
September 22, 2025 (30 mins)


Ready to master the critical domain of Identity and Access Management for your CISSP exam? This comprehensive rapid review demystifies Domain 5, which accounts for 13% of all exam questions—knowledge you absolutely cannot skip.

Dive deep into the fundamentals as we explore controlling physical and logical access to assets—from information systems to facilities. Discover how properly implemented controls protect your most sensitive data through classification, encryption, and permissions. As one cybersecurity veteran wisely notes, "It's all about the data," and this episode equips you with the frameworks to protect it.

The podcast meticulously unpacks identity management implementation, breaking down authentication types, session management, and credential systems. You'll grasp the differences between single-factor and multi-factor authentication and understand why accountability through proper logging and auditing is non-negotiable in today's security landscape.

We explore deployment models that fit various organizational needs—from on-premise solutions offering complete control to cloud-based options providing scalability, along with the increasingly popular hybrid approach. The episode clarifies authorization mechanisms including role-based access control (RBAC), rule-based access control, mandatory access controls (MAC), and discretionary access controls (DAC)—essential knowledge for implementing proper security boundaries.

Particularly valuable is our breakdown of authentication systems and protocols—OAuth, OpenID Connect, SAML, Kerberos, RADIUS, and TACACS+—demystifying their purposes and applications in real-world scenarios. Whether you're a seasoned security professional or preparing for your certification, this episode delivers the practical knowledge you need.

Ready to accelerate your CISSP journey? Visit CISSPcybertraining.com for free resources including podcasts, study plans, and 360 practice questions—plus premium content with over 50 hours of focused training. This episode isn't just exam prep; it's a masterclass in identity and access management principles you'll apply throughout your cybersecurity career.


Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
Alright, let's get started.
Let's go.

Speaker 2 (00:22):
All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training and this is CISSP Rapid Review Exam Prep for Domain 5, Identity and Access Management. If you're new to this, this is the CISSP Rapid Review for Domain 5, and we have all eight domains on CISSP Cyber Training. So if you are wanting to get that quick last minute review

(00:45):
before you go take your CISSP exam, this is a great tool for that. And this is domain five to kind of go over what you should expect to see in the domain five aspects. So let's roll into what we're going to talk about today. So domain five, as you can see in this chart, basically covers 13% of the questions you will get for the CISSP will be

(01:06):
covered in domain five. So, as we talked about before, this is a pretty even split amongst all the questions and you really can't just say, well, I'm going to skip domain, let's say two, because there's not that many questions. You really can't do that, but it's a well-defined list of questions that you will run into. Now you can get all of this at CISSP Cyber Training. You have weekly resources that are all available to you that

(01:26):
are like over 250 episodes of podcasts that are there. I have a three to five month study plan that's available to you and there's 360 study questions as well as various stuff on my blog and my YouTube channel. That's all the free resources that are available to you and I continue to add more ongoing each and every week.

(01:47):
As it relates to the paid resources, there's over 50 hours covering all the CISSP content, 1500 plus CISSP questions. There's audio and video content, there's deep dive topics and mentorship. All of that's available to you at CISSP Cyber Training. So, again, that's the paid resources. But it's pretty amazing, guys. I mean, realistically, this is all the information you need to study and get ready for the CISSP exam.

(02:07):
So if you go through this information and you take it to account, you will pass this exam. You really truly will. So, bottom line, go to CISSP Cyber Training and check it out. Okay, let's move on to domain five. All right, so this is Domain 5.1, Control Physical and Logical Access to Assets. So we're going to start off. We're talking about information, systems and devices.

(02:30):
Now, information: this is implementing the controls to ensure that only authorized individuals or processes can read, modify or delete sensitive information or data. This is what is important around the information pieces of this, and this is achieved through data classification, encryption and permissions that are set up specifically on files, databases and the applications themselves.

(02:51):
The bottom line is the information is extremely important, and a friend of mine told me this a long time ago. It's all about the data and you really want to have good controls in place allowing these authorized people to read, modify or delete the sensitive data. If you don't have these controls in place, it opens you up to a substantial amount of risk to your organization, and this again is done through classification, encryption and

(03:13):
permission settings. Now, systems: these are managing who can log into, execute commands on or configure these systems specifically, and this involves operating system level controls, application level access and network access specifically. So these are the systems. Now we're talking about the devices. This is controlling the physical access, right.

