CISSP Domain 5 Flashcards

Question

Kerberos

Answer 1

based on symmetric key cryptography eliminates need to transmit passwords over the network Most implementations work with shared secret keys

Answer 2

Scalability Transparency Reliability Security

Answer 3

holds all users and services secret keys provides authentication as well as key distribution trust is the foundation of kerberos security

Answer 4

Principles | can be users, applications, or network services

Answer 5

an account for and share a secret key with each principal

Answer 6

a secret key value

Answer 7

is generated by the ticket granting service (TGS) Serves as CA like PKI

Answer 8

Credentials passed to Authentication service on the KDC. | User gets a ticket granting ticket

Answer 9

Once user is authenticated to AS (Authentication Service) User gets a ticket granting ticket Ticket is sent to Ticket granting Service Instead of sending passwords over the network, the Ticket Granting Ticket is sent to the Ticket Granting Service TGT has a time limit

Answer 10

principals do not trust each other enough to communicate directly Similar to PKI. TGS serves as CA

Answer 11

KDC can be a single point of failure must respond in a timely manner. must be scalable Secret keys are temporarily stored on user workstations Kerberos is subject to password guessing Network traffic is not protected by kerberos is encryption is not enabled Short keys are vulnerable to brute-force attacks Kerberos needs client and server clocks to be synchronized

Answer 12

facts, or attributes, of a user

Answer 13

can be used across multiple domains a portable identity allows a user to be authenticated across multiple systems and enterprises Is a key component of e commerce

Answer 14

parts of a website that act as a point of access to information presents information from diverse sources in a unified manner can offer various services, including email and news

Answer 15

portlets which are plugable user interface software components A portal is made up of individual portlets

Answer 16

Standard Generalized Markup Language

Answer 17

a universal, functional standard

Answer 18

Service Provisioning Markup Language allowed exchange of provisioning data between applications Could reside in one organization or many. Allows for automation of user management and access entitlement configuration related to electronically published services.

Answer 19

Requesting Authority Provisioning service Provider Provisioning Service Target

Answer 20

entity making a request to setup an account

Answer 21

software that responds to account requests

Answer 22

Carries out the provisioning activities on the requested system

Answer 23

Security Assertion Markup Language | XML standard that allowed exchange of authentication and authorization data to be shared between 2 security domains

Answer 24

authentication pieces to federated identity management systems to allow business to business and business to consumer transactions

Answer 25

collection of technologies and standards that allow services to be provided on distributed systems

Answer 26

SOAP a specification that outlines how information pertaining to web services is exchanged in a structured manner Provides a basic messaging framework.

Answer 27

Simple Object Access Protocol SOAP a specification that outlines how information pertaining to web services is exchanged in a structured manner Provides a basic messaging framework.

Answer 28

Service Oriented Architecture | Provide independent services residing on different systems in different domains

Answer 29

XACML used to express security policies and access rights to assets provided through web services Sends authentication information

Answer 30

standard for user authentication by third parties credentials are not maintained by the company, but a third party such as Google, Yahoo, or Facebook Frees up website developers from the need to setup authentication mechanisms

Answer 31

End User Resource Party Open ID provider

Answer 32

Open standard for authorization to third parties

Answer 33

type of software as a service | provides SSO, Federated IdM, password management

Answer 34

framework that dictates how subjects access objects

Answer 35

Discretionary Mandatory Role Based

Answer 36

restrict user abilities by not allowing certain functions

Answer 37

Menus and shells database views physical constrained interfaces

Answer 38

table of subjects and objects indicating what actions individual subjects can take upon individual objects

Answer 39

Specifies access rights a certain subject possesses pertaining to specific objects

Answer 40

filters according to strings

Answer 41

Remote Authentication Dial In User Service Network protocol that provides client/server authentication, and authorization, and audits remote users

Answer 42

Terminal Access Controller Access Control System Combines its authentication and authorization processes

Answer 43

TACACS, Extended TACACS, and TACAS+ TACACS combines authentication and authorization XTACACS separates authentication, authorization processes, TACACS+ is XTACACS with 2 factor

Answer 44

TACACS uses fixed passwords TACACS+ allows users to employ dynamic passwords

Answer 45

RADIUS only encrypts password only as it is being transmitted from the RADIUS client to server. Username, accounting and authorized services are transmitted in clear text. RADIUS is subject to replay attacks

Answer 46

TACACS encrypts all authentication data between the client and server

Answer 47

builds upon the functionality of RADIUS | Is another AAA protocol but provides more flexibility and capabilities

Answer 48

allows a user to move from one network to another with the same IP address. Allows a user to have a home IP Address

Answer 49

first is base protocol that provides secure and communication among Diameter entities, feature discovery, and version negotiation Second is extensions built on top of base protocol to allow various technologies to use.

Answer 50

Authentication PAP, CHAP, EAP End to end protection of authentication information Replay attack protection Authorization Redirects, secure proxies, relays, and brokers State reconciliation Unsolicited disconnect Reauthorization on demand Accounting Reporting, roaming operations, accounting, event monitoring

Answer 51

Administrative Controls Physical Controls Technical Controls

Answer 52

started out as a DOD study and turned into a standard that outlines how to develop countermeasures. TEMPEST remediates picking up information through the airways.

Answer 53

white noise or control zone

Answer 54

designed to detect a security breach | Process of detecting unauthorized use or attack on a computer network

Answer 55

Sensors Analyzers Administrator interfaces

Answer 56

Every change is a state transition. Logon, application, etc State is a snapshot

Answer 57

behavioral based system | In learning mode to build a profile of an environment's normal

Answer 58

Rule based IDS made up of a knowledge base, inference engine and rule based programming

Answer 59

computer setup as a sacrificial lamb on the network | no locked down, ports enabled.

Answer 60

redirects a victim to a seemingly legitimate site. Attacker then carries out DNS poisoning

Answer 61

allows attackers and administrators to dial large blocks of phone numbers in search of modems

Answer 62

potential vulnerabilities Penetration testing is required to identify vulnerabilities that can be exploited

Answer 63

``` Kernal flaws Buffer Overflows Symbolic Links File Descriptor attacks Race conditions File and directory permissions ```

Answer 64

below the level of the user interface | Countermeasure: Ensure that security patches, after testing, are applied to keep the window of opportunity small

Answer 65

bugs allowing more input than the program has space for. Overwrites data at the end of a buffer allows attacker to inject program code and cause processor to execute it. Gives attacker the same level of access as the program Countermeasure developer education, automated source code scanners, enhanced programming libraries and strongly typed languages that disallow buffer overflows

Answer 66

A program follows a link. Attacker can compromise the link. Might be used to delete or edit a password database Countermeasure Programs, and especially scripts, must be written to ensure the full path to the file cannot be circumvented

Answer 67

Numbers many operating systems use to represent open files in a process. Violated by unexpected input to provided to the program Countermeasure Good programming and developer education, automated source code scanners, and application testing reduce vulnerability

Answer 68

Design of a program puts it in a vulnerable condition before ensuring those conditions are mitigated. Countermeasure Good programming practices and developer education. automated source code scanners and application security testing reduce this type of vulnerability

Answer 69

errors in access control Countermeasures File integrity checkers

Answer 70

Examination of system log files to detect security events or to verify the effectiveness of security controls

Answer 71

time is sent in a UDP datagram that carries a 64 bit time stamp to port 123

Answer 72

``` Remote Logging Simplex communication Replication Write Once Media Cryptographic hash ```

Answer 73

Stratum 0 Government standard Stratum 1 core (maybe ISP) Stratum 2 another core, maybe domain Stratum 3 etc passes down for synchronization

Answer 74

Transaction generated by a script systematically test the behavior and performance of critical services

Answer 75

differs from synthetic transactions passively.