CISSP ch 14 Flashcards
Permissions
the access granted for an object; determines what you can do with it
E.g., read and execute permissions for an application file, which gives you the right to run the application
Rights
the ability to take an action on an object
E.g., the right to modify the system on a computer or the right to restore backed-up data
Privileges
combination of rights and permissions
Capability tables
a way to identify privileges assigned to subjects (as opposed to ACLs, which are focused on objects)
ACL
access control list
constrained interface / restricted interface
used to restrict what users can do or see based on their privileges
Content dependent control
restricts access to data based on the content within an object
context dependent control
requires specific activity before granting users access
DAC model
Discretionary Access Control model
Every object has an owner and the owner can grant or deny access to any other subject
Windows’ New Technology File System (NTFS) uses the DAC model
Identity-based access control is a subset of DAC because systems identify users based on their identity and assign resource ownership to identities
Windows’ NTFS
Windows’ New Technology File System (NTFS) uses the DAC model (Discretionary Access Control)
RBAC
Role Based Access Control
Uses roles or groups: instead of assigning permissions directly to users, user accounts are placed in roles and administrators assign privileges to the roles
Windows implements this model with the use of groups
TBAC
Task Based Access Control
Similar to RBAC, but instead of being assigned to one or more roles, each user is assigned an array of tasks
Control access by assigned tasks rather than by user identity
Rule based Access control
Applies global rules to all subjects
Rules within the rule-based access control model are sometimes referred to as restrictions or filters
E.g., firewall
ABAC
Attribute Based Access Control
Use of rules that can include multiple attributes, allowing more flexibility than a rule-based access control model
Many software-defined networks (SDNs) use the ABAC model
Mobile device management (MDM) systems can use attributes to identify mobile devices
MAC
Mandatory Access Control = a lattice-based model
Use of labels applied to both subjects and objects
E.g., if a user has a label of top secret, the user can be granted access to a top-secret document – both the object and subject have matching labels
Each classification label represents a security domain (e.g., Secret or Top Secret), or a realm of security
Types of MAC environments
Hierarchical
Compartmentalized
Hybrid
Hierarchical (MAC environment)
Relates various classification labels in an ordered structure from low security to high security, such as Confidential, Secret and Top Secret
Each level or classification label is related: Clearance in one level grants the subject access to objects in that level as well as to all objects in lower levels but prohibits access to all objects in higher levels
Compartmentalized (MAC environment)
No relationship between one security domain and another; each domain represents a specific isolated compartment
Risk-based Access control
Grants access after evaluating risk
Evaluates the environment and the situation and makes risk-based decisions using policies embedded within software code
Can use machine learning to make predictive conclusions about current activity based on past activity
nondiscretionary Access controls
administrators centrally manage nondiscretionary access controls and can make changes that affect the entire environment
XML
Extensible Markup Language
Goes beyond describing how to display the data by actually describing the data
Can include tags to describe data as anything desired:
<ExamResults>Passed</ExamResults>
Databases from multiple vendors can import and export data to and from an XML format, making XML a common language used to exchange information
Many specific schemas exist, and if companies agree on what schemas to use, they can easily share information
SAML
Security Assertion Markup Language
An open XML-based standard commonly used to exchange authentication and authorization (AA) information between federated organizations
Provides SSO capabilities for browser access
The Organization for the Advancement of Structured Information Standards (OASIS) adopted SAML 2.0 as a standard in 2005, and has maintained it since then
Utilizes three entities:
Principal or user agent
Service Provider (SP)
Identity Provider (IdP)
SP (SAML)
Service Provider (SP)
The service being accessed, which requires authentication and authorization
IdP (SAML)
Identity Provider (IdP)
Third party that holds the user authentication and authorization information
IdP assertions (SAML)
Authentication Assertion
Authorization Assertion
Attribute Association
