Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:20):
Alright, let's get started, let's go cybersecurity knowledge.
Speaker 2 (00:26):
All right, let's get started. Hey all, Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is guess what? Yes, you all know it is CISSP Question Thursday, and today we're going to be going over CISSP questions related to domain 5.2. But before we do, I want to kind of just talk about a quick article that I saw in the news.
(00:46):
The reason I'm bringing this one up is I'm actually getting deeper into Gen AI and the various aspects around the LLMs and the AI models in general. One is kind of a research project, but two is to kind of better understand some of the security aspects around it. But one of these articles that I just saw in Computer World was around Gen AI is already transforming the healthcare industry.
(01:08):
This article, again by Computer World, and it's set up there. It came out April 2nd, so this guy came out today, and the aspect around it is that they're saying about 85% of healthcare organizations are looking to use it or investigating the use of Gen AI, with about between 40 and almost 60% that are actively engaging in it.
(01:29):
Now, coming from the marketing, the manufacturing space, we were getting into AI as well and we see the definite increased need for it from the marketing standpoint. Working now in the financial institutions as a consultant for a couple of various different kinds of financial aspects, they too are getting pretty hot and heavy into the Gen AI piece.
(01:52):
So, as it comes to this overall article, it relates, comes back to is what they're seeing. The benefits of it is around clinical documentation, basically automated note-taking, and I don't know if you've all dealt with automated note-taking. I've been in with the Teams kind of applications and you can actually record what you're doing. It then will spit out the kind of a conversation of what you've actually had, what you talked about, along with details around what are some takeaways, what are some tasks that have to be done.
(02:15):
So you can see a definite need there, use it for diagnostics.
As far as AI assistance, helping in medical imaging, that's what they had Rona aspect of it, and then, as well as patient engagement, I think one of the pieces that you always run into. I just booked a flight with Expedia and I worked with an AI agent, obviously on the chat, and they helped resolve all my issues for me and very, very quickly.
(02:36):
I say they, I mean it. It basically did so. The Gen AI is really growing in a better space and I would say, from a cybersecurity standpoint, it's important that you do understand this market, because it's going to do nothing but expand. Some of the benefits they obviously talked about is operational efficiencies, basically the day-to-day stuff, and then reducing the administrative burden that goes along with that.
(02:58):
I think it's gonna be an incredible part and it's gonna save a lot of time. Now, on the flip side, there's going to be a lot of folks that are going to be displaced because of this, and I think it's important that that is being thought of and concerned about as well, and how do you end up remedying that situation?
So some of the challenges that are coming out of this as well as ensuring the data quality, managing it as far as the risks.
(03:18):
And then one of them is a big, obviously security and privacy risks that are associated with this, and then ensuring what is occurring there, as well as balancing the cost of the overall programs along with regulatory risks. Obviously, privacy is a big factor, but as you get into the financial industry, there's going to be regulations in the financial industry as well. So a lot of different things that are going around the Gen AI space.
(03:38):
So I would highly recommend you check this article out. Again, it's on Computer World and Gen AI is already transforming the healthcare industry.
Okay, so let's get started with today's questions. So, again, this is focused on domain 5.2 of the CISSP. It's the ISC squared book that you can be studying for the CISSP exam. If you need some sort of assistance, go to CISSP Cyber Training and you can get access to my site there.
(04:01):
There's a lot of free content on my site, but there's also a lot of great, wonderfully paid stuff that's out there that'll help you shortcut the overall CISSP process. The training is there and it's available to you. All of it is there and you can get access to it. All you got to do is just basically go in. You can purchase different tiers that are available and you can gain access to all the content that you want to help you pass the exam.
(04:22):
But again, it depends on you, if there's free stuff as well. If you want to use that and, again, check it out, all right. So let's start. And one of these questions again, these questions you'll be able to get at CISSP Cyber Training.
So let's start off with question number one. Which of the following best describes just-in-time provisioning? Can we talk about that in the training? What is the describes just-in-time provisioning?
(04:43):
A, users are granted access only when they are requesting it and it is revoked immediately after each use. B, users are assigned long-term privileges based on their roles. C, users must manually request access each time they log in. Or D, access is automatically provisioned based on predefined attributes.
(05:05):
Again, which of the following best describes just-in-time provisioning? And the answer is A, users are granted access only when they request it and it's revoked immediately after use. Now, one of the things is you may want to have it, may not want to have it necessarily right after use. You may make changes to that, but there are different options available to you. Just got to kind of decide which one works best for you and your organization.
