CISSP Domain 5 - Flashcards

Question 1

Q

Introduction

Answer

A

Access: Flow of information between a subject and an object
Subject:
- Active entity that requests access to an object
- Can be a user, program or process
Object:
- Passive entity that contains the desired information of functionality
Access Control:
- Security feature that controls how subjects access objects
Example: Mike needs to make a duplicate of a document on a copier, and must enter his password. Mike is the subject, the copier is the object, and the access control is the requirement to enter a password

Question 2

Q

Introduction - Access

Answer

A

Flow of information between a subject and an object

Question 3

Q

Introduction - Subject

Answer

A

Active entity that requests access to an object

* Can be a user, program or process

Question 4

Q

Introduction - Object

Answer

A

Passive entity that contains the desired information of functionality

Question 5

Q

Introduction - Access Control

Answer

A

Security feature that controls how subjects access objects

Question 6

Q

Introduction - Example

Answer

A

Mike needs to make a duplicate of a document on a copier, and must enter his password. Mike is the subject, the copier is the object, and the access control is the requirement to enter a password

Question 7

Q

IAAA - Steps to Implement Access Controls

Answer

A

1) The subject must provide an identity
2) The subject must authenticate they are who they claim to be
3) The system validates the identity and authentication information, and then checks to see if the subject is authorized to access the object
4) The system records all activities between the subject and object for future accountability

Question 8

Q

IAAA - Logical Access Controls

Answer

A

Technical tools to carry out IAAA

Question 9

Q

IAAA - Identity - Definition

Answer

A

Uniquely represents a subject within a given environment

Question 10

Q

IAAA - Identity - Identity Attributes

Answer

A

Uniqueness: Should represent something unique about the subject
Non-descriptive: The identity name should not describe the role or purpose of the account
Issuance: How the identity is issued to the subject (email, ID card, etc)

Question 11

Q

IAAA - Identity - Best Practices

Answer

A

Each value should be unique for accountability
A standard naming scheme should be followed
The name should not describe the position or task
The name should not be shared among multiple subjects

Question 12

Q

IAAA - Identity - Identity Management - Definition

Answer

A

The process of creating, managing and retiring identities

Question 13

Q

IAAA - Identity - Identity Management - Directories - Definition

Answer

A

Central locations where all subjects and objects are tracked

Question 14

Q

IAAA - Identity - Identity Management - Directories - Namespace

Answer

A

Hierarchical naming convention that uniquely identifies a location or object

Question 15

Q

IAAA - Identity - Identity Management - Directories - Objects in a directory

Answer

A

Managed by a Directory Service

* Labeled and identified using a namespace

Question 16

Q

IAAA - Identity - Identity Management - Directories - X.500 and LDAP

Answer

A

Each object:
- Common Name (CN): Identifies that object uniquely in the directory
- Distinguished Name (DN):
  - Not required to be unique
  - Made of Domain Components (DC’s)
  - When you combine all of the DCs within a DN, you get back something that is unique in the entire directory
X.500 directory database rules
- All objects are arranged in a hierarchical parent-child relationship
- Every object has a unique name made up of unique identifiers called ‘distinguished names’
- The supported attributes for objects are defined by a schema

Question 17

Q

IAAA - Identity - Identity Management - Directories - Meta-Directory

Answer

A

Aggregates information from multiple sources and presents a unified view

Question 18

Q

IAAA - Identity - Identity Management - Directories - Virtual Directory

Answer

A

Does not aggregate the data into its own database

Question 19

Q

IAAA - Identity - Identity Management - Web Access Management (WAM)

Answer

A

Software layer that controls authentication and authorization within a web-based environment
Most often: Associated with a Single Sign-On (SSO) experience
Is coordinated authentication and authorization with external systems behind the scene
Most common sequence
1) Initial authentication
2) WAM stores a cookie on the user’s computer containing some type of session identifier
3) Each web application will use WAM to retrieve this cookie and validate that it is still valid
4) If so, the user does not need to log in again
Different sub-domains cannot access each other’s cookies

Question 20

Q

IAAA - Authentication - Introduction

Answer

A

Definition: Process of the subject proving it is who it claims to be
4 attributes for any authentication mechanism
- Transparent: User should not be aware of it
- Scalable: Not to create bottlenecks
- Reliable: No single point of failure
- Secure: Provides authentication and confidentiality

Question 21

Q

IAAA - Authentication - Factors

Answer

A

1) Something a person knows
2) Something a person has
3) Something a person is

Question 22

Q

IAAA - Authentication - Factors - 1) Something a person knows

Answer

A

Examples: Password, PIN, Lock combination

* Risk: An attacker could acquire this knowledge

Question 23

Q

IAAA - Authentication - Factors - 2) Something a person has

Answer

A

Examples: Swipe card, Smart token, Keys, Access badge

* Risk: An attacker could steal this

Question 24

Q

IAAA - Authentication - Factors - 3) Something a person is

Answer

A

Examples: Fingerprint, Retina pattern, Gait, Voice print

* Risk: An attacker could physically emulate this

Question 25

Q

IAAA - Authentication - Factors - Single Factor Authentication

Answer

A

Using one of the 3 factors

Question 26

Q

IAAA - Authentication - Factors - Multifactor Authentication

Answer

A

aka Strong Authentication

* Requires at least 2 factors

Question 27

Q

IAAA - Authentication - Managing Passwords - Introduction

Answer

A

Balance needs to be reached
- Stringent policies
- Usability

Question 28

Q

IAAA - Authentication - Managing Passwords - Password Synchronization

Answer

A

Definition: Having multiple systems update passwords at the same time
Goal: To avoid supporting multiple sets of credentials per user
Upside: If the password remains constant, the user is able to memorize a stronger password
Downside: By stealing one set of credentials, an attacker can have access multiple systems