Authentication Assertion (SAML)
Provides proof that the user agent provided the proper credentials, identifies the identification method and identifies the time the user agent logged on
Authorization Assertion (SAML)
Indicates whether the user agent is authorized to access the requested service
If the message indicates access is denied, it indicates why
Attribute association
Attributes can be any information about the user agent
OAuth 2.0
An authorization framework (not an authentication protocol) described in RFC 6749 and maintained by the Internet Engineering Task Force (IETF)
Many companies on the internet use it to share account information with third-party websites by sending the third-party an authentication token in an API message
OAuth 2.0 is not backward compatible with OAuth 1.0
OpenID
An open standard maintained by the OpenID Foundation rather than as an RFC standard
Provides decentralized authentication, allowing users to log into multiple unrelated websites (i.e., a relying party) with one set of credentials maintained by a third-party service referred to as an OpenID provider
OIDC
OpenID Connect
An authentication layer using the OAuth 2.0 authorization framework
Provides both authentication and authorization
Uses a JavaScript Object Notation (JSON) web token (JWT), also called an ID token
OpenID Connect uses a web service to retrieve the JWT
In addition to providing authentication, the JWT can also include profile information about the user
E.g., logging onto eBay with a Google account
JSON
JavaScript Object Notation
JWT
JavaScript Object Notation (JSON) web token, also called an ID token when used in OIDC
Kerberos
Most common and well-known ticket authentication system – ticket authentication is a mechanism that employs a third-party to prove identification and provide authentication
Primary purpose of Kerberos is authentication – after users authenticate and prove their identity, Kerberos uses their proven identity to issue tickets, and user accounts present these tickets when accessing resources
Offers an SSO solution for users and protects logon credentials
Relies on symmetric-key cryptography using AES
Provides confidentiality and integrity for authentication traffic using end-to-end security and helps protect against eavesdropping and replay attacks
Kerberos elements
KDC = Key Distribution Center
Kerberos Authentication Server
Ticket / service ticket (ST)
TGT = Ticket-Granting Ticket
Kerberos Principal
Kerberos Realm
KDC (Kerberos)
Key Distribution Center
Trusted third party that provides authentication services
All clients and servers are registered with the KDC, and it maintains the secret keys for all network members
TGS (Kerberos)
ticket granting service
AS (Kerberos)
authentication service
Kerberos authentication server
Hosts the functions of the KDC: a ticket granting service (TGS) and an authentication service (AS)
Authentication service verifies or rejects the authenticity and timeliness of tickets
Ticket / Service ticket (Kerberos)
An encrypted message that provides proof that a subject is authorized to access an object
Sometimes called a service ticket (ST)
Subjects request tickets to access objects
Tickets have specific lifetimes and usage parameters
TGT
Ticket-Granting Ticket
Provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects
Encrypted, and includes a symmetric key, an expiration time and the user’s IP address
Subjects present the TGT when requesting tickets to access objects
Kerberos Principal
A user/entity that requests a ticket
Kerberos Realm
A logical area (e.g., domain or network) ruled by Kerberos
AD
Microsoft’s Active Directory
Example of a directory service where database of accounts is stored
DC
domain controller
NTP server
Network Time Protocol server = synchronized with the DC (domain controller) in an Active Directory domain
RADIUS
Remote Authentication Dial-in User Service
Centralizes authentication for remote access connections
Used when an organization has more than one network access server
A user can connect to any network access server which then passes on the user’s credentials to the RADIUS server to verify authentication and authorization and to track accounting
Network access server = RADIUS client
RADIUS server = authentication server
Many internet service providers (ISPs) use RADIUS for authentication
Uses UDP by default (port 1812 for RADIUS messages and port 1813 for RADIUS accounting messages) and encrypts only the password’s exchange
Current version is defined in RFC 2865
RFC 6614 (experimental) defines how RADIUS can use TLS over TCP (port 2083) to encrypt the entire session
Diameter
remote access authentication
based on RADIUS and improves many of its weaknesses, but is not compatible with RADIUS
TACACS+
remote access authentication
Terminal Access Controller Access Control System Plus
