CISSP boxed set / [Book 1] / CISSP exam guide : [complete ...

CISSP All-in-One Exam Guide, Fifth Edition
Shon Harris

McGraw-Hill
New York, Chicago, San Francisco, Lisbon, London, Madrid, Mexico City, Milan, New Delhi, San Juan, Seoul, Singapore, Sydney, Toronto

CONTENTS

Forewords
Acknowledgments
Introduction

Chapter 1  Becoming a CISSP
    Why Become a CISSP?
    The CISSP Exam
    CISSP: A Brief History
    How Do You Become a CISSP?
    What Does This Book Cover?
    Tips for Taking the CISSP Exam
    How to Use This Book
    Questions
    Answers

Chapter 2  Security Trends
    How Security Became an Issue
    Areas of Security
        Benign to Scary
        Evidence of the Evolution of Hacking
        How Are Nations Affected?
        How Are Companies Affected?
        The U.S. Government's Actions
    Politics and Laws
        So What Does This Mean to Us?
    Hacking and Attacking
    Management
        A Layered Approach
        An Architectural View
        A Layer Missed
        Bringing the Layers Together
    Education
    Summary

Chapter 3  Information Security and Risk Management
    Security Management
        Security Management Responsibilities
        The Top-Down Approach to Security
        Security Administration and Supporting Controls
    Fundamental Principles of Security
        Availability
        Integrity
        Confidentiality
    Security Definitions
    Security Through Obscurity
    Organizational Security Model
        Security Program Components
    Information Risk Management
        Who Really Understands Risk Management?
        Information Risk Management Policy
        The Risk Management Team
    Risk Analysis
        The Risk Analysis Team
        The Value of Information and Assets
        Costs That Make Up the Value
        Identifying Threats
        Failure and Fault Analysis
        Quantitative Risk Analysis
        Qualitative Risk Analysis
        Quantitative vs. Qualitative
        Protection Mechanisms
        Putting It Together
        Total Risk vs. Residual Risk
        Handling Risk
    Policies, Standards, Baselines, Guidelines, and Procedures
        Security Policy
        Standards
        Baselines
        Guidelines
        Procedures
        Implementation
    Information Classification
        Private Business vs. Military Classifications
        Classification Controls
    Layers of Responsibility
        Who's Involved?
        The Data Owner
        The Data Custodian
        The System Owner
        The Security Administrator
        The Security Analyst
        The Application Owner
        The Supervisor
        The Change Control Analyst
        The Data Analyst
        The Process Owner
        The Solution Provider
        The User
        The Product Line Manager
        The Auditor
        Why So Many Roles?
    Personnel
        Structure
        Hiring Practices
        Employee Controls
        Termination
    Security-Awareness Training
        Different Types of Security-Awareness Training
        Evaluating the Program
        Specialized Security Training
    Summary
    Quick Tips
    Questions
    Answers

Chapter 4  Access Control
    Access Controls Overview
    Security Principles
        Availability
        Integrity
        Confidentiality
    Identification, Authentication, Authorization, and Accountability
        Identification and Authentication
        Password Management
        Authorization
    Access Control Models
        Discretionary Access Control
        Mandatory Access Control
        Role-Based Access Control
    Access Control Techniques and Technologies
        Rule-Based Access Control
        Constrained User Interfaces
        Access Control Matrix
        Content-Dependent Access Control
        Context-Dependent Access Control
    Access Control Administration
        Centralized Access Control Administration
        Decentralized Access Control Administration
    Access Control Methods
        Access Control Layers
        Administrative Controls
        Physical Controls
        Technical Controls
    Access Control Types
        Preventive: Administrative
        Preventive: Physical
        Preventive: Technical
    Accountability
        Review of Audit Information
        Keystroke Monitoring
        Protecting Audit Data and Log Information
    Access Control Practices
        Unauthorized Disclosure of Information
    Access Control Monitoring
        Intrusion Detection
        Intrusion Prevention Systems
    A Few Threats to Access Control
        Dictionary Attack
        Brute Force Attacks
        Spoofing at Logon
    Summary
    Quick Tips
    Questions
    Answers

