CISSP Cheat Sheet Domain 5

Authentication factors and basic terms

Subject: An entity which requires access to an object or objects.
Object: An entity which contains information.
Knowledge factor (Type/category 1, something you know): Password authentication, secret questions such as mother's maiden name, favorite food, date of birth, key combination / PIN.
Ownership factor (Type/category 2, something you have): Something that the user possesses, like a key or a token.
Characteristic factor (Type/category 3, something you do / are): A user characteristic, such as biometrics: fingerprints, face scan, signature.

Terminology and concepts

Salted hash: Random data added to a password before hashing and storing it in a database on a server. Used instead of plaintext storage; the password can be verified without being revealed.
Complex password: Alphanumeric, more than 10 characters. Includes a combination of upper and lower case letters, numbers and symbols.
One-time password (OTP): Dynamically generated to be used for one session or transaction.
Static password: Password does not change. To be avoided.
Cognitive password: Something used to identify a person, i.e. pet's name, favorite color, mother's maiden name, place of birth, etc.
Password hacking: Unauthorized access of a password file.
Brute force attack: Multiple attempts using all possible password or PIN combinations to guess the password.
Dictionary attack: Type of brute force attack that uses all the words from the dictionary.
Social engineering attack: Gain access by impersonating a user, establishing legitimate user credentials through social manipulation of trusted parties or authorities.
Rainbow tables: Precomputed table for reversing cryptographic hash functions and cracking passwords.

Ownership (Type/category 2, something you have)

Synchronous token: Creates a password at regular time intervals.
Asynchronous token: Generates a password based on the challenge-response technique.
Memory card: A swipe card containing user information.
Smart cards or Integrated Circuit Card (ICC): A card or dongle that includes a chip and memory, like bank cards or credit cards.
Contact cards: Swiped against a hardware device.
Contactless cards or proximity cards: Simply need to be within proximity of the reader device.
Hybrid cards: Allow a card to be used in both contact and contactless systems.
USB drive: Bespoke USB with access credentials.
Static password token: Simplest type of security token, where the password is stored within the token.
Challenge/response token: A challenge has to be met by the correct user response.

Characteristic (Type/category 3, something you do / are)

Biometric technology allows the user to be authenticated based on physiological or behavioral characteristics.
• Physiological, i.e. iris, retina and fingerprints.
• Behavioral, i.e. voice pattern.

Physiological characteristics
Fingerprint: Scans the thumb or edge of the finger.
Hand geometry: Size, shape, bone length, finger length or other layout attributes of a user's hand are taken.
Hand topography: Pattern of the peaks and valleys of the hand.

Identity Management

IAAA: Identification - Authentication - Authorization - Accountability.
Registration: Verification of user identity; adds an identifier to the system.
Identification: • Assign the user the proper controls • Commonly uses a user ID or username.
Authentication: • User verification process • Commonly uses passwords.
Authorization: • Defining resources for user access.
Accountability: • Person responsible for the controls; uses logs.

Levels of Access & Control

Centralized: Only one component can control access. Highly restricted administration level where control is done centrally.
Decentralized: Access is controlled by information owners. Administration can be less consistent.
Hybrid: Combination of centralized and decentralized.
Access stances: allow-by-default or deny-by-default.
Single Sign-On (SSO): • Pros: complex passwords, easy administration, faster authentication. • Cons: risk of all systems being compromised by unauthorized access to a key or keys.
Access control policies: Level of access and controls granted for a user.
Separation of duties: Assigning different users different levels of access to protect privacy and security.
Dual controls: Access to perform specific functions is granted to two or more users.
Split knowledge: No single user can have the full information needed to perform a task.
Principle of least privilege: User is given the minimum access level needed to perform a task.
Need-to-know: Minimum knowledge level needed to perform a task.
No access: User is not assigned any access to any object.
Directory service, i.e. LDAP: Centrally managed database for managing user objects.

Kerberos

Kerberos: Client/server model authentication protocol. • Symmetric key cryptography • Key Distribution Center (KDC) • Confidentiality, integrity and authentication using symmetric key cryptography.
Authentication realm: Administrative domain. Uses symmetric-key cryptography.
KDC (Key Distribution Center): Issues tickets to the client for server authentication. • Stores secret keys of all clients and servers in the network • AS (Authentication Server) • TGS (Ticket Granting Server).
The Kerberos logon process:
• User inputs username/password on the client PC/device.
• Client system encrypts credentials using AES to submit to the KDC.
• KDC matches the input credentials against its database.
• KDC creates a symmetric key and a time-stamped TGT to be used by the client and the Kerberos server.
• Key and TGT are encrypted using the client password hash.
• Client installs the TGT and decrypts the symmetric key using the hash.

Federated identity

• A.K.A. federated ID management.
SESAME (Secure European System for Applications in a Multi-vendor Environment): Public key cryptography only authenticates the initial segment without authenticating the full message. Two separate tickets are in use: one for authentication, the other defines the access privileges for the user. Both symmetric and asymmetric encryption are used.
SAML (SOAP/XML): Exchanges authentication and authorization information between security domains and systems. • Components: principal (user), identity provider, service provider. • Used in directory federation SSO.
Security domain: Set of resources having the same security policies.
Federated identity: Organizations having a common set of policies and standards within the federation.

Federation Models

Cross-certification model: Every organization is certified and trusted by the other organizations, within the standards defined internally by said organizations.
Trusted third-party / bridge model: Every organization adheres to the standards set by a third party.
IDaaS (Identity as a Service): Identity and access management is provided by a third-party organization.
SSO (Single sign-on): Access management for multiple similar, yet independent systems. Primarily used for cloud and SaaS based system access.
Cloud identity: User account management (Office 365).
Directory synchronization: On-premises identity provider (Microsoft Active Directory).
Federated identity: On-premises identity provider for managing login requests (MS AD).

Authorization Concepts

Implicit deny: By default access to an object is denied unless explicitly granted.
Access control matrix: Table which includes subjects, objects, and access controls / privileges.
Capability tables: List access controls and privileges assigned to a subject. • ACLs focus on objects, whereas capability lists focus on subjects.
Permissions: Access granted for an object.
Rights: Ability/access to perform an action on an object.
Privileges: Combination of rights and permissions.

Authorization Methods

Discretionary Access Control (DAC) • Mandatory Access Control (MAC) • Role-based Access Control (role-BAC) • Rule-based Access Control (rule-BAC).
Discretionary Access Control (DAC): Uses access control lists (ACLs). Used by owners to grant or deny access to other users. The ACL defines the level of access granted or denied to subjects.
Mandatory Access Control (MAC): Subjects are authorized according to security labels.
Role-BAC (RBAC): Task-based access control; subjects are granted access to an object based on their role or assigned tasks.
Rule-BAC: Uses a set of rules or filters to define what can or cannot be done on a system.
Hybrid RBAC: Limited RBAC.
Lattice based / label: Objects are classified based on control level using a label.

Access Control Categories

Category | Scope / Purpose | Example
Compensative | Risk mitigation action. | Two keys, or key and combination, to open a safety locker.
Corrective | Reduce attack impact. | Having fire extinguishers, having offsite data backups.
Detective | Detect an attack when it happens. | CCTV, intrusion detection systems (IDS).
Deterrent | Discourages an attacker. | User identification and authentication, fences.
Directive | Define and document acceptable practices within an organization. | Acceptable Use Policy (AUP).
Preventative | Stop an attack. | Locks, biometric systems, encryption, IPS, passwords.
Recovery | Recovery of a system after an attack. | Disaster recovery plans, data backups, etc.
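The salted hash and rainbow table entries above, as an added example (not part of the cheat sheet): a server stores a per-user salt with a PBKDF2 hash instead of the plaintext, verifies logins against that record, and a precomputed (unsalted) table no longer matches the stored value. The user names and passwords are constructed samples.

```python
import hashlib
import hmac
import secrets

# Constructed example: salted password storage and verification as the
# "Salted hash" entry describes. Higher iteration counts slow brute-force
# and dictionary attacks; 100k is a modest illustrative value.
ITERATIONS = 100_000


def register(password: str) -> dict:
    """Build the record stored in the user database: random salt + derived hash."""
    salt = secrets.token_bytes(16)  # random data added to the password before hashing
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def rainbow_table_hit(table: dict, record: dict) -> bool:
    """A rainbow table maps precomputed (unsalted) hashes back to passwords.
    With a per-user salt the stored hash is not in the table, even for a
    common password, so the precomputation is wasted."""
    return record["hash"] in table


def demo() -> dict:
    # Two users choose the same weak password (constructed sample).
    alice = register("Password123")
    bob = register("Password123")
    # An attacker's precomputed table of unsalted SHA-256 hashes (constructed).
    table = {hashlib.sha256(b"Password123").hexdigest(): "Password123"}
    return {
        "same_password_different_hash": alice["hash"] != bob["hash"],
        "login_ok": verify(alice, "Password123"),
        "login_rejected": not verify(alice, "password123"),
        "rainbow_hit": rainbow_table_hit(table, alice),
    }
```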
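The Kerberos logon process above, modelled as an added example (not part of the cheat sheet and not a real Kerberos implementation): the KDC holds every principal's long-term key, returns a session key plus a time-stamped TGT sealed under the client's password-derived key, and only the TGS key can open the TGT. The seal/unseal cipher is a toy encrypt-then-MAC construction built from HMAC for the demonstration, and the principal names and secrets are constructed.

```python
import hashlib, hmac, json, secrets, time

# Toy model of the Kerberos AS exchange. "seal" is a demo cipher (HMAC keystream
# + HMAC tag), NOT a Kerberos encryption type; principals/secrets are constructed.

def kdf(secret: str) -> bytes:
    """Long-term key derived from a password (the 'client password hash')."""
    return hashlib.sha256(secret.encode()).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(n // 32 + 1):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a JSON object under key and append an integrity tag."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# KDC database: secret keys of all principals, including the TGS ("krbtgt").
KDC_DB = {"alice": kdf("correct-horse-battery"), "krbtgt": kdf("tgs-long-term-secret")}

def kdc_as_exchange(username: str) -> bytes:
    """AS-REP: new session key + time-stamped TGT, sealed under the client's key.
    The KDC never receives the password; only the right key opens the reply."""
    if username not in KDC_DB:
        raise KeyError("unknown principal")
    session_key = secrets.token_bytes(32).hex()
    tgt = seal(KDC_DB["krbtgt"], {"client": username, "session_key": session_key,
                                  "issued": time.time()})  # readable only by the TGS
    return seal(KDC_DB[username], {"session_key": session_key, "tgt": tgt.hex()})

def client_logon(password: str, as_rep: bytes) -> tuple:
    """Client derives its key from the typed password, recovers the session key
    and installs the TGT. A wrong password cannot open the reply (ValueError)."""
    rep = unseal(kdf(password), as_rep)
    return rep["session_key"], bytes.fromhex(rep["tgt"])

def tgs_reads_tgt(tgt: bytes) -> dict:
    """Only the TGS, holding the krbtgt key, can read the TGT contents."""
    return unseal(KDC_DB["krbtgt"], tgt)

def wrong_password_rejected(as_rep: bytes) -> bool:
    try:
        client_logon("not-the-password", as_rep)
        return False
    except ValueError:
        return True
```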