Question 29

Q

IAAA - Authentication - Managing Passwords - Self-Service Password Reset

Answer

A

Goal: To avoid manual reset process which results in resource drain
3-step process
1) The user provides an alternative means of authentication
2) An e-mail is sent with a link. The link contains a random globally-unique identifier (GUID) that is tied to the password reset request
3) The link is clicked. The system allows the user to enter a new password

Question 30

Q

IAAA - Authentication - Managing Passwords - Assisted Password Reset

Answer

A

1) The user interacts with a helpdesk person
2) The helpdesk agent enters the answers to the security questions into an application
3) A new password is generated known to both the helpdesk person and the user
4) When the user logs in the next time, the system requires a new valid password to be provided before access will be granted

Question 31

Q

IAAA - Authentication - Managing Passwords - Single Sign-On (SSO)

Answer

A

Keeps all passwords the same across multiple systems
Provides a single infrastructure to manage credentials that all system leverage
Thin clients:
- Can take advantage of SSO
  - On boot up the device prompts the user for credentials, which are then authenticated using SSO to a central server or mainframe
  - This allows the thin client to use multiple services with a single authentication step visible to the user
Issues
- Can be very expensive
- Single point of failure
- Possible bottleneck
- An attacker can access multiple systems with a single set of credentials

Question 32

Q

IAAA - Authentication - Account Management

Answer

A

Process of creating, modifying and decommissioning user accounts on all
appropriate systems
Automated process
-Required to effectively manage this activity
- Benefits
  - Reduces errors caused by manual data entry
  - Each step in the process is tracked and logged (accountability)
  - Ensures the appropriate amount of privileges are assigned
  - Eliminates orphaned user accounts when employees leave the company
  - Makes auditors happy
- Downside
  - Very expensive to implement

Question 33

Q

IAAA - Authentication - User Provisioning

Answer

A

Definition: The act of creating user objects and attributes
User account: Includes other metadata
User: Simply represents the object
Profile:
- Created to accompany a user account
- Contains data as
  - Addresses
  - Phone numbers

Question 34

Q

IAAA - Authentication - Biometrics - Definition

Answer

A

Act of verifying an individual’s identity based on physiological or behavioral attributes

Question 35

Q

IAAA - Authentication - Biometrics - Physiological traits

Answer

A

Physical attributes that are unique to the individual
What you are
Examples
- Fingerprints
- Voice print

Question 36

Q

IAAA - Authentication - Biometrics - Behavioral traits

Answer

A

What you do
Examples
- Handwriting signature
- Height

Question 37

Q

IAAA - Authentication - Biometrics - Error types

Answer

A

Type 1 error
- Rejects an authorized individual
- False Rejection Rate (FRR)
Type 2 error
- Accepts an unauthorized individual
- False Acceptance Rate (FAR)
- Much more concerning
Crossover Error Rate (CER)
- Measures the point at which the FRR equals the FAR
- Is expressed as a percentage

Question 38

Q

IAAA - Authentication - Biometrics - Biometric data types

Answer

A

Fingerprints: A complete record of ridges and valley on a finger
Finger scan: Certain features of a fingerprint
Palm scan: Fingerprint and the creases, ridges and grooves of the palm
Hand geometry: The shape, length and width of hand and fingers
Retina scan: Blood-vessel patterns on the back of an eyeball. Most invasive
Iris scan: The colored portion surrounding the pupil. Most accurate
Signature Dynamics: The speed and movements produced when signing a name
Keystroke dynamics: The speed and pauses between each keypress as a password is typed
Voice print:
- A number of words are recorded during enrollment
- During authentication the words are jumbled
- The user repeats them to prevent a recording from being played
Facial scan: Bone structure, nose ridge, eye widths, forehead size and chin shape
Hand topography: A side camera captures the contour of the palm and fingers; not unique enough to be sued alone but can often be used with hand geometry

Question 39

Q

IAAA - Authentication - Biometrics - Downsides

Answer

A

User acceptance
Enrollment timeframe: The enrollment phase may take a long time
Throughput: Acceptable elapsed time: 5 to 10 seconds
Accuracy over time

Question 40

Q

IAAA - Authentication - Passwords - Attacker tactics to get a password

Answer

A

Electronic monitoring
Password file
Brute-force attack
Dictionary attack
Rainbow table: Use all likely passwords in a table already hashed
Social engineering

Question 41

Q

IAAA - Authentication - Passwords - Mitigation tactics

Answer

A

After login, for the prior successful login attempt show
- Date/time
- How many unsuccessful attempts were made
- Location of the login
Set clipping level
Password aging: Limit the lifetime of a password
Password history: The last 5-10 passwords should be stored