(03:33):
These are the locked offices, the device encryption, all these are these physical devices that are set up specifically and the logical access to operate these systems or managing the interfaces that are tied to them. This applies to workstations, mobile phones, servers and network equipment. So you get your information, your data, then you have the systems that are. Everything is kind of tied to.

(03:53):
This is the application level stuff and then you have your specific devices themselves, which is your workstation servers and your network equipment. So now we're going to talk about facilities. This is implementing physical security measures to restrict entry into locations that contain or house the information systems that you're currently working with. This could include fences, guards, locks, access cards,

(04:14):
biometrics, surveillance cameras, etc. So this is what controls the physical access to these facilities and you need to understand how these all work together and how do they all tie together. How are guards involved? How are access cards? How are biometrics? Are they good, do they work, do they not work, and so forth. Applications: this is managing the user authentication and

(04:37):
authorization within the application itself, and this is how is it taken care of and managed, and this defines the functions, users, what they can perform and what data they can view or modify based on their specific role. Now we talk about the fact that the application is an important part. It's probably one of the most crucial parts of this, but they all work together as a kind of a triad, because if you don't

(04:58):
have the physical aspects taken care of from the facilities getting in, if you don't have the operating systems taken care of, if you don't have the applications taken care of. All of these things build upon themselves, so any one of them can lead to and create more problems and challenges to you and your organization. Domain 5.2, Manage Identification and Authentication of People, Devices and Services.

(05:20):
So identity management implementation. So this is the framework. IdM is a framework for managing digital identities through their entire life cycle. And when we talk about a life cycle, what does that mean? It's a big word that people go, you have a life cycle for this. No, it's how things are created and they go to the end of the beginning to when they actually go and terminated and are

(05:42):
basically erased. The point of it is that you want to have a beginning and the ending thought out from the beginning through to the end. This includes processes for provisioning, deprovisioning, modifying user accounts and their attributes that are associated with it, and again, this can be very daunting and I recommend, as you're going through this as a security professional, you need to consider. What step do I want to do first? Look at this as a journey.

(06:03):
This is not something you can do overnight. You need to really understand the lay of the land and then start in your life cycle journey around managing identifications. Now you have single and multi-factor authentication. Single factor is authenticating with one piece of evidence, i.e. just a password. Multi-factor authentication is with two or more distinct types of evidence. Something you know, something you have, that's your MFA.

(06:23):
An MFA will significantly enhance security by requiring multiple forms of verification. Now, is the MFA perfect? No, and especially when you're considering texting as an MFA option, it is not perfect, but having multiple different ways to authenticate you is an important factor and in the CISSP, you're going to have to understand what are some of the

(06:43):
different multi-factor options that you have. Accountability: ensuring that actions performed by an individual or entity can be uniquely traced back to them, and this is where, specifically, you have your applications, your different types of units that you're using, the different systems you're using. They need to be able to have identifiability back to you.

(07:04):
One example that would be a challenge is if you have a username that is shared amongst many people and there is not a unique password for each individual username. That's another one that could be. That really limits your accountability. And this is achieved through strong authentication, unique user IDs and a comprehensive logging and auditing system.

(07:24):
Now, again, we talk about this. This is very broad and this is very generic, but you want to make sure that you have. What you have in place is the beginning phases of this. From the point that you start this process, you have an auditing process in place, you have a logging process in place and then, at the end of all of it, you have the ability to kind of provide these metrics and this data for your senior

(07:46):
leaders and for yourself to understand what you're actually trying to measure. Now, session management: this is the process of securely managing a user's interactive session with the application or system. This includes session ID generation, secure transmissions, expiration and the invalidation to prevent session hijacking or replay attacks. You have to have the plan to be able to do this, to control the

(08:09):
sessions of your employees and of the systems that are working on. If you have service accounts and so forth, you need to have a way to generate or to basically limit the ability for these devices to be able to use these sessions. Now registration, proofing and establishment of identities: this is registration. It's the initial process where the user provides information to

(08:30):
create an identity. You have to begin this process, right. When you log in and you go to a company, they give you a registration process, by which you then would actually become part of the company and you will have your username and identity, username, password and so forth. Proofing: this is where you verify the authenticity of the

(08:50):
identity presented during the registration. Again, government ID cards, background checks, things that prove who you are: Social Security cards, birth certificates, etc. The establishment: this is the creation of a digital identity within their system, after successful registration and proofing has completed. This is the establishment of the identity and, again, these

(09:10):
are really important, that you have a good process in place to do this. Now, there's gonna be plenty of accounts that you have within your company that won't have an identity tied to them, but you want to have, at least with your users, a good path and a good plan for this specifically. So, again, when the CISSP is going to talk about this, they're going to be asking you what is registration? What is establishment?

