Saturday, September 15, 2018

SSCP 2018 Exam Changes



With effect from 1st November 2018, (ISC)2 would be doing a domain refresh in the course content of SSCP certification. This is in line with a refresh cycle of 3 years for every certification which (ISC)2 offers.

In this post, we look at changes which will take place in this refresh. We will look at it from a perspective of what will remain the same for an exam giver and what would change.

Question 1. Have the domains changed completely?

No, the weight of the domains has changed. There are minor changes. So if “Security Operations & Administration” had a weight of 17% in the earlier exam (2015), it has been reduced to 15% in the new exam outline.

Question 2. Would the changes affect my already bought course material?

No, the course content broadly remains the same. The course content does not change. Your old books or exam material will remain fully valid. 

Question 3. Is there a change in the exam format too just like CISSP?

Absolutely No. The format remains the same. You will have 125 questions to answer in 3 hours where 100 questions will be graded. 25 questions are research questions, however, from an examination point of view, you’ll not be able to differentiate amongst them. There is no negative marking, hence you must attempt all the questions. You need to secure 700 out of 1000 points to clear the exam.

Question 4. Where can I identify the changes that have been brought in topic wise with respect to various domains?

Here are the exam outlines for your reference: 



Domain Wise Changes are also mentioned here for your assistance:

Domain 1 Access Controls
New Additions:
Federated Access, IAM systems, Subject-based & Object-Based Access Controls.

Domain 2 Security Operations and Administration
New Additions:
Software inventory and licensing, Data Storage, Periodic audit review.

Domain 3 Risk Identification, Monitoring, and Analysis
New Additions:
Risk management frameworks (e.g., ISO, NIST), Remediation validation, Audit finding remediation, Legal and regulatory concerns (e.g., jurisdiction, limitations, privacy).

Domain 4 Incident Response and Recovery
New Additions:
Support incident lifecycle (Preparation, Detection, analysis, and escalation, Containment, Eradication, Recovery, Lessons learned/implementation of new countermeasure)

Domain 5 Cryptography
New Additions:
Web of Trust (WOT) (e.g., PGP, GPG) 
Note – In this domain, some restructuring has taken place. Although the new exam outline shows some topics, they were also present in the older CBK too.

Domain 6 Network and Communications Security
New Additions:
Transmission media types (e.g., fiber, wired, wireless), Network relationships (e.g., peer to peer, client-server), Wireless security devices (e.g., WIPS, WIDS), Bluetooth, 

Domain 7  Systems and Application Security
Removed: Secure Big Data Systems (Application vulnerabilities, Architecture or design vulnerabilities)

Question 5. Has the cost of the exam changed?

No, the cost of the exam remains the same. You need to pay 250USD or equivalent and book the exam through the Pearson Vue Centre only.

Question 6. When will these changes go into effect?

All changes will reflect from 1st November 2018. 

Question  7. Do these updates affect the experience requirement for the SSCP?

No. The changes do not affect the experience requirement. For the SSCP, a candidate is required to have a minimum of one year of cumulative work experience in one or more of the seven domains of the SSCP CBK.

Question 8. Where can I practice exam based questions for the new changes?

I have created two courses for the same. The links to these courses are given below. Please be rest assured that these practice questions have been made considering the new changes that have been brought in. SSCP Mock Exam 2 is also coming in November.



Question 9. Is there a training available with respect to the new course changes?

For official training, you can check the (ISC)2 website. 
I would be uploading the complete training course on Teachable which will reflect all the changes. This training will contain all the new topics and the updated course content. A new tab called the “SSCP Training Course” will be available in November on the website.

Overall, the changes brought in by (ISC)2 do not reflect any major changes as such. Certain topics which have been added reflect the importance which (ISC)2 wants to showcase in certain areas. From a domain perspective too, the weight of “Cryptography” has increased, which makes more sense.

In case you have any more questions regarding the SSCP 2018, feel free to drop in as comments in the comment section below. I will be happy to answer them for you.

Happy Learning.

Tuesday, September 4, 2018

Single Sign On & Kerberos


Imagine Susie wants to log on to a company database, her own system, a web server, her webmail and other multitudes of applications. Since she needs to access so many resources, it is extremely important to have a set of credentials for accessing each of this resource. This means Susie must remember an approximate dozen passwords in order to access these resources. Susie finds a solution to this problem. She writes down every single username and password to access them.

Clearly, Susie is not alone in doing so. You may also be doing the same. Clearly, from an information security point of view, this is not a great solution. It may sound that different ids and passwords would provide more security, it ultimately ends up in more work for the administrator since there are more requests of password reset or greater chances of a breach if that notebook gets in the wrong hands.