Question 42

Q

IAAA - Authentication - Passwords - Password Checker

Answer

A

Tool that checks the strength of passwords

Question 43

Q

IAAA - Authentication - Passwords - Password Cracker

Answer

A

Tool that tries to crack passwords using one or more attack techniques

Question 44

Q

IAAA - Authentication - Passwords - CAPTCHA

Answer

A

Forces a person to enter information about a graphical image that is very difficult for computers to process
This proves that a real person is entering information instead of a computer- based automated process

Question 45

Q

IAAA - Authentication - Passwords - One-Time Password (OTP)

Answer

A

Good for a one-time use only
Types
- Synchronous
- Asynchronous
Formats
- Physical
- Smartphone app
- Text message
Synchronous Token device
- Hand-held password generator with small screen and sometimes a keyboard
- Synchronized device: Both generate the same passwords simultaneously
- Counter-Synchronized Device: Requires the user to push a button
Asynchronous Token device
- Uses a challenge/response scheme
- The authentication service sends a random value called a nonce to the user
- The user enters the nonce into the token device, which encrypts the nonce with a secret key
- The user then sends the encrypted nonce to the authentication service, which attempts to decrypt it with the shared secret key
- If the original and encrypted nonce result in the same value, the user is authenticated

Question 46

Q

IAAA - Authentication - Passwords - Cryptographic Key

Answer

A

Highly secure way to authenticate
Sequence
1) The authentication service provides a nonce
2) The user encrypts the nonce with their private key
3) The user sends the encrypted nonce and his digital certificate to the authentication service
4) The authentication service decrypts the nonce using the public key from the digital certificate

Question 47

Q

IAAA - Authentication - Passwords - Passphrase

Answer

A

Made up of multiple words
- Reduced down via hashing or encryption into a simpler form
- Longer than a password
- Easier to remember

Question 48

Q

IAAA - Authentication - Cards - Memory Card

Answer

A

Only stores data
Examples
- Older ATM cards
- Older credit cards
Risks: If the data contents of the memory card are not properly encrypted: Easy to read the PIN

Question 49

Q

IAAA - Authentication - Cards - Smart Card - Definition/Examples

Answer

A

Memory Card with a tiny computer (chip)
Examples:
- Credit cards containing on-board chips
- ATM cards containing on-board chips

Question 50

Q

IAAA - Authentication - Cards - Smart Cards - Advantages

Answer

A

PIN number: Can be required before data can be read
Chip:
- Does the processing
- Doesn’t need an external system to perform validation
If tampering is detected: Some smartcards will erase its information

Question 51

Q

IAAA - Authentication - Cards - Smart Cards - DisadvantageMore expensive than memory cards

Answer

A

More expensive than memory cards

Question 52

Q

IAAA - Authentication - Cards - Smart Cards - Power management methods

Answer

A

Contact cards
- The reader
  - Provides power to the cheap
  - Establishes a 2-way communication path
- Contactless cards
  - Have an antenna running the entire perimeter
  - When the antenna comes very near an electromagnetic field, the field provides power and a communication path
  - It’s an example of Radio Frequency Identification (RFID)
  - May or may not employ encryption
- Combi cards: One chip that supports both methods
- Hybrid cards: Two chips. One for each method

Question 53

Q

IAAA - Authentication - Cards - Smart Cards - Smart-card specific attacks

Answer

A

Non-Invasive
- Side-channel attacks
  - Differential power analysis: Watch the power emissions during processing
  - Electromagnetic analysis: Watch the frequencies emitted
  - Timing: Watch how long a process takes
  - Software attacks: Provide instructions that exploit a vulnerability
Invasive
- Fault generation
  - Fault generation
    1) Change the environment of the card
    - Voltage
    - Temperature
    - Clock rate
    2) Watch for differences
  - Microprobing: Access the internal circuitry directly

Question 54

Q

IAAA - Authentication - Cards - ISO 14443 (Cards)

Answer

A

ISO 14443-1: Physical attributes
ISO 14443-2: Initialization and anti-collision
ISO 14443-3: Transmission protocol

Question 55

Q

IAAA - Authorization - Definition

Answer

A

Figuring if the authenticated subject is allowed to carry out the action he’s requesting

Question 56

Q

IAAA - Authorization - Access Criteria

Answer

A

Role-Based: Based on the tasks a subject or group might need to perform
Physical Location Restriction: Restricting access to a device
Logical Location Restriction: Might be based on an IP address
Time of Day Restriction: Perhaps certain functions are accessible only during business hours or week days
Temporal Restriction: Allow access based on an absolute date or time
Transaction-Type Restriction: Limit access to features or data depending on the activity that the subject is engaged in

Question 57

Q

IAAA - Authorization - Default to No Access

Answer

A

All access control mechanisms should built upon it
Disadvantage: It will take more work to properly configure the system for the first time
Advantage: Significant drop in the number of accidental security holes
Need-to-Know: Focused on permissions and ability to access information
Least Privilege: Focused on privileges
Authorization Creep:
- Tendency for an employee to gain more and more access over time as he changes positions
- Even if the old levels of access are no longer needed
- Typically, result of the lack of well-defined tasks and roles
- Solution
  - As an employee changes roles, he should be removed from the current role/group and assigned to a new one that matches his new responsibilities
  - Sarbanes-Oxley (SOX): Law that requires review of this process yearly