(09:31):
Are you connected with how that works? They're going to give you a scenario on how this would potentially happen and then you, in turn, would go and say is this true, is it not? How would I understand the establishment of my identity and access management process within my company? Federal Identity, Federated Identity Management, FIM. This allows users to authenticate once with a trusted

(09:52):
identity provider, IdP, and then access multiple service providers without re-authenticating. So your company may have an IdP and this is where they would federate that information of your identity to multiple other service providers, and this all you have to do is authenticate one time, and this enables cross-domain identity sharing and management and it does allow for a much more seamless and

(10:13):
better user experience for your people. Credential management systems: these securely store, manage and distribute user credentials, i.e. passwords, keys, tokens, anything like that is being stored and then distributed through a credential management system. This includes features for password vaulting, automated password rotation, just-in-time credential access.

(10:35):
A good example of this is CyberArk. They have a really good process in place for this as well, and I don't think CyberArk got bought by somebody recently for gazillions of dollars, so very, very good company. A user authentication process that allows users to log in with a single ID and password to gain access to multiple related

(10:56):
but independent software systems. This is SSO and this is basically. You'll see this in a lot of different places with just your one single ID and that password and allows you access in. Google is a good example of that. You log into Google, it can gain you access to various other areas because it's a service provider and it passes those federated credentials throughout the entire cycle.

(11:18):
This enhances user convenience and it can improve security by reducing password sprawl or password reuse. A lot of people reuse passwords on a routine basis. Just-in-time access: this is a security principle where access privileges are granted only when needed for the shortest possible duration. This is a really good thing. Now, just-in-time access can be very, very secure.

(11:39):
It also can be very complicated and can break things. So you have to have a good plan of how you want to deal with just-in-time access. It minimizes the window of opportunity for attackers to exploit the standing privileges that are there, and then particularly for privileged accounts. And one thing is potentially like just passing the hash. This would be mitigated with. You wouldn't have pass the hash issues, because it's just

(12:00):
provided for the information that you have for that moment and then it goes away for any other access. So just-in-time access is a really good thing you can put within your organization if you have the ability to do so. Domain 5.3, Integrate Identity as a Third-Party Service. So we have the on-premise of the IAM deployment model. This is where identity and access management infrastructure

(12:21):
and the services are hosted and managed entirely within the organization's own data centers. This provides full control over systems, but requires significant capital expenditures and operational overhead. So when you're dealing with IAM, deploying it within your own organization, it does work really really well, but it is

(12:41):
extremely expensive. So a lot of times smaller companies will just go with a service provider to help them with that, such as they'll use Google or they'll use some other authentication mechanism to provide this. But if you want to put it within your own company, you would need the infrastructure and the services behind it, along with the people that understand how to deploy it. But it does allow full control over the data and the systems,

(13:02):
but it is a significant capital expenditure and operational overhead. Cloud IAM deployment model: this is where identity and access management services are provided by a third-party cloud provider. This is identity as a service. So they have it in the cloud and you're using their model. You don't have it on prem. You're not using necessarily Google. I mean, you are kind of using Google because it's acting as

(13:24):
this, but let's just say that you have a cloud provider. You have Ping in the cloud. That is their model. Then there's a third-party cloud provider that's providing this identity as well. This offers scalability, reduced infrastructure costs and often integrates easily with other cloud applications. Amazon has the ability to do that. You can use Amazon's products as well. So there's that process that's set in place.

(13:46):
Hybrid: this is where it combines on-premises and cloud IAM solutions, often synchronizing identities between two environments. So this is where you work between both the cloud and the on-prem solutions, and it's common for organizations with existing on-prem infrastructure that are migrating to cloud or using multiple cloud services. So you have your on-prem, your cloud and your hybrid. Domain 5.4.

