CISSP Domain 5 Flashcards
Identity and Access Management
Identification methods and technologies
Authentication methods, models, technologies
Accountability, monitoring, and auditing practices
Registration and proof of identity
Identity as a service
Threats to access control practices and technologies
Access is
the flow of information between a subject and an object
A subject is
an active entity that requests access to an object or data within an object
Availability
Information, systems, and resources must be available to users in a timely manner so productivity will not be affected
Integrity
Information must be accurate, complete, and protected from unauthorized modification
Confidentiality
assurance that information will not be disclosed to unauthorized individuals, programs, or processes
Identification
describes a method by which a subject claims an identity. Username, account number, email address
Authentication
Proof the subject is the one with the identity claimed
A second piece of a credential set
Authorization
The system determines the subject has permission to access the object
Accountability
The subject is identified, authenticated, authorized, and actions are recorded
Race Condition
When processes carry out tasks on a shared resource in an incorrect order.
when two or more processes use the same resource and the sequence of steps within the software can be carried out in an improper order
Factors for Authentication
Something a person knows
Something a person has
Something a person is
Knowledge
Ownership
Characteristic
Secure identities
uniqueness
Nondescript
issuance
User provisioning
creation, maintenance, and deactivation of user objects and attributes
Biometric type one error
False Rejection Rate
FRR
Biometric type two error
False Acceptance Rate
Crossover Error Rate
also called equal error rate (EER)
Salts
random values added to the encryption process to add more complexity and randomness
Cognitive passwords
fact- or opinion-based information used to verify an individual's identity
One Time Password
also called dynamic password
used only once
synchronous and asynchronous
Synchronous token
uses time or a counter
Asynchronous Token
employs a challenge response scheme
random value called a nonce
Memory Cards and Smart card difference
capacity to process information
Memory card holds information, but cannot process
Smart card holds information and can process
Smart Card types
contact and contactless
Contact has a seal or chip
Contactless has antenna wire
antenna generates power
Kerberos
based on symmetric key cryptography
eliminates need to transmit passwords over the network
Most implementations work with shared secret keys
Kerberos four elements for enterprise access control
Scalability
Transparency
Reliability
Security
Key distribution Center (KDC)
holds all users and services secret keys
provides authentication as well as key distribution
trust is the foundation of Kerberos security
Kerberos provides security service to
Principals
can be users, applications, or network services
Kerberos must have
an account for and share a secret key with each principal
Kerberos password is transformed into
a secret key value
Kerberos ticket service
is generated by the ticket granting service (TGS)
Serves as CA like PKI
When a user logs into Kerberos
Credentials passed to Authentication service on the KDC.
User gets a ticket granting ticket
Kerberos Ticket Granting Ticket
Once user is authenticated to AS (Authentication Service)
User gets a ticket granting ticket
Ticket is sent to Ticket Granting Service
Instead of sending passwords over the network, the Ticket Granting Ticket is sent to the Ticket Granting Service
TGT has a time limit
Reason to use Kerberos
principals do not trust each other enough to communicate directly
Similar to PKI. TGS serves as CA
Weak
KDC can be a single point of failure
must respond in a timely manner.
must be scalable
Secret keys are temporarily stored on user workstations
Kerberos is subject to password guessing
Network traffic is not protected by Kerberos if encryption is not enabled
Short keys are vulnerable to brute-force attacks
Kerberos needs client and server clocks to be synchronized
Digital Identity
facts, or attributes, of a user
Federated identity
can be used across multiple domains
a portable identity
allows a user to be authenticated across multiple systems and enterprises
Is a key component of e-commerce
Web portal
parts of a website that act as a point of access to information
presents information from diverse sources in a unified manner
can offer various services, including email and news
Web portals are made up of
portlets, which are pluggable user interface software components
A portal is made up of individual portlets