Question 58

Q

IAAA - Authorization - Default to No Access - Need to Know / Least Privilege

Answer

A

Need-to-Know: Focused on permissions and ability to access information
Least Privilege: Focused on privileges
They help provide protection for valuable assets by limiting access to these assets

Question 59

Q

IAAA - Authorization - Kerberos - Introduction

Answer

A

One of the most common implementations for SSO

* Developed in the 80’s

Question 60

Q

IAAA - Authorization - Kerberos - Main components

Answer

A

Key Distribution Center (KDC)
Authentication Server (AS): Authenticates a principal
Ticket Granting Service (TGS): Creates a ticket for a principal
Principals: Users, Applications, Network services
Realm
- Set of principals
- A KDC can be responsible for one or more realms
Tickets: Proof of identity passed from principal to principal
Authenticator: A packet of data containing:
- A principal’s information
- The principal’s IP address
- A timestamp
- A sequence number
- Timestamp and seq number help protect against replay attacks

Question 61

Q

IAAA - Authorization - Kerberos - Workflow

Answer

A

0) Bob wants to log in and send something to a printer
1) Bob logs into his workstation
2) Bob’s desktop send his username to the KDC’s AS. AS encrypts the password, generates a random session key and encrypts it with Bob’s password and sends it back. This is an AS ticket
3) Bob’s desktop will decrypt the session key using the password Bob entered. Now the KDC and Bob’s desktop share a session key
4) Bob sends something to a printer
5) Bob’s desktop sends the AS ticket obtained during login to the KDC’s TGS and asks for a ticket allowing it to print to the printer
6) The KDC validates Bob’s AS ticket
7) The KDC’s TGS generates a new random session key and sends back two copies to Bob’s Desktop and an authenticator and sends the print ticket to the printer
- One encrypted with Bob’s secret key
- One encrypted with the printer’s secret key
8) Bob’s desktop receives this new print ticket, decrypts the session key using Bob’s password, adds its own authenticator and sends the print ticket to the printer
9) The printer receives the ticket and decrypts the session key and the KDC’s authenticator using its secret key. If the decryption succeeds, it knows the ticket came from the KDC. If the decrypted authenticator matches Bob’s desktop authenticator, it knows Bob’s machine sent the message
10) The printer prints

Question 62

Q

IAAA - Authorization - Kerberos - SSO

Answer

A

After the first system authenticates, it will use a ticket from then on to represent the user’s identity and authentication. As the user moves from system to system, all we have to do is to pass the ticket along, and the authentication session will move with it

Question 63

Q

IAAA - Authorization - Kerberos - Weaknesses

Answer

A

The KDC can be a SPOF: Solution: provide failover
The KDC can be a bottleneck: Solution: provide sufficient hardware
Both secret and shared keys are temporarily stored on machines acting on behalf of the principal and could be stolen. Solution: normal security precautions
Is susceptible to password guessing. Solution: OS
Data not in tickets are not encrypted. Solution: ensure network traffic is encrypted
Short keys can be susceptible to brute-force attacks. Solution: enforce long keys by policy and configuration
Kerberos requires all server and client clocks to be synchronized. Solution: normal network administration

Question 64

Q

IAAA - Authorization - Security Domains

Answer

A

Definition: Logical groupings of resources that are managed by the same security policy and the same group who manages them (The same “security umbrella”)
Usually segmented by the level of trust that subjects within that domain need
Often arranged hierarchically

Answer 65

A

Federated Identity: Portable identity (along with any access rights) that can be used across organizational boundaries
Different than SSO, which is constrained to be used within an organization’s own boundaries
Requires two organizations to enter into a partnership to share information in real-time
Web portal:
- Made up of portlets: Browser-based plug-ins that are self-contained buckets of functionality usually served up by different organizations
- For all of the portlets to work correctly, they must all share the identity of the authenticated user and there must be a high level of trust between all owners of the portlets

Answer 66

A

Generalized Markup Language (GML): Back in the 80’s
Standard Generalized Markup Language (SGML): Created from GML
Hypertext Markup Language (HTML): The standard on which all browsers operate
Extensible Markup Language (XML): Later gathered together all of the previous ones

Answer 67

A

Service Provisioning Markup Language (SMPL):
- Provides a vehicle for automated configuration of users and entitlements
- 3 main entities
* Requesting Authority (RA): Software sending a change request to a PSP
* Provisioning Service Provider (PSP): Software that will validate and distribute the change request to one or more PSTs
* Provisioning Service Target (PST): The system acting on the change request
Security Assertion Markup Language (SAML): If a user wants to authenticate with Party 1 using Party 2’s credentials, SAML is used to carry out this request using the browser as the middle man
Extensible Access Control Markup Language (XACML): Standardized way of communicating access rights and security policies

Answer 68

A

Web Services:
- Services only accessible over the web
- Can be used by SAML and XACML
- Primary technologies
  - Representative State Transfer (REST)
    - Very simple format
    - Low overhead
    - Low security
  - Simple Object Access Protocol (SOAP)
    - Heavy format
    - Considerable security built-in
Service Oriented Approach (SOA): Pattern for creating independent services across business domains that can work together