(14:10):
So this is Implementing and Managing Authorization Mechanisms. So we're going to get into role-based access and the different types of that, and then rule-based access as well. So, role-based access: this is where access permissions are grouped into roles, i.e. like an analyst, a manager, administrator, air quotes God. Yeah, you're not going to put that, that would be a bad idea, but they're different, grouped into different roles.

(14:32):
The users are assigned these roles and these roles are assigned permissions to the various resources. Again, this is a great process, but it does take management and it does take the ability for you to have a good coordinated plan around doing so. It simplifies the management in large organizations by abstracting permissions from individual users. So, again, very good process, works really really well, but it

(14:57):
does take something to implement. That's RBAC. Rule-based access controls: this is where access is granted or denied based on a set of predefined rules and/or conditions that you may have in place. The rules are often based on attributes of the user's resources or environment and basically an example would be allowing access to financial data only from internal IP

(15:17):
addresses during business hours. So you can see the big difference. Right, your analyst has access to these specific systems, which is very granular. Then now you have a little bit not so granular aspect to it. Now, rule-based access controls can be very useful, especially if you're not dealing with individual user accounts. If you're just dealing, maybe, with a service account, you may

(15:37):
want to put, definitely want to put in rule-based access controls, depending upon what data you're actually using. Now you also have to understand, based on risk, you may not be able to put rule-based access controls everywhere, and the same with RBAC, you may not be able to do that. So therefore, you need to understand the overall risk to your organization and then put these different types of controls in place based on the risk to your company.

(16:01):
Mandatory access controls, MAC: this is access decisions are enforced by a central authority, basically an operating system or the kernel, and it's based on the security labels assigned to the subjects and the objects. Users cannot override these controls and they're usually used for high security environments such as the military or the government. These are mandatory access controls that are in place.

(16:22):
It will deal a lot. An example with potentially is around multi-level security systems, such as secret, top secret, confidential. That's where mandatory access controls do come into play. They are enforced by a central authority. So, as an example, at the central, if I'm dealing with a security systems computer like top secret, secret type of systems, I do not have the authority to make any changes on

(16:44):
those. Those are all changes. All the controls are pushed down from a central authority, a central management system. Discretionary access controls: these are the owner of the resource or object can grant or revoke access permissions to other users or, your quote, subjects at their own discretion. It's common in many commercial operating systems and the

(17:04):
applications that are associated with it. So you're allowing individuals, the owner of that data, to grant or revoke the permissions. The downside of DAC is that people just don't pay attention to it and they just grant access to everyone. That's a problem, right? So you have to have a real good thought process out of what you're going to allow individuals to have access to, to allow them to use discretionary access controls.

(17:27):
So, as an example, a user can create a file and then decide who can read, write or execute that file. So discretionary access controls, again, they play a part in this entire process. But you need to be very controlled on these different types of controls. And rather than most companies just say, well, you know what, we're just going to use discretionary access controls everywhere and you can take care of it, your data, you

(17:48):
work through it. It's a bad idea, really bad idea. So having a good plan in place is imperative. Attribute-based access controls, these are ABAC: access is granted or denied based on the evaluation of attributes associated with the subject, the object, the action and the environment. So, again, that's based on this situation of the overall

(18:09):
attribute. You may find these are highly flexible and dynamic and they allow for very granular access decisions based on complex conditions. So, as an example of this, you would allow any user with the air quotes manager role or from marketing and from the marketing department to approve the expense reports if the amount is less than $500. So there's very granular controls that you have put in

(18:32):
place based on the attribute that you're coming up with. These are good. But I'm just going to be very transparent. They can be extremely challenging to try to negotiate when things don't work well. You may put them in place, they work great for a while, but then you may be not like me, but I forget what I did yesterday and then all of a sudden something breaks and now you're

(18:54):
trying to remember why did I do this? So attribute-based can be a bit of a challenge. Risk-based access controls: these are access decisions are made dynamically based on real-time assessment of the risk associated with an access attempt. Now it considers factors like user behavior, device posture, location and time of day, the sensitivity of the resource being accessed as well.

