CCT 075: Management of Identification, Authentication & Future Trends (Practice CISSP Exam Questions D5)

Are you ready to unlock the secrets of cybersecurity? Buckle up as we journey into the intriguing world of CISSP Cyber Training. Imagine the shock when Microsoft AI researchers accidentally leaked up to 38 terabytes of data due to a slip-up in their Azure environment! We're diving deep into this incident, unpacking all its layers. But that's not all. We’re shedding light on the complexities of Multi-Factor Authentication (MFA) and the unique challenges of Single Sign-On (SSO). Plus, get ready to demystify the 'something you are' factor in biometrics and understand the real objective of identification - hard facts.

The journey continues as we navigate the tricky waters of machine learning and IoT devices. Ever wondered what happens when a machine learning algorithm sniffs out a phishing attempt? Or how dynamic policies keep the ship afloat in geofencing? We've got answers! We're cracking the code on pattern recognition algorithms in credential stuffing prevention, and taking a hard look at IoT device trustworthiness. But we're not stopping there. We'll wrap things up with a treasure chest of resources for CISSP Cyber Training - think YouTube channels, websites, and more. So, are you ready to level up your cybersecurity game? Your expedition into the exciting realm of cybersecurity starts here. Tune in, take notes, and transform your understanding of the digital world!

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free. 

Content

Transcript
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey all Sean Gerber with CISSP Cyber Training and I hope you all are doing well. All are having a beautiful day today. Today is CISSP Question Thursday, so today we're going to be chatting around some various aspects as it relates to Domain 5 and some of the podcast content that we had on Tuesday. We've got some questions that are going to be associated specifically actually the podcast. On Monday We'll have some questions specifically focused around that and Domain 5. Before we get started, one thing I wanted to bring up was there was some recent news articles. Obviously, with cybersecurity there's always news articles, and one of that I saw that was quite interesting is the fact that supposedly, some AI researchers with Microsoft did accidentally expose up to 38 terabytes of data that they had set aside and some of that has confidential information that was sitting in it you can go to, in this case, the hacker news and I know I saw it on TechCrunch as well but there's some various related comments to this situation and how it occurred. But bottom line is that there were some tokens that were shared with the GitHub repository that did expose some various Teams messages, backups, passwords, private keys that had been set aside for their overall activity. They did, but it was more or less an accidental disclosure and it was because of the fact they had an overly permissive token that they had set up within their Azure environment. This is something that you'll see routinely and I recommend that if you are a security practitioner within your organization, you go through your cloud connectivity and ensure that your accounts are correct and that they aren't overly permissive. I do this routinely with my team and it's an important factor just to make sure that any cloud activity you do have, you are watching those accounts. Just because this is a great situation where various data was contained within these backups that they had to include secret keys, passwords, and then they had over 30,000 internal Teams messages that were in this as well from a backup standpoint. So I don't feel aware. Teams messages have a plethora of information in them, especially when it comes to people uploading data content and so forth. Teams is a really good way, if you're a hacker, to gain access to a lot of very sensitive data. So it's, and we're seeing more and more attacks that are coming towards Teams, especially some of these AI bots that are coming out there. So I highly recommend that you go give it a check it out at the Hacker News and it's about this AI researchers who exposed 38 terabytes of confidential data. You also can get this information on Infosec Industry and just go out there and check it out. But go ahead and Google it. You'll be able to find all the information around this. It goes specifically into how the attackers did it and what they're able to gain access to. So I shouldn't say the attackers did. It was a public disclosure and it was one of those where they found it on their own, but in the process of finding it, they want to lock it down to make sure that it wasn't exposed and that people didn't gain access to this information. Okay, so we're going to go ahead and let's get started into the CISSP questions. Okay, so this is going to be tied around. It's like I said before, domain five. All right. So question number one what is the primary objective of identification? A to prove the user is genuine. B to present claims about a subject. C to grant access to resources. Or D to ensure data encryption. What is the primary objective of identification? It is B. The main goal of identification is to present claims about a subject, usually by providing credentials like, such as username, and it serves as the initial step before authentication process and usually and actually validates those claims. So it's to present claims about a subject. Question two which method provides two factor authentication? A biometrics and a pin. B password and username, c