Answer 69

A

SAML is wrapped in SOAP/REST, which is transmitted over HTTP

Answer 70

A

Similar communication method to SAML
3 entities
- End User
- Resource Party
- OpenID Provider
Example
- Facebook based authentication to web sites
  - Facebook: OpenID Provider
  - You: The end user
  - The site: Resource Party

Answer 71

A

OAuth
- Works with OpenID
- Provides OpenID Authorization mechanisms
OAuth2
- Replaces OpenID
- Provides Authentication and Authorization

Answer 72

A

Identity as a Service (IaaS)
- Offers: SSO, Federated IdM, Password-management services
  Drawbacks:
  - The provider may not be able to meet all regulatory requirements. Some regulated industries may be non-compliant
  - IdM: Among the most sensitive data a company maintains. This model moves this info out of the company’s control
  - Integration of legacy applications: Not always straightforward or possible
Objectives
- Connectivity
  - All connection points must be encrypted and monitored via IDS/IPS
  - Only IdM traffic should pass through these connection points
  - Firewalls and PKI must be properly configured
- Incremental Rollout
  - Implement a portion and test before continuing
  - This will uncover unforeseen issues and help isolate where a problem is occurring

Answer 73

A

Defines rules and how they are applied to subjects and objects

Answer 74

A

You can adjust access at your own discretion
Allows each user to control access to anything that user owns
Rights can be given to either named users or groups
Very flexible and not very secure
Most common desktop OS’s use it

Answer 75

A

Foundational part of a DAC
An ACL for an object contains
- A list of subjects who may access the object
- The permissions available for that subject
Inheritance
- An ACL for a parent is automatically applied to children as they are added
- Can be overridden. It’s commonly not, though

Answer 76

A

aka Nondiscretionary Access Control (NDAC)
Users have absolutely no ability to change the level of access granted to other users
Commonplace in government systems

Answer 77

A

Security Label
- Attached to every subject and object
- Contains:
  - A single classification (clearance level)
  - One or more categories
Classifications
- Hierarchical
- The level above is more trusted than the level below
Multilevel Security System (MLS)
- Allows a subject to access an object at a different classification
- A subject can access an object if the subject’s security clearance dominates the object’s classification
Examples
- SELinux
- Trusted Solaris

Answer 78

A

Middle ground between DAC and MAC
Takes away ACLs
Only allows centrally managed groups
Role
- Task within the organization
- Users are assigned a role
Rights are assigned directly to a role

Answer 79

A

Core RBAC
- When a user logs in
- Gathers all possible roles and permissions granted via those roles and make them available for access decisions
Hierarchical RBAC
- Allows the administrator to model the roles based on the actual organizational structure
- Benefit: Makes management even easier with inheritance
- Flavors:
  - Limited hierarchies: Inheritance only once
  - General hierarchies: Inheritance is allowed for multiple levels simultaneously

Answer 80

A

Important security tool to prevent fraud
Hierarchical RBAC can help
- Static separation of duty (SSD): Constrains the combination of privileges
- Dynamic separation of duty (DSD): Constrains the combination of privileges that can be active within the same session

Answer 81

A

Non-RBAC
- No roles
- Users: Mapped directly to applications
Limited RBAC
- Roles + No roles
- Users: Mapped to multiple roles as well as being mapped to application that do not have role-based support
Hybrid RBAC
- Pseudo Roles
- Users: Mapped to roles for multiple applications with only selected rights assigned
Full RBAC
- Enterprise roles
- Users: Mapped to enterprise roles

Answer 82

A

Built right on top of RBAC
Extends its capabilities to include if…then coding
Anti-spam and firewall filters operate using rule-based decisions every day

Answer 83

A

The user interface that can limit a user’s ability to access data or functionality
Primary methods
- Menus: Limit the options the user can chose from
- Shells: Limit the commands available on a shell
- Database views: Limit the data that can be viewed by creating a virtual view of the data
- Physical constraints: Limit the physical controls the user can access such as keys or touch-screen buttons

Answer 84

A

Table of subjects and objects on opposite axis
The intersection of each row and column dictates the level of access a subject has to the object
Normally used with DAC systems
Matrix types
- Capability Table
  - Specifies the rights a subject has to a specific object
  - A capability can take the form of a token, ticket or key
  - Used by Kerberos
- ACL: For a given object, a list of all subjects and their corresponding rights

Answer 85

A

Control access based on the content of an object
Drawback: The technique has no context on which to base decisions
Examples
- E-mail filters
- Web filters

Answer 86

A

Is able to dig deeper to understand the context in which information is being used
Stateful firewalls use this technique to determine if a SYN attack is underway

Answer 87

A

Requires that a single individual or department controls all access to resources

Answer 88

A

Well-established network protocol
Provides authentication and authorization services to remote clients
Normally used in conjunction with an access server that communicates directly with a client desiring remote connectivity

Answer 89

A

1) Remote client contacts the access server via PPP and provides credentials
2) The access server forwards the credentials to the RADUIS server using the RADIUS protocol
3) After the RADIUS server authenticates and authorizes the client, the access server an IP address to the client

Answer 90

A

Uses UDP for communication: It must contain a considerable amount of overhead to ensure proper delivery of data over a connectionless protocol
Encryption:
- RADIUS encrypts passwords between AS and server
- All other data is sent in clear text: Invitation to replay attacks
Only the PPP protocol is supported
It’s implemented in a client/server architecture: Only the client can initiate communication
Does not support a very large number of AVP’S (Attribute Value Pairs): It’s not useful for very granular rights

