ALL IN ONE
CISSP® EXAM GUIDE
Fifth Edition

Shon Harris

McGraw Hill
New York  Chicago  San Francisco  Lisbon  London  Madrid  Mexico City  Milan  New Delhi  San Juan  Seoul  Singapore  Sydney  Toronto

CONTENTS

Forewords  xviii
Acknowledgments  xxi
Introduction

Chapter 1  Becoming a CISSP  1
    Why Become a CISSP?  1
    The CISSP Exam  2
    CISSP: A Brief History  7
    How Do You Become a CISSP?  8
    What Does This Book Cover?  8
    Tips for Taking the CISSP Exam  9
    How to Use This Book  11
    Questions  11
    Answers  15

Chapter 2  Security Trends  17
    How Security Became an Issue  17
    Areas of Security  20
    Benign to Scary  21
    Evidence of the Evolution of Hacking  22
    How Are Nations Affected?  25
    How Are Companies Affected?  27
    The U.S. Government's Actions  29
    Politics and Laws  33
    So What Does This Mean to Us?  35
    Hacking and Attacking  36
    Management  37
    A Layered Approach  39
    An Architectural View  40
    A Layer Missed  41
    Bringing the Layers Together  42
    Education  42
    Summary  43

Chapter 3  Information Security and Risk Management  45
    Security Management  45
    Security Management Responsibilities  46
    The Top-Down Approach to Security  47
    Security Administration and Supporting Controls  48
    Fundamental Principles of Security  51
    Availability  51
    Integrity  52
    Confidentiality  53
    Security Definitions  54
    Security Through Obscurity  56
    Organizational Security Model  57
    Security Program Components  59
    Information Risk Management  73
    Who Really Understands Risk Management?  73
    Information Risk Management Policy  74
    The Risk Management Team  75
    Risk Analysis  76
    The Risk Analysis Team  77
    The Value of Information and Assets  78
    Costs That Make Up the Value  79
    Identifying Threats  80
    Failure and Fault Analysis  83
    Quantitative Risk Analysis  86
    Qualitative Risk Analysis  91
    Quantitative vs. Qualitative  94
    Protection Mechanisms  95
    Putting It Together  99
    Total Risk vs. Residual Risk  100
    Handling Risk  101
    Policies, Standards, Baselines, Guidelines, and Procedures  102
    Security Policy  103
    Standards  106
    Baselines  107
    Guidelines  108
    Procedures  108
    Implementation  109
    Information Classification  111
    Private Business vs. Military Classifications  112
    Classification Controls  115
    Layers of Responsibility  117
    Who's Involved?  117
    The Data Owner  125
    The Data Custodian  125
    The System Owner  126
    The Security Administrator  126
    The Security Analyst  127
    The Application Owner  127
    The Supervisor  127
    The Change Control Analyst  127
    The Data Analyst  128
    The Process Owner  128
    The Solution Provider  128
    The User  128
    The Product Line Manager  129
    The Auditor  129
    Why So Many Roles?  129
    Personnel  130
    Structure  130
    Hiring Practices  131
    Employee Controls  133
    Termination  133
    Security-Awareness Training  134
    Different Types of Security-Awareness Training  135
    Evaluating the Program  136
    Specialized Security Training  137
    Summary  138
    Quick Tips  139
    Questions  142
    Answers  148

Chapter 4  Access Control  153
    Access Controls Overview  153
    Security Principles  154
    Availability  155
    Integrity  155
    Confidentiality  155
    Identification, Authentication, Authorization, and Accountability  156
    Identification and Authentication  158
    Password Management  169
    Authorization  194
    Access Control Models  210
    Discretionary Access Control  210
    Mandatory Access Control  211
    Role-Based Access Control  213
    Access Control Techniques and Technologies  216
    Rule-Based Access Control  216
    Constrained User Interfaces  218
    Access Control Matrix  218
    Content-Dependent Access Control  220
    Context-Dependent Access Control  220
    Access Control Administration  221
    Centralized Access Control Administration  222
    Decentralized Access Control Administration  229
    Access Control Methods  229
    Access Control Layers  230
    Administrative Controls  230
    Physical Controls  232
    Technical Controls  233
    Access Control Types  236
    Preventive: Administrative  238
    Preventive: Physical  238
    Preventive: Technical  239
    Accountability  242
    Review of Audit Information  244
    Keystroke Monitoring  244
    Protecting Audit Data and Log Information  245
    Access Control Practices  245
    Unauthorized Disclosure of Information  246
    Access Control Monitoring  248
    Intrusion Detection  249
    Intrusion Prevention Systems  258
    A Few Threats to Access Control  260
    Dictionary Attack  261
    Brute Force Attacks  262
    Spoofing at Logon  262
    Summary  266
    Quick Tips  266
    Questions  269
    Answers  276