Chapter 5  Security Architecture and Design
    Computer Architecture
        The Central Processing Unit
        Multiprocessing
        Operating System Architecture
        Process Activity
        Memory Management
        Memory Types
        Virtual Memory
        CPU Modes and Protection Rings
        Operating System Architecture
        Domains
        Layering and Data Hiding
        The Evolution of Terminology
        Virtual Machines
        Additional Storage Devices
        Input/Output Device Management
    System Architecture
        Defined Subsets of Subjects and Objects
        Trusted Computing Base
        Security Perimeter
        Reference Monitor and Security Kernel
        Security Policy
        Least Privilege
    Security Models
        State Machine Models
        The Bell-LaPadula Model
        The Biba Model
        The Clark-Wilson Model
        The Information Flow Model
        The Noninterference Model
        The Lattice Model
        The Brewer and Nash Model
        The Graham-Denning Model
        The Harrison-Ruzzo-Ullman Model
    Security Modes of Operation
        Dedicated Security Mode
        System High-Security Mode
        Compartmented Security Mode
        Multilevel Security Mode
        Trust and Assurance
    Systems Evaluation Methods
        Why Put a Product Through Evaluation?
        The Orange Book
        The Orange Book and the Rainbow Series
        The Red Book
        Information Technology Security Evaluation Criteria
        Common Criteria
    Certification vs. Accreditation
        Certification
        Accreditation
    Open vs. Closed Systems
        Open Systems
        Closed Systems
    Enterprise Architecture
    A Few Threats to Review
        Maintenance Hooks
        Time-of-Check/Time-of-Use Attacks
        Buffer Overflows
    Summary
    Quick Tips
    Questions
    Answers

Chapter 6  Physical and Environmental Security
    Introduction to Physical Security
    The Planning Process
        Crime Prevention Through Environmental Design
        Designing a Physical Security Program
    Protecting Assets
    Internal Support Systems
        Electric Power
        Environmental Issues
        Ventilation
        Fire Prevention, Detection, and Suppression
    Perimeter Security
        Facility Access Control
        Personnel Access Controls
        External Boundary Protection Mechanisms
        Intrusion Detection Systems
        Patrol Force and Guards
        Dogs
        Auditing Physical Access
        Testing and Drills
    Summary
    Quick Tips
    Questions
    Answers

Chapter 7  Telecommunications and Network Security
    Open Systems Interconnection Reference Model
        Protocol
        Application Layer
        Presentation Layer
        Session Layer
        Transport Layer
        Network Layer
        Data Link Layer
        Physical Layer
        Functions and Protocols in the OSI Model
        Tying the Layers Together
    TCP/IP
        TCP
        IP Addressing
        IPv6
    Types of Transmission
        Analog and Digital
        Asynchronous and Synchronous
        Broadband and Baseband
    LAN Networking
        Network Topology
        LAN Media Access Technologies
        Cabling
        Transmission Methods
        Media Access Technologies
        LAN Protocols
    Routing Protocols
    Networking Devices
        Repeaters
        Bridges
        Routers
        Switches
        Gateways
        PBXs
        Firewalls
        Honeypot
        Network Segregation and Isolation
    Networking Services and Protocols
        Domain Name Service
        Directory Services
        Lightweight Directory Access Protocol
        Network Address Translation
    Intranets and Extranets
    Metropolitan Area Networks
    Wide Area Networks
        Telecommunications Evolution
        Dedicated Links
        WAN Technologies
    Remote Access
        Dial-Up and RAS
        ISDN
        DSL
        Cable Modems
        VPN
        Authentication Protocols
        Remote Access Guidelines
    Wireless Technologies
        Wireless Communications
        WLAN Components
        Wireless Standards
        WAP
        i-Mode
        Mobile Phone Security
        War Driving for WLANs
        Satellites
    Rootkits
        Spyware and Adware
        Instant Messaging
    Summary
    Quick Tips
    Questions
    Answers