Answer 91

A

Doesn’t address the issues that RADIUS has

Answer 92

A

Separates authentication and authorization steps: Better than TACACS and RADIUS

Answer 93

A

Not backwards compatible with TACACS or XTACACS
Advantages
- Uses TCP instead of UDP
- Encryption: Everything is encrypted, not just the password
- Supports a very large number of AVP’s: Very granular rights are possible
- Supports not only PPP. Appletalk, NetBIOS, IPX…
- Supports
  - 2-factor authorization
  - One-time (dynamic) passwords
- Design limitations: Implemented in a client/server architecture. Same as TACACS and XTACACS

Answer 94

A

Meant to replace RADIUS
Has all of the advantages of TACACS+
Based on a peer-to-peer model
Provides upgrade path for RADIUS and TACACS+
Adds error handling: Much better stability

Answer 95

A

Base protocol
- Secure communication between Diameter entities
- Feature discovery
- Version negotiation
- Header formats
- Security options
- A list of commands
- A large number of AVPs
Extensions
- Authentication
  - PAP, CHAP, EAP
  - End-to-end encryption
  - Replay attack protection
- Authorization
  - Supports redirects, secure proxies, relays, and brokers
  - Reauthorization on-demand
  - Unsolicited disconnects
  - State reconciliation
- Auditing
  - Reporting, roaming operations (ROAMOPS) accounting, monitoring

Answer 96

A

Technology that allows a mobile device to move from network to network without changing its IP address
Supported by assigning a quasi-permanent home IP address to the mobile device that all traffic can be sent to
The Mobile IP server tracks the current address of the mobile device, called the care-of address, and forwards all traffic sent to the home IP address to the care-of address in real-time

Answer 97

A

Introduction
- Data owners: Take care of managing access to data
- I own some data, so shouldn’t I know best who has need to access the data?
Advantage: Removes potential bottlenecks and bureaucracy
Disadvantages: For larger organizations, significantly increase the likelihood that employees will gain unneeded access

Answer 98

A

Senior management
- Responsible for providing the security goals
- But delegates the actual implementation
- Indicate the personnel controls that should be used
- Specify how testing of the controls are to be carried out

Answer 99

A

Existence of appropriate policies and procedures
Well-documented
Kept up-to-date

Answer 100

A

Covers the hiring, promotion, move, suspension, and termination of employees
Addresses
- How employees should interact with the various security mechanisms
- What will happen if an employee does not follow the policies

Answer 101

A

Ensures
- Every employee has a supervisor
- That the supervisor is responsible for the employee’s actions

Answer 102

A

People are the weakest link
So employees need to understand
- The proper use of security controls
- Why they exist
- The consequences of bypassing them

Answer 103

A

Defines how often periodic testing will be carried out
Examples
- Drills
- Physical disruptions
- Pentesting
- Quizzing employees to vet policy knowledge
- Required review of procedures to ensure relevancy

Answer 104

A

Require all hardware to be placed in a restricted areas behind secured doors, normally requiring access cards

Answer 105

A

Protects
- Individuals
- Facilities
- Components inside the facilities
Requiring
- Identification badges
- CCTV
- Fences
- Deterrent lighting
- Motion detectors
- Window and door sensors
- Alarms
- Indirect deterrent location and appearance of a building

Answer 106

A

Protects computer hardware
Providing cover locks
Removal of USB and optical drives to prevent unauthorized copying
Dampening of electrical emissions to prevent wireless eavesdropping

Answer 107

A

Restricting physical access to a walled-off area to only a few authorized people

Answer 108

A

Providing a secure method for the transfer and storage of data backups

Answer 109

A

Properly shielded: To prevent emissions and crosstalk

* Conceal: To prevent tampering and physical damage

Answer 110

A

Division of the physical facility into security zones with applicable access controls

Answer 111

A

May have a hardware component
Always have a software component
Ensure CIA

Answer 112

A

Access control models
Username/password mechanisms
Kerberos implementations
Biometrics devices
PKI
RADIUS/TACACS/Diameter servers

Answer 113

A

Logically separating network components by using
- Subnets
- VLANs
- DMZ’s
Implementing IDS/IPS

Answer 114

A

Methods implemented in
- Routers
- Switches
- Firewalls
- Gateways

Answer 115

A

Preserve
- Confidentiality
- Integrity
Enforces specific paths for communication

Answer 116

A

Tracking activity within
- Network
- Network device
- Computer
Used to point out weaknesses to be fixed

Answer 117

A

Result of implementing audit tracking

Answer 118

A

Detect intrusions
Track unauthorized activities back to the user
Reconstruct events and system conditions
Create problem reports
Provide material for legal actions

Answer 119

A

User Actions
- Logon attempts
- Security violations
- Resources and services used
- Commands executed
Application Events
- Error messages
- Files modified
- Security violations
System Activities
- Performance
- Logon attempts (ID, date/time)
- Lockouts if users and terminals
- Use of utilities
- Files altered
- Peripherals accessed

Answer 120

A

Monitor the health of a system or application

* Reconstruct events that lead to a system crash

Answer 121

A

Alert the administrator to suspicious activities to be investigated at a later time
After an attack has occurred
- How long/far an attack went on
- What damage may have been done