(19:15):
So an example would be a user's attempting to log in from an unusual location and might be prompted for additional MFA type or authentication aspects to gain access to the information, or maybe denied access entirely. So these are really good. Again, they don't fit every need, but if you have a very global company, you're going to want to consider some level of

(19:38):
risk-based access controls, and understanding the behaviors, the device posture and the location of the day is really, really important. Now, can this be spoofed? Yes. Can it cause issues where it says, especially if your network is maybe the VPNing in, does it give you wrong type of information? Yes, that can happen. But again, you have to decide the risk that you're trying to

(20:01):
associate or trying to protect against and then determine is this an important part of your company? So, again, risk-based controls are important and I highly recommend them, but you do need to have a really good understanding of the data and the systems that are critical within your company. Domain 5.5, Manage the Identity and Access Provisioning

(20:21):
Lifecycle. So, account access review. This is the users, the systems and the service. You regularly review users, systems and service accounts to verify that the assigned access privileges remain appropriate. This is you going in and checking the accounts on a routine basis. You identify and remove dormant, unauthorized and ones with excessive permissions. You should be doing this on an annual basis.

(20:43):
You may do this more than that, depending upon the systems and the data that's being controlled. But you should at least look at this on an annual basis. The first time you do it, if you're just coming into an organization, it may get very painful, but if you do it annually, it is a very quick and easy process. Provisioning and deprovisioning: this is the on and offboarding and transfers.

(21:04):
This is provisioning, basically, is granting access to new users or systems based on their defined roles and needs. So you're onboarding an employee. This is where you'd be provisioning them something, granting them access to it. Deprovisioning is you're revoking all access privileges when the user leaves an organization or the system is decommissioned. That's what they call offboarding.

(21:24):
Some people just say exiting, so you could do the one, but the bottom line is you need to have something in place for provisioning and deprovisioning. Now you also need to consider transfers. This is where someone moves within a company and modifying the access rights promptly when the user changes roles or the department. Transfers are a huge thing and that's where we talk about in CISSP Cyber Training, credential creep.

(21:46):
You will get a lot of credential creep where people will gain access to something they should not have access to because they moved to a new role and then they didn't lose the access they used to have and they keep that access, and that's bad. So seen it happen time and time and time again. So credential creep is a real problem. Role definitions: this is where people are assigned to new roles.

(22:07):
You clearly define and document the specific permissions associated with each role within the access control model. So roles are defined, you understand those permissions tied to those roles and each one is understood and well-defined within your organization. It ensures that when individuals are assigned new roles, their access is updated to reflect only permissions required for that new role.

(22:28):
There's some great tools out there that can help you with that, and it's automated tools, but they have to be more or less kind of integrated into your HR system. They are awesome, but they're very painful if you're trying to bolt them on after the fact. SailPoint, I think, is one that does a really good job, but you do have to have a good plan in place to work with these

(22:49):
guys. If you can bring them in at the beginning, that's awesome. The problem is they're very expensive and so a lot of times they get avoided till the end and then, when there's a problem, then they're brought in. Privileged escalation: this is where you're managing your service accounts using the use of sudo, like in Unix systems, which is supervisor do, something along those lines.

(23:10):
I can't remember. Yeah, supervisor do or superuser do. Those are the pieces where you're allowing elevated privileges to be using. You should minimize its use. Obviously you don't want your domain level privileges to be used on a routine basis. Those should only be in case of emergency break glass kinds of things. The process: these are the process by which users or attackers will gain access to privileges more than they're

(23:31):
initially authorized. So they will use this. They will migrate from one place to the next place. The next place to try to gain access to increased user accounts and therefore and they will not necessarily use our accounts, could be just any account to escalate the privileges they have. Management practices include using managed service accounts, strictly controlling and auditing the use of tools like sudo or similar commands, and minimizing the standing

(23:54):
administrative privileges. So this is an important part to watch out for privilege escalation within your company. I highly recommend that if you're a large organization, you consider doing a red team to your company in certain areas that you feel are your highest risk. It will go a long ways in making sure that you have the proper protections in place for your data. Domain 5.6, Implement Authentication Systems.

(24:15):
So OpenID Connect, OIDC, and OAuth, open authorization. For the CISSP, you're going to have to know each of these and understand how they're being used. OAuth is an open standard for delegated authorization. It allows users to grant a third-party application limited access to their resources or other services. A good example of this would be the photo app accessing

(24:38):
Google's photos without basically sharing your credentials. That's the goal, right. So it allows you another service. It doesn't share your credentials, but it gives you delegated authorization to do so. OIDC is the authentication layer built on top of OAuth 2.0. So OIDC and OAuth do work together. You can have OAuth separate from OIDC, but OIDC needs to

(24:59):
have OAuth 2.0. It allows clients to verify the identity of the end user based on the authentication performed by the authorization server, as well as to obtain basic profile information about the end user. So again, it adds a little bit more granularity on top of OAuth and it gives you with the user and the identity of that individual. Security Assertion Markup Language, or SAML.

