SSCP_D2_Access_Controls Flashcards

(150 cards)

1
What are the three components of AAA?
Authentication, Authorization, and Accounting.
2
Define authentication.
Verifying a claimed identity (e.g., via password, token, certificate, biometric).
3
Define authorization.
Granting rights/privileges to an authenticated identity to access resources.
4
Define accounting (auditing).
Recording and tracking user activities for non-repudiation and forensics.
5
List the five factor types for authentication.
Something you know, have, are, do, and where (location).
6
What is MFA?
Using two or more different factor types (not two of the same) for authentication.
7
What is 2FA vs MFA?
2FA uses exactly two factors; MFA uses two or more factors.
8
What is SSO?
Single Sign-On—authenticate once to access multiple systems without re-entering credentials.
9
What is federation?
Trust established between identity domains so identities can access resources across org boundaries.
10
What are common federation standards?
SAML, OpenID Connect (OIDC), and OAuth 2.0 (for delegated authorization).
11
What is least privilege?
Providing the minimum access necessary to complete a task.
12
What is separation of duties (SoD)?
Splitting critical tasks across people to reduce fraud/error risk.
13
What is need-to-know?
Limiting data access to what is required for a role or task.
14
What is privilege bracketing?
Elevating privileges only for the duration of a task, then returning to normal.
15
What is Just-In-Time (JIT) access?
Granting temporary privileged access on demand, time-bound and audited.
16
What is PAM?
Privileged Access Management—controls and monitors privileged account use, often with a vault.
17
What is zero trust (in access control)?
Never trust, always verify; continuous authentication and authorization with least privilege and microsegmentation.
18
What is access recertification?
Periodic review of user entitlements to confirm they are appropriate.
19
What is role mining?
Analyzing entitlements to design clean, least-privilege roles.
20
What is the Joiner-Mover-Leaver model?
Lifecycle events for provisioning, modifying, and removing access as employees join, change roles, or leave.
21
RBAC: what is it?
Role-Based Access Control—permissions grouped by role; users inherit via role membership.
22
ABAC: what is it?
Attribute-Based Access Control—evaluates attributes of user, resource, action, and environment.
23
DAC: what is it?
Discretionary Access Control—resource owners determine access (e.g., POSIX file permissions).
24
MAC: what is it?
Mandatory Access Control—central authority enforces labels/clearances and compartments.
25
PBAC/Policy-based access control?
Decisions based on formal policies/rules (often XACML-style).
26
Bell–LaPadula model focus?
Confidentiality: no read up, no write down. The Bell–LaPadula model focuses on confidentiality in multilevel security systems by preventing the flow of information from higher security levels to lower ones. It uses mandatory access control rules, the "no read up" and "no write down" properties, to protect classified information.
Key principles:
- Confidentiality: the model's primary goal is to ensure that sensitive data is not disclosed to unauthorized users.
- No read up: a user (subject) cannot read information from an object with a higher security classification level than their own.
- No write down: a user cannot write information to an object with a lower security classification level than their own. This prevents information from a higher level from being accidentally or intentionally leaked to a lower level.
- Subjects and objects: in this model, "subjects" are users and "objects" are data or files. Both are assigned a security level (e.g., Confidential, Secret, Top Secret).
- Mandatory access control: access decisions are based on comparing the security labels of the subjects and objects, not on the user's own discretionary choices.
27
Biba model focus?
Integrity: no read down, no write up. The Biba model focuses on data integrity, which means ensuring data is trustworthy and preventing unauthorized modifications. It achieves this through two main rules: the no-write-up rule, which prevents subjects from writing to objects with a higher integrity level, and the no-read-down rule, which prevents subjects from reading objects at a lower integrity level.
Core principles:
- Focus on integrity: unlike the Bell–LaPadula model, which focuses on confidentiality, Biba's goal is to maintain the accuracy and reliability of information by preventing improper modification.
- No-read-down property: users cannot read data that is at a lower integrity level than their own. This prevents a user from relying on data that might be compromised or less reliable.
- No-write-up property: users cannot write to an object with a higher integrity level than their own. This stops a user from introducing potentially untrustworthy information into more critical data.
