CISSP Domain 5 Flashcards

1
Q

Identity and Access Management

A

Identification methods and technologies
Authentication methods, models, technologies
Accountability, monitoring, and auditing practices
Registration and proof of identity
Identity as a service
Threats to access control practices and technologies

2
Q

Access is

A

the flow of information between a subject and an object

3
Q

A subject is

A

an active entity that requests access to an object or data within an object

4
Q

Availability

A

Information, systems, and resources must be available to users in a timely manner so productivity will not be affected

5
Q

Integrity

A

Information must be accurate, complete, and protected from unauthorized modification

6
Q

Confidentiality

A

assurance that information will not be disclosed to unauthorized individuals, programs, or processes

7
Q

Identification

A

describes a method by which a subject claims an identity. Username, account number, email address

8
Q

Authentication

A

Proof the subject is the one with the identity claimed

A second piece of a credential set

9
Q

Authorization

A

The system determines the subject has permission to access the object

10
Q

Accountability

A

The subject is identified, authenticated, authorized, and actions are recorded

11
Q

Race Condition

A

When processes carry out tasks on a shared resource in an incorrect order.

when two or more processes use the same resource and the sequence of steps within the software can be carried out in an improper order

12
Q

Factors for Authentication

A

Something a person knows
Something a person has
something a person is

Knowledge
Ownership
Characteristic

13
Q

Secure identities

A

uniqueness
Nondescript
issuance

14
Q

User provisioning

A

creation, maintenance, and deactivation of user objects and attributes

15
Q

Biometric type one error

A

False Rejection Rate

FRR

16
Q

Biometric type two error

A

False Acceptance Rate

17
Q

Crossover Error Rate

A

also called equal error rate (EER)

18
Q

Salts

A

random values added to the encryption process to add more complexity and randomness

19
Q

Cognitive passwords

A

fact or opinion based information used to verify an individual's identity

20
Q

One Time Password

A

also called dynamic password
used only once
synchronous and asynchronous

21
Q

Synchronous token

A

uses time or a counter

22
Q

Asynchronous Token

A

employs a challenge response scheme

random value called a nonce

23
Q

Memory Cards and Smart card difference

A

capacity to process information
Memory card holds information, but cannot process
Smart card holds information and can process

24
Q

Smart Card types

A

contact and contactless
Contact has a seal or chip
Contactless has antenna wire
antenna generates power

25
Q

Kerberos

A

based on symmetric key cryptography
eliminates need to transmit passwords over the network

Most implementations work with shared secret keys

26
Q

Kerberos four elements for enterprise access control

A

Scalability
Transparency
Reliability
Security

27
Q

Key distribution Center (KDC)

A

holds all users' and services' secret keys
provides authentication as well as key distribution
trust is the foundation of Kerberos security

28
Q

Kerberos provides security service to

A

Principals

can be users, applications, or network services

29
Q

Kerberos must have

A

an account for and share a secret key with each principal

30
Q

Kerberos password is transformed into

A

a secret key value

31
Q

Kerberos ticket service

A

is generated by the ticket granting service (TGS)

Serves as CA like PKI

32
Q

When a user logs into Kerberos

A

Credentials passed to Authentication service on the KDC.

User gets a ticket granting ticket

33
Q

Kerberos Ticket Granting Ticket

A

Once user is authenticated to AS (Authentication Service)

User gets a ticket granting ticket
Ticket is sent to Ticket granting Service

Instead of sending passwords over the network, the Ticket Granting Ticket is sent to the Ticket Granting Service

TGT has a time limit

34
Q

Reason to use Kerberos

A

principals do not trust each other enough to communicate directly

Similar to PKI. TGS serves as CA

35
Q

Kerberos weaknesses

A

KDC can be a single point of failure
must respond in a timely manner.
must be scalable
Secret keys are temporarily stored on user workstations
Kerberos is subject to password guessing
Network traffic is not protected by Kerberos if encryption is not enabled
Short keys are vulnerable to brute-force attacks
Kerberos needs client and server clocks to be synchronized