smart card, d username. Which method provides two factor authentication and two factor authentication does involve two different types of verification methods. So hence it would be A biometrics and a pin. Biometrics, obviously, is something that you are in. A pin is something that you know, making it a full two factor. Question three what is the something you are factor in MFA? A password, b smart card, c biometrics or D pin? And the answer is B or not B, it's C biometrics. Biometrics is something you are. I was thinking B, as in biometrics. No, it is C biometrics. It is something that you are, which could include fingerprint scans, facial recognition or potentially even iris scans. This factor is unique to the each individual. So which of the following is not a benefit of MFA? A lower costs. B increased security. C reduced risk of fishing or. D compliance with regulations. So which of the following is not a benefit of MFA? We talked about MFA is multi-factor authentication. So which one is not a benefit of it? So last three increased security, reduced risk and compliance are all benefits of MFA. So the answer is A lower costs. Mfa increases security. It often comes with a financial cost and I will say and if you add any MFA into your environment, it can come from a financial aspect, physically costing you capital to set it up, but it also can cost from an opportunity cost standpoint, because it's just more training and teaching you have to accomplish. But there's hardware, software and administrative overhead that does make it a bit more costly than just doing nothing, obviously, but it does add a lot of benefits to your organization. In today's world it's highly worth the money spent. Question five what is the primary security concern of SSO? A complexity. B scalability. C lack of user training or de-session fixation. Okay, primary security concern of SSO. Now, each of those A, b and C are a concern. However, the primary security concern would be de-session fixation. Now this comes with a single sign on sessions where there's a fixation attack. Now these attacks occur when an unauthorized user fixes the session identifier for the authorized user, thereby giving control over the session to the attacker. That is session fixation. That is probably one of the bigger security concerns, just because of the fact that they could gain access to your MFA or your SSO environment. Question six which is not a typical use case for federated identity? A e-commerce, b social networking, c digital signatures, d enterprise collaboration. And the answer is C digital signatures. These are not a typical use case for federated identity because they're basically comes down to is their focus on allowing users to use the same credentials across different systems that's when you have digital signatures or even across different organizations. That's why they're tied, not particularly to federated identity. Question seven which regulation mandates strict access controls in healthcare? A HIPAA, B GDPR, c PCI DSS or DCCPA, which is the California Consumer Privacy Act or Consumer Privacy? Yeah, california first, I think. And the answer is A HIPAA. Obviously the HIPAA, if you know the acronyms, is the Health Insurance Supportability and Accountability Act, hipaa. It mandates strict controls for accessing healthcare information and it sets some of the most stringent guidelines that can be managed as it relates to medical records. Under all of these various conditions, question seven. No, actually question eight. I just did question seven, ha ha. Question eight what is the primary focus of PCI DSS regarding authentication? A data minimization, c user consent, c secure authentication methods or D data portability? The answer is C. The primary focus of a PCI DSS regarding authentication is C secure authentication methods. The PCI DSS does place a focus on secure authentication. Obviously, they want you to ensure that you have a solid authentication strategy when you're dealing with credit card transfers. So this is why it's important and it does tie very strongly into the card holder data and how important that is there are specific guidelines to protect sensitive information during these various transactions. Question nine which of the following biometric identification is the least invasive in terms of privacy? Facial recognition, fingerprinting, that's B, c is iris scans or D is voice recognition? Again, which of the following biometric identifications is the least invasive in terms of privacy? And that would be D. Voice recognition is considered the least invasive compared to other biometric techniques such as facial recognition and fingerprinting. Voice data is less revealing from physical characteristics. However, as we deal with AI, that can cause some challenges as well, because it's much easier to copy people's names like or copy people's voice. Hence, with all these podcasts that I've done, somebody probably could make some voice password thing that would replicate my voice if you could do it. So that would be probably bad. Good thing I don't have any voice password type stuff. Question 10. How does blockchain improve identification security? A centralization, b immutability, c role-based access or D none of the above, okay. So how does blockchain improve identification security? And the answer is B immutability. So one of the most significant advantages of blockchain is the actual immutability. So once you add data to that blockchain, it cannot be easily altered and the technology is very resistant against tampering and therefore it improves the overall