CISSP - Domain 5. - Wireless & Access Control


(b) Context-dependent access control. - adds additional factors beyond username and password, such as the time of attempted access.

(1) What access control method weighs additional factors, such as time of attempted access, before granting access? (a) Content-dependent access control (b) Context-dependent access control (c) Role-based access control (d) Task-based access control

802.11 IEEE Standards

(Ref 30.3 Wireless Network)

Access Attacks on Wireless

(Ref 30.3 Wireless Network)

Denial Of Service on Wireless

(Ref 30.3 Wireless Network)

Sniffing attack on wireless

(Ref 30.3 Wireless Network)

Wireless Network Configurations

(Ref 30.3 Wireless Network)

SSO Implementations

- ADFS
- CAS (Central Authentication Service)
- Kerberos

Avoiding Brute Force

- Best: increase the length of the password.
- Next best: add different character sets.

Lattice-Based Authentication Model (Biba)

- MAC is a lattice-based authentication model.
- These models use a matrix of classification labels to compartmentalize the data.
- It is also called Biba access control.
- Role-based access control (RBAC) is group-based access control.
- Rule-based access control (RuBAC) is like firewall ACLs: the rules apply to all subjects they cover.
- DAC: data-owner-based access control.
Note: DAC provides flexibility and scalability, while MAC provides more security due to its strong set of controls but doesn't scale.

B. Federated ID.

10. Which of the following is the best description of a situation where a user can sign up for a social media account such as Facebook, and then use their credentials to log in and access another organization's sites, such as Yahoo? A. Transitive trust B. Federated ID C. Non-transitive trust D. Single sign-on

B. Dictionary attacks

11. What type of attack targets pronounceable passwords? A. Brute-force attacks B. Dictionary attacks C. Hybrid attacks D. Rainbow tables

C. A one-way encryption process

12. Which of the following represents the best method of password storage? A. A cleartext file B. Symmetric encryption C. A one-way encryption process D. An XOR process

D. Lattice - makes use of a join and a meet. The lattice-based access control model (LBAC) is considered a complex model used to manage the interaction between subjects and objects

13. Which access control model makes use of a join and a meet? A. Rule-based access control B. MAC C. DAC D. Lattice

A. Rule-based access control

14. Which of the following access control models is commonly used with firewall and edge devices? A. Rule-based access control B. MAC C. DAC D. Lattice

D. Role-based access control. - It allows access to be assigned to groups and works well where there are high levels of turnover

15. Because of recent highly publicized hacking news reports, senior management has become more concerned about security. As the senior security administrator, you are asked to suggest changes that should be implemented. Which of the following access methods should you recommend if the method is to be one that is primarily based on pre-established access, can't be changed by users and works well in situations where there is high turnover? A. Discretionary access control B. Mandatory access control C. Rule-based access control D. Role-based access control

A. Retina scan

2. Which of the following biometric systems would be considered the most accurate? A. Retina scan CER 3 B. Fingerprint CER 4 C. Keyboard dynamics CER 5 D. Voice recognition CER 6

B. File and data ownership, and access rights and permissions

3. What are the two primary components of a DAC? A. Access rights and permissions, and security labels B. File and data ownership, and access rights and permissions C. Security labels and discretionary access lists D. File and data ownership, and security labels

Accountability

4. You have been hired as a contractor for a government agency. You have been cleared for secret access based on your need to know. Authentication, authorization, and accountability are also enforced. At the end of each week, the government security officer for whom you work is tasked with the review of security logs to ensure only authorized users have logged into the network and have not attempted to access unauthorized data. The process of ensuring accountability for access to an information system included four phases. What is this an example of?

A. Cognitive

5. When registering for a new service, you were asked the following questions: "What country were you born in? What's your pet's name? What is your mother's maiden name?" What type of password system is being used? A. Cognitive B. One-time C. Virtual D. Complex

D. DAC, because access is left to the owner's discretion.

6. Mark has just completed his new peer-to-peer network for the small insurance office he owns. Although he will allow Internet access, he does not want users to log in remotely. Which of the following models most closely match his design? A. TACACS+ B. MAC C. RADIUS D. DAC

C. TACACS+ features two-factor authentication, and it is used for the administration of Cisco devices.

7. Which of the following is the best answer: TACACS+ features what? A. One-factor authentication B. Decentralized access control C. Two-factor authentication D. Accountability

C. ACLs end with an implicit deny all statement.

8. A newly hired junior security administrator will assume your position temporarily while you are on vacation. You're trying to explain the basics of access control and the functionality of rule-based access control mechanisms like ACLs. Which of the following best describes the order in which an ACL operates? A. ACLs apply all deny statements before allow statements. B. Rule-based access control and role-based access control are basically the same thing. C. ACLs end with an implicit deny all statement. D. ACLs are processed from the bottom up.

