CISSP-2022 Exam Cram Domain 5
For more cybersecurity exam prep tutorials, follow us on Youtube at Inside Cloud and Security
DOMAIN 5: CERTIFICATE-BASED AUTHENTICATION
Biometrics
a method of authentication using an individual’s physical
characteristics, which are unique to the individual.
Fingerprint Scanner
Fingerprint scanners are now very common, and are used not only in
MFA but in various travel, financial, and legal situations.
Retina Scanner
With appropriate lighting, the retina can be accurately identified, as
the blood vessels of the retina absorb light more readily than the
surrounding tissue.
Iris Scanner
Confirms the identity of the user by scanning their iris.
Both retina and iris scanners are physical devices.
Voice Recognition
The voice patterns can be stored in a database and used for
authentication.
Facial Recognition
Looks at the shape of the face and characteristics such as mouth, jaw,
cheekbone, and nose.
Light and angle/direction can be a factor, especially in software.
Microsoft facial recognition, called Windows Hello, was released with
Windows 10.
It uses a special USB infrared camera and, as such, is better than other
facial recognition programs that can have problems with light.
Vein
The pattern of blood vessels in the palm can be used as a biometric factor of
authentication.
Gait Analysis
Gait is the way an individual walks. Identification and/or authentication
using gait is possible even with lower-resolution video.
BIOMETRIC authentication FAILURES
SAML, OAuth, and OpenID
The three to know for the exam are SAML, OAuth 2.0, and OpenID.
Security Assertion Markup Language (SAML)
is an XML-based, open-standard data format for exchanging authentication
and authorization data between parties, in particular between an identity
provider and a service provider. Common in federation scenarios.
RADIUS
uses UDP and encrypts the password only.
TACACS+
uses TCP and encrypts the entire session.
Diameter
is based on RADIUS and addresses many of the weaknesses of
RADIUS, but Diameter is not compatible with RADIUS.
authorization mechanisms
Access control models use many different types of authorization
mechanisms, or methods to control who can access specific objects.
Implicit Deny
A basic principle of access control is implicit deny, and most authorization
mechanisms use it. The implicit deny principle ensures that access to an object is
denied unless access has been explicitly granted to a subject.
Capability Tables
Capability tables are another way to identify privileges assigned to subjects. They differ from
ACLs in that a capability table is focused on subjects (such as users, groups, or roles),
whereas an ACL is focused on objects.
Constrained Interface
Applications use constrained interfaces (also called restricted interfaces) to limit what users can do or
see based on their privileges. Users with full privileges have full access; users with
restricted privileges see or can do less. Applications constrain the interface using different methods.
Content-Dependent Control
Restricts access to data based on the content within an object. A database view is a
content-dependent control.
Context-Dependent Control
Requires specific activity before granting users access.
Example: the data flow for a transaction selling digital products, where each step
must be completed before the next is permitted.
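A database view acting as a content-dependent control, as an added example that is not from the slides. The table, its rows, and the view name `staff_directory` are constructed; SQLite's in-memory database is used so it runs offline.

```python
# Added example (not from the slides): a database view as a content-dependent
# control. The schema, rows and the view name are constructed sample data.
import sqlite3

def build_db():
    """Base table holds everything; the view exposes only what the content allows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees "
                 "(name TEXT, dept TEXT, salary INTEGER, classification TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", [
        ("alice", "finance", 90000, "confidential"),
        ("bob", "it", 70000, "internal"),
        ("carol", "it", 65000, "internal"),
    ])
    # Content decides visibility: the salary column is omitted and rows whose
    # classification is 'confidential' are filtered out of the view.
    conn.execute("CREATE VIEW staff_directory AS "
                 "SELECT name, dept FROM employees "
                 "WHERE classification <> 'confidential'")
    return conn

def directory_lookup(conn, dept):
    """Application code queries only the view, never the base table."""
    cur = conn.execute(
        "SELECT name, dept FROM staff_directory WHERE dept = ?", (dept,))
    return cur.fetchall()

def view_columns(conn):
    """Columns a caller of the view can see (salary is not among them)."""
    return [row[1] for row in conn.execute("PRAGMA table_info(staff_directory)")]

if __name__ == "__main__":
    db = build_db()
    print(view_columns(db))                 # ['name', 'dept']
    print(directory_lookup(db, "it"))       # [('bob', 'it'), ('carol', 'it')]
    print(directory_lookup(db, "finance"))  # []: the only finance row is confidential
```

In a real deployment the application account is granted SELECT on the view only, so the base table (and the salary column) is unreachable through that connection.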
Need to Know
This principle ensures that subjects are granted access only to what they need to
know for their work tasks and job functions. Even a subject with clearance to access
information is granted access only if they actually need it to perform a job.
Least Privilege
Ensures that subjects are granted only the privileges they need to perform their work
tasks and job functions. Sometimes lumped together with need to know; the only
difference is that least privilege also includes rights to take action on a system.
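One access matrix viewed as an object-centric ACL and as a subject-centric capability table, with implicit deny as the default decision and a least-privilege check on top. This is an added example, not from the slides; the subjects, objects and rights are constructed sample data.

```python
# Added example (not from the slides): ACL vs. capability table as two views of
# one access matrix, implicit deny, and a least-privilege review. All subjects,
# objects and rights below are constructed sample data.
from collections import defaultdict

# Access matrix: (subject, object) -> set of explicitly granted actions.
ACCESS_MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
    ("bob", "webserver"): {"read", "execute"},
    ("auditor", "payroll.db"): {"read"},
}

def to_acl(matrix):
    """Object-centric view: for each object, which subjects hold which rights."""
    acl = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acl[obj][subject] = set(rights)
    return dict(acl)

def to_capability_table(matrix):
    """Subject-centric view: for each subject, which objects it may act on."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = set(rights)
    return dict(caps)

def authorize(caps, subject, obj, action):
    """Implicit deny: unknown subject, unknown object or ungranted action -> False."""
    return action in caps.get(subject, {}).get(obj, set())

def excess_privileges(caps, subject, needed):
    """Least-privilege review: rights held beyond what the job needs.
    `needed` maps object -> set of actions the role actually requires."""
    excess = {}
    for obj, rights in caps.get(subject, {}).items():
        extra = rights - needed.get(obj, set())
        if extra:
            excess[obj] = extra
    return excess

if __name__ == "__main__":
    caps = to_capability_table(ACCESS_MATRIX)
    print(to_acl(ACCESS_MATRIX)["payroll.db"])             # who can touch payroll.db
    print(authorize(caps, "bob", "payroll.db", "write"))   # False: never granted
    print(authorize(caps, "carol", "payroll.db", "read"))  # False: unknown subject
    # bob's job only needs the web server; his payroll read right is excess.
    print(excess_privileges(caps, "bob", {"webserver": {"read", "execute"}}))
```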
Categories of security controls
Logical / Technical
the hardware or software mechanisms used to manage access to resources
and systems and provide protection for those resources and systems.
EXAMPLES: encryption, smart cards, passwords, biometrics, constrained
interfaces, access control lists (ACLs), protocols, firewalls, routers,
intrusion detection systems, and clipping levels.
Physical
security mechanisms focused on providing protection to the
facility and real-world objects.
Administrative
the policies and procedures that direct how security is managed in the organization.
Types of Security controls
Security controls, countermeasures, and safeguards can be
implemented administratively, logically/technically, or physically.
Types of security controls include: Preventative, Detective, Corrective, Deterrent,
Compensating, Directive, and Recovery.
Categories of controls include: Logical/Technical, Physical, and Administrative.
The three primary control types are preventative, detective, and corrective.
Preventative
Deployed to stop unwanted or unauthorized activity from occurring.
EXAMPLES: fences, locks, biometrics, mantraps, alarm systems, job
rotation, data classification, penetration testing, and access control methods.
Detective
Deployed to discover unwanted or unauthorized activity. Often
after-the-fact controls rather than real-time controls.
EXAMPLES: security guards, guard dogs, motion detectors, job rotation,
mandatory vacations, audit trails, intrusion detection systems, violation
reports, honey pots, and incident investigations.
Corrective
Deployed to restore systems to normal after an unwanted or
unauthorized activity has occurred, such as a security incident.
EXAMPLES: intrusion detection systems, antivirus solutions, alarms,
mantraps, business continuity planning, and security policies.
Compensating
Deployed to provide options to other existing controls to aid in the
enforcement and support of a security policy.
EXAMPLE: a disaster recovery plan with an alternate office
location, in the event that fire suppression fails and the building is damaged.
Directive
Deployed to direct, confine, or control the actions of subjects to force or
encourage compliance with security policies.
EXAMPLES: security guards, guard dogs, security policy, posted
notifications, escape route exit signs, monitoring, supervising, work
task procedures, and awareness training.
Recovery
Deployed to repair or restore resources, functions, and capabilities after
a violation of security policies. A recovery control is a more advanced or complex
form of corrective control, with greater capability to respond to access violations.
EXAMPLES: backups and restores, fault-tolerant drive systems,
server clustering, antivirus software, and database shadowing.
Deterrent
deployed to discourage the violation of security policies. A deterrent
control picks up where prevention leaves off.
Risk
is the possibility or likelihood that a threat can exploit a vulnerability and
cause damage to assets.
Asset valuation
identifies the value of assets; threat modeling identifies threats against those
assets.
Vulnerability analysis
identifies weaknesses in an organization’s valuable assets.
access control attacks
Dictionary attacks
These are programs with built-in dictionaries. They try every dictionary
word in an attempt to find the correct password, in the hope that a user
has used a standard dictionary word.
Brute force
This type of attack attempts to break the password by systematically trying every
possible combination.
Spoofing Attacks
Spoofing is pretending to be something or someone else, and it is used in many types of
attacks, including access control attacks. Attackers often try to obtain the credentials of
users so that they can spoof the user’s identity.
Spoofing attacks include email spoofing, phone number spoofing, and IP spoofing.
Many phishing attacks use spoofing methods.
Social Engineering
An attempt by an attacker to convince someone to provide information (like a password) or
perform an action they wouldn’t normally perform (such as clicking on a malicious link).
Social engineers often try to gain access to the IT infrastructure or the physical facility.
The best defense is security awareness training (user education).
Phishing
Commonly used to try to trick users into giving up personal information (such as user
accounts and passwords), click a malicious link, or open a malicious attachment.
Know these three variants!
Spear phishing targets specific groups of users.
Whaling targets high-level executives.
Vishing uses VoIP technologies.
Phishing is the #1 cyber attack!
Access aggregation
is a type of attack that combines, or aggregates, non-sensitive information to learn
sensitive information and is used in reconnaissance attacks.