CISSP ch 14 Flashcards

1
Q

Permissions

A

the access granted for an object; permissions determine what you can do with it

E.g., read and execute permissions for an application file, which gives you the right to run the application

2
Q

Rights

A

the ability to take an action on an object

E.g., the right to modify the system on a computer or the right to restore backed-up data

3
Q

Privileges

A

combination of rights and permissions

4
Q

Capability tables

A

a way to identify privileges assigned to subjects (as opposed to ACLs, which are focused on objects)

5
Q

ACL

A

access control list

6
Q

constrained interface / restricted interface

A

used to restrict what users can do or see based on their privileges

7
Q

Content dependent control

A

restricts access to data based on the content within an object

8
Q

context dependent control

A

requires specific activity before granting users access

9
Q

DAC model

A

Discretionary Access Control model

Every object has an owner and the owner can grant or deny access to any other subject

Windows’ New Technology File System (NTFS) uses the DAC model

Identity-based access control is a subset of DAC because systems identify users based on their identity and assign resource ownership to identities

10
Q

Windows’ NTFS

A

Windows’ New Technology File System (NTFS) uses the DAC model (Discretionary Access Control)

11
Q

RBAC

A

Role Based Access Control

Uses roles or groups: instead of assigning permissions directly to users, user accounts are placed in roles and administrators assign privileges to the roles

Windows implements this model with the use of groups

12
Q

TBAC

A

Task Based Access Control

Similar to RBAC, but instead of being assigned to one or more roles, each user is assigned an array of tasks

Control access by assigned tasks rather than by user identity

13
Q

Rule based Access control

A

Applies global rules to all subjects

Rules within the rule-based access control model are sometimes referred to as restrictions or filters

E.g., firewall

14
Q

ABAC

A

Attribute Based Access Control

Use of rules that can include multiple attributes, allowing more flexibility than a rule-based access control model

Many software-defined networks (SDNs) use the ABAC model

Mobile device management (MDM) systems can use attributes to identify mobile devices

15
Q

MAC

A

Mandatory Access Control = a lattice-based model

Use of labels applied to both subjects and objects

E.g., if a user has a label of top secret, the user can be granted access to a top-secret document – both the object and subject have matching labels

Each classification label represents a security domain (e.g., Secret or Top Secret), or a realm of security

16
Q

Types of MAC environments

A

Hierarchical

Compartmentalized

Hybrid

17
Q

Hierarchical (MAC environment)

A

Relates various classification labels in an ordered structure from low security to high security, such as Confidential, Secret and Top Secret

Each level or classification label is related: Clearance in one level grants the subject access to objects in that level as well as to all objects in lower levels but prohibits access to all objects in higher levels

18
Q

Compartmentalized (MAC environment)

A

No relationship between one security domain and another; each domain represents a specific isolated compartment

19
Q

Risk-based Access control

A

Grants access after evaluating risk

Evaluates the environment and the situation and makes risk-based decisions using policies embedded within software code

Can use machine learning to make predictive conclusions about current activity based on past activity

20
Q

nondiscretionary Access controls

A

administrators centrally manage nondiscretionary access controls and can make changes that affect the entire environment

21
Q

XML

A

Extensible Markup Language

Goes beyond describing how to display the data by actually describing the data

Can include tags to describe data as anything desired:

<ExamResults>Passed</ExamResults>

Databases from multiple vendors can import and export data to and from an XML format, making XML a common language used to exchange information

Many specific schemas exist, and if companies agree on what schemas to use, they can easily share information

22
Q

SAML

A

Security Assertion Markup Language

An open XML-based standard commonly used to exchange authentication and authorization (AA) information between federated organizations

Provides SSO capabilities for browser access

The Organization for the Advancement of Structured Information Standards (OASIS) adopted SAML 2.0 as a standard in 2005, and has maintained it since then

Utilizes three entities:

Principal or user agent

Service Provider (SP)

Identity Provider (IdP)

23
Q

SP (SAML)

A

Service Provider (SP)

The service being accessed, which requires authentication and authorization

24
Q

IdP (SAML)

A

Identity Provider (IdP)

Third party that holds the user authentication and authorization information

25
Q

IdP assertions (SAML)

A

Authentication Assertion

Authorization Assertion

Attribute Association

26
Q

Authentication Assertion (SAML)

A

Provides proof that the user agent provided the proper credentials, identifies the identification method and identifies the time the user agent logged on