Chapter 5  Security Architecture and Design  281
    Computer Architecture  283
    The Central Processing Unit  283
    Multiprocessing  288
    Operating System Architecture  289
    Process Activity  296
    Memory Management  297
    Memory Types  300
    Virtual Memory  308
    CPU Modes and Protection Rings  309
    Operating System Architecture  312
    Domains  313
    Layering and Data Hiding  314
    The Evolution of Terminology  316
    Virtual Machines  318
    Additional Storage Devices  320
    Input/Output Device Management  320
    System Architecture  324
    Defined Subsets of Subjects and Objects  325
    Trusted Computing Base  326
    Security Perimeter  329
    Reference Monitor and Security Kernel  330
    Security Policy  331
    Least Privilege  332
    Security Models  332
    State Machine Models  334
    The Bell-LaPadula Model  336
    The Biba Model  338
    The Clark-Wilson Model  341
    The Information Flow Model  344
    The Noninterference Model  347
    The Lattice Model  348
    The Brewer and Nash Model  350
    The Graham-Denning Model  351
    The Harrison-Ruzzo-Ullman Model  351
    Security Modes of Operation  353
    Dedicated Security Mode  353
    System High-Security Mode  353
    Compartmented Security Mode  354
    Multilevel Security Mode  354
    Trust and Assurance  356
    Systems Evaluation Methods  357
    Why Put a Product Through Evaluation?  357
    The Orange Book  358
    The Orange Book and the Rainbow Series  362
    The Red Book  363
    Information Technology Security Evaluation Criteria  364
    Common Criteria  367
    Certification vs. Accreditation  370
    Certification  371
    Accreditation  371
    Open vs. Closed Systems  372
    Open Systems  372
    Closed Systems  373
    Enterprise Architecture  373
    A Few Threats to Review  382
    Maintenance Hooks  382
    Time-of-Check/Time-of-Use Attacks  383
    Buffer Overflows  384
    Summary  388
    Quick Tips  389
    Questions
    Answers  397

Chapter 6  Physical and Environmental Security  401
    Introduction to Physical Security  401
    The Planning Process  404
    Crime Prevention Through Environmental Design  408
    Designing a Physical Security Program  413
    Protecting Assets  428
    Internal Support Systems  429
    Electric Power  430
    Environmental Issues  434
    Ventilation  437
    Fire Prevention, Detection, and Suppression  438
    Perimeter Security  445
    Facility Access Control  447
    Personnel Access Controls  454
    External Boundary Protection Mechanisms  455
    Intrusion Detection Systems  464
    Patrol Force and Guards  468
    Dogs  468
    Auditing Physical Access  469
    Testing and Drills  469
    Summary  470
    Quick Tips  471
    Questions  473
    Answers  478

Chapter 7  Telecommunications and Network Security  483
    Open Systems Interconnection Reference Model  485
    Protocol  485
    Application Layer  489
    Presentation Layer  489
    Session Layer  491
    Transport Layer  492
    Network Layer  493
    Data Link Layer  494
    Physical Layer  496
    Functions and Protocols in the OSI Model  496
    Tying the Layers Together  498
    TCP/IP  499
    TCP  500
    IP Addressing  506
    IPv6  508
    Types of Transmission  510
    Analog and Digital  510
    Asynchronous and Synchronous  511
    Broadband and Baseband  512
    LAN Networking  513
    Network Topology  513
    LAN Media Access Technologies  516
    Cabling  522
    Transmission Methods  528
    Media Access Technologies  529
    LAN Protocols  533
    Routing Protocols  538
    Networking Devices  541
    Repeaters  541
    Bridges  542
    Routers  544
    Switches  546
    Gateways  550
    PBXs  552
    Firewalls  553
    Honeypot  572
    Network Segregation and Isolation  572
    Networking Services and Protocols  573
    Domain Name Service  573
    Directory Services  578
    Lightweight Directory Access Protocol  580
    Network Address Translation  580
    Intranets and Extranets  582
    Metropolitan Area Networks  585
    Wide Area Networks  586
    Telecommunications Evolution  587
    Dedicated Links  589
    WAN Technologies  592
    Remote Access  610
    Dial-Up and RAS  610
    ISDN  611
    DSL  613
    Cable Modems  613
    VPN  615
    Authentication Protocols  621
    Remote Access Guidelines  623
    Wireless Technologies  624
    Wireless Communications  625
    WLAN Components  627
    Wireless Standards  630
    WAP  641
    i-Mode  642
    Mobile Phone Security  643
    War Driving for WLANs  644
    Satellites  646
    Rootkits  649
    Spyware and Adware  650
    Instant Messaging  651
    Summary  652
    Quick Tips  652
    Questions  656
    Answers  660