Chapter 8  Cryptography
    The History of Cryptography
    Cryptography Definitions and Concepts
        Kerckhoffs' Principle
        The Strength of the Cryptosystem
        Services of Cryptosystems
        One-Time Pad
        Running and Concealment Ciphers
        Steganography
    Types of Ciphers
        Substitution Ciphers
        Transposition Ciphers
    Methods of Encryption
        Symmetric vs. Asymmetric Algorithms
        Symmetric Cryptography
        Block and Stream Ciphers
        Hybrid Encryption Methods
    Types of Symmetric Systems
        Data Encryption Standard
        Triple-DES
        The Advanced Encryption Standard
        International Data Encryption Algorithm
        Blowfish
        RC4
        RC5
        RC6
    Types of Asymmetric Systems
        The Diffie-Hellman Algorithm
        RSA
        El Gamal
        Elliptic Curve Cryptosystems
        LUC
        Knapsack
        Zero Knowledge Proof
    Message Integrity
        The One-Way Hash
        Various Hashing Algorithms
        MD2
        MD4
        MD5
        Attacks Against One-Way Hash Functions
        Digital Signatures
        Digital Signature Standard
    Public Key Infrastructure
        Certificate Authorities
        Certificates
        The Registration Authority
        PKI Steps
    Key Management
        Key Management Principles
        Rules for Keys and Key Management
    Link Encryption vs. End-to-End Encryption
    E-mail Standards
        Multipurpose Internet Mail Extension
        Privacy-Enhanced Mail
        Message Security Protocol
        Pretty Good Privacy
        Quantum Cryptography
    Internet Security
        Start with the Basics
    Attacks
        Cipher-Only Attacks
        Known-Plaintext Attacks
        Chosen-Plaintext Attacks
        Chosen-Ciphertext Attacks
        Differential Cryptanalysis
        Linear Cryptanalysis
        Side-Channel Attacks
        Replay Attacks
        Algebraic Attacks
        Analytic Attacks
        Statistical Attacks
    Summary
    Quick Tips
    Questions
    Answers

Chapter 9  Business Continuity and Disaster Recovery
    Business Continuity and Disaster Recovery
        Business Continuity Steps
        Making BCP Part of the Security Policy and Program
        Project Initiation
    Business Continuity Planning Requirements
        Business Impact Analysis
        Preventive Measures
        Recovery Strategies
        Business Process Recovery
        Facility Recovery
        Supply and Technology Recovery
        The End-User Environment
        Data Backup Alternatives
        Electronic Backup Solutions
        Choosing a Software Backup Facility
        Insurance
        Recovery and Restoration
        Developing Goals for the Plans
        Implementing Strategies
        Testing and Revising the Plan
        Maintaining the Plan
    Summary
    Quick Tips
    Questions
    Answers

Chapter 10  Legal, Regulations, Compliance, and Investigations
    The Many Facets of Cyberlaw
    The Crux of Computer Crime Laws
    Complexities in Cybercrime
        Electronic Assets
        The Evolution of Attacks
        Different Countries
        Types of Laws
    Intellectual Property Laws
        Trade Secret
        Copyright
        Trademark
        Patent
        Internal Protection of Intellectual Property
        Software Piracy
    Privacy Laws, Directives, and Regulations
    Liability and Its Ramifications
        Personal Information
        Hacker Intrusion
    Investigations
        Incident Response
        Incident Response Procedures
        Computer Forensics and Proper Collection of Evidence
        International Organization on Computer Evidence
        Motive, Opportunity, and Means
        Computer Criminal Behavior
        Incident Investigators
        The Forensics Investigation Process
        What Is Admissible in Court?
        Surveillance, Search, and Seizure
        Interviewing and Interrogating
        A Few Different Attack Types
    Ethics
        The Computer Ethics Institute
        The Internet Architecture Board
        Corporate Ethics Programs
    Summary
    Quick Tips
    Questions
    Answers

