Cissp Cram

Apr 08, 2018

Antonio Chau
Page 1: Cissp Cram

8/6/2019 Cissp Cram

http://slidepdf.com/reader/full/cissp-cram 1/