identification of the security. I've seen this being used in it's kind of cutting edge right. Not everybody uses blockchain from an identification standpoint, but you're seeing a little bit more of that being embedded within their identification methods and their identification tools. What is a behavioral analytics primary use for as far as it relates to identification and authentication? This is question 11. What is behavioral analytics primarily used for in identification and authentication? A anomaly detection, b password management, c data encryption or D access control. Question is what is behavioral analytics primarily used for in the identification and authentication aspects, and it is A behavioral analytics primarily focused on monitoring user behavior and therefore it's looking for any sort of anomalous activity. You have machine learning algorithms that arrange a factor such as navigation paths. You know, obviously, where did you click time spent on the tasks, are you spending enough time or not enough time? And then other ways to flag inconsistencies that could indicate a potential security issue. It's more or less monitoring how you do business and then, therefore, if an attacker does business different than you, it would be a risk score and it would then flag an anomaly. Which AI based method adapts over time to a user's typical authentication methods? So question 12 is which AI based method adapts over time to a user's typical authentication methods? A risk based authentication, b gate analysis, c semantic analysis or D adaptive MFA? Okay, so which AI based method adapts over time to a user's typical authentication methods? So now, if you don't know the answer to this question, you just got to kind of start tearing it apart. What AI based method so that would be a first part of it and looks at user's typical authentication methods. So you're dealing with authentication pieces. So there's two parts of this question and the answer is D adaptive MFA. Adaptive MFA uses machine learning models that adapt over time to a user's typical authentication method and it assesses in real time and adjusts based on the authentication factors accordingly. So what it's basically doing is it's watching how you would normally do your MFA and if it would be out of dip, out of band or out of normal pattern, it would then have a. It would raise a risk score based on that. Question 13, what do algorithms in social media analytics look for to flag potential identity fraud? They look for a public posts, b inconsistencies with online profiles, c number of friends or d personal preferences. What algorithms in social media analytics look to flag potential identity fraud? And it would be b inconsistency in online profiles. So it's looking for the analytics tied to your profile and it looks for any consistencies, such as differences in names, locations and work histories to flag potential identity fraud. Again, it's just trying to pull all that information in which would flag it and really, when it comes right down to it is if the robot you know people, if you were hired an investigator for them to dig into this, they would probably find these problems of fraud against your identity, but it would take time. That's where the machine, the robot, can do this for you in a much faster and a much more effective manner. Question 14, what does semantic analysis do for chatbots? The chatbot security, a scan attachments be, anomaly detection, see to understand user intent, or d encrypt chat. So now, if you look at the term again, semantic analysis do for chatbot security. Semantics deals with words, right, it does so. You know you could automatically throw out scan attachments, anomaly detection and maybe the encrypt chat might be there, but you definitely could throw out those first two. And the C is understand user intent. So the ultimate goal of this is it looks at what was the user's intent and what was the structure and meaning of their inputs, to provide an extra layer of verification. If it sounds like it doesn't make any sense, when you're the user's intent is different than what you would anticipate, that's when it will raise a risk score flag. Now again, when I talk about this a lot of times, just because there's an error that's put into these, it will not automatically say that there's a, there's an attack or there's something being done against an account. It will raise a risk score and that risk score, if there's enough of it goes high enough, that's when it will alert people that there might be a potential fraud situation, but doesn't just automatically do that, because sometimes people make mistakes, but therefore it's. It's all about the risk score and about all the different levels that you would create or that you could potentially, in the act upon to create a higher risk. Question 15, what is the action? What action does a machine learning algorithm take when it detects a fishing attempt? A quarantine the email, be notify the system administrator, see delete the email, or D send real time alerts to users. Question is what action does machine learning algorithms take when it detects a fishing attempt and it is D send real time alerts to users? I don't know if you've ever noticed this before, but I've had this happen to me a couple times, where it will send a real time alert to me, such as if a fishing attempt has been a tech detected. This noted immediate notification can really add a lot of value, especially if you notice that it's it's happening right and we talk about this within all of our training of our employees and done this through years, from being