How it works:
- Integrity levels: subjects and objects are assigned an integrity level, such as "untrusted," "trusted," or "highly trusted."
- Mandatory access control: the model enforces these rules through mandatory access control, meaning that access is based on these predefined integrity levels, not just user permissions.
- Information flow: the rules are designed to prevent information from flowing from lower to higher integrity levels in a way that could compromise the integrity of the higher level.
28
Clark–Wilson model key idea?
Well-formed transactions and separation of duties for integrity.
29
Brewer–Nash (Chinese Wall) model?
Dynamic separation of duties to prevent conflicts of interest.
30
Lattice-based access control?
Users and objects mapped to security levels with dominance relationships.
31
Capability-based access control?
Tokens (capabilities) grant specific rights to objects.
32
Discretionary vs Mandatory: key difference?
DAC allows resource owners to set permissions; MAC enforces central labels regardless of owner.
33
Coarse-grained vs fine-grained authorization?
Coarse: broad access at high level; Fine: detailed, attribute-based decisions per action/data.
34
SoD matrix purpose?
Identify conflicting roles/entitlements to prevent toxic combinations. A Segregation of Duties (SoD) matrix is a tool that lists roles and responsibilities to identify and prevent a single person from having control over multiple critical steps in a process. Its main purpose is to prevent fraud and errors by creating a system of checks and balances, ensuring compliance with regulations, and improving operational integrity through clear role delineation.
Key purposes of an SoD matrix:
- Fraud prevention: it makes it difficult for one person to commit fraud, as multiple people are involved in a single process. For example, the person who sets up a new vendor should not be the same person who can approve and pay the vendor's invoices.
- Error reduction: having multiple people involved in a process increases accuracy and helps catch mistakes that a single individual might miss.
- Regulatory compliance: many regulations, such as SOX, require that internal controls are in place to prevent fraud and ensure accuracy. An SoD matrix provides evidence of these controls.
- Improved operational integrity: by separating tasks, the matrix improves process accuracy, strengthens operational resilience by distributing knowledge, and promotes transparency in roles and responsibilities.
- Streamlined processes: an SoD matrix can help identify redundancies and inefficiencies in a workflow, leading to a more streamlined and efficient process.
35
Compensating control for SoD constraints?
Enhanced monitoring, approvals, or independent review when full SoD not possible.
36
What is LDAP used for?
Querying and modifying directory services (e.g., user accounts, groups). LDAP is a protocol used for accessing and managing directory services, which are essentially central databases of information. It is primarily used for centralizing user authentication, storing user and group information, and managing authorization to control access to network resources. This allows for single sign-on, simplifies user management, and enables applications to share data like user preferences.
Key uses of LDAP:
- Centralized authentication: instead of managing separate accounts on each system, LDAP allows a single set of credentials to be used for accessing multiple services across an organization.
- Authorization and access control: it provides a central location for user and group information, which is used to control who can access specific network resources.
- User and group information management: LDAP directories store user data like names, email addresses, phone numbers, and group memberships. This is also used for storing static data like printer connections.
- Application integration: applications can use LDAP to look up user information, retrieve configuration data, and manage user preferences across different systems.
- Address book services: it serves as a centralized directory for contact information within an organization.
37
What is Kerberos used for?
Network authentication with tickets (TGT/TGS) in a trusted domain. Kerberos is used for secure network authentication, allowing users and services to verify their identities to one another without sending passwords over an insecure network. It provides single sign-on (SSO) capabilities, so a user can log in once and access multiple services without re-entering their credentials.
How it works: Kerberos uses encrypted "tickets" to verify identity instead of passing passwords. It provides mutual authentication, meaning both the client and the server can verify each other's identities.
Common uses:
- Windows login: it is the default authentication protocol for Windows and allows users to sign into their computers and access multiple applications without logging in again.
- Cloud and hybrid environments: modern implementations like Microsoft Entra Kerberos allow it to extend authentication to cloud resources from on-premises networks.
- Enterprise networks: it is used for authenticating access to a wide range of resources, such as file servers, databases, and other applications within a corporate network.
- Cross-platform authentication: it is supported by many operating systems and cloud platforms, including macOS, Linux, and services like AWS and Google Cloud.
