technology File Systems (NTFS) uses the DAC model (discretionary Access control)

Question 11

RBAC

Answer 11

Role Based Access Control

The use of roles or groups, instead of assigning permissions directly to users, user accounts are placed in roles and administrators assign privileges to the roles

Windows implements this model with the use of groups

Question 12

TBAC

Answer 12

Task Based Access Control

Similar to RBAC, but instead of being assigned to one or more roles, each user is assigned an array of tasks

Control access by assigned tasks rather than by user identity

Question 13

Rule based Access control

Answer 13

Applies global rules to all subjects

Rules within the rule-based access control model are sometimes referred to as restrictions or filters

E.g., firewall

Question 14

ABAC

Answer 14

Attribute Based Access Control

Use of rules that can include multiple attributes, allowing more flexibility than a rule-based access control model

Many software defined networks (SDNs) uses the ABAC model

Mobile device management (MDM) systems can use attributes to identify mobile devices

Question 15

MAC

Answer 15

Mandatory Access Control = a lattice-based model

Use of labels applied to both subjects and objects

E.g., if a user has a label of top secret, the user can be granted access to a top-secret document – both the object and subject have matching labels

Each classification label represents a security domain (e.g., Secret or Top Secret), or a realm of security

Question 16

Types of MAC environments

Answer 16

Hierarchical

Compartmentalized

Hybrid

Question 17

Hierarchical (MAC environment)

Answer 17

Relates various classification labels in an ordered structure from low security to high security, such as Confidential, Secret and Top Secret

Each level or classification label is related: Clearance in one level grants the subject access to objects in that level as well as to all objects in lower levels but prohibits access to all objects in higher levels

Question 18

Compartmentalized (MAC environment)

Answer 18

No relationship between one security domain and another, each domain represents a specific isolated compartment

Question 19

Risk-based Access control

Answer 19

Grants access after evaluating risk

Evaluates the environment and the situation and makes risk-based decisions using policies embedded within software code

Can use machine learning to make predictive conclusions about current activity based on past activity

Question 20

nondiscretionary Access controls

Answer 20

administrators centrally manage nondiscretionary access controls and can make changes that affect the entire environment

Question 21

XML

Answer 21

Extensible Markup Language

Goes beyond describing how to display the data by actually describing the data

Can include tags to describe data as anything desired:

<ExamResults>Passed</ExamResults>

Databases from multiple vendors can import and export data to and from an XML format, making XML a common language used to exchange information

Many specific schemas exist, and if companies agree on what schemas to use, they can easily share information

Question 22

SAML

Answer 22

Security Assertion Markup Language

An open XML-based standard commonly used to exchange authentication and authorization (AA) information between federated organizations

Provides SSO capabilities for browser access

The Organization for the Advancement of Structured Information Standards (OASIS) adopted SAML 2.0 as a standard in 2005, and has maintained it since then

Utilizes three entities:

Principal or user agent

Service Provider (SP)

Identity Provider (IdP)

Question 23

SP (SAML)

Answer 23

Service Provider (SP)

With service being accessed and requiring authentication + authorization

Question 24

IdP (SAML)

Answer 24

Identity Provider (IdP)

Third party that holds the user authentication and authorization information

Question 25

IdP assertions (SAML)

Answer 25

Authentication Assertion

Authorization Assertion

Attribute Association

Question 26

Authentication Assertion (SAML)

Answer 26

Provides proof that the user agent provided the proper credentials, identifies the identification method and identifies the time the user agent logged on

Question 27

Authorization Assertion (SAML)

Answer 27

Indicates whether the user agent is authorized to access the requested service

If the message indicates access is denied, it indicates why

Question 28

Attribute association

Answer 28

Attributes can be any information about the user agent

Question 29

OAuth 2.0

Answer 29

An authorization framework (not an authentication protocol) described in RFC 6749 and maintained by the Internet Engineering Task Force (IETF)

Many companies on the internet use it to share account information with third-party websites by sending the third-party an authentication token in an API message

OAuth is not backward compatible with OAuth 1.0

Question 30

OpenID

Answer 30

An open standard maintained by the OpenID Foundation rather than as an RFC standard

Provides decentralized authentication, allowing users to log into multiple unrelated websites (i.e., a relying party) with one set of credentials maintained by a third-party service referred to as an OpenID provider