Answer 122

A

What we are protecting against: Log scrubbing
- Last step of carrying out an intrusion
- The attacker will try and remove any information from log files that will alert an administrator to his presence or activity
Store on a remote host
No one should be able to view, modify or delete log files except for an administrator
Integrity must be ensured by using digital signatures, hashing and implementing proper access controls
Loss of the data must be prevented by secure storage and committing to write-once media (such as CD-ROM)
Any unauthorized attempt to access logs should be captured and reported
A chain of custody should be securely stored to prove who had access to audit logs and when for legal reasons
Implement simplex communication: Severing the “receive” pairs in an Ethernet cable to force one-way communication only to prevent retrieval of log information by the source who is writing the data
Replicate log files to ensure a backup in case of deletion of the primary copy
Implement cryptographic hash chaining: Each log entry contains the hash of the previous entry, allowing the removal or modification of previous entries to become detectable

Answer 123

A

Applying the proper level of filtering, such that only important details are logged
Reduces the impact of logging on system/application performance
Keeps log file sizes down

Answer 124

A

Event Oriented: Results from a disruption or security breach
Audit Trails: Periodic reviews to detect unusual behavior from users, applications or systems
Real-Time Analysis: An automated system correlates logs from various systems
Audit-Reduction Tool:
- Discards irrelevant data to make reviews easier
- Security Information and Event Management (SIEM): To automate the sifting and correlation of all logs
- Situational awareness
  - Ability to make sense of the current state in spite of a large number of data points and complex relationships
  - Result of correct usage of a SIEM

Answer 125

A

Captures each keystroke and records the resulting characters in a file
Unusual
Done in case an employee is suspected of wrong-doing
Usually done with care: It can constitute a violation of an employee’s privacy if it has not been clearly spelled out in some type of employee training or an on-screen banner that monitoring of this type may take place
Attackers use this technique to capture credentials: Usually through a trojan horse

Answer 126

A

Ensure that access criteria is well-defined and strict
Enforce need-to-know and least-privilege patterns
Reduce and monitor any type of unlimited access
Look for and remove redundant access rules, user accounts and roles
Audit user, application and system logs on a recurring basis
Protect audit logs properly
Only known and non-anonymous accounts should be given access
Limit and monitor usage by highly-privileged accounts
Enforce lockouts after unsuccessful login attempts
Never leave default passwords
Make sure that passwords are required to be changed periodically, only strong passwords are allowed, are not shared and are always encrypted both in-transit and at-rest
Ensure accounts are removed that are no longer after an employee leaves
Suspend inactive accounts after 30 to 60 days
Disable ports, feature and services that are not absolutely required

Answer 127

A

Social engineering
Covert channels
Malicious code
Sniffing (wired, wireless)
Object reuse (not properly erasing previous contents)
Capturing electromagnetic emissions

Answer 128

A

Standard created by DoD to combat the capturing of electromagnetic emissions
Limits electrical emissions by wrapping the product in a metal shield called a Faraday cage
Very expensive process

Answer 129

A

White Noise
- Random electrical signals are created across the entire communication band
- An attacker is unable to distinguish valid signals from the background noise
Control Zones: Housing rooms or even buildings in a Faraday cage

Answer 130

A

Detects intrusion attempts, which are the unauthorized use of, or attack upon, a network or devices attached to the network
Passive component that does not take any action other than generating alerts
It looks for passing traffic that is suspicious, or monitors logs in real-time, and any anomalous behavior can trigger an alarm

Answer 131

A

Sensor: Collects information and sends it to the analyzer
Analyzer: Looks for suspicious activity and send alerts to the administration interface
Administration Interface: Processes alerts, which can result in
- E-mail
- Visual message
- Text message
- Phone call
- SNMP alert

Answer 132

A

Highlight vulnerabilities in a network
Expose techniques used by an attacker
Produce evidence for subsequent legal action

Answer 133

A

Watches network traffic

Answer 134

A

Can be: Hardware devices or software in a server
Has to have a NIC that is in promiscuous mode
Sniffs packets as they pass by
Uses a protocol analyzer: To examine each packet based on the protocol the packet is using
Switching problem:
- Most networks are switched, so not all traffic can be seen
- To overcome this: Connect to a spanning port in the switch

Answer 135

A

Sometimes: NIDS can be self-contained within a firewall or other dedicated device
Normally: Distributed solution with various sensors scattered across the network at strategic points
Good practices
- A sensor in the DMZ
- A sensor inside of the intranet
- Sensors in sensitive entry points, such as a wireless AP connection
- Resources requirements
  - Depends on how deep a sensor digs into each passing packet
  - Good idea:
    - Place multiple sensors in each location
    - Each sensor analyzing packets for a subset of signatures or patterns

Answer 136

A

Definition: Can see anything that goes on inside of an operating system running on a “host” computer
High cost: Normally only installed in servers

Answer 137

A

Have very intimate knowledge of the inner-workings of a given application
Are useful if the application uses encryption that would hide activity from NIDS or HIDS

Answer 138

A

aka Knowledge-Based or Pattern-Matching
Most popular detection type
Requires that its “signatures” be constantly updated in order to remain effective
Cannot detect “zero-day” attacks
Compares traffic patterns in real-time to a list of patterns known to represent an attack
If a match is found it will generate an alert

