CISSP Domain 5

Question 1

Synchronous dynamic password tokens

Answer 1

Time based synchronised with authentication server

Generate pin periodically

Question 2

Asynchronous dynamic password tokens

Answer 2

Generates pin based on an algorithm+Incrementing counter

Question 3

Face scan

Answer 3

Geometric pattern of faces

Question 4

Fingerprint

Answer 4

Visible pattern in hands

Question 5

Retina scans and accuracy level ?

Answer 5

Focus onpattern of blood vessels at back of eye

Question 6

Iris scans and accuracy level .?

Answer 6

Coloured area around the pupil ( second most accurate after retina)

Question 7

2 types of OTP

Answer 7

HOTP : Uses hmac to create OTP of 6 digits

Valid until used

TOTP: Timestamp and remains valid for certain time

Question 8

What is Service account and how to manage password

Answer 8

Non user account
Password to be changed manually
Configure it to be non interactive for user

Question 9

Directory services

Answer 9

Centralised database that includes into of Subject and object including authentication data

Based on LDAP services

Question 10

Security domain and how can trust be established?

Answer 10

collection of subjects and objects that share a common security policy

Trusts are established can be one way or two way

Question 11

Federated identity management and can you give examples of cloud based FIM

Answer 11

Sso is common in internal network but can be implemented in external using FIM

Cloud based - udemy, LinkedIn

Works on trust relationship between: User, IdP and service provider

Question 12

Type of FIM

Answer 12

On premise

Cloud

Hybrid

Just in time

Question 13

Just in time

Answer 13

Food app in CG offer not only food but other benefits

Exchange of data happens from CG to food using SAML

Ephemeral or broker and remove access

Question 14

Excessive Prevlige Vs prevlige creep

Answer 14

More than what is required

Accumulation of prevlige

Question 15

What are Identity management implementation techniques

Answer 15

Centralised access control - Single entity performs all Authorization verification - GAS

Decentralised access control- Various entities located throughout perform Authorization verification

Question 16

Kerberos steps

Answer 16

1. Client requests access to Kerberos environment
2. Client sends username to TGT ( Authentication service) - Domain controller
3. AS encrypts TGT with clients password
4. Only the client can decrypt TGT using password
5. Enters Realm with TGT
6. Client sends request to TGS to access printer
7. Verifies TGT and grants a Ticket
8. Cool thing about this ticket:
   -2 copies of the exact same session key

Key 1: Encrypted with clients password
Key 2:Print server password

9. Only the print server can decrypt the session key using its password
10. This proves the client has been authenticated and can establish a session to fulfill the desired requirement of client -Mutual authentication

Question 17

Secured network design - Bastion host, screened host and subnet

Answer 17

Bastion host: Exposed to the internet but Hardened

Screened host: Firewall protected system logically positioned inside network

Screened subnet : 3 way

Question 18

Vertical prevlige escalation

Answer 18

Greater privilege than what is required like admin privilege

Question 19

Horizontal prevlige

Answer 19

Lateral movement that is access other computers within the network

Question 20

Mimikatz

Answer 20

Attackers use this tool to gain admin and then vertical privilege

Question 21

Salt

Answer 21

Adding random values to a password before it’s hashed

Question 22

Pepper

Answer 22

Salt is still in db along with hash adding pepper increases security which is large constant values stored in server or app code

Question 23

Sniffing attack

Answer 23

Captures information (packet) traveling across the network

Question 24

What is the purpose of implementing sso ?

Answer 24

You should never give your credentials to third party instead use SAML, open Id OAuth, OIDC to solve this problem

They share AA and profile info with third party

Question 25

XML

Answer 25

Data will be in multiple format XML standardizes it by using common language to share information between vendors

Question 26

SAML, 3 entities

Answer 26

XML based standard to exchange information about Authentication and Authorization attributes information information between federated organisations. Provides SSO capabilities

Service provider, Principal, identity provider

Used in AD

Question 27

In SAML IdP can send 3 types of XML messages ( Assertions)

Answer 27

Authentication assertion

Authorization assertion

Attributes assertion

Question 28

O Auth

Answer 28

Authorization framework not Authentication protocols

It exchanges API messages and uses a token to show that access is authorised

Question 29

Open ID

Answer 29

Provides decentralised authentication allowing users to log into multiple unrelated websites with one set of credentials maintained by open ID provider

User to enter open ID identifier whereas others it happens backend

Question 30

OIDC

Answer 30

Authentication layer which users OAuth 2.0 Authorization framework

It provides both authentication and authorisation

Google account to login to LinkedIn

Uses JSON

Question 31

Risk based access control

Answer 31

Risk based decision based on availability of data

Evaluates the environment , situation and security policies

Sometime uses binary rules to control access

Question 32

MAC and 3 types of environment

Answer 32

Based on label (security clearance) and security Domain

User would need both label and security Domain to access need to know data

Implicit deny

Hierarchical- label
Comportmatlized - Security domain
Hybrid - combination of both

Question 33

Rule based access control

Answer 33

Uses global rules applied to all users and other subjects equally

Question 34

Role based access control

Answer 34

Based on role or Group memberships

Users can be part of members of multiple groups

Question 35

Radius

Answer 35

AAA protocol services
Users udp and encrypts password only

Question 36

TACACS+

Answer 36

Uses TCP and encrypts entire session

Admin access to network devices

Question 37

Pass the hash

Answer 37

NTLM legacy protocol

Question 38

Pass the ticket

Answer 38

Kerberos

Question 39

Accountability

Answer 39

I+A+A

Question 40

Smartcards

Answer 40

Microprocessor+ cryptography certificates

Question 41

Gait analysis

Answer 41

Way one walks

Question 42

3 types of Security controls

Answer 42

Assets
1. Administrative - policies
2. Logical/ Technical - Protect against attacks and exploits
3. Physical

Question 43

Tempest

Answer 43

Electronic emanations that every monitor produces to be read from a distance (effective on CRT monitors)

Shoulder surfing for monitor displays

Question 44

How do we reduce physical asset theft?

Answer 44

RFID , barcode and inventory

Question 45

Reference monitor

Answer 45

Access control is all about subject access to objects through meditation known as rules.

It’s called reference monitor

Implementation of RM is through security kernel

Question 46

Who does authentication and authorisation in SSO ?

Answer 46

Authentication is done by authentication server and authorisation by application using ticket