Chapter 8  Cryptography  665
    The History of Cryptography  666
    Cryptography Definitions and Concepts  671
    Kerckhoffs' Principle  672
    The Strength of the Cryptosystem  674
    Services of Cryptosystems  675
    One-Time Pad  677
    Running and Concealment Ciphers  679
    Steganography  680
    Types of Ciphers  683
    Substitution Ciphers  683
    Transposition Ciphers  684
    Methods of Encryption  686
    Symmetric vs. Asymmetric Algorithms  686
    Symmetric Cryptography  686
    Block and Stream Ciphers  691
    Hybrid Encryption Methods  698
    Types of Symmetric Systems  702
    Data Encryption Standard  703
    Triple-DES  710
    The Advanced Encryption Standard  711
    International Data Encryption Algorithm  711
    Blowfish  712
    RC4  712
    RC5  712
    RC6  712
    Types of Asymmetric Systems  713
    The Diffie-Hellman Algorithm  713
    RSA  716
    El Gamal  719
    Elliptic Curve Cryptosystems  719
    LUC  720
    Knapsack  720
    Zero Knowledge Proof  720
    Message Integrity  721
    The One-Way Hash  721
    Various Hashing Algorithms  726
    MD2  727
    MD4  727
    MD5  727
    Attacks Against One-Way Hash Functions  729
    Digital Signatures  730
    Digital Signature Standard  733
    Public Key Infrastructure  733
    Certificate Authorities  734
    Certificates  737
    The Registration Authority  737
    PKI Steps  738
    Key Management  740
    Key Management Principles  741
    Rules for Keys and Key Management  742
    Link Encryption vs. End-to-End Encryption  742
    E-mail Standards  745
    Multipurpose Internet Mail Extension  745
    Privacy-Enhanced Mail  746
    Message Security Protocol  747
    Pretty Good Privacy  747
    Quantum Cryptography  748
    Internet Security  750
    Start with the Basics  750
    Attacks  761
    Cipher-Only Attacks  761
    Known-Plaintext Attacks  761
    Chosen-Plaintext Attacks  761
    Chosen-Ciphertext Attacks  762
    Differential Cryptanalysis  762
    Linear Cryptanalysis  763
    Side-Channel Attacks  763
    Replay Attacks  764
    Algebraic Attacks  764
    Analytic Attacks  764
    Statistical Attacks  764
    Summary  765
    Quick Tips  765
    Questions  769
    Answers  773

Chapter 9  Business Continuity and Disaster Recovery  777
    Business Continuity and Disaster Recovery  778
    Business Continuity Steps  780
    Making BCP Part of the Security Policy and Program  781
    Project Initiation  783
    Business Continuity Planning Requirements  785
    Business Impact Analysis  786
    Preventive Measures  793
    Recovery Strategies  794
    Business Process Recovery  796
    Facility Recovery  797
    Supply and Technology Recovery  803
    The End-User Environment  808
    Data Backup Alternatives  809
    Electronic Backup Solutions  812
    Choosing a Software Backup Facility  814
    Insurance  816
    Recovery and Restoration  817
    Developing Goals for the Plans  821
    Implementing Strategies  823
    Testing and Revising the Plan  824
    Maintaining the Plan  829
    Summary  832
    Quick Tips  832
    Questions  834
    Answers  840

Chapter 10  Legal, Regulations, Compliance, and Investigations  845
    The Many Facets of Cyberlaw  846
    The Crux of Computer Crime Laws  847
    Complexities in Cybercrime  849
    Electronic Assets  851
    The Evolution of Attacks  851
    Different Countries  854
    Types of Laws  856
    Intellectual Property Laws  860
    Trade Secret  861
    Copyright  861
    Trademark  862
    Patent  862
    Internal Protection of Intellectual Property  863
    Software Piracy  863
    Privacy  865
    Laws, Directives, and Regulations  866
    Liability and Its Ramifications  874
    Personal Information  877
    Hacker Intrusion  878
    Investigations  879
    Incident Response  879
    Incident Response Procedures  883
    Computer Forensics and Proper Collection of Evidence  887
    International Organization on Computer Evidence  888
    Motive, Opportunity, and Means  889
    Computer Criminal Behavior  890
    Incident Investigators  890
    The Forensics Investigation Process  892
    What Is Admissible in Court?  898
    Surveillance, Search, and Seizure  901
    Interviewing and Interrogating  902
    A Few Different Attack Types  903
    Ethics  906
    The Computer Ethics Institute  907
    The Internet Architecture Board  908
    Corporate Ethics Programs  909
    Summary  910
    Quick Tips  910
    Questions  913
    Answers  918