Answer 139

A

Upside: Very low false-positive rate

* Downside: High false-negative rate

Answer 140

A

Land attack: Source and destination IP addresses are the same
Xmas attack: Sets all TCP header flags to 1

Answer 141

A

Monitors the contents of memory on a host
Take continuous snapshots, called a state, of the contents of volatile and non-volatile memory within a host and compare it with the last captured state
The difference between the two states is then compared to a database and if the changes match a pattern, an alert is generated

Answer 142

A

When an anomaly-based IDS is first installed, it is put into a learning mode for a while, where it watches all traffic passing by and assumes the traffic is “normal”
It then creates a database of these normal traffic patterns, and when it is taken out of learning mode, it will alert if the network traffic deviates from this baseline

Answer 143

A

Advantage: It can detect new attacks
Disadvantage: Any alert requires a very skilled engineer to analyze the data to determine if the anomaly is indeed an attack

Answer 144

A

When the IDS detects patterns outside of the norm
- It will assign a degree of irregularity to the pattern and continue to monitor it
- If the pattern continues the assigned degree increases to the point at which it passes a given threshold, resulting in an alert
Because of this algorithm, anomaly-based IDSs can detect attacks that are designed to fly under the radar to avoid attention

Answer 145

A

High number of false positives
Low number of false-negatives
Fine tuning the threshold is important to achieve a reliable ratio

Answer 146

A

Understands the various protocols passing by: Allowing it to dig a little deeper and add some context to patterns
This is a very useful filter because most attacks happen at the protocol level
Attacks it can detect
- ARP poisoning:
  - Data Link Layer attack
  - A rogue client pretends to own an IP it does not
- Loki attacks
  - Network Layer attack
  - ICMP packets are used to hide data
- Session Hijacking
  - Transport Layer attack
  - An attacker uses sequence numbers to jump in and take over a socket connection

Answer 147

A

Watch for changes in relative patterns: Looks for acceptable patterns that do match the normal frequency or time range
Examples
- Notices login activity in the middle of the night and generates an alert that would be ignored in the middle of a week day
- Notices a significant increase in traffic that is considered to be normal, but decide that a DoS attack is underway

Answer 148

A

aka Heuristic-Based IDS
It’s an expert system
Components:
- Facts: Data that comes in from a sensor or system that is being monitored
- Knowledge Base: If…then rules that analyze facts and take action
- Inference Engine: Uses artificial intelligence to infer relationships
- Advantage: Improved levels of false-positives and false-negatives
- Disadvantages:
  - Cannot detect new attacks
  - If the rules are overly complex: Excessive resource consumption

Answer 149

A

Identify which IDS is in use and adapt to avoid discovery

* Flood the network with bogus data to distract the IDS

Answer 150

A

Vendors allow malicious software to execute on a host and then gather the changes that were made to the system
Antimalware systems then can use this behavior to detect malicious activity

Answer 151

A

It’s an IDS with a reactive behavior

Answer 152

A

Introduction
- A server that has purposefully been left vulnerable
- Contains no data or services that is of value to the company
- Not connected to any other systems except for the ability to let a network administrator know that it is being attacked
Reasons to use it
- It distracts the attacker so that our real systems are left alone
- It allows us to study the attack in real-time so that we can harden other areas on-the-fly based on the activities
- It gives us time to discover the identity of the attacker
- We can collect evidence from the attack for subsequent legal action
Entrapment
- Tricking an attacker to encourage him to make the attack
- It’s illegal
Enticement
- Redirecting the attacker’s efforts that he has already determined to carry out
- It’s OK

Answer 153

A

Definition
- Carried out by a program that is fed a list of commonly used words or combinations of characters
- The program will iterate through all possible combinations and attempt to guess the password
Countermeasures
- Perform dictionary attacks to find weak passwords, and force the user to change it
- Require strong passwords
- Require passwords to be changed frequently
- For attacks against a user interface
  - Use lockout thresholds
  - Use one-time password tokens
  - Use an IDS to detect this type of activity
- For attacks directly against a file
  - Never store passwords in clear text
  - Protect password files

Answer 154

A

Definition
- aka Exhaustive attack
- Iterates through every possible character until a match is found
- Guaranteed to be 100% successful (With time)
- Countermeasures: Same as Dictionary

Answer 155

A

Automatically dialing through a list of phone numbers until a modem answers
Countermeasures
- Perform brute-force attacks against all company phone number ranges to find hanging modems
- Make sure only necessary phone numbers are public

Answer 156

A

Combination of dictionary and brute-force attacks
Dictionary attack is used to discover at least a part of the password
Then a brute-force attack is used to discover the remaining portion

Answer 157

A

Can be Dictionary or brute force
The hashes for all relevant values are pre-computed into a “rainbow table”
Only useful against files
User interface will be the limiting factor

Answer 158

A

Requires a malicious program to be installed on a workstation or server
User attempts to login, the malicious program will prompt for credentials instead of the OS logon screen
The malicious program claims that credentials were invalid and immediately hands control over to OS
End result: The user never realizes that credentials were just stolen

Brainscape's Knowledge GenomeTM

CISSP Domain 5 - Flashcards

Brainscape's Knowledge Genome^TM