38
Kerberos: what is a TGT?
A Ticket Granting Ticket is issued by the KDC's Authentication Service (AS) after initial authentication and is used to request service tickets. The TGT is the initial credential a user receives from a Kerberos server to prove their identity and access network resources. It functions like an ID that is used to request other tickets, called service tickets, which grant access to specific services within the network. This process prevents users from having to authenticate for every single service, improving performance and security.
How a TGT works:
- Initial authentication: after a user logs in, the Kerberos authentication server verifies their identity and issues a TGT. This ticket is encrypted and contains information about the user.
- Requesting service tickets: when the user wants to access a service (like a file server or an email server), they present their TGT to the Ticket-Granting Server (TGS).
- Service access: the TGS uses the TGT to create a separate service ticket, which is then presented to the specific service the user wants to access. This service ticket is encrypted with the service's secret key, allowing the user to access the resource without re-entering their password.
- Automatic issuance: in Windows environments, Active Directory automatically handles the process of obtaining a TGT for the user upon login. On other systems, users may need to use a command like kinit to manually obtain a TGT.
39
Kerberos: what is a service ticket?
Ticket used to access a specific service; issued by the TGS. A Kerberos service ticket is used to access a specific service after it has been issued by the Ticket Granting Service (TGS). This ticket is obtained using a Ticket Granting Ticket (TGT) and is presented to the service's host to authenticate and grant access.
How it works:
- TGT is obtained first: when a user logs in, they first receive a TGT from the Authentication Server, which authenticates their identity.
- TGS is requested next: the user then presents this TGT to the TGS to request a service ticket for a specific service, such as a file share or printer.
- Service access is granted: the TGS verifies the TGT and, if valid, issues a service ticket (also known as a session ticket) that is encrypted and sent to the user.
- Final authentication: the user presents the service ticket to the server hosting the service, which uses it to verify the user's identity and grant access.
40
Kerberos vs NTLM?
Kerberos is ticket-based and more secure; NTLM is challenge/response and older, prone to relay attacks.
41
What is RADIUS?
UDP-based AAA protocol commonly used for network access (802.1X).
42
What is TACACS+?
TCP-based AAA protocol (Cisco) with separate authentication/authorization and encryption of full payload.
43
RADIUS vs TACACS+: key difference?
RADIUS combines authN/authZ and uses UDP; TACACS+ separates them and uses TCP with full encryption.
44
SAML: who are IdP and SP?
Identity Provider authenticates; Service Provider consumes assertions to grant access.
45
SAML assertion carries what?
Authentication statements, attributes, and authorization decisions.
46
OIDC is built on what?
OpenID Connect is an identity layer on top of OAuth 2.0.
47
OIDC ID Token purpose?
Conveys authentication event and user claims to the client (RP).
48
OAuth 2.0: purpose?
Delegated authorization—grant limited access to resources on behalf of a resource owner.
49
OAuth 2.0: common grant types?
Authorization Code (with PKCE), Client Credentials, Device Code, and Refresh Token; ROPC (Resource Owner Password Credentials) is deprecated.
50
What is PKCE and why use it?
Proof Key for Code Exchange—mitigates code interception in public clients.
51
What is scope in OAuth?
Specifies allowed permissions on the resource (least privilege).
52
What is a claim?
A statement about a subject (e.g., user email, role) in tokens like JWTs.
53
What is a JWT?
JSON Web Token—compact signed (and optionally encrypted) token conveying claims.
54
What is token expiration vs refresh?
Access tokens expire quickly; refresh tokens obtain new access tokens.
55
What is token revocation?
Invalidating tokens before natural expiry to remove access.
56
Modern password guidance highlights?
Use long passphrases, screen breached passwords, rate-limit, enable MFA; avoid frequent forced rotation unless compromised.
57
What is salting?
Adding unique random data to each password before hashing to prevent rainbow table attacks.
58
What is peppering?
Adding a secret global value, stored separately from the hash database, to each password before hashing, to increase resistance if the stored hashes are compromised.
59
Recommended password hashing algorithms?
Argon2id, scrypt, bcrypt (or PBKDF2 with strong parameters when others unavailable).