Question 31

OIDC

Answer 31

OpenID Connect

An authentication layer using the OAuth 2.0 authorization framework

Provides both authentication and authorization

Uses a JavaScript Object Notation (JSON) web token (JWT), also called an ID token

OpenID Connect uses a web service to retrieve the JWT

In addition to providing authentication, the JWT can also include profile information about the user

E.g., logging onto eBay with a Google account

Question 32

JSON

Answer 32

JavaScript Object Notation

Question 33

JWT

Answer 33

JavaScript Object Notation (JSON) web token, also called an ID token when used in OIDC

Question 34

Kerberos

Answer 34

Most common and well-known ticket authentication system – ticket authentication is a mechanism that employs a third-party to prove identification and provide authentication

Primary purpose of Kerberos is authentication – after users authenticate and prove their identity, Kerberos uses their proven identity to issues tickets, and user accounts present these tickets when accessing resources

Offers a SSO solution for users and protects logon credentials

Relies on symmetric-key cryptography using AES

Provides confidentiality and integrity for authentication traffic using end-to-end security and helps protect against eavesdropping and replay attacks

Question 35

Kerberos elements

Answer 35

KDC = Key Distribution Center

Kerberos Authentication Server

Ticket / service ticket (ST)

TGT = Ticket-Granting Ticket

Kerberos Principal

Kerberos Realm

Question 36

KDC (Kerberos)

Answer 36

Key Distribution Center

Trusted third party that provides authentication services

All clients and servers are registered with the KDC, and it maintains the secret keys for all network members

Question 37

TGS (Kerberos)

Answer 37

ticket granting service

Question 38

AS (Kerberos)

Answer 38

authentication service

Question 39

Kerberos authentication server

Answer 39

Hosts the functions of the KDC: a ticket granting service (TGS) and an authentication service (AS)

Authentication service verifies or rejects the authenticity and timeliness of tickets

Question 40

Ticket / Service ticket (Kerberos)

Answer 40

An encrypted message that provides proof that a subject is authorized to access an object

Sometimes called a service ticket (ST)

Subjects request tickets to access objects

Tickets have specific lifetimes and usage parameters

Question 41

TGT

Answer 41

Ticket-Granting Ticket

Provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects

Encrypted, and includes a symmetric key, an expiration time and the user’s IP address

Subjects present the TGT when requesting tickets to access objects

Question 42

Kerberos Principal

Answer 42

A user/entity that requests a ticket

Question 43

Kerberos Realm

Answer 43

A logical area (e.g., domain or network) ruled by Kerberos

Question 44

AD

Answer 44

Microsoft’s Active Directory

Example of a directory service where database of accounts is stored

Question 45

DC

Answer 45

domain controller

Question 46

NTP server

Answer 46

Network Time Protocol server = is synchronized with the DC (domain controller) in an Active Directory domain

Question 47

RADIUS

Answer 47

Remote Authentication Dial-in User Service

Centralizes authentication for remote access connections

Used when an organization has more than one network access server

A user can connect to any network access server which then passes on the user’s credentials to the RADIUS server to verify authentication and authorization and to track accounting

Network access server = RADIUS client

RADIUS server = authentication server

Many internet service providers (ISPs) use RADIUS for authentication

Uses UDP by default (port 1812 for RADIUS messages and port 1813 for RADIUS accounting messages) and encrypts only the password’s exchange

Current version is defined in RFC 2865

RFC 6614 (experimental) defines how RADIUS can use TLS over TCP (port 2083) to encrypt the entire session

Question 48

Diameter

Answer 48

remote access authentication

based on RADIUS and improves many of its weaknesses, but is not compatible with RADIUS

Question 49

TACACS+

Answer 49

remote access authentication

Terminal Access Controller Access Control System Plus

Originally developed by Cisco and later released as an open standard

Provides several improvements over RADIUS

Separates authentication, authorization and accounting into separate processes, which can be hosted on three different servers if desired

Encrypts all of the authentication information, not just the password

Uses TCP port 49, providing a higher level of reliability for the packet transmissions

Question 50

Root user / superuser

Answer 50

Linux equivalent of an administrator account on Windows

Question 51

su command (Linux)