Originally developed by Cisco and later released as an open standard
Provides several improvements over RADIUS
Separates authentication, authorization and accounting into separate processes, which can be hosted on three different servers if desired
Encrypts all of the authentication information, not just the password
Uses TCP port 49, providing a higher level of reliability for the packet transmissions
Root user / superuser
Linux equivalent of an administrator account on Windows
su command (Linux)
switch user / substitute user command in Linux to access the root user account
sudo command (Linux)
superuser do command
administrators with root privileges can grant permission to any user to run the sudo command by adding them to the sudo group
users in sudo group don’t need root account password, just their own credentials
once part of sudo group, user can prefix commands with sudo to run the command as root
logs record any commands run with sudo under the user’s own account, as opposed to logging everything under the root account when using the su command
SAM file
Security Account Manager file on Windows = where account database is stored
/etc/shadow file on Linux
where account database is stored
spraying attack
brute force spread out across multiple accounts/systems to avoid lockout
birthday attack
focuses on finding hashing collisions
Argon2
algorithm that adds salt
bcrypt
algorithm that adds salt
PBKDF2
Password-Based Key Derivation Function 2
algorithm that adds salt
Pepper
a large constant number stored elsewhere, such as a configuration value on a server or a constant stored within application code
Mimikatz capabilities
read stored credentials in memory (for SSO)
can read passwords from memory
> plaintext passwords and PINs stored in the Local Security Authority Subsystem Service (LSASS)
> or password hashes
extract Kerberos tickets
extract certificates and private keys
read LM and NTLM password hashes in memory
read cleartext passwords in local security authority subsystem service (LSASS)
> malware can modify the registry to enable digest authentication and read encrypted passwords
list running processes
be run as fileless malware on remote systems
PtH attack
pass-the-hash attack
allows an attacker to send a captured hash of a password to an authenticating service
primarily associated with Windows systems using NT LAN Manager (NTLM) or Kerberos
PsExec
popular tool used to execute commands on remote systems once logged into an account, in order to move laterally
Rubeus
Open source tool written in C# and used on Windows systems
used in Kerberos exploitation attacks
Impacket
Open source collection of modules written in Python and used on Linux systems
used in Kerberos exploitation attacks
overpass the hash / pass the key (Kerberos)
alternative to the PtH attack when NTLM is disabled on a network; even when disabled, systems still create an NTLM hash and store it in memory
An attacker can request a ticket-granting ticket (TGT) with the user’s hash and use this TGT to access network resources
pass the ticket (Kerberos)
Attackers attempt to harvest tickets held in the lsass.exe process
Silver ticket (Kerberos)
Uses the captured NTLM hash of a service account to create a ticket-granting service (TGS) ticket
Service accounts use TGS tickets instead of TGT tickets
Silver ticket grants the attacker all the privileges granted to the service account
Golden ticket (Kerberos)
If an attacker gains the hash of the Kerberos service account (KRBTGT), they can create tickets at will within Active Directory
The KRBTGT account encrypts and signs all Kerberos tickets within a domain with a hash of its password; because the password never changes, the hash never changes, so an attacker only needs to learn the hash once
If an attacker gains access to a domain administrator account, they can then log on to a domain controller remotely and run Mimikatz to extract the hash; this allows attackers to create forged Kerberos tickets and request TGS tickets for any service
Kerberos brute force
Attackers can use the Python script kerbrute.py on Linux systems or Rubeus on Windows systems
In addition to guessing passwords, these tools can guess usernames
ASREPRoast (Kerberos)
(offline password guessing)
Identifies users that don’t have Kerberos preauthentication enabled
Kerberos preauthentication is a security feature within Kerberos that helps prevent password-guessing attacks
When preauthentication is disabled, attackers can send an authentication request to a KDC, which will reply with a ticket-granting ticket (TGT) encrypted with the client’s password as the key; the attacker can then perform an offline attack to decrypt the ticket and discover the client’s password
Kerberoasting
offline password guessing
Collects encrypted ticket-granting service (TGS) tickets and cracks them offline