CISSP Domain 5 Flashcards
Synchronous dynamic password tokens
Time-based, synchronised with the authentication server
Generates a PIN periodically
Asynchronous dynamic password tokens
Generates a PIN based on an algorithm plus an incrementing counter
Face scan
Geometric pattern of the face
Fingerprint
Visible pattern on the hands
Retina scans, and accuracy level?
Focuses on the pattern of blood vessels at the back of the eye
Iris scans, and accuracy level?
Coloured area around the pupil (second most accurate, after retina)
2 types of OTP
HOTP: Uses HMAC to create a 6-digit OTP
Valid until used
TOTP: Timestamp-based and remains valid for a certain time
What is a service account and how is its password managed?
Non-user account
Password must be changed manually
Configure it to be non-interactive for users
Directory services
Centralised database that includes info on subjects and objects, including authentication data
Based on LDAP services
Security domain, and how can trust be established?
Collection of subjects and objects that share a common security policy
Trusts are established and can be one-way or two-way
Federated identity management, and can you give examples of cloud-based FIM?
SSO is common in internal networks but can be implemented externally using FIM
Cloud-based: Udemy, LinkedIn
Works on a trust relationship between user, IdP and service provider
Types of FIM
On-premise
Cloud
Hybrid
Just in time
Just in time
Food app in CG offers not only food but other benefits
Exchange of data happens from CG to the food app using SAML
Ephemeral or broker, and remove access
Excessive privilege vs privilege creep
More than what is required
Accumulation of privilege
What are the identity management implementation techniques?
Centralised access control - a single entity performs all authorization verification - GAS
Decentralised access control - various entities located throughout perform authorization verification
Kerberos steps
- Client requests access to the Kerberos environment
- Client sends username to TGT (Authentication Service) - domain controller
- AS encrypts TGT with the client's password
- Only the client can decrypt the TGT using the password
- Enters realm with TGT
- Client sends request to TGS to access the printer
- Verifies TGT and grants a ticket
- Cool thing about this ticket:
- 2 copies of the exact same session key
Key 1: Encrypted with the client's password
Key 2: Encrypted with the print server's password
- Only the print server can decrypt the session key using its password
- This proves the client has been authenticated and can establish a session to fulfill the client's desired request - mutual authentication
Secured network design - bastion host, screened host and screened subnet
Bastion host: exposed to the internet but hardened
Screened host: firewall-protected system logically positioned inside the network
Screened subnet: 3-way
Vertical privilege escalation
Greater privilege than what is required, like admin privilege
Horizontal privilege escalation
Lateral movement, that is, accessing other computers within the network
Mimikatz
Attackers use this tool to gain admin access and then vertical privilege
Salt
Adding random values to a password before it is hashed
Pepper
The salt is still in the DB along with the hash; adding a pepper increases security. A pepper is a large constant value stored in the server or app code
Sniffing attack
Captures information (packets) traveling across the network
What is the purpose of implementing SSO?
You should never give your credentials to a third party; instead use SAML, OpenID, OAuth or OIDC to solve this problem
They share AA and profile info with the third party
XML
Data will be in multiple formats; XML standardizes it by using a common language to share information between vendors
SAML, 3 entities
XML-based standard to exchange authentication and authorization attribute information between federated organisations. Provides SSO capabilities
Service provider, principal, identity provider
Used in AD
In SAML the IdP can send 3 types of XML messages (assertions)
Authentication assertion
Authorization assertion
Attribute assertion
OAuth
Authorization framework, not an authentication protocol
It exchanges API messages and uses a token to show that access is authorised
OpenID
Provides decentralised authentication, allowing users to log into multiple unrelated websites with one set of credentials maintained by an OpenID provider
User has to enter an OpenID identifier, whereas in others it happens in the backend
OIDC
Authentication layer which uses the OAuth 2.0 authorization framework
It provides both authentication and authorisation
Google account to log in to LinkedIn
Uses JSON
Risk-based access control
Risk-based decision based on availability of data
Evaluates the environment, situation and security policies
Sometimes uses binary rules to control access
MAC and 3 types of environment
Based on label (security clearance) and security domain
User would need both the label and the security domain to access need-to-know data
Implicit deny
Hierarchical - label
Compartmentalized - security domain
Hybrid - combination of both
Rule-based access control
Uses global rules applied to all users and other subjects equally
Role-based access control
Based on role or group membership
Users can be members of multiple groups
RADIUS
AAA protocol services
Uses UDP and encrypts the password only
TACACS+
Uses TCP and encrypts the entire session
Admin access to network devices
Pass the hash
NTLM legacy protocol
Pass the ticket
Kerberos
Accountability
I+A+A
Smartcards
Microprocessor + cryptographic certificates
Gait analysis
The way one walks
3 types of security controls
Assets
1. Administrative - policies
2. Logical/technical - protect against attacks and exploits
3. Physical
Tempest
Electronic emanations that every monitor produces can be read from a distance (effective on CRT monitors)
Shoulder surfing for monitor displays
How do we reduce physical asset theft?
RFID, barcodes and inventory
Reference monitor
Access control is all about subject access to objects through mediation known as rules.
This is called the reference monitor
Implementation of the RM is through the security kernel
Who does authentication and authorisation in SSO?
Authentication is done by the authentication server and authorisation by the application using the ticket