Chapter 11  Application Security  921
    Software's Importance  921
    Where Do We Place the Security?  922
    Different Environments Demand Different Security  924
    Environment vs. Application  924
    Complexity of Functionality  925
    Data Types, Format, and Length  926
    Implementation and Default Issues  926
    Failure States  928
    Database Management  928
    Database Management Software  929
    Database Models  930
    Database Programming Interfaces  935
    Relational Database Components  936
    Integrity  940
    Database Security Issues  942
    Data Warehousing and Data Mining  948
    System Development  951
    Management of Development  951
    Life-Cycle Phases  952
    Software Development Methods  968
    Computer-Aided Software Engineering  969
    Prototyping  970
    Secure Design Methodology  970
    Secure Development Methodology  971
    Security Testing  972
    Change Control  972
    The Capability Maturity Model  974
    Software Escrow  976
    Application Development Methodology  976
    Object-Oriented Concepts  978
    Polymorphism  984
    Data Modeling  986
    Software Architecture  986
    Data Structures  987
    Cohesion and Coupling  987
    Distributed Computing  989
    CORBA and ORBs  989
    COM and DCOM  991
    Enterprise JavaBeans  993
    Object Linking and Embedding  994
    Distributed Computing Environment  995
    Expert Systems and Knowledge-Based Systems  998
    Artificial Neural Networks  1000
    Web Security  1000
    Vandalism  1001
    Financial Fraud  1001
    Privileged Access  1001
    Theft of Transaction Information  1001
    Theft of Intellectual Property  1001
    Denial-of-Service (DoS) Attacks  1001
    Create a Quality Assurance Process  1002
    Web Application Firewalls  1002
    Intrusion Prevention Systems  1002
    Implement SYN Proxies on the Firewall  1003
    Specific Threats for Web Environments  1003
    Mobile Code  1013
    Java Applets  1013
    ActiveX Controls  1015
    Malicious Software (Malware)  1016
    Antivirus Software  1022
    Spam Detection  1025
    Anti-Malware Programs  1026
    Patch Management  1027
    Step 1: Infrastructure  1028
    Step 2: Research  1028
    Step 3: Assess and Test  1028
    Step 4: Mitigation ("Rollback")  1029
    Step 5: Deployment ("Rollout")  1029
    Step 6: Validation, Reporting, and Logging  1029
    Limitations to Patching  1030
    Best Practices  1030
    Anything Else?  1030
    Attacks  1031
    Summary  1035
    Quick Tips  1036
    Questions  1040
    Answers  1044

Chapter 12  Operations Security  1049
    The Role of the Operations Department  1050
    Administrative Management  1051
    Security and Network Personnel  1053
    Accountability  1055
    Clipping Levels  1055
    Assurance Levels  1056
    Operational Responsibilities  1056
    Unusual or Unexplained Occurrences  1057
    Deviations from Standards  1057
    Unscheduled Initial Program Loads (a.k.a. Rebooting)  1058
    Asset Identification and Management  1058
    System Controls  1059
    Trusted Recovery  1060
    Input and Output Controls  1062
    System Hardening  1063
    Remote Access Security  1066
    Configuration Management  1067
    Change Control Process  1067
    Change Control Documentation  1069
    Media Controls  1070
    Data Leakage  1077
    Network and Resource Availability  1079
    Mean Time Between Failures (MTBF)  1080
    Mean Time to Repair (MTTR)  1080
    Single Points of Failure  1081
    Backups  1089
    Contingency Planning  1092
    Mainframes  1093
    E-mail Security  1095
    How E-mail Works  1096
    Facsimile Security  1099
    Hack and Attack Methods  1101
    Vulnerability Testing  1110
    Penetration Testing  1113
    Wardialing  1117
    Other Vulnerability Types  1118
    Postmortem  1120
    Summary  1122
    Quick Tips  1122
    Questions  1124
    Answers  1130

Appendix A  Security Content Automation Protocol Overview  1133
    Background  1133
    SCAP—More Than Just a Protocol  1134
    A Vulnerability Management Problem  1134
    A Vulnerability Management Solution—SCAP Specifications  1136
    SCAP Product Validation Program  1138
    The Future of Security Automation and SCAP  1139
    Conclusion  1139

Appendix B  About the CD-ROM  1141
    Running the QuickTime Cryptography Video Sample  1142
    Troubleshooting  1143
    Installing Total Seminars' Test Software  1143
    Navigation  1143
    Practice Mode  1143
    Final Mode  1143
    Minimum System Requirements for Total Seminars' Software  1144
    Technical Support  1144

Glossary

Index  1161