CISSP Domain 5: Questions & Answers: A+ Score Guide
Access controls - ANSWER security features that control how users and systems communicate and interact w/ other systems and resources. Protect from unauthorized access and can participate in determining level of authorization.
Access - ANSWER flow of info btwn subject and object.
subject v object - ANSWER subject can be user, program, process that accesses object to accomplish a task.
Object is a passive entity containing info or needed functionality; can be a computer, database, file, program, directory, field in a table w/in a database.
*4 steps for subject to access object: identification, authentication, authorization,
accountability.
Availability - ANSWER resources must be available to users in timely manner; fault tolerance and recovery in place to ensure continuity of availability of resources.
Integrity - ANSWER info must be accurate, complete, and protected from unauthorized modification.
Confidentiality - ANSWER assurance that info is not disclosed to unauthorized individuals, programs, or processes. Activities need to be controlled, audited, monitored.
*confidential info could be health records, financial account info, criminal records,
source code, trade secrets, military tactical plans.
Identification - ANSWER describes method by which subject (user, program, process) claims to have specific identity (username, acct number, email address).
Secure identities should have 3 aspects: uniqueness, nondescriptive (credential set should not indicate purpose of account; ex: administrator), issuance (elements provided by authority; ex: ID cards issued by security/HR).
digital identity made up of attributes (dept, role, clearance, etc), entitlements
(resources available to them, authoritative rights in company, etc), traits (biometric
info, height, sex, etc).
Identity Management (IdM) - ANSWER describes use of products to identify, authenticate, authorize users thru automated means; user acct mgmt, access control, credential mgmt, SSO, rights and permissions mgmt. IdM reqs mgmt of identified entities, attributes, credentials, entitlements.
Can be directories, web access management, PW mgmt, legacy sign-on, acct mgmt, profile update.
Authentication - ANSWER process by which system verifies identity of the subject, usually by requiring a piece of info only the claimed identity should have. Could be password, passphrase, cryptographic key, personal ID number (PIN), anatomical attribute, or token.
*Identification and authentication make up subject's 'credentials'.
race condition - ANSWER two or more processes use a shared resource, as in data w/in a variable, but process 2 carries out its task on the data before process 1; result is much diff from what it would be if process 1 carried it out first.
In software, authentication and authorization steps are split into two functions; possibility an attacker uses a race condition to force the authorization step 'before' the authentication step.
logical access controls - ANSWER technical tools for identification, authentication, authorization, accountability. Logical access controls can be embedded w/in OS, apps, add-on security pkgs, database and telecom management systems.
*logical and technical can be used interchangeably.
When a person enters public info (employee number, username, account number) that is the identification step. When a person enters private info (password, smart card, OTP, PIN, etc) that is the authentication step.
3 Authentication factors - ANSWER
- Something you know (ex: PIN, maiden name, lock combination, etc); least expensive.
- Something you have (ex: key, swipe card, badge); common for accessing facilities.
- Something you are (ex: based on physical attribute, biometrics); most expensive.
* authentication by knowledge, ownership, characteristic, respectively.
* 'strong authentication' (MFA, 2FA, 3FA): two or more factors used to authenticate a person's identity.
Verification one-to-one v one-to-many - ANSWER Verification 1:1: measurement of identity against a single claimed identity (ex: is this person who he/she claims to be?).
Verification 1:n: measurement of a single identity compared against multiple identities (who is this person?).
Directories - ANSWER
- directory of info pertaining to company's network resources and users; follows hierarchical database format, based on X.500 standard (ISO 9594), and a type of protocol (ex: LDAP) allowing subjects and applications to interact w/ the directory.
- objects managed by X.500 directory service. Directory service allows admin to config and manage how ID, authentication, authorization, access control take place w/in network and w/ indiv systems.
- objects labeled and identified w/ namespaces. Each directory service has a way of identifying and naming objects: the directory service assigns distinguished names (DN) to each object; each DN represents a collection of attributes (ex: domain component and common name) and is stored as an entry in the directory.
- dc: com
- dc: logicalSecurity
- cn: brett p
Directories' Role in Identity Management - ANSWER A directory used for IdM is specialized database software optimized for reading and searching b/c all resource info, user attributes, authorization profiles, roles, access control policies, etc are stored in this one location. Some IdM apps need to know a user's authorization rights, role, employee status, clearance level, so instead of the app making requests to several databases it makes them to one directory (ex: user attribute info (status, job desc, dept, etc.) in HR database, authentication info in Kerberos, role and group ID in SQL, resource-oriented authentication in AD on a DC -- these are commonly called 'identity stores' and are located around the network).
'meta-directory' gathers info from multiple sources and stores it in a central directory; unified view of all users' digital identity info, syncs itself w/ identity stores periodically.
'virtual directory' same role as meta-directory but does not store info physically in it; only points to the physical location where the data resides.
X.500 directory standard rules - ANSWER
- directory has tree structure w/ parent-child configuration.
- each entry has unique name made up of attributes of specific object.
- attributes dictated by defined schema.
- unique identifiers called distinguished names.
- OU = org unit, used as container of other OUs, users, resources. Provides parent-child (or tree-leaf) org structure.
web access management (WAM) - ANSWER web access management controls what users can access using web browsers to interact w/ web-based enterprise assets; main gateway btwn users and corporate web-based resources. Commonly a plug-in for the web server; will query directory, authentication server, potentially a back-end database before serving up resource. Also provides SSO. Basic components: browser, web server w/ WAM front processor, policy server on back end connected to policy database and directory, policy manager on a PC.