This 802.11 standard addresses security

802.11i (Ref 30.3 Wireless Network)

C. Authentication, authorization, and accountability. RADIUS provides three services: authentication, authorization, and accountability. RADIUS facilitates centralized user administration and keeps all user profiles in one location that all remote services share.

9. RADIUS provides which of the following? A. Authorization and accountability B. Authentication C. Authentication, authorization, and accountability D. Authentication and authorization

Capability Table

A capability table lists the privileges assigned to a subject and identifies the objects they apply to. - A capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.

Race Condition

A state where two subjects can access the same object without proper mediation. - In other words, it arises when two or more processes need to access the same resource in the right order.

Authorization Creep (Ref 33.1 Access Control Fundamentals)

Accumulation of access rights, permissions and privileges over time

Wireless Modes include

Ad hoc mode - a wireless peer-to-peer relationship.
Infrastructure mode - the topology includes wireless devices, access points, and wired routers connected to the internet. (Ref 30.3 Wireless Network)

In Kerberos Negotiation, the Ticket Granting Ticket (TGT) is used for which of the following? A. Identification B. Authorization C. Authentication D. Multifactor authentication

C. Authentication. Kerberos was designed to provide secure authentication to services over an insecure network. Kerberos uses tickets to authenticate a user and completely avoids sending passwords across the network.

This Bluetooth attack exploits a protocol weakness to take over a device.

BlueBorne (Ref 30.3 Wireless Network)

Callback to landline in multifactor authentication

Callback to a landline is considered "somewhere you are".
Callback to a cellphone is considered "something you have".

D. MAC

Christine works for a government agency that is very concerned about the confidentiality of information. The government agency has strong controls for the process of identification, authentication, and authorization. Before Christine, the subject, can access her information, the security label on objects and the clearance on subjects are verified. What is this an example of? A. DAC B. LBAC C. RBAC D. MAC

Dictionary Attacks

Compare passwords to a list of common words, and can search for multiword phrase combinations, e.g. Orange, Oranges, Orange123, etc.

Open standards protocol used in process automation environments

DNP3 (Ref 30.2 Non-IP Multi Layer Protocols)

Any action not explicitly allowed is denied

Default Deny (Ref 33.1 Access Control Fundamentals)

Any action that isn't explicitly denied is allowed

Default allow (Ref 33.1 Access Control Fundamentals)

The desired result of a jamming attack

Denial of Service (Ref 30.3 Wireless Network)

An attack used to force a wireless device offline

Disassociation (Ref 30.3 Wireless Network)

Requiring more than one subject or key to complete a task

Dual Control or Two person rule (Ref 33.1 Access Control Fundamentals)

This attack uses a rogue access point to spoof an SSID

Evil Twin (Ref 30.3 Wireless Network)

OpenID or SAML

FiDM uses what protocols for exchanging security information and authentication data.

Resource Based Access Control

In Cloud Computing, resource based access controls are used. S3 Bucket Policy, Key Policies in AWS.

DNP3 (Distributed Network Protocol)

It is a multilayer, open-standards-based communication protocol used between components in process automation, such as industrial control systems (SCADA). Used for reliability and primarily found in the electric, water, waste, transportation, and oil and gas industries. Operates at OSI layers 2, 4 and 7. (Ref 30.2 Non-IP Multi Layer Protocols)

SAML (Security Assertion Markup Language)

It is XML based framework for exchanging security information, including authentication data. Primary goal of SAML is to enable web SSO at an internet scale.

FCoE (Fibre Channel over Ethernet)

It is a Layer 2 standards-based protocol that allows Fibre Channel frames to be carried over Ethernet links. - FCoE, IP and iSCSI data traffic can be consolidated onto a single network. - FCoE is not routable at the IP layer. (Ref 30.2 Non-IP Multi Layer Protocols)

Dual Control Model

It is a practice of having more than one subject or key required to complete a specific task. (Requester and Approver) (Ref 33.1 Access Control Fundamentals)

Simple Object Access Protocol (SOAP)

It is a protocol used and designed for the security of web services.