Answer 51

switch user / substitute user command in Linux to access root user account

Question 52

sudo command (Linux)

Answer 52

superuser do command

administrators with root privileges can grant permission to any user to run the sudo command by adding them to the sudo group

users in sudo group don’t need root account password, just their own credentials

once part of sudo group, user can prefix commands with sudo to run the command as root

logs will record any commands using sudo with the user’s account, as opposed to logging everything under the su account when using su command

Question 53

SAM file

Answer 53

Security Account Manager file on Windows = where account database is stored

Question 54

/etc/ shadow file on Linux

Answer 54

where account database is stored

Question 55

spraying attack

Answer 55

brute force spread out across multiple accounts/system to avoid lockout

Question 56

birthday attack

Answer 56

focuses on finding hashing collisions

Question 57

Argon2

Answer 57

algorithm that adds salt

Question 58

bcrypt

Answer 58

algorithm that adds salt

Question 59

PBKDF2

Answer 59

Password-Based Key Derivation Function 2
algorithm that adds salt

Question 60

Pepper

Answer 60

a large constant number stored elsewhere, such as a configuration value on a server or a constant stored within application code

Question 61

Mimikatz capabilities

Answer 61

read stored credentials in memory (for SSO)

can read passwords from memory

> plaintext passwords and PINs stored in the Local Security Authority Subsystem Service (LSASS)

> or password hashes

extract Kerberos tickets

extract certificates and private keys

read LM and NTLM password hashes in memory

read cleartext passwords in local security authority subsystem service (LSASS)

> malware can modify the registry to enable digest authentication and read encrypted passwords

list running processes

be run as fileless malware on remote systems

Question 62

PtH attack

Answer 62

pass-the-hash attack

allows an attacker to send a captured hash of a password to an authenticating service

primarily associated with Windows systems using NT LAN Manager (NTLM) or Kerberos

Question 63

PxExec

Answer 63

popular tools used to execute commands on remote systems once logged into an account and moving laterally

Question 64

Rubeus

Answer 64

Open source tool written in C# and used on Windows systems

used in Kerberos exploitation attacks

Question 65

Impacket

Answer 65

Open source collection of modules written in Python and used on Linux systems

used in Kerberos exploitation attacks

Question 66

overpass the hash / pass the key (Kerberos)

Answer 66

alternative to the PtH attack when NTLM is disabled on a network; even when disabled, systems still create an NTLM hash and store it in memory

An attacker can request a ticket-granting ticket (TGT) with the user’s hash and use this TGT to access network resources

Question 67

pass the ticket (Kerberos)

Answer 67

Attackers attempt to harvest tickets held in the lasass.exe process

Question 68

Silver ticket (Kerberos)

Answer 68

Uses the captured NTLM hash of a service account to create a ticket-granting service (TGS) ticket

Service accounts uses TGS tickets instead of TGT tickets

Silver ticket grants the attacker all the privileges granted to the service account

Question 69

Golden ticket (Kerberos)

Answer 69

If an attacker gains the hash of the Kerberos service account (KRBTGT), they can create tickets at will within Active Directory

The KRBTGT account encrypts and signs all Kerberos tickets within a domain with a hash of its password; because the password never changes, the hash never changes, so an attacker only needs to learn the hash once

If an attacker gains access to a domain administrator account, they can then log on to a domain controller remotely and run Mimikatz to extract the hash; this allows attackers to create forged Kerberos tickets and request TGS tickets for any service

Question 70

Kerberos brute force

Answer 70

Attackers can use the Python script kerbrute.py on Linux systems or Rubeus on Windows systems

In addition to guessing passwords, these tools can guess usernames

Question 71

ASREPRoast (Kerberos)

Answer 71

(offline password guessing)

Identifies users that don’t have Kerberos preauthentication enabled

Kerberos preauthentication is a security feature within Kerberos that helps prevent password-guessing attacks

When preauthentication is disabled, attackers can send an authentication request to a KDC, which will reply with a ticket-granting ticket (TGT) encrypted with the client’s password as the key; the attacker can then perform an offline attack to decrypt the ticket and discover the client’s password

Question 72

Kerberoasting

Answer 72

offline password guessing

Collects encrypted ticket-granting service (TGS) tickets and crack them offline