Chapter 11  Application Security
    Software's Importance
    Where Do We Place the Security?
    Different Environments Demand Different Security
        Environment vs. Application
        Complexity of Functionality
        Data Types, Format, and Length
        Implementation and Default Issues
        Failure States
    Database Management
        Database Management Software
        Database Models
        Database Programming Interfaces
        Relational Database Components
        Integrity
        Database Security Issues
        Data Warehousing and Data Mining
    System Development
        Management of Development
        Life-Cycle Phases
        Software Development Methods
        Computer-Aided Software Engineering
        Prototyping
        Secure Design Methodology
        Secure Development Methodology
        Security Testing
        Change Control
        The Capability Maturity Model
        Software Escrow
    Application Development Methodology
        Object-Oriented Concepts
        Polymorphism
        Data Modeling
        Software Architecture
        Data Structures
        Cohesion and Coupling
    Distributed Computing
        CORBA and ORBs
        COM and DCOM
        Enterprise JavaBeans
        Object Linking and Embedding
        Distributed Computing Environment
    Expert Systems and Knowledge-Based Systems
    Artificial Neural Networks
    Web Security
        Vandalism
        Financial Fraud
        Privileged Access
        Theft of Transaction Information
        Theft of Intellectual Property
        Denial-of-Service (DoS) Attacks
        Create a Quality Assurance Process
        Web Application Firewalls
        Intrusion Prevention Systems
        Implement SYN Proxies on the Firewall
        Specific Threats for Web Environments
    Mobile Code
        Java Applets
        ActiveX Controls
        Malicious Software (Malware)
        Antivirus Software
        Spam Detection
        Anti-Malware Programs
    Patch Management
        Step 1: Infrastructure
        Step 2: Research
        Step 3: Assess and Test
        Step 4: Mitigation ("Rollback")
        Step 5: Deployment ("Rollout")
        Step 6: Validation, Reporting, and Logging
        Limitations to Patching
        Best Practices
        Anything Else?
    Attacks
    Summary
    Quick Tips
    Questions
    Answers

Chapter 12  Operations Security
    The Role of the Operations Department
    Administrative Management
        Security and Network Personnel
        Accountability
        Clipping Levels
    Assurance Levels
    Operational Responsibilities
        Unusual or Unexplained Occurrences
        Deviations from Standards
        Unscheduled Initial Program Loads (a.k.a. Rebooting)
        Asset Identification and Management
        System Controls
        Trusted Recovery
        Input and Output Controls
        System Hardening
        Remote Access Security
    Configuration Management
        Change Control Process
        Change Control Documentation
    Media Controls
        Data Leakage
    Network and Resource Availability
        Mean Time Between Failures (MTBF)
        Mean Time to Repair (MTTR)
        Single Points of Failure
        Backups
        Contingency Planning
    Mainframes
    E-mail Security
        How E-mail Works
        Facsimile Security
    Hack and Attack Methods
        Vulnerability Testing
        Penetration Testing
        Wardialing
        Other Vulnerability Types
        Postmortem
    Summary
    Quick Tips
    Questions
    Answers

Appendix A  Security Content Automation Protocol Overview
    Background
    SCAP—More Than Just a Protocol
    Vulnerability Management Problem
    A Vulnerability Management Solution—SCAP
    Specifications and SCAP
    SCAP Product Validation Program
    The Future of Security Automation
    Conclusion

Appendix B  About the CD-ROM
    Running the QuickTime Cryptography Video Sample
    Troubleshooting
    Installing Total Seminars' Test Software
    Navigation
        Practice Mode
        Final Mode
    Minimum System Requirements for Total Seminars' Software
    Technical Support

Glossary

Index