27
Q

Authorization Assertion (SAML)

A

Indicates whether the user agent is authorized to access the requested service

If the message indicates access is denied, it indicates why

28
Q

Attribute association

A

Attributes can be any information about the user agent

29
Q

OAuth 2.0

A

An authorization framework (not an authentication protocol) described in RFC 6749 and maintained by the Internet Engineering Task Force (IETF)

Many companies on the internet use it to share account information with third-party websites by sending the third-party an authentication token in an API message

OAuth 2.0 is not backward compatible with OAuth 1.0

30
Q

OpenID

A

An open standard maintained by the OpenID Foundation rather than as an RFC standard

Provides decentralized authentication, allowing users to log into multiple unrelated websites (i.e., a relying party) with one set of credentials maintained by a third-party service referred to as an OpenID provider

31
Q

OIDC

A

OpenID Connect

An authentication layer using the OAuth 2.0 authorization framework

Provides both authentication and authorization

Uses a JavaScript Object Notation (JSON) web token (JWT), also called an ID token

OpenID Connect uses a web service to retrieve the JWT

In addition to providing authentication, the JWT can also include profile information about the user

E.g., logging onto eBay with a Google account

32
Q

JSON

A

JavaScript Object Notation

33
Q

JWT

A

JavaScript Object Notation (JSON) web token, also called an ID token when used in OIDC

34
Q

Kerberos

A

Most common and well-known ticket authentication system – ticket authentication is a mechanism that employs a third-party to prove identification and provide authentication

Primary purpose of Kerberos is authentication – after users authenticate and prove their identity, Kerberos uses their proven identity to issue tickets, and user accounts present these tickets when accessing resources

Offers an SSO solution for users and protects logon credentials

Relies on symmetric-key cryptography using AES

Provides confidentiality and integrity for authentication traffic using end-to-end security and helps protect against eavesdropping and replay attacks

35
Q

Kerberos elements

A

KDC = Key Distribution Center

Kerberos Authentication Server

Ticket / service ticket (ST)

TGT = Ticket-Granting Ticket

Kerberos Principal

Kerberos Realm

36
Q

KDC (Kerberos)

A

Key Distribution Center

Trusted third party that provides authentication services

All clients and servers are registered with the KDC, and it maintains the secret keys for all network members

37
Q

TGS (Kerberos)

A

ticket granting service

38
Q

AS (Kerberos)

A

authentication service

39
Q

Kerberos authentication server

A

Hosts the functions of the KDC: a ticket granting service (TGS) and an authentication service (AS)

Authentication service verifies or rejects the authenticity and timeliness of tickets

40
Q

Ticket / Service ticket (Kerberos)

A

An encrypted message that provides proof that a subject is authorized to access an object

Sometimes called a service ticket (ST)

Subjects request tickets to access objects

Tickets have specific lifetimes and usage parameters

41
Q

TGT

A

Ticket-Granting Ticket

Provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects

Encrypted, and includes a symmetric key, an expiration time and the user’s IP address

Subjects present the TGT when requesting tickets to access objects

42
Q

Kerberos Principal

A

A user/entity that requests a ticket

43
Q

Kerberos Realm

A

A logical area (e.g., domain or network) ruled by Kerberos

44
Q

AD

A

Microsoft’s Active Directory

Example of a directory service where database of accounts is stored

45
Q

DC

A

domain controller

46
Q

NTP server

A

Network Time Protocol server = synchronized with the DC (domain controller) in an Active Directory domain

47
Q

RADIUS

A

Remote Authentication Dial-in User Service

Centralizes authentication for remote access connections

Used when an organization has more than one network access server

A user can connect to any network access server which then passes on the user’s credentials to the RADIUS server to verify authentication and authorization and to track accounting

Network access server = RADIUS client

RADIUS server = authentication server

Many internet service providers (ISPs) use RADIUS for authentication

Uses UDP by default (port 1812 for RADIUS messages and port 1813 for RADIUS accounting messages) and encrypts only the password’s exchange

Current version is defined in RFC 2865

RFC 6614 (experimental) defines how RADIUS can use TLS over TCP (port 2083) to encrypt the entire session

48
Q

Diameter

A

remote access authentication

based on RADIUS and improves many of its weaknesses, but is not compatible with RADIUS