SPML (Service Provisioning Markup Language)

It is an XML-based framework that can be used to exchange access control information between organizations so that a user logged into one entity can have the access rights passed to the other.

Kerberos Negotiation with KDC

The KDC is comprised of the AS (Authentication Server) and the TGS (Ticket Granting Server).
https://medium.com/identity-beyond-borders/kerberos-explained-3bc2ddb7b0eb
https://www.youtube.com/watch?v=5N242XcKAsM
Note - Kerberos uses AES to encrypt the username etc.

What type of Active Directory trust allows authentication with an existing Kerberos K5 domain?

Kerberos uses realms. The proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust.

MPLS device that makes packet forwarding decisions

LER. (Label Edge Router) (Ref 30.2 Non-IP Multi Layer Protocols)

FCoE OSI Layer

Layer 2 (Ref 30.2 Non-IP Multi Layer Protocols)

Minimum set of permissions needed to perform a task

Least Privilege Policy (Ref 33.1 Access Control Fundamentals)

Scalable protocol-independent transport technique for high performance networks

MPLS (Ref 30.2 Non-IP Multi Layer Protocols)

What are Multilayer Protocols

MPLS, DNP3 and FCoE (Ref 30.2 Non-IP Multi Layer Protocols)

MPLS (Multiprotocol Label Switching)

A multilayer protocol that is a scalable, protocol-independent transport technique. Used for high-performance networks. Operates at OSI layers 2 and 3. Packet forwarding decisions are based on short path labels and QoS, using a Label Edge Router (LER). (Ref 30.2 Non-IP Multi Layer Protocols)

This attack can occur when two NFC devices are in close enough range

NFC Bumping (Ref 30.3 Wireless Network)

Demonstrated reason for access

Need to know (Ref 33.1 Access Control Fundamentals)

It means that the subject has a demonstrated and approved reason for being granted access.

Need to know (Ref 33.1 Access Control Fundamentals)

Determines what actions a subject can perform on a file or folder (Read/Write)

Permission (Ref 33.1 Access Control Fundamentals)

This access control category focuses on facilities, equipment and devices.

Physical Access Control (Ref 33.1 Access Control Fundamentals)

Common attack with privileged accounts

Privileged credential theft and privilege escalation are the two most common attacks. - Pass the Hash is a technique in which an attacker captures hashed account credentials on one computer and reuses the credentials to authenticate to another computer. (Ref 33.1 Access Control Fundamentals)

RADIUS

Remote Authentication Dial-In User Service
- It provides centralized authentication, authorization and accounting management for remote users. It is NOT SSO.
- Widely used with ISPs, APs, VPNs, PPP and the 802.1X protocol.
- Operates at the application layer and defaults to UDP port 1812 for authentication and 1813 for accounting.
- Uses authentication schemes such as PAP, CHAP or EAP.

The objective of this attack is to capture and reuse data packets

Replay Attack (Ref 30.3 Wireless Network)

Constrained Interface

Restrictions on interfaces that limit what users can see and do based on their privileges. Menus, shells and databases are constrained interfaces, while a keyboard is not.

Ability of a subject to take an action like install a software or login into a system

Rights (Ref 33.1 Access Control Fundamentals)

Rights vs. Permissions vs privileges

Rights generally refer to the ability of a subject to take an action, like the right to log in remotely, install software, or create a user account.
Permissions are functions that a subject can perform on an object, for example read/write/modify/delete permissions on a file or folder. ACLs are generally used to assign permissions.
- Permissions are generally cumulative and can be explicit or inherited.
- Permissions should be audited on a regular basis.
Privileges relate to overriding capabilities like administrative, root or superuser privileges. These can trump rights and permissions. (Ref 33.1 Access Control Fundamentals)

SAML, SPML, XACML, SOAP

SPML - Service Provisioning Markup Language (XML based). It is designed to allow platforms to generate and respond to provisioning requests.
SAML - Security Assertion Markup Language. It is used for authentication and authorization.
XACML - eXtensible Access Control Markup Language. It is used to describe access control.
SOAP - Simple Object Access Protocol. Used for messaging.

Breaking a task into processes that are assigned to different subjects so that no one subject is in complete control

Separation of Duties (Ref 33.1 Access Control Fundamentals)

Separation of duty. vs Authorization Creep

SoD - Breaking a task into separate processes that are assigned to different subjects so that no one subject is in complete control.
Authorization Creep - Accumulation of access rights, permissions, and privileges over time. It happens because of promotions, lateral moves, etc. (Ref 33.1 Access Control Fundamentals)

Kerberos (Strength & Weaknesses)

Strength:
- Kerberos encrypts messages using secret keys.
Weakness:
- Single point of failure.
- If compromised, the attacker can impersonate users.

Reference Profile

The digitally stored sample of a biometric factor.

Primary Strength of DNP3

This protocol is used in Industrial operations and known for Reliability & Error Checking. (Ref 30.2 Non-IP Multi Layer Protocols)

Circuits can be permanent (PVCs), programmed in advance, or switched (SVCs), meaning the circuit is quickly built when it is needed and torn down when it is no longer needed. When a customer decides to pay for a committed information rate (CIR), a PVC is programmed for that bandwidth, whereas an SVC requires steps similar to establishing a dial-up connection. In a nutshell, with PVCs the permanent path is set up and programmed beforehand, while with SVCs the circuit is built upon request.

Virtual Circuits - Frame Relay and X.25 forward frames across virtual circuits. What is the difference between PVCs and SVCs?

This wireless protocol is broken and is considered insecure

WEP (Ref 30.3 Wireless Network)

This wireless network configuration is based on 802.11 standard

WLAN (Ref 30.3 Wireless Network)

802.11 Security Protocols

WPA and WPA2 use separate keys for users and services. (Ref 30.3 Wireless Network)

This wireless security protocol uses AES encryption

WPA2 (Ref 30.3 Wireless Network)

Wireless Attack

War driving - physically scanning for unprotected wireless networks.
War chalking - marking a physical area to indicate a free, open, and insecure wireless network or access point.
Rogue access point - when an unauthorized access point (AP) appears on a network.
Evil twin attack - a rogue access point with the same SSID. It enables an attacker to trick a user into connecting to an attacker-controlled network. The attacker may also impersonate a captive portal to capture credentials or payment information. Used in MitM attacks.
Categories:
- Access - authentication exploit
- Spoofing - impersonating a wireless device
- Sniffing - capturing wireless packets
- Denial of service - overwhelming system resources
(Ref 30.3 Wireless Network)

SESAME (Secure European System for Applications in a Multi-Vendor Environment)

What is the European system that overcomes the weakness of Kerberos' reliance on symmetric encryption, incorporates hashing and uses certificates? It is also used in multi-vendor setups.

C) SAML. - is an XML-based framework for exchanging security information, including authentication data.

What is an XML-based framework for exchanging security information, including authentication data? (a) Kerberos (b) OpenID (c) SAML (d) SESAME

PAP (Password Authentication Protocol)

What is the insecure mechanism that sends the password in cleartext across the network?

(b) LDAP. - is an open protocol for interfacing and querying directory service information from network operating systems using port 389 TCP or UDP.

What protocol is a common open protocol for interfacing and querying directory service information provided by network operating systems using port 389 via TCP or UDP? (a) CHAP (b) LDAP (c) PAP (d) RADIUS

(a) Decreasing the amount of minutiae verified lowers the accuracy of the system, which lowers false rejects but raises false accepts.

What technique would raise the false accept rate (FAR) and lower the false reject rate (FRR) in a fingerprint scanning system? (a) Decrease the amount of minutiae that is verified (b) Increase the amount of minutiae that is verified (c) Lengthen the enrollment time (d) Lower the throughput time

Privilege Creep

When users move around within the organization and retain privileges even when they no longer need them.

TLS - Transport Layer Security
Note - SAML doesn't have a security mode of its own and uses TLS and digital signatures to ensure security.

Which network protocol provides:
- confidentiality and integrity
- prevents eavesdropping and MitM
- when paired with digital signatures, provides integrity with authentication

CHAP (Challenge Handshake Authentication Protocol)

Which authentication mechanism provides protection against replay attacks and uses a central location that challenges remote users? The secret in this case is not sent over the network.

WPS attack

WPS (Wi-Fi Protected Setup) was introduced in 2006 with the objective of easily adding new devices to an existing network by using a PIN instead of entering a long passphrase. - The PIN flaw allows an attacker to brute force and recover the PIN in a few hours, and with it the WPA/WPA2 pre-shared key. (Ref 30.3 Wireless Network)

LDAP (Lightweight Directory Access Protocol)

Example LDIF entry (the stray trailing semicolon in the original is not valid LDIF):
dn: cn=John Doe,dc=example,dc=com
cn: John Doe

