Domain 5 Flashcards

1
Q

Access Control

A

The objective of access control is to protect information and information systems from unauthorized access (confidentiality), modification (integrity), and disruption (availability).
Physical access control focuses on facilities, equipment, and devices.

2
Q

Access management

A

Access management controls are security mechanisms that control how subjects and objects communicate and interact with each other and the flow of information.

3
Q

Subject

A

A subject is an active entity that requests access to an object or to the data within the object.

4
Q

Object

A

An object is an entity being accessed or the item being acted upon.

5
Q

Rights

A

Rights generally refer to the ability of a subject to take an action; for example, the right to log on remotely, install software, and create user accounts. Rights can be assigned to user accounts, group accounts, or resources.

6
Q

Permissions

A

Permissions are functions that a subject can perform on an object, a file or folder; for example, read, write, modify, and delete.

  • Access control lists are generally used to assign permissions.
  • Permissions can be assigned to a user account, group accounts, or resources depending upon the system or device.
  • Permissions are generally cumulative.
  • Permissions can be explicit or inherited.
7
Q

Privilege

A

Privilege relates to overriding capabilities.

  • Administrative, root, and super user.
  • Privilege trumps rights and permissions.
8
Q

Need to know

A

Need to know means that the subject has a demonstrated and approved reason for being granted access.

9
Q

Least Privilege

A

Least Privilege means assigning subjects only the rights and permissions needed to complete their assignments.

10
Q

Default Allow

A

Default Allow means any access or action not explicitly forbidden is allowed.

11
Q

Default Deny

A

Default Deny means any access or action not explicitly allowed is forbidden.

12
Q

Authorization Creep

A

Authorization Creep is the accumulation of access rights, permissions, and privileges over time.
- Promotions, lateral moves, cross-training and temporary coverage may contribute to authorization creep.

13
Q

Dual Control

A

Dual Control is the practice of having more than one subject or key required to complete a specific task (requestor and approver).

14
Q

Separation of duties

A

Separation of duties is the breaking down of a task into processes that are assigned to different subjects so that no one subject is in complete control.

15
Q

Registration

A

Registration is a distinguishing characteristic (e.g., username).

16
Q

Authentication

A

Authentication is the process of providing proof of an identity to an authentication system.

  • The proof is referred to as a factor.
  • The combination of a user name and factor is referred to as credentials.
17
Q

Authentication Factors

A
  • Something a user knows.
  • Something a user has.
  • Something a user is / something a user does.
  • Something a user is.
18
Q

Something you know

A

Something you know is a shared secret known to the user and the authentication system.
- Passwords, passphrases, cognitive passwords, out-of-wallet passwords.

19
Q

Cognitive Passwords

A

Cognitive Passwords (challenge questions) utilize preselected questions and answers based on fact, opinion, or memory.

20
Q

Out-of-Wallet passwords

A

Out-of-Wallet passwords (challenge questions) are answers to questions derived from subscription databases.

21
Q

Something you have

A

Something you have requires physical possession of a device.

- Secure token, Smart Card.

22
Q

Secure Token

A

A secure token is a handheld device with an LED that displays a number; the number is synchronized with an authentication server.

23
Q

Smart Cards

A

A smart card is a credit card-sized card that has an integrated circuit and a certificate used to identify the holder.

24
Q

Types of Smart Cards

A
  • Smart Card
  • Common Access Card (CAC)
  • Personal Identity Verification (PIV)
  • Contactless Card
  • Proximity Card
25
Q

Common Access Card (CAC)

A

Smart card that includes a picture of the user. Used for both visual identification and computer access.

26
Q

Personal Identity Verification (PIV)

A

Smart card that includes a picture of the user. Used for both visual identification and computer access.

27
Q

Contactless Cards

A

Contactless smart cards can be read without being inserted into a reader device (read range 1-3”).

28
Q

Proximity Card

A

Contactless smart card that can be read without being inserted into a reader device (read range up to 15”).

29
Q

Biometric - Something you are

A

Biometric refers to human characteristics.
- Physiological biometric markers include fingerprints, fingerscans, retina scans, iris scans, facial recognition, vascular patterns, palm scans, and hand geometry.

30
Q

Biometric - Something you do

A

Something you do is a behavioral trait.

- Behavioral biometric traits include voice pattern recognition, keystroke dynamics, and signature dynamics.

31
Q

Single-Factor Authentication

A

Only one factor is required for authentication.

32
Q

Multi-Layer Authentication

A

Two or more of the same type of factor are required for authentication.

33
Q

Multi-factor Authentication

A

Two or more different types of factors are required for authentication.

34
Q

Out-of-band Authentication

A

Use of more than one communication channel is required for authentication.

35
Q

Session Management

A

Session management ensures that any instance of identification and authentication to a resource is managed properly.

36
Q

Broken Authentication

A

Broken Authentication attacks use leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users and gain system access.

37
Q

Identity Management (IdM)

A

Identity Management (IdM) describes the technical management of user identities (including authentication and authorization) within and/or across enterprise boundaries.

38
Q

Identity Management (IdM) technologies

A
  • Directory Services (LDAP, AD) - on/off premise
  • Single sign-on (SSO) - on/off premise
  • Identity-as-a-service (IDaaS) - cloud
  • Federated identity management (FIM) distributed.
39
Q

Directory Services

A

A directory service is the centralized collection and distributed database (domain) of user data, computers, and trusted entities. LDAP attributes:

  • Scalability (billion+ user entries)
  • Distributed and synchronizable.
40
Q

Directory Services Technologies

A
  • Lightweight Directory Access Protocol (LDAP).

- Microsoft Active Directory (AD) which is Microsoft’s implementation of LDAP.

41
Q

Single Sign-on

A

Single Sign-on (SSO) describes a unified login experience in which the user provides a set of credentials one time and is allowed to access multiple systems without needing to authenticate again.

  • The SSO system intercepts requests for identification and authentication.
  • SSO can be a bottleneck or single point of failure (SPOF).
  • Legacy SSO rarely is a true enterprise solution.
42
Q

Identity-as-a-service (IDaaS)

A

(IDaaS) is a SaaS-based identity and access management solution.

43
Q

Identity-as-a-service (IDaaS) components

A
  • Identity and governance administration (IGA), which is the provisioning of users to cloud applications.
  • Access, which includes user authentication, SSO (single sign on) and authorization supporting federation standards.
  • Intelligence, which includes identity access log monitoring and reporting.
44
Q

Federated Identity Management

A

Federated Identity Management (FIM) is an arrangement made among multiple enterprises that allows users (and sometimes objects) to use the same identification data to obtain access to disparate resources (aka “portable identity”).

45
Q

Federated Identity Management technologies

A
  • Security Assertion Markup Language (SAML)
  • OAuth
  • OpenID Connect
  • Shibboleth.
46
Q

Security Assertion Markup Language (SAML)

A

Security Assertion Markup Language (SAML) is an open standard that provides user authentication and authorization services.

47
Q

Shibboleth

A

Shibboleth is standards-based, open source software for web single sign-on across or within organization boundaries.

  • The Shibboleth software implements widely used federated identity standards, principally SAML, to provide a federated single sign-on and attribute exchange framework.
  • Shibboleth also provides extended privacy functionality allowing a user and their home site to control the attributes released to each application.
48
Q

OAuth 2.0

A

OAuth 2.0 is an authorization (not identification) framework that enables applications to obtain limited access to user accounts on an HTTP service such as Facebook or Twitter.

49
Q

OpenID Connect

A

OpenID Connect is an identity layer on top of the OAuth 2.0 protocol, which facilitates authentication.

  • OpenID Connect verifies the identity of the end user.
  • The id_token (secure token) includes information about the user.
  • Can be used by both mobile and static applications.
50
Q

Access Control Model

A

An Access Control Model is a framework that dictates how subjects access objects or how objects access objects.

51
Q

Subject-based Access Controls Models

A
  • Mandatory Access Control (MAC)
  • Discretionary Access Control (DAC)
  • Role-based Access Control (RBAC)
  • Attribute-based Access Control (ABAC)
52
Q

Object-based Access Control Models

A
  • Rule-based Access Control (RBAC)
  • Content-based Access Control
  • Context-based access control
  • Constrained interfaces.
53
Q

Mandatory Access Control (MAC)

A

Access is based on the relationship between subject clearance and need to know and the object classification label.
- Enforcement: Security Level.

54
Q

Discretionary Access Control (DAC)

A

Data owners decide subject access.

- Enforcement: Access Control Lists, Capabilities tables.

55
Q

Role-based Access Control (RBAC) [Non-Discretionary]

A

Access is based on the subject’s assigned roles. Many-to-many relationships are allowed.
- Enforcement: Access Control Lists, Capabilities tables, Security Policies.

56
Q

Attribute-based Access Control (ABAC)

A

Attribute-based Access Control (ABAC) is a logical access control model that controls access to objects by evaluating rules against the attributes of entities (both subject and object), operations, and the environment relevant to a request.

57
Q

Rule-based Access Control

A

Access is based on situational if/then statements.

- Enforcement: Global policy, Rules

58
Q

Content Dependent

A

Filtering is based on the data being acted upon.

- Enforcement: Keywords, Categories.

59
Q

Context Dependent

A

Access is based on a collection or sequence of actions.

- Enforcement: Rules, Security Policy.

60
Q

Constrained Interface

A

Access is restricted by functionality.

- Enforcement: Design, Configuration.

61
Q

Identity and Access Management (IAM)

A

Identity and Access Management (IAM) is a business process with the objective of ‘enabling the right individuals to access the right resources at the right times and for the right reasons’.

62
Q

Identity and Access Management (IAM) Characteristics

A
  • IAM functions include provisioning, education, auditing, and deprovisioning.
  • IAM functions take place throughout the employee lifecycle.
  • IAM functions are a shared responsibility - managers, owners, HR, IT, physical security, information security, and audit.
63
Q

Provisioning Lifecycle Phase 1

A
  • Onboarding.
  • Account Request.
  • User Agreement
  • Credential Management
64
Q

Provisioning Lifecycle Phase 2

A
  • Authorization
  • Assignment of rights and permissions
  • User Training
65
Q

Provisioning Lifecycle Phase 3

A
  • User account auditing.
  • User access auditing
  • Change request.
  • User Training.
66
Q

Termination

A

Termination ends employment. How termination is handled depends upon the specific circumstances (friendly/unfriendly) and transition arrangements that have been made with the employee.