60
What is credential stuffing?
Automated use of breached username/password pairs; mitigate with MFA and rate limiting.
61
What is password spraying?
Trying common passwords against many accounts; mitigate with lockouts/throttling and MFA.
62
Account lockout policy components?
Threshold, duration, reset time, and alerting/monitoring.
63
What is passwordless authentication?
Using methods like FIDO2/WebAuthn, smart cards, or biometrics instead of passwords.
64
FIDO2/WebAuthn benefit?
Phishing-resistant, public-key-based authenticators bound to origin.
65
What is recovery risk in auth?
Account recovery flows can be the weakest link; require strong verification and audit them.
66
Biometric FAR vs FRR?
False Acceptance Rate vs False Rejection Rate.
67
What is CER/EER?
Crossover/Equal Error Rate—point where FAR equals FRR; lower is better.
68
What is liveness detection?
Techniques to ensure a biometric sample comes from a live person, not a spoof.
69
Biometrics: advantages?
Difficult to share/lose; convenient for users.
70
Biometrics: drawbacks?
Revocation difficulty, privacy concerns, spoofing risk without liveness, sensor variance.
71
Multi-factor vs multi-step?
Multi-factor: different factor types; Multi-step: multiple prompts but could be same factor type.
72
Risk-based authentication?
Adapts requirements based on context like device, location, time, or behavior.
73
What is NAC?
Network Access Control—assesses device/user posture and grants appropriate access.
74
802.1X roles?
Supplicant (client), Authenticator (switch/AP), Authentication Server (RADIUS).
75
Common EAP methods?
EAP-TLS (cert-based), PEAP (server cert + inner password), EAP-TTLS, EAP-FAST.
76
EAP-TLS key strength?
Mutual authentication with client/server certs; strong against phishing.
77
Posture assessment examples?
Patch level, EDR running, firewall enabled, disk encryption status.
78
Guest vs corporate VLANs?
Guests get isolated, limited access; corporate users get internal resources.
79
MAC filtering security?
Weak—MAC addresses can be spoofed; rely on 802.1X instead.
80
Session management best practices?
Strong IDs, regenerate on privilege change, idle/absolute timeouts, server-side invalidation.
81
Secure cookie attributes?
Secure, HttpOnly, SameSite, minimal scope and lifetime.
82
What is an access token vs ID token?
Access token authorizes resource access; ID token conveys authentication details about the user.
83
Scopes vs claims?
Scopes define permissions; claims carry identity/authorization data.
84
What is CSRF protection based on tokens?
Use anti-CSRF tokens tied to user session and verify on sensitive requests.
85
Role explosion problem?
Too many roles make management hard; solve with ABAC or role mining and consolidation.
86
What is least functionality?
Enable only necessary features and permissions; disable defaults/samples.
87
POSIX permission bits?
Read (r), write (w), execute (x) for owner, group, others.
88
What is umask?
Default permission mask applied when files/directories are created.
89
What is setuid/setgid?
Special bits to run with file owner's or group's privileges.
90
What is the sticky bit?
Prevents users from deleting others' files in shared dirs (e.g., /tmp).
91
What are ACLs?
Access Control Lists—fine-grained permissions beyond basic bits.
92
Windows ACL components?
DACL (allow/deny ACEs) and SACL (auditing).
93
What is a SID?
Security Identifier—unique identifier for users/groups in Windows.
94
What is UAC?
User Account Control—prompts to elevate privileges in Windows.
95
What is a security group vs distribution group?
Security groups assign permissions; distribution groups are for email only.
96
Nested groups risk?
Can unintentionally grant broad privileges; review effective permissions.
97
Group policy purpose?
Centralized configuration and security settings deployment (e.g., in Active Directory).
98
Service account best practices?
Unique, least privilege, no interactive login, strong rotation, monitoring.
99
Shared account risk?
Lack of accountability; avoid except for break-glass with strong controls.
100
Break-glass account controls?
Strong MFA, vault, strict monitoring, short use windows, post-use review.
101
Orphaned account risk?
Former users retain access; mitigate with leaver process and periodic reviews.
102
Cloud IAM principle?