Question two, what is the primary security concern when using a federated identity system? So what is the primary security concern when using a federated identity system? A, increased administrative overhead. B, lack of centralized control. C, single point of failure for identity providers. Or D, excessive user authentication requests.
(05:48):
Again, what is the primary security concern using FID or FID, federated IDs? And the answer is C, single point of failure if identity provider goes out. So basically, it comes right down to is you have a federated identity system, such as Google, Facebook, whatever that might be. If that system goes, you do lose the ability to have some sort of access to your environment, because that is the main source of you getting your identity. So there is a concern when dealing with federated aspects.
Question three, which protocol most commonly used to enable federated identity management? A, LDAP. B, OAuth 2.0. C, RADIUS. Or D, SAML. Again, which is the most commonly used to enable federated identity?
(06:30):
And it is D, not C. It's D, D SAML, right. So SAML is your Security Assertion Markup Language, or SAML. It's an XML-based protocol that does allow single sign-on, right, and that's the ultimate base behind it, that various service providers will provide this for you. So again, when it comes right down to it, your federated identity management, the primary protocol that's used is called SAML.
Question four, what is the primary advantage of using just-in-time provisioning in cloud environments? A, it reduces administrative workload by pre-assigning permissions. B, it minimizes the attack surface by limiting standing provisions, or privileges I should say. C, provides permanent access to resources. Or D, eliminates the need for authentication.
(07:12):
Again, what is the primary advantage of using just-in-time provisioning in cloud environments? And the answer is B, minimize the attack surface by limiting standing privileges. Again, all that really comes down to is you don't have predefined credentials that are just basically waiting for them to be used. It uses it just as you need it.
Question five, in credential management, which of the following is an example of secure authentication method? In the credential management, which of the following is an example of a secure authentication method? A, using same password across multiple accounts. Yeah, no, that's not a good idea. B, implementing the multi-factor authentication, or MFA. C, storing plain text passwords in a database. Or D, allowing password reset via email without verification.
(07:56):
And if you probably all went through all those going, well, if I don't know those, I can at least get rid of the ones that are really bad. And yeah, it would narrow it down to. The answer would be B, right, in credential management. Which of the following is the most secure? It is implementing multi-factor authentication. That's pretty much a no-brainer.
Question six, what is a key security consideration when managing session tokens?
(08:17):
A, token should be valid indefinitely for user convenience. B, token should be transmitted over unencrypted channels. C, token should be hard-coded in the application source code. Or D, token should be stored securely and have an expiration time. Again, what is a key security consideration when managing session tokens? The answer is D, yes, tokens should be stored securely and have an expiration time.
(08:39):
That's the whole thing about session management. We talk about that, where you want to make sure that those sessions are terminated after a predefined set up, a period that you basically set aside. So you want to make sure that that is how it's done.
Question seven, in a federated identity management, which component issues authentication assertions? In a federated identity management, which component issues authentication assertions?
(09:01):
A, identity providers. B, service providers. C, resource owners. Or D, authentication gateway. So, in a federated identity management, which component issues authentication assertions? And the answer is IDP, identity provider. Yes, the identity provider is responsible for authenticating users, obviously then giving out the authentication assertions.
(09:24):
So that's the main point there, your identity providers, obviously your Googles and Facebooks, and so forth.
Question eight, which attack targets session management by stealing session cookies? Which attack? Which attack target? Which attack targets session management by stealing session cookies?
(09:45):
I have a lot of big words, sorry. A, cross-site scripting, or XSS. You guys know what cross-site scripting is? B, SQL injection. C, man in the middle. Or D, credential stuffing. And the answer is A, cross-site scripting. This allows attackers to inject malicious scripts into web apps, right, which then allows them to steal the session cookies, okay, and hijack their sessions. So that is the one that targets the session management system.
(10:09):
Session. Yeah, whatever. I can't say that word. You know what I mean.
Question nine, why is common language important in identity and access management? Again, why is common language important in identity and access management? One or A, it helps reduce the length of the security policies. B, it eliminates the need for authentication protocols. C, it ensures uniform communication across security teams.
(10:32):
Or D, it allows passwords to be simplified. You know, with common language important, what is important? Uh. C, it ensures uniform communication across security teams, right. So common language ensures that the identity and access management teams, IAM concepts, are clearly understood across different teams. Without, basically, the standard terminology, a lot of misconfigurations would occur.
