still need work cissp Flashcards
nail down less-known cards
RSA: cipher type, keys generated by…, key sizes, provides what services (4), common use
Rivest, Shamir, Adleman (RSA)
block cipher (Roblox)
block size in general is 1024 but depends on the number of bytes in the RSA modulus
new keypair generated using very large prime numbers (Supersized prime number keys)
1094-4096 bit keys (of Amount)
services: authentication, key encryption, digital signatures, encryption
uses: AES symmetric encryption
PGP: used for 4 things, and uses what model
used for:
file encryption,
directory encryption and whole disk encryption,
email
uses the Web of Trust model (if you trust me, you trust those I trust)
TCP/IP - PDU - OSI mapped
OSI             | TCP/IP              | PDU
1 Physical      | 1 Link & Physical   | bits
2 Data Link     | 1 Link & Physical   | frames
3 Network       | 2 Internetwork      | packets
4 Transport     | 3 Transport         | segments
5 Session       | 4 Application       | data
6 Presentation  | 4 Application       | data
7 Application   | 4 Application       | data
IPv4 Header
Very Intelligent Quarterbacks Identify Top Pass Catchers Stretching Defense Out
Version
IHL/IP Header Length
QoS
ID/Flags/Offset for fragmentation
TTL
Protocol number
Checksum
Source address
Destination address
Options
IPv6 Header
Vicious Tacklers Frighten Passers Needing To Score Deep
Version
Traffic class/ Priority
Flow label (QoS)
Payload length
Next header
TTL
Source address
Destination address
EDRM (Electronic Discovery Reference Model) process (9 steps)
Internet-Games Involve People Chanting Pretentious R A P P
Information Governance
Identification
Preservation
Collection
Processing
Review
Analysis
Production
Presentation
Change Management Process steps (9)
In Practice All Players Try Something Not In Playbook
IPA PT SNIP
Identify
Propose
Assess risk, impact
Provisional change approval
Test the change
Schedule the change
Notification of change
Implementation of change
Post implementation reporting
DRP Lifecycle (4 phases)
Preparation
Response
Recovery
Mitigation
Developing BCP/DRP (10 steps)
prepare salvation by instituting real plans in the tomorrow mindset
P S B I R P I T T M
Project Initiation
Scoping Project
BIA (business impact analysis)
Identify Preventive Controls
Recovery Strategy
Plan Design
Implementation
Training
Testing
Maintenance
OWASP current Top 10
Best Coaches Intend Immediate Success Visionary Inspire Spur Stimulate Sacrifice
Broken Access Control
Cryptographic Failures
Injection
Insecure Design (new)
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures (new)
Security Logging and Monitoring Failures
Server-Side Request Forgery (new)
Agile Software Development: umbrella of methodologies; principles (12); how does it work (5)
Principles:
(FF PEWT CCC SSS)
1 Face to Face communication is best
2 Frequent delivery
3 Primary measure of progress is working software
4 Early continuous delivery
5 Welcome changes
6 Trusted individuals
7 Cooperation between business and developers
8 Continuous attention to good design
9 Continuous improvement
10 Self-organizing teams produce best results
11 Simplicity
12 Sustainable development at constant pace
How it works:
CFUIL
Agile does not deliver prototypes but breaks the product down into individual features, which are Continuously delivered
does not follow rigid processes, but focuses on getting the product Finished Faster
focus on User stories
small Incremental deliveries
Less documentation, more focus on delivering the right software
Extreme Programming: characteristics (7), relation to Scrum, result
(PU CAFFE - only somebody EXTREMEly stupid would eat at the PU Caffe)
Pair programming (continuous code reviewing, or taking code reviews to the EXTREME)
Unit testing
Code clarity and simplicity
Avoidance of features until they are needed
Flat management
Frequent communication between dev and business
Expecting changes as the problem is better understood
“take away the regularity of Scrum and add a lot of code reviewing, you get Extreme Programming”
Results in fewer errors, better code
Spiral Model: phases, what does the angular aspect represent, what does the diameter of the spiral represent
PREE
Planning
Risk Analysis
Engineering
Evaluation
angular aspect is progress
diameter of spiral is cost
Secure Coding Techniques (12)
VOMIT SCiEnCE DB
Validation Points
Obfuscation / Camouflage
Memory Management
Input Validation
Third Party Libraries and SDKs
Stored Procedures
Code Reuse / Dead Code
Encryption
Code Signing
Error and Exception Handling
Data Exposure (Applications)
Balancing Time and Quality
CSF: what does it mean, phases (5)