Grant least privilege to identities (users, roles, service accounts) per resource.
103
AWS users vs roles?
Users have long-term credentials; roles are assumed for temporary credentials.
104
AWS STS purpose?
Security Token Service issues temporary credentials (assume role).
105
Azure AD Conditional Access?
Policies that evaluate conditions (risk, device, location) to control access.
106
GCP IAM bindings?
Grant roles to members on specific resources (project/folder/org).
107
What is identity federation to cloud?
Use external IdP (e.g., SAML/OIDC) to authenticate and map to cloud roles.
108
What is SCIM used for?
System for Cross-domain Identity Management—automates provisioning/deprovisioning.
109
What is an API key risk?
Often long-lived and hard-coded; rotate, scope, and store in a vault.
110
mTLS purpose?
Mutual TLS authenticates both client and server via certificates.
111
What is SPIFFE/SPIRE?
Framework/services to issue and manage workload identities with X.509/SVIDs.
112
SSH key management best practices?
Use SSH certificates or scoped keys, rotate, avoid reuse, centralize in PAM/vault.
113
Secrets in CI/CD best practice?
Use vaults/secret stores, avoid plaintext in repos, rotate on exposure, least privilege.
114
SAML signature wrapping risk?
Altering the message to trick SP validation; mitigate with strict signature verification and library patches.
115
IdP-initiated SSO risk?
Less context and CSRF protections; prefer SP-initiated with state/nonce checks.
116
JWT none algorithm attack?
Accepting unsigned tokens; mitigate by enforcing allowed algorithms and key validation.
117
OAuth phishing risk?
Deceptive consent screens; educate users and validate redirect URIs and scopes.
118
Refresh token theft impact?
Long-lived access; mitigate with rotation, binding, and anomaly detection.
119
Replay attack mitigation?
Use nonces, timestamps, TLS, and token binding.
120
Credential stuffing mitigation?
MFA, rate limiting, bot detection, breached password checks.
121
Password spraying mitigation?
Throttling, lockouts with alerting, MFA, and monitoring.
122
Kerberoasting attack?
Requesting service tickets for accounts with SPNs to crack the service account's password hash offline; mitigate with long, random passwords on SPN accounts, AES encryption, and monitoring.
123
Pass-the-hash attack?
Reuse of hashed credentials to authenticate without the plaintext password; mitigate with Credential Guard, local admin isolation, and strong segmentation.
124
Access request workflow steps?
Request → Manager approval → Risk/SoD review → Provision → Notify → Review/recertify.
125
What is access attestation?
Managers/system owners confirm users' access is appropriate.
126
How often to review privileged access?
More frequently (e.g., monthly/quarterly) than standard access based on risk.
127
What is an access control standard?
Document defining how access is requested, approved, provisioned, reviewed, and removed.
128
What is an entitlement catalog?
Authoritative list of available roles/permissions and their purposes/owners.
129
What is an access token lifetime policy?
Defines default and maximum lifetimes for tokens and sessions (idle/absolute).
130
What is an authorization boundary?
Limit around systems/resources where policies are enforced and audited.
131
Geovelocity check purpose?
Detect impossible travel to flag risky sign-ins.
132
Device trust in access decisions?
Only allow compliant, registered, or healthy devices (certificate/MDM posture).
133
Attribute sources for ABAC?
Directory attributes, device posture, resource labels, environment (time/location).
134
What is step-up authentication?
Requiring stronger auth for sensitive actions or higher-risk contexts.
135
What is continuous access evaluation?
Near-real-time revocation and policy re-evaluation on events (e.g., token invalidation).
136
What is consent in OAuth/OIDC?
End-user approval of scopes and data sharing to the client application.
137
What is delegated administration?
Granting specific admin rights without full administrative privileges.
138
What is privilege escalation?
Gaining higher permissions than intended; control via patching, least privilege, and monitoring.
139
Vertical vs horizontal privilege escalation?
Vertical: to higher role; Horizontal: to another user's resources at same level.
140
What is session fixation?
Attacker sets a known session ID; mitigate by regenerating IDs on login/privilege change.
141
Quick check #141: What principle limits access to only what's necessary?
Least privilege.