So what needs to be done? Well, as usual, the intelligent minds gathered together and found a solution to this problem. They called it the Single Sign-On. You can call this a double-edged sword too. Why? We’ll learn about it a minute. 

Single Sign-On allows a user to enter credentials one time and be able to access all resources in primary and secondary network domains. This reduces the amount of time users spend authenticating to resources and enables the administrator to streamline user accounts and better control access rights. It improves security by reducing the probability that users will write down passwords and also reduces the administrator’s time spent on adding and removing user accounts and modifying access permissions. If an administrator needs to disable or suspend a specific account, he can do it uniformly instead of having to alter configurations on each and every platform.

This sounds really great as it solves all of our problems. Just one username and password and the world is yours, (Now that’s a lot), the resources are yours. 

Wish, life could be so simple. Single Sign-On (SSO) operates on an assumption that all platforms support the credentials in the same manner and will talk to each other, which is extremely rare, given the multitude of platforms and technologies which companies employ. Remember, the double edge sword mentioned earlier. It is simply that if you leak that one super powerful username and password to Thanos, you will see your resources vanishing like the Avengers.

So simply speaking, SSO technology allows you to access multiple resources through a single username and password. You enter the credentials and voila, you have everything you are authorized to access. It does help Susie as she doesn’t need to remember multiple passwords. She can keep one complex passphrase which is easy to remember, yet is extremely complex. 

One of the most commonly used SSO technology is Kerberos. 

If you have seen Harry Potter, you may remember the three-headed dog that was guarding the philosopher’s stone. The photo below may refresh your memory. Confused, as to why a three-headed dog related to SSO here? Kerberos is the name of a three-headed dog that guards the entrance to the underworld in Greek mythology. This is a great name for a security technology that provides authentication functionality, with the purpose of protecting a company’s assets.



So let’s understand everything about Kerberos but in a very simple manner. 

Kerberos is an example of a single sign-on system for distributed environments and is a de facto standard for heterogeneous networks.  Kerberos is like a family in which there are multiple family members and each has a role to play. Let’s hear the names of all these members with their introduction.

Key Distribution Centre – He is just like the father who is having all the money. The Key Distribution Center (KDC) is the most important component within a Kerberos environment. The KDC holds all users’ and services’ secret keys. It provides an authentication service, as well as key distribution functionality. The clients and services trust the integrity of the KDC, and this trust is the foundation of Kerberos security.

The father has a helping hand known as the TGS – ticket-granting service (the mother) which generates the ticket.

Principal – They are the users or the applications which ask for services from the KDC. You can think of them as the kids in the family. They have new requests every day for the father. (KDC). Let’s say, Cathy is one of the kids and requests for a chocolate from the father. So here, Cathy is the principal and the father will act like the KDC.

Hopefully, you understood the analogy. 

Now let’s take up a real situation to help out things into perspective.  This is how the Kerberos process would take place.

1. Cathy comes to Evil Corp to complete her assignment. She logs into her system by providing her credentials.

2. Her request goes to the Kerberos software in her system.

3. This software sends her request to the KDC (remember, KDC is the one which has all the secret keys).

4. KDC sends back Cathy a ticket (not to Europe for holiday !!), which is encrypted with her password.

5. If Cathy entered the right password, then the ticket would be decrypted. Understand it in this manner, if Cathy entered the right password in the beginning, her ticket which is received from the KDC would be valid, if not, then it would be an invalid ticket.

6. Now Evil Corp is in the business of selling user’s information on the black market. 

7. Cathy wants to access this database where all such illegal information is stored. 

8. In order to access this information, Cathy sends a request to access to this database server.

9. Cathy’s system sends a request to this database server, her system sends the TGT to the ticket-granting service (TGS), which runs on the KDC, and a request to access the database server.

10. Why is everyone sending each other tickets? I know. This is because of the trust factor. KDC is one whom everyone trusts. So everyone sends his/her requests to the KDC so that KDC can confirm to everyone whether this is an authorized entity requesting access or not.

11. The TGS creates and sends a second ticket to Cathy, which she will use to authenticate to the database server.

12. What does the second ticket contain? This second ticket contains two instances of the same session key, one encrypted with Cathy’s secret key and the other encrypted with the database server’s secret key.

13. Cathy’s system sends this second ticket to the database server for authentication. 

14. When the database server receives this second ticket, it verifies this by decrypting it. 

15. If it successfully decrypts it, this means it is a valid request. Post this validation, Cathy will get this access to the database server.

This is an extremely simplistic overview of what is going on in any Kerberos exchange, but it gives you an idea of the dance taking place behind the scenes whenever you interact with any network service in an environment that uses Kerberos.

What are your thoughts on this? Share your thoughts in the comments section below.