with the military to my current employment. One of the big factors is is treat each person as a sensor. They are your first and in some cases, unfortunately your last line of defense. So if you can teach them how to that there's an issue that they raise that up great. Well now, if you have alerts that can come in real time, then that can help speed up that remediation process. Question 16. What is the main function of dynamic policies in geofencing? A I monitor IoT devices. B anomaly detection for devices. C adjust security policies based on geolocation data. Or. D assign device trustworthiness scores. Okay, what is the main function of dynamic policies in geofencing? A adjust or A monitor devices. B anomaly detection for devices. C adjust security policies based on geolocation or. D assign device trustworthiness. The answer is C adjust your policies based on the geolocation data so you can do this. For example, you might have access requests that are coming from an unfamiliar location. They might require an additional authentication step. So if you normally have people in the United States and all of a sudden you have an executive that's flying to Asia, you maybe you want to add an additional authentication step just to double check to make sure that account is legit. Question 17, what do pattern recognition algorithms in credential stuffing prevention primarily look like? A encryption patterns. B patterns consistent with automated bots. C password complexity or D geographical patterns. What do pattern recognition algorithms in credential stuffing prevention primary look for? Okay, so we're looking to give a break in this down pattern recognition algorithms and credential stuffing. So if you're dealing with pattern recognition, you want something that deals with the patterns that are consistent with automated bots, that's your look for the pattern piece of this, and so that is a key factor. And then, when you're dealing with credential stuffing, you'll need to know that that's just the attack that takes all the credentials that are out there and starts trying to stuff them into the very, trying to basically do various attempts and by doing that it will try to obviously log you in. But if you can get the pattern recognition around this and you realize that the bot is determining oh, this person is just putting in credentials of various methods, they then can go ahead and flag that as a problem. So this is a really good way to help highlight there could be an issue with credentials being stuffed into various accounts and trying to log in. Question 18, what do machine learning algorithms in IoT device authentication mainly flag? Okay, machine learning algorithms in IoT device authentication what do they flag? A insecure passwords no, that's not true. B unusual activities yes, that would be possibly true. C firmware vulnerabilities possibly, but probably not. And then D physical tampering. They typically don't deal with the physical aspects. So if you're dealing with machine learning and IoT authentication, it would be B unusual activities. Machine learning algorithms in the IoT authentication methods will mainly flag based on usual activities that deviate from the device's normal behavior, and the nice part about IoT is that their normal behavior is pretty consistent. Question 19, what is a device trustworthy in a score? A a trust score based on IoT device security posture and past behavior. B a credit score for individuals. C risk assessment for network devices. Or D a reputational score for organizations. So what is the device trustworthy in a score? Well, you can really quickly pull out a couple there where you're dealing with credit scores for individuals and reputational scores for organizations. Yeah, you can throw those out, but when you're dealing with a device, you wanna have A a trust score based on the IoT's device security posture and its past behavior. So if you know that the IoT device has done certain things in the past and you know how it's set up with its security, you then can create a trust score based on that information. So if it's consistently doing one way of creating device providing information for you, and then you also know that the score has got, or the device itself has got, some level of authentication in place, then you can increase its risk or its score as it relates to its security posture and then, therefore, it gives you this trust based on all the other IoT devices that are out there. Question 20, what future technology is debated for its high security benefits, but potential privacy invasiveness? A blockchain, b geofencing, c social media analytics or D biometrics Again, for one of the security benefits high security benefits, but potential privacy invasiveness and that would be D biometrics. Biometrics are often debated for its ability to provide high levels of security, but at a potential cost of an individual privacy. These techniques, such as facial recognition, can be highly invasive and collect potential personal data. Okay, that's all I have for today. Again, you can go to CISSP Cyber Training. You can get all of these questions available to you and many, many more, all at CISSP Cyber Training. Also, you can check out my YouTube channel. You'll see some of these questions will show up eventually. I don't put all these out right away, but they do show up at some point in time, they will be pushed to YouTube. You can also go to my website, and I will put these on the blog as well. You'll see some of these that show up out there. All right, have a wonderful day, and we will catch you on the flip side.