(10:52):
So that is the whole purpose behind it.
Question 10, which of the following is a key risk of using shared credentials? There's nothing wrong with using shared credentials. We know that. Right, it's easy peasy, lemon squeezy. So which of the following is a key risk of using shared credentials? A, users cannot multiply systems with a single login. B, it increases accountability.
(11:14):
C, it reduces the complexity of access management. Or D, it makes it extremely difficult to track user activity and detect misuse. Okay, which of the following is a key risk when using shared credentials? Yes, it is D, it makes it difficult for track users and activity and detect misuse. Now, there's a lot of bad things with using shared credentials, right. So using shared credentials, it's just.
(11:34):
All those are bad, right. But when it comes to the questions, users cannot access multiple systems with a single logon. Well, okay, yeah, they can. Right, it's a negative. The point was it comes down to is that you don't want to use shared credentials, right? Bad idea, just don't do it.
Question 11, which is the authentication mechanism is most
(11:54):
secure for protecting credentials? So which authentication mechanism is most secure for protecting credentials? A, basic authentication. B, token-based authentication with short-lived tokens. C, username and password stored in plain text. Or D, security questions. Again, which authentication mechanism is the most secure for protecting credentials?
(12:14):
And the answer is B, token-based authentication, obviously with a very short lifespan, is an important part. Right, token-based are good, you want to have them, but you also want to have them short-lived, so that they die and then you don't have more security issues following up later.
Question 12. In just-in-time provisioning, which factor is the most critical to security? So, in just-in-time provisioning, which factor is
(12:36):
the most critical in security? A, automating access revocation. C, providing indefinite access. C, reducing authentication requirements. Or D, storing credentials permanently. So which factor is the most critical to security? And the answer is A, automating access revocation. So one of the big things about just-in-time, well, it's
(12:57):
just-in-time provisioning, just-in-time removal. But if you don't have some sort of automated revocation process, you can't do the automated removal and that causes problems. So just-in-time, one of the most secure reasons or the most critical to security is automating access revocation.
Question 13, how can session hijacking be prevented?
(13:17):
How can session hijacking be prevented? A, use HTTP versus HTTPS disabling. B, disabling multi-factor authentication. C, implementing default admin credentials. Or D, encrypting session tokens and enforcing session timeouts. Okay, if it's all about session hijacking, somebody comes in and takes over your session.
(13:38):
What should you do? Obviously, tokens that have a time to die. I've been watching the Mission Impossible thing, right. So Ethan Hunt, as he's pushing a button or doing whatever, he says, this message will self-destruct. Same thing with sessions, you want them to self-destruct because you don't want someone to hijack them.
Question 14, what is the most common vulnerability in federated identity systems?
(13:59):
A, using multi-factor authentication. B, weak assertion validation. C, strong cryptographic algorithms. Or D, secure session management. So the answer is what is? Or? Well, the question again is what is the most common vulnerability in federated identity systems? And it is B, weak assertion validation. So, again, these rely on assertions as part of the SAML,
(14:21):
right. This is to confirm the user's identity. These assertions, if they're not properly validated, attackers can forge them, obviously, and then gain unauthorized access. So it's an important part that you have strong assertion validation, not weak.
Okay, the last question, the last melon. What is the role of identity provider in a federated identity?
(14:42):
Again, what is the role of an identity provider, or IDP, in federated identity? A, it issues authentication tokens for users to access service providers. B, it enforces network firewall rules. C, it manages database storage. Or D, it generates session logs. What is the role of an identity provider in a federated
(15:02):
identity? And the answer is A. It issues authentication tokens for users to access service providers.
Okay, that is all I have for you today. I hope you guys got a lot out of it. Again, go to CISSP Cyber Training. Get access to my content. All of it is not that expensive. It will help you if you're passing the CISSP and, on top of it, there's just really good stuff in there.
(15:24):
I mean, you're dealing with a guy that's been doing security for a long time, and the part is not about me. I want to pass that information on to you all, because you know what, getting in the security space there's so many opportunities there. But again, getting around security professionals, ones that understand the market, understand that world, that is what you need to do. And again, I'm just trying to tell you I've done a lot of
(15:46):
different things. I can help you in your security path and your security journey. Just go to CISSP Cyber Training and check it out. Also, go to ReduceCyberRisk.com. You can get access to my other site there. That's my consulting site if you need any sort of consulting services.