49
Q

TACACS+

A

remote access authentication

Terminal Access Controller Access Control System Plus

Originally developed by Cisco and later released as an open standard

Provides several improvements over RADIUS

Separates authentication, authorization and accounting into separate processes, which can be hosted on three different servers if desired

Encrypts all of the authentication information, not just the password

Uses TCP port 49, providing a higher level of reliability for the packet transmissions

50
Q

Root user / superuser

A

Linux equivalent of an administrator account on Windows

51
Q

su command (Linux)

A

switch user / substitute user command in Linux to access root user account

52
Q

sudo command (Linux)

A

superuser do command

administrators with root privileges can grant permission to any user to run the sudo command by adding them to the sudo group

users in sudo group don’t need root account password, just their own credentials

once part of sudo group, user can prefix commands with sudo to run the command as root

logs will record any commands run with sudo under the user’s account, as opposed to logging everything under the root account when using the su command

53
Q

SAM file

A

Security Account Manager file on Windows = where account database is stored

54
Q

/etc/shadow file on Linux

A

where account database is stored

55
Q

spraying attack

A

brute force spread out across multiple accounts/systems to avoid lockout

56
Q

birthday attack

A

focuses on finding hashing collisions

57
Q

Argon2

A

algorithm that adds salt

58
Q

bcrypt

A

algorithm that adds salt

59
Q

PBKDF2

A

Password-Based Key Derivation Function 2
algorithm that adds salt

60
Q

Pepper

A

a large constant number stored elsewhere, such as a configuration value on a server or a constant stored within application code

61
Q

Mimikatz capabilities

A

read stored credentials in memory (for SSO)

can read passwords from memory

> plaintext passwords and PINs stored in the Local Security Authority Subsystem Service (LSASS)

> or password hashes

extract Kerberos tickets

extract certificates and private keys

read LM and NTLM password hashes in memory

read cleartext passwords in local security authority subsystem service (LSASS)

> malware can modify the registry to enable digest authentication and read encrypted passwords

list running processes

be run as fileless malware on remote systems

62
Q

PtH attack

A

pass-the-hash attack

allows an attacker to send a captured hash of a password to an authenticating service

primarily associated with Windows systems using NT LAN Manager (NTLM) or Kerberos

63
Q

PsExec

A

popular tool used to execute commands on remote systems once logged into an account, and to move laterally

64
Q

Rubeus

A

Open-source tool written in C# and used on Windows systems

used in Kerberos exploitation attacks

65
Q

Impacket

A

Open-source collection of modules written in Python and used on Linux systems

used in Kerberos exploitation attacks

66
Q

overpass the hash / pass the key (Kerberos)

A

alternative to the PtH attack when NTLM is disabled on a network; even when disabled, systems still create an NTLM hash and store it in memory

An attacker can request a ticket-granting ticket (TGT) with the user’s hash and use this TGT to access network resources

67
Q

pass the ticket (Kerberos)

A

Attackers attempt to harvest tickets held in the lsass.exe process

68
Q

Silver ticket (Kerberos)

A

Uses the captured NTLM hash of a service account to create a ticket-granting service (TGS) ticket

Service accounts use TGS tickets instead of TGTs

Silver ticket grants the attacker all the privileges granted to the service account

69
Q

Golden ticket (Kerberos)

A

If an attacker gains the hash of the Kerberos service account (KRBTGT), they can create tickets at will within Active Directory

The KRBTGT account encrypts and signs all Kerberos tickets within a domain with a hash of its password; because the password never changes, the hash never changes, so an attacker only needs to learn the hash once

If an attacker gains access to a domain administrator account, they can then log on to a domain controller remotely and run Mimikatz to extract the hash; this allows attackers to create forged Kerberos tickets and request TGS tickets for any service

70
Q

Kerberos brute force

A

Attackers can use the Python script kerbrute.py on Linux systems or Rubeus on Windows systems

In addition to guessing passwords, these tools can guess usernames

71
Q

ASREPRoast (Kerberos)

A

(offline password guessing)

Identifies users that don’t have Kerberos preauthentication enabled

Kerberos preauthentication is a security feature within Kerberos that helps prevent password-guessing attacks

When preauthentication is disabled, attackers can send an authentication request to a KDC, which will reply with a ticket-granting ticket (TGT) encrypted with the client’s password as the key; the attacker can then perform an offline attack to decrypt the ticket and discover the client’s password

72
Q

Kerberoasting

A

offline password guessing

Collects encrypted ticket-granting service (TGS) tickets and cracks them offline