(25:22):
This is an XML-based open standard for exchanging authentication and authorization data between the IdP, which we talked about as the identification provider, and the service provider. So when you have the IdP and the SP, this is where SAML comes into play and it will help exchange authentication and authorization information. It's primarily used for federated authentication, such as single sign-on.

(25:43):
You'll see SAML in some of the questions that may come up, so you need to kind of understand how would SAML be integrated with your IdP and your SP, just to make sure, as they're asking this question, you truly understand what they're asking for. So this is done in web-based environments and allows users to log in once and access multiple applications. Kerberos: it's a network authentication protocol that

(26:05):
uses secret key crypto and it provides strong authentication for client-server applications by providing their identity to each other across non-secure network connections. It relies on trusted third parties, such as a key distribution center, and it also issues tickets for authentication. It's common in Active Directory environments, so Kerberos has been around a long time and it is used a lot, especially with

(26:28):
your AD environments. So you need to understand the use of crypto. Kerberos is not going away, so you need to really, truly understand how Kerberos works within your environment and how it could work within an Active Directory environment. Remote Authentication Dial-In User Service, RADIUS. Yeah, as you notice, people don't say Remote Authentication Dial-In User Service a lot.

(26:48):
You'll hear them say RADIUS a lot, but not those big, big words. No, they don't say that. And then you have TACACS. I actually did a podcast out there on RADIUS and TACACS specifically. That was done. This was a good one to kind of go back to and it'll help you specifically around this. But TACACS is your Terminal Access Control, Access Control Systems Plus.

(27:09):
Yeah, lots of big words. It's very confusing. But just remember RADIUS and TACACS Plus. RADIUS is a widely used networking protocol that provides centralized authentication and authorization and accounting, so they call it AAA, right, and management for users connecting to the network service. So it's basically, it's widely used for any sort of networking protocol and it provides centralized management for users

(27:31):
connecting to the network service. RADIUS, it's a widely used networking protocol that provides centralized management for users connecting to a network service. You'll get this centralized authentication, authorization and accounting, which is AAA. This is what is used specifically for that and it's often used for network access, such as in Wi-Fi or VPNs.

(27:51):
You'll get that in a lot of small networks, well, not even small networks. You'll get them in large networks as well, but the use of RADIUS is widely used. TACACS is a Cisco proprietary protocol that provides AAA, which we talked about, authentication, authorization and accounting services. It separates authentication and authorization and accounting into distinct processes, not just one.

(28:12):
It also offers a much more granular product than RADIUS, particularly for device administration. So you'll see RADIUS and TACACS. I've seen RADIUS used in a lot of older type systems, definitely a lot of older systems, and then they've migrated to a TACACS type system. You may get them both in your environment. In the enterprise I was in, I had RADIUS and I had TACACS that

(28:36):
were both working together in the same enterprise. So you're going to see them in a lot of different places. But you just need to understand what is the difference between the two. RADIUS is focused on authentication, authorization and accounting, right, and it deals with Wi-Fi and VPNs. TACACS is, this basically just gives you more granular access to the same types of contact that RADIUS would give you.

(28:57):
Thank you again for joining me on Rapid Review Domain 5. I just wanted to do a shout-out again, CISSP Cyber Training. Head on over to get my free resources that are out there. I've got podcasts, I've got study plans, I've got study questions. There's tons of stuff that's available specifically for you at CISSP Cyber Training to help you pass the CISSP exam.

(29:17):
There's also paid resources. I have over 50 hours of content that's focused specifically around the CISSP. I've got over 1,500 CISSP questions. I have curated audio and video content, mentorship. All of that stuff is available specifically for you at CISSP Cyber Training, whether it's free or it's paid. There's all kinds of stuff that's available. Just go check it out, CISSPcybertraining.com.

(29:41):
Okay, thank you all for joining me today and have a wonderful day, and we'll catch you on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the

(30:04):
CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.