This is a mind map about CISSP study notes-14 (Controlling and Monitoring Access). The main content includes: review questions, exam key points, and knowledge points.
Edited at 2024-03-08 10:42:16
CISSP Study Notes-14 (Controlling and Monitoring Access)
Knowledge points
Compare access control models
Compare permissions, rights, and privileges
Permissions
Access granted to objects (for example, read or modify a file)
Rights
The ability to take an action on an object, such as backing up and restoring data
The terms are often used interchangeably; the difference is small
Privileges
A combination of rights and permissions
Understand the authorization mechanisms
Implicit deny
Anything not explicitly allowed is denied by default
Access control matrix
Table of subjects, objects, and the permissions each subject has on each object
Capability table
Subject-focused view of the matrix (what one subject can do); an ACL is the object-focused view (who can access one object)
Constrained interface
Content-dependent control
Restricts access based on the content of the object, for example a database view that hides certain columns
Context-dependent control
Access depends on the sequence or state of events, for example an e-book cannot be read until the purchase has been completed
Need to know
Least privilege
Need-to-know governs which data a subject may access; least privilege also limits the rights (actions) a subject may perform
Separation of duties
Define requirements with security policies
Security policies state what must be protected but do not describe how to meet the requirements or how to implement the controls; professionals use the policy as the guide to the security requirements
Introducing the access control models
Discretionary access control (DAC)
Every object has an owner, and the owner grants or denies other subjects access to the object. Microsoft NTFS uses DAC
Owners can delegate authority to data custodians
Identity-based access control is a subset of DAC
Permissions are recorded in an ACL attached to the object; Windows NTFS permissions are an example
Role-based access control (RBAC)
Subjects are placed into roles and permissions are assigned to the role. In Windows, groups serve as roles
Group = role
Prevents privilege creep in environments with frequent personnel changes
Task-based access control (TBAC) differs in that it assigns permissions per task or project rather than per role
Rule-based access control
Global rules that apply to all subjects equally
Example: firewall rules
Attribute-based access control (ABAC)
Software-defined networking (SDN) commonly uses ABAC
Example: allow users with mobile devices to log in only during certain hours
Mandatory access control (MAC)
Labels, lattice
Both subjects and objects carry security labels
A subject is granted a label (clearance) and can access objects whose labels it satisfies
Compartments enforce need-to-know
Environment classification
Hierarchical environment
A higher clearance can access lower levels, but not levels above it
Compartmentalized environment
Domains are isolated; a subject needs explicit permission for each compartment it accesses
Hybrid environment
MAC is more secure than DAC but less flexible and scalable
Risk-based access control
Can use machine learning to predict risk from past activity
Considers the device being used (for example a mobile device)
Considers whether multi-factor authentication was used
All models other than DAC are non-discretionary access controls
Implementing authentication systems
Implementing SSO on the internet
XML
SAML
XML-based; provides browser-based SSO
OAuth
Open standard
OAuth 2.0 is not backward compatible with OAuth 1.0
Provides authorization only, not authentication
OpenID
Open standard
OIDC (OpenID Connect)
Uses the OAuth 2.0 authorization framework
Provides both authentication and authorization
Compare SAML, OAuth, OpenID, and OIDC
SAML
Provides authentication, authorization, and attribute information
Uses three entities: principal (the user), service provider, and identity provider
OAuth
Authorization framework, not an authentication protocol
Uses APIs
Tokens
OpenID
Authentication standard
Maintained by the OpenID Foundation
OIDC
Provides authentication and authorization
Built on OpenID and OAuth 2.0; uses JSON Web Tokens (JWT)
Implementing SSO on the internal network
AAA protocols
Kerberos
Key distribution center (KDC)
Authentication server (AS)
Ticket
Ticket-granting ticket (TGT)
Principal
Realm
RADIUS
TACACS+
Understanding access control attacks
Common access control attacks
Credential theft
Bypassing authentication mechanisms
Privilege escalation
Using the su and sudo commands
Minimize the use of sudo
Password attacks
Dictionary attack
Brute-force attack
Password spraying attack
A brute-force variant that tries a few common passwords against many accounts to stay under the account lockout threshold
Credential stuffing attack
Attacker breaches one website, downloads its usernames and passwords, then tries the same credentials against the same people's accounts on other websites
Birthday attack
Rainbow table attack
Salt
Pepper
Mimikatz
Captures passwords, hashes, tickets, and private keys
Pass-the-hash attack
Windows systems using NTLM are the most vulnerable; similar attacks work against Kerberos
Kerberos exploitation attacks
Pass-the-hash attack
Pass-the-ticket attack
Tickets are harvested from the lsass.exe process
Silver ticket
Uses the captured NTLM hash of a service account to forge a ticket
The forged ticket is a service (TGS) ticket, not a TGT
Golden ticket
With the password hash of the KRBTGT account, the attacker can forge arbitrary tickets
Kerberos brute-force attacks
ASREPRoast
Targets accounts with Kerberos pre-authentication disabled
Kerberoasting
Does not need pre-authentication disabled: any authenticated domain user can request service tickets for accounts that have a service principal name (SPN)
Collects the encrypted TGS tickets and cracks them offline to recover the service account password
Sniffing attack
Spoofing attack
Core protection methods
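The access control matrix, ACL and capability table from the authorization-mechanism notes above, as an added example that is not part of the study notes: one matrix of subjects, objects and rights (constructed sample data) is projected into its object-focused (ACL) and subject-focused (capability) views, access checks follow implicit deny, and offboarding a subject shows why the capability view makes revocation cheap.

```python
# Added example (not from the study notes): one access control matrix, viewed
# two ways. Subjects, objects and rights below are constructed sample data.
from collections import defaultdict

# Matrix cells: (subject, object) -> rights. A missing cell means no rights at all.
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "backup.log"): {"read"},
    ("bob", "payroll.db"): {"read"},
    ("svc_backup", "payroll.db"): {"backup"},   # a right (an action), not a file permission
    ("svc_backup", "backup.log"): {"read", "write"},
}


def acl_view(matrix):
    """Object-focused view: for each object, which subjects hold which rights (an ACL)."""
    acls = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acls[obj][subject] = set(rights)
    return dict(acls)


def capability_view(matrix):
    """Subject-focused view: for each subject, the objects and rights it holds (a capability table)."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = set(rights)
    return dict(caps)


def is_allowed(matrix, subject, obj, right):
    """Implicit deny: anything not explicitly granted in the matrix is refused."""
    return right in matrix.get((subject, obj), set())


def revoke_subject(matrix, subject):
    """Offboarding a subject is one row in the capability view but a scan of every
    object's ACL in the ACL view; here we rebuild the matrix without that subject."""
    return {cell: rights for cell, rights in matrix.items() if cell[0] != subject}


if __name__ == "__main__":
    print("ACL for payroll.db:", acl_view(MATRIX)["payroll.db"])
    print("Capabilities of alice:", capability_view(MATRIX)["alice"])
    print("carol read payroll.db ->", is_allowed(MATRIX, "carol", "payroll.db", "read"))
```

Both views are derived from the same matrix, so the choice between ACLs (Windows NTFS, firewalls) and capability tables is about which question the system must answer quickly: "who can touch this object?" or "what can this subject reach?".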
Exam points
Understand the core concepts of the discretionary access control (DAC) model. In the DAC model every object has an owner, and the owner can grant or deny access to other subjects. NTFS on Windows is a common example.
Understand the core concepts of the role-based access control (RBAC) model. The RBAC model uses task-based roles; a user gains privileges when an administrator assigns the user account to a role or group. Removing the user from the role revokes the permissions gained through role membership.
Understand the core concepts of the rule-based access control model. The rule-based access control model uses a set of rules, restrictions, or filters to determine access. A firewall's access control list defines the list of rules that allow or block access.
Learn about single sign-on methods used on the internet. Single sign-on (SSO) is a mechanism that allows a subject to authenticate once and access multiple objects without authenticating again. Security Assertion Markup Language (SAML) is an open XML-based standard for exchanging authentication and authorization information. OAuth 2.0 is an authorization framework described in RFC 6749 and supported by many online websites. The OpenID Foundation maintains OpenID and OpenID Connect (OIDC). OpenID provides authentication. OIDC uses the OAuth 2.0 framework and builds on the OpenID standard to provide both authentication and authorization.
Understand the core concepts of the attribute-based access control (ABAC) model. The ABAC model is an advanced implementation of the rule-based access control model that uses rules built from attributes of the subject, object, and environment. Software-defined networking (SDN) often adopts the ABAC model.
Understand the core concepts of the mandatory access control (MAC) model. The MAC model uses labels to identify security domains. A subject needs a matching label to access an object. The MAC model enforces the need-to-know principle and supports hierarchical environments, compartmentalized environments, or a hybrid environment that combines the two. MAC models are often called lattice-based models.
Understand the core concepts of the risk-based access control model. The risk-based access control model evaluates the environment and scenarios and makes decisions based on software-based security policies. This model can control access based on a variety of factors, such as the user's location based on IP address, whether the user logged in using multi-factor authentication, and the device the user is using. Its advanced implementation can use machine learning to assess risk.
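The ABAC and risk-based decisions described in the two points above, as an added example that is not from the study notes: global attribute rules (including the notes' "mobile devices only during business hours" case) are evaluated first, then a risk score built from MFA use, device management state, location and recent failures decides between allow, step-up MFA and deny. Attribute names, rule logic, point weights and thresholds are assumptions chosen for illustration.

```python
# Added example (not from the study notes): an ABAC rule set with a risk-based
# step-up layer. Attribute names, rules, points and thresholds are assumptions.

def rule_mobile_business_hours(subject, resource, env):
    """The notes' ABAC example: mobile devices only between 08:00 and 18:00."""
    if subject["device"] == "mobile" and not 8 <= env["hour"] < 18:
        return "deny"
    return None


def rule_finance_data(subject, resource, env):
    """Finance-classified resources are only for the finance department."""
    if resource["classification"] == "finance" and subject["department"] != "finance":
        return "deny"
    return None


# Global rules, applied to every subject alike (rule-based / ABAC, not owner-driven DAC).
RULES = [rule_mobile_business_hours, rule_finance_data]


def risk_score(subject, env):
    """Risk-based layer: each risky signal adds points (weights are assumptions)."""
    score = 0
    if not env["mfa"]:
        score += 2
    if not subject["managed_device"]:
        score += 2
    if env["country"] != subject["home_country"]:
        score += 3
    if env["failed_logins_last_hour"] >= 3:
        score += 3
    return score


def decide(subject, resource, env):
    """Any matching deny rule wins; otherwise the risk score picks allow / step-up MFA / deny.
    A missing attribute is treated as implicit deny rather than guessed."""
    try:
        for rule in RULES:
            if rule(subject, resource, env) == "deny":
                return ("deny", rule.__name__)
        score = risk_score(subject, env)
    except KeyError as missing:
        return ("deny", f"missing attribute {missing}")
    if score >= 6:
        return ("deny", f"risk={score}")
    if score >= 3:
        return ("step_up_mfa", f"risk={score}")
    return ("allow", f"risk={score}")


# Constructed sample attributes.
BASE_SUBJECT = {"device": "laptop", "managed_device": True,
                "department": "finance", "home_country": "DE"}
BASE_ENV = {"hour": 10, "mfa": True, "country": "DE", "failed_logins_last_hour": 0}
LEDGER = {"classification": "finance"}

if __name__ == "__main__":
    print(decide(BASE_SUBJECT, LEDGER, BASE_ENV))
    print(decide({**BASE_SUBJECT, "device": "mobile"}, LEDGER, {**BASE_ENV, "hour": 22}))
```

The step-up branch is the practical difference from a plain rule set: instead of a hard deny, a mid-range risk score asks for a second factor, which is exactly the "require MFA for cloud access" requirement the review questions attribute to the risk-based model.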
Learn about Kerberos. Kerberos is the single sign-on method most commonly used within organizations. Its main purpose is authentication. Kerberos uses symmetric cryptography and tickets to prove identity and provide authentication. Kerberos requires time synchronization: the servers and all clients on the network synchronize their clocks using the Network Time Protocol (NTP).
Understand the purpose of AAA protocols. AAA protocols provide centralized authentication, authorization, and accounting services. Network access (or remote access) systems use AAA protocols. For example, a network access server is a client of a RADIUS server, and the RADIUS server provides the AAA services. RADIUS uses UDP and encrypts only the password. TACACS+ uses TCP and encrypts the entire session. Diameter is based on RADIUS and improves on many of RADIUS's shortcomings, but Diameter is not backward compatible with RADIUS.
Learn about privilege escalation. After compromising a single system, attackers use privilege escalation techniques to gain additional privileges. They typically first try to gain higher privileges on the compromised system, then use it to reach other systems on the network and escalate there as well. Limiting the privileges of service accounts and minimizing the use of sudo reduces the success rate of some privilege escalation attacks.
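The "RADIUS only encrypts the password" point above, shown concretely as an added example that is not from the study notes: this is the User-Password hiding scheme of RFC 2865 section 5.2, where the shared secret and the 16-byte Request Authenticator seed an MD5 keystream that is XORed with the NUL-padded password, while User-Name and the other attributes of the same Access-Request are sent over UDP in the clear. The shared secret, authenticator and credentials are constructed values.

```python
# Added example (not from the study notes): the User-Password hiding scheme from RFC 2865
# section 5.2, which is all the "encryption" RADIUS applies. Everything else in the
# Access-Request (User-Name, NAS-IP-Address, ...) goes over UDP in the clear. The shared
# secret, Request Authenticator and credentials below are constructed.
import hashlib
import os


def _pad16(data: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 octets (at least one 16-octet block)."""
    blocks = max(1, (len(data) + 15) // 16)
    return data.ljust(blocks * 16, b"\x00")


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA); c2 = p2 XOR MD5(S + c1); ... (RFC 2865 section 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = _pad16(password)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server side: same keystream chain, then strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def access_request_attributes(username: str, password: str, secret: bytes, authenticator: bytes):
    """Attribute list a NAS would send: only type 2 (User-Password) is obscured."""
    return [
        (1, username.encode("utf-8")),                                        # User-Name, plaintext
        (2, hide_password(password.encode("utf-8"), secret, authenticator)),  # User-Password, hidden
        (4, bytes([10, 0, 0, 1])),                                            # NAS-IP-Address, plaintext
    ]


if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", os.urandom(16)
    for attr_type, value in access_request_attributes("alice", "s3cret!", secret, ra):
        print(attr_type, value.hex())
```

The chain depends only on the shared secret and the authenticator, so anyone who sniffs the UDP exchange and knows (or guesses) the shared secret can recover the password; the usernames need no guessing at all. That is why RADIUS traffic is normally wrapped in IPsec or TLS (RadSec), and why TACACS+ encrypting the whole session is the exam contrast.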
Learn about pass-the-hash attacks. A pass-the-hash attack allows an attacker to impersonate a user by leveraging a captured hash of a user's password (instead of the user's password). Pass-the-hash attacks typically exploit NTLM vulnerabilities, but attackers can also launch similar attacks against other protocols, including Kerberos.
Learn about Kerberos exploitation attacks. Kerberos attacks attempt to exploit weaknesses in how Kerberos tickets are issued and protected. In some attacks, attackers capture tickets held in the lsass.exe process and launch a pass-the-ticket attack. A silver ticket is a forged service ticket that grants the attacker all the privileges of the targeted service account. Obtaining the password hash of the Kerberos service account (KRBTGT) lets an attacker create a golden ticket and from it forge arbitrary tickets within Active Directory.
Learn how brute-force and dictionary attacks work. Brute-force and dictionary attacks target stolen password database files or system login prompts to discover passwords. In a brute-force attack the attacker tries every possible combination of keyboard characters, while a dictionary attack uses a predefined list of likely passwords. Account lockout controls effectively protect against online attacks, though password spraying is designed to stay under the lockout threshold.
Learn how salts and peppers protect against password attacks. Salting helps protect against rainbow table attacks by adding random bits to the password before hashing it. Some algorithms, such as Argon2, bcrypt, and Password-Based Key Derivation Function 2 (PBKDF2), add a salt and iterate the hash many times. The salt is stored in the same database as the password hash. A pepper is a large secret constant that further increases the security of the hashed password and is stored somewhere outside the database of hashed passwords.
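The brute-force, lockout and password-spraying points above, as an added example that is not from the study notes: detection logic run over a constructed authentication log. A per-account lockout rule catches the six rapid failures against one account, but the spraying source that tries two passwords against six accounts half an hour apart never trips it; counting failures per source instead surfaces the spray and the account it eventually got into. Log format, thresholds and all log lines are constructed.

```python
# Added example (not from the study notes): telling a brute-force attack from a
# password-spraying attack in authentication logs, next to the lockout rule that
# stops the former but not the latter. Log lines, format and thresholds are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                   # failures per account ...
LOCKOUT_WINDOW = timedelta(minutes=10)  # ... inside this window lock the account
SPRAY_MIN_USERS = 5                     # distinct accounts one source must fail on

# Constructed sample log: "<ISO time> <user> <source ip> <result>"
SAMPLE_LOG = """\
2024-03-08T09:00:01 alice 10.0.0.5 FAIL
2024-03-08T09:00:03 alice 10.0.0.5 FAIL
2024-03-08T09:00:05 alice 10.0.0.5 FAIL
2024-03-08T09:00:07 alice 10.0.0.5 FAIL
2024-03-08T09:00:09 alice 10.0.0.5 FAIL
2024-03-08T09:00:11 alice 10.0.0.5 FAIL
2024-03-08T09:05:00 bob 10.0.0.7 OK
2024-03-08T10:00:00 alice 203.0.113.9 FAIL
2024-03-08T10:00:01 bob 203.0.113.9 FAIL
2024-03-08T10:00:02 carol 203.0.113.9 FAIL
2024-03-08T10:00:03 dave 203.0.113.9 FAIL
2024-03-08T10:00:04 erin 203.0.113.9 FAIL
2024-03-08T10:00:05 frank 203.0.113.9 FAIL
2024-03-08T10:30:00 alice 203.0.113.9 FAIL
2024-03-08T10:30:01 bob 203.0.113.9 FAIL
2024-03-08T10:30:02 carol 203.0.113.9 FAIL
2024-03-08T10:30:03 dave 203.0.113.9 FAIL
2024-03-08T10:30:04 erin 203.0.113.9 FAIL
2024-03-08T10:30:05 frank 203.0.113.9 OK
"""


def parse(log_text):
    """Return (timestamp, user, source, result) tuples from the constructed format."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def locked_out_accounts(events):
    """Account lockout control: LOCKOUT_THRESHOLD failures on one account within LOCKOUT_WINDOW."""
    recent = defaultdict(list)
    locked = set()
    for ts, user, _src, result in events:
        if result != "FAIL":
            continue
        recent[user] = [t for t in recent[user] if ts - t <= LOCKOUT_WINDOW] + [ts]
        if len(recent[user]) >= LOCKOUT_THRESHOLD:
            locked.add(user)
    return locked


def spraying_sources(events):
    """Password spraying: one source fails on many accounts, each below the lockout threshold,
    so per-account lockout never fires. Counting per source instead exposes it."""
    fails_per_source = defaultdict(lambda: defaultdict(int))
    for _ts, user, src, result in events:
        if result == "FAIL":
            fails_per_source[src][user] += 1
    return {
        src for src, users in fails_per_source.items()
        if len(users) >= SPRAY_MIN_USERS and max(users.values()) < LOCKOUT_THRESHOLD
    }


def compromised_after_spray(events):
    """Accounts where a spraying source eventually logged in OK: the spray found a password."""
    sprayers = spraying_sources(events)
    return {user for _ts, user, src, result in events if src in sprayers and result == "OK"}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("locked out:", locked_out_accounts(ev))
    print("spraying sources:", spraying_sources(ev))
    print("accounts the spray got into:", compromised_after_spray(ev))
```

The takeaway for detection engineering is that lockout is a per-account control; a spray is only visible when failures are also aggregated per source (or per password attempt pattern across the tenant), and a success from a source that was just spraying is the alert worth paging on.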
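Salting and peppering as described above, as an added example that is not from the study notes: PBKDF2-HMAC-SHA256 with a random 16-byte salt stored alongside the hash, and a pepper applied as an HMAC key before key derivation so that a stolen password table is useless without a secret kept elsewhere. The pepper value, iteration count and record format are assumptions for illustration.

```python
# Added example (not from the study notes): salted and peppered password storage with
# PBKDF2-HMAC-SHA256. The pepper value, iteration count and record format are assumptions.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumption: tune so one hash takes ~100 ms on the login servers
# Assumption: in production the pepper lives in a KMS/HSM or secrets store, never in the
# password database, so a dump of the table alone is not enough for offline guessing.
PEPPER = bytes.fromhex("9f2c7a1e4b8d3c6f5a0e7b2d9c4f1a8e")


def _pepper(password: str, pepper: bytes) -> bytes:
    """Apply the pepper as an HMAC key rather than by concatenation."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS, pepper: bytes = PEPPER) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'. The salt is random per
    user and stored with the hash; that per-user randomness is what defeats rainbow tables."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", _pepper(password, pepper), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", _pepper(password, pepper),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Storing the iteration count in the record lets you raise it later and re-hash users on their next successful login; the wrong-pepper check in the test is the property the pepper buys, namely that the database record by itself cannot be verified against guesses.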
Learn about sniffing attacks. In a sniffing attack (or snooping attack), an attacker uses a packet capture tool (such as a sniffer or protocol analyzer) to capture, analyze, and read the data sent over the network. Attackers can easily read data sent in clear text over the network, but encrypting the transmitted data can protect against such attacks.
Learn about spoofing attacks. Spoofing is pretending to be something or someone else, and it applies to many types of attacks, including access control attacks. Attackers often try to obtain a user's credentials so they can assume that user's identity. Spoofing attacks include email spoofing, phone number spoofing, and IP spoofing. Many phishing attacks use spoofing methods.
Review questions
1. Which of the following best describes the implicit deny principle? A. Allow all actions not explicitly denied. B. All actions not explicitly permitted are denied. C. All actions must be explicitly denied. D. None of the above.
B
2. A table includes multiple objects and subjects and identifies each subject's specific access rights to the different objects. What is this table called? A. Access control list B. Access control matrix C. Federation D. Privilege creep
B
3 You are taking a closer look at access control models and want to implement a model that allows object owners to grant privileges to other users. Which of the following access control models meets this requirement? A. Mandatory Access Control (MAC) Model B. Discretionary Access Control (DAC) Model C. Role-based access control (RBAC) model D. Rule-based access control model
B
4.Which of the following access control models allows data owners to modify permissions? A. Discretionary Access Control (DAC) B. Mandatory Access Control (MAC) C. Rule-based access control D.Risk-based access control
A
5. A centralized authority determines which files users can access based on the organization's hierarchy. Which of the following best matches this? A. DAC model B. Access control list (ACL) C. Rule-based access control model D. RBAC model
D
6. Which of the following statements about the RBAC model is correct? A. The RBAC model allows users to be members of multiple groups. B. The RBAC model allows users to be members of a single group. C. The RBAC model is not hierarchical. D.RBAC model uses labels.
A
7. You are taking a closer look at different access control models. Which of the following best describes the rules-based access control model? A. Use local rules that apply individually to users. B. Use global rules that apply individually to users. C. Use local rules that apply equally to all users. D. Use global rules that apply to all users equally.
D
8. Your organization is considering deploying software-defined networking (SDN) in the data center. What are the commonly used access control models in SDN? A. Mandatory Access Control (MAC) Model B. Attribute-based access control (ABAC) model C. Role-Based Access Control (RBAC) Model D. Discretionary Access Control (DAC) Model
B
9. The MAC model supports different types of environments. Which of the following supports user access by assigning predefined labels to specific objects in an ordered structure? A. Compartmentalized environment B. Hierarchical environment C. Centralized environment D. Hybrid environment
B In a hierarchical environment, the classification labels are assigned in an ordered structure from low security to high security. The mandatory access control (MAC) model supports three environments: hierarchical, compartmentalized, and hybrid. A compartmentalized environment ignores levels and only allows access to a single isolated compartment of a level. A hybrid environment is a combination of hierarchical and compartmentalized environments. The MAC model does not use a centralized environment.
10. Which of the following access control models identifies upper and lower access limits for subjects carrying labels? A. Non-discretionary access control B. Mandatory access control (MAC) C. Discretionary access control (DAC) D. Attribute-based access control (ABAC)
B MAC models use labels to identify upper and lower bounds on classification levels
11. Which of the following access control models uses labels and is often referred to as a lattice-based model? A. DAC B. Non-discretionary C. MAC D. RBAC
C
12. Management expects users to use multi-factor authentication when accessing cloud resources. Which of the following access control models satisfies this requirement? A. Risk-based access control B. Mandatory access control (MAC) C. Role-based access control (RBAC) D. Discretionary access control (DAC)
A A risk-based access control model can require users to authenticate with multi-factor authentication. None of the other access control models listed can evaluate how a user logged in.
13.Which of the following access control models determines access rights based on environment and context? A. Risk-based access control B. Mandatory Access Control (MAC) C. Role-Based Access Control (RBAC) D. Attribute-based access control (ABAC)
A
14. A cloud service provider has implemented SSO technology using JSON Web Tokens. The token provides authentication information and includes the user profile. Which of the following best identifies this technology? A. OIDC B.OAuth C.SAML D.OpenID
A
15. Some users on your network are having problems authenticating with the Kerberos server. While troubleshooting, you verify that you can log in to your usual work computer. However, you cannot log in to a user's computer using your own credentials. Which of the following is most likely to solve this problem? A. Advanced Encryption Standard (AES) B. Network Access Control (NAC) C. Security Assertion Markup Language (SAML) D. Network Time Protocol (NTP)
D Configuring a central server to synchronize its time with an external NTP server and having all other systems keep their time synchronized with it via NTP solves the problem and is the best choice. Kerberos requires that computers' clocks be within 5 minutes of each other, and the scenario and the available options indicate that the user's computer is out of sync with the Kerberos server. Kerberos uses AES encryption, but because you successfully logged in to another computer, Kerberos is working and AES is available. NAC checks the health of a system after the user authenticates; it does not prevent users from logging in. Some federated identity management systems use SAML, but Kerberos does not require SAML.
16. Your organization has a large network supporting thousands of employees and uses Kerberos. Which of the following is Kerberos's primary purpose? A. Confidentiality B. Integrity C. Authentication D. Accountability
C
17. What is the role of the network access server in the RADIUS architecture? A. Authentication server B. Client C. AAA server D. Firewall
B Network access servers are clients in the RADIUS architecture. The RADIUS server is the authentication server that provides authentication, authorization, and accounting (AAA) services. The network access server may have a host firewall enabled, but that is not its primary function.
18. Larry manages a Linux server. Larry sometimes needs to execute commands with root-level privileges. If an attacker compromises Larry's account, management wants to ensure that the attacker cannot run commands with root-level privileges. Which of the following is the best option? A. Grant Larry sudo access. B. Give Larry the root password. C. Add Larry's account to the Administrators group. D. Add Larry's account to the LocalSystem account.
A Granting sudo access lets Larry run the specific commands he needs with root privileges after re-entering his own password, and every use is logged; it can be restricted to those commands rather than granting a full root shell. Giving Larry the root password lets anyone who compromises his account log in as root directly. The Administrators group and the LocalSystem account are Windows concepts and do not apply to a Linux server.
19. Attackers use tools to exploit weaknesses in NTLM. They identify the administrator's account. Although the administrator's password was not obtained, the attacker did gain access to a remote system by impersonating the administrator. Which of the following best describes this attack? A. Pass-the-ticket B. Golden ticket C. Rainbow table D. Pass-the-hash
D NTLM is known to be vulnerable to pass-the-hash attacks, which is what this scenario describes. Kerberos attacks manipulate tickets, as in pass-the-ticket and golden ticket attacks, but those are not NTLM attacks. Rainbow table attacks use precomputed tables in offline password-cracking attacks.
20. Your organization's services recently suffered a major data breach. After investigation, security analysts discovered that attackers were using golden tickets to access network resources. The attacker exploited the vulnerability in which item? A. RADIUS B. SAML C. Kerberos D. OIDC
C