NIST Cybersecurity Framework
(industrious physiques don’t ruin reputations)
Identify
Protect
Detect
Respond
Recover
RMF process (NIST 800-37), 7 steps
Risk Management Framework (RMF), NIST 800-37 steps
(Perilous Cases Start In An Angry Mob)
Prepare - establish context and priorities
Categorize - based on impact of loss
Select - set of controls for a system based on risk assessment
Implement - controls and describe how they fit
Assess - controls for propriety
Authorize - system of controls to determine if risk is acceptable / reasonable
Monitor - system and controls for changes
DRM Tools (3)
Digital Rights Management
Tools:
[CAP]
Continuous Audit Trail
Automatic Expiration
Persistent Online Authentication
Supported Digital Signature Standards
NIST
DSA (FIPS 186-4)
RSA (ANSI X9.31)
ECDSA (ANSI X9.62)
Authorizing Official Decisions (RMF) (4)
[ACAD]
ATO authorization to operate
CCA common control authorization - used for inheritance when risk is acceptable
ATU authorization to use - used when third-party providers' servers are acceptable risks, or for reciprocity of another AO's ATO
DOA denial of authorization
Hierarchical MAC: grants … using predefined … for specific …
MAC is based on a … model. The … is based on … …
All users are assigned a … or … level.
All objects are assigned a … … Users can only access resources that correspond to a … … … to or … than theirs in the hierarchy.
grants access using predefined labels for specific labels
MAC is based on a hierarchical model. The hierarchy is based on security level. All users are assigned a security or clearance level. All objects are assigned a security label. Users can only access resources that correspond to a security level equal to or lower than theirs in the hierarchy.
OIDC, uses … , provides (2), is built on …
uses JSON web tokens
provides authentication and profile information for internet SSO,
it is built on OAuth 2.0 framework
Kerberos Process (6 steps), port, benefits (3)
Kerberos process:
See diagram
port 88
Easy for end users;
centralized control and
easy to administer.
KERBEROASTING
a …-… attack technique that attempts to obtain a … … of an … … account that has a … … … (“…”).
In such an attack, an … domain user requests a … ticket for an … .
Solutions (4)?
a post-exploitation attack technique that attempts to obtain a password hash of an Active Directory account that has a Service Principal Name (“SPN”).
In such an attack, an authenticated domain user requests a Kerberos ticket for an SPN.
Prevention: HER G (Hygiene, Extraction, Restrict, Governance)
Practice good password hygiene for service accounts
  Use long passwords (at least 25 characters) for service accounts
  Regularly rotate passwords every 30 days
  Implement group managed service accounts (gMSAs) or third-party solutions for automated password management
Institute proper governance for service accounts
  Keep track of service accounts and their usage
  Enforce the principle of least privilege for all service accounts
  Follow NIST guidelines for password security, prioritizing password length over complexity and avoiding frequent password changes
Restrict access to the KRBTGT account password
  Limit access to the KRBTGT password hash to minimize vulnerability to Golden Ticket attacks
  Identify accounts with rights to extract password hashes and remove unnecessary permissions
  Regularly change the KRBTGT password to invalidate any existing Golden Tickets
  Use Microsoft's KRBTGT account password reset script every 180 days
Prevent the extraction of service accounts
  Create an inventory of all service accounts and their details
  Maintain documentation for when accounts should be reviewed, deactivated, or deleted
  Grant the minimum privileges necessary for each service account
  Change default passwords of service accounts
  Use automated password management solutions to regularly rotate passwords
  Use separate accounts for different services
  Avoid using the same password for multiple service accounts
  Promptly decommission service accounts that are no longer needed
  Use tools to detect and manage inactive service accounts
  Monitor service accounts for suspicious activity
  Use a real-time auditing solution with machine learning for anomaly detection and response
Kerberos User Enumeration (attack), solution
brute-force attack on Kerberos
has a distinct advantage over attacks on other authentication methods: no domain account is required to perform the attack, just a connection to the KDC
(there is a U in enumeration, brute force and unrealistic)
solution: detect unrealistic amounts of AS-REQ requests without follow-up requests