36
Q

Digital Identity

A

facts, or attributes, of a user

37
Q

Federated identity

A

can be used across multiple domains
a portable identity

allows a user to be authenticated across multiple systems and enterprises

Is a key component of e-commerce

38
Q

Web portal

A

parts of a website that act as a point of access to information
presents information from diverse sources in a unified manner
can offer various services, including email and news

39
Q

Web portals are made up of

A

portlets, which are pluggable user interface software components
A portal is made up of individual portlets

40
Q

HTML came from

A

Standard Generalized Markup Language

41
Q

Extensible Markup Language

A

a universal, functional standard

42
Q

SPML

A

Service Provisioning Markup Language
allows exchange of provisioning data between applications
Could reside in one organization or many.
Allows for automation of user management and access entitlement configuration related to electronically published services.

43
Q

SPML 3 main entities

A

Requesting Authority
Provisioning service Provider
Provisioning Service Target

44
Q

SPML requesting authority

A

entity making a request to set up an account

45
Q

SPML Provisioning Service Provider

A

software that responds to account requests

46
Q

SPML Provisioning Service Target

A

Carries out the provisioning activities on the requested system

47
Q

SAML

A

Security Assertion Markup Language

XML standard that allows authentication and authorization data to be exchanged between 2 security domains

48
Q

SAML provides

A

authentication pieces to federated identity management systems to allow business to business and business to consumer transactions

49
Q

Web Services

A

collection of technologies and standards that allow services to be provided on distributed systems

50
Q

Transmission of SAML data

A

SOAP
a specification that outlines how information pertaining to web services is exchanged in a structured manner
Provides a basic messaging framework.

51
Q

SOAP

A

Simple Object Access Protocol
a specification that outlines how information pertaining to web services is exchanged in a structured manner
Provides a basic messaging framework.

52
Q

SOA

A

Service Oriented Architecture

Provide independent services residing on different systems in different domains

53
Q

Extensible Access Control Markup Language

A

XACML
used to express security policies and access rights to assets provided through web services
Sends authentication information

54
Q

OpenID

A

standard for user authentication by third parties
credentials are not maintained by the company, but a third party such as Google, Yahoo, or Facebook
Frees up website developers from the need to set up authentication mechanisms

55
Q

OpenID roles

A

End User
Resource Party
OpenID provider

56
Q

OAuth

A

Open standard for authorization to third parties

57
Q

Identity as a Service

A

type of software as a service

provides SSO, Federated IdM, password management

58
Q

Access Control Models

A

framework that dictates how subjects access objects

59
Q

Three types of access control models

A

Discretionary
Mandatory
Role Based

60
Q

Constrained User Interfaces

A

restrict user abilities by not allowing certain functions

61
Q

Three major types of Constrained User Interfaces

A

Menus and shells
database views
physically constrained interfaces

62
Q

Access Control Matrix

A

table of subjects and objects indicating what actions individual subjects can take upon individual objects

63
Q

Capability Table

A

Specifies access rights a certain subject possesses pertaining to specific objects

64
Q

Content dependent access control

A

filters according to strings

65
Q

RADIUS

A

Remote Authentication Dial In User Service

Network protocol that provides client/server authentication and authorization, and audits remote users

66
Q

TACACS

A

Terminal Access Controller Access Control System

Combines its authentication and authorization processes

67
Q

Three generations of TACACS

A

TACACS, Extended TACACS, and TACACS+

TACACS combines authentication and authorization

XTACACS separates the authentication and authorization processes

TACACS+ is XTACACS with 2 factor

68
Q

TACACS vs TACACS+

A

TACACS uses fixed passwords

TACACS+ allows users to employ dynamic passwords

69
Q

RADIUS encryption

A

RADIUS encrypts only the password, and only as it is being transmitted from the RADIUS client to the server.

Username, accounting and authorized services are transmitted in clear text.

RADIUS is subject to replay attacks

70
Q

TACACS+ encryption

A

TACACS+ encrypts all authentication data between the client and server

71
Q

Diameter

A

builds upon the functionality of RADIUS

Is another AAA protocol but provides more flexibility and capabilities

72
Q

Mobile IP

A

allows a user to move from one network to another with the same IP address.

Allows a user to have a home IP Address

73
Q

Two portions of diameter

A

first is the base protocol that provides secure communication among Diameter entities, feature discovery, and version negotiation

Second is the extensions built on top of the base protocol to allow various technologies to use it.

74
Q

Diameter provides AAA functionality

A

Authentication
PAP, CHAP, EAP
End to end protection of authentication information
Replay attack protection
Authorization
Redirects, secure proxies, relays, and brokers
State reconciliation
Unsolicited disconnect
Reauthorization on demand
Accounting
Reporting, roaming operations, accounting, event monitoring

75
Q

Access Control Layers

A

Administrative Controls
Physical Controls
Technical Controls

76
Q

Tempest

A

started out as a DOD study and turned into a standard that outlines how to develop countermeasures.
TEMPEST remediates picking up information through the airwaves.

77
Q

Alternatives to TEMPEST

A

white noise or control zone

78
Q

IDS

A

designed to detect a security breach

Process of detecting unauthorized use or attack on a computer network

79
Q

IDS components

A

Sensors
Analyzers
Administrator interfaces

80
Q

State based IDS

A

Every change is a state transition.
Logon, application, etc
State is a snapshot

81
Q

Statistical Anomaly IDS

A

behavioral based system

In learning mode to build a profile of an environment’s normal

82
Q

Expert System

A

Rule based IDS made up of a knowledge base, inference engine and rule based programming

83
Q

Honeypot

A

computer setup as a sacrificial lamb on the network

not locked down, ports enabled.

84
Q

Pharming

A

redirects a victim to a seemingly legitimate site. Attacker then carries out DNS poisoning

85
Q

War dialing

A

allows attackers and administrators to dial large blocks of phone numbers in search of modems

86
Q

Vulnerability scans find

A

potential vulnerabilities. Penetration testing is required to identify vulnerabilities that can be exploited

87
Q

Common Vulnerabilities

A

Kernel flaws
Buffer Overflows
Symbolic Links
File Descriptor attacks
Race conditions
File and directory permissions

88
Q

Kernel flaws

A

below the level of the user interface

Countermeasure: Ensure that security patches, after testing, are applied to keep the window of opportunity small

89
Q

Buffer Overflows

A

bugs allowing more input than the program has space for. Overwriting data at the end of a buffer allows an attacker to inject program code and cause the processor to execute it. Gives the attacker the same level of access as the program

Countermeasure
developer education, automated source code scanners, enhanced programming libraries and strongly typed languages that disallow buffer overflows

90
Q

Symbolic Links

A

A program follows a link. Attacker can compromise the link. Might be used to delete or edit a password database

Countermeasure
Programs, and especially scripts, must be written to ensure the full path to the file cannot be circumvented

91
Q

File Descriptor Attacks

A

Numbers many operating systems use to represent open files in a process. Violated by unexpected input provided to the program

Countermeasure
Good programming and developer education, automated source code scanners, and application testing reduce vulnerability

92
Q

Race condition

A

Design of a program puts it in a vulnerable condition before ensuring those conditions are mitigated.

Countermeasure
Good programming practices and developer education; automated source code scanners and application security testing reduce this type of vulnerability

93
Q

File and directory permissions

A

errors in access control

Countermeasures
File integrity checkers

94
Q

Log reviews

A

Examination of system log files to detect security events or to verify the effectiveness of security controls

95
Q

Network Time Protocol

A

time is sent in a UDP datagram that carries a 64-bit time stamp to port 123

96
Q

Preventing Log tampering

A

Remote Logging
Simplex communication
Replication
Write Once Media
Cryptographic hash

97
Q

Network Time Protocol stratums

A

Stratum 0 Government standard
Stratum 1 core (maybe ISP)
Stratum 2 another core, maybe domain
Stratum 3 etc passes down for synchronization

98
Q

Synthetic Transactions

A

Transactions generated by a script to systematically test the behavior and performance of critical services

99
Q

Real User Monitoring RUM

A

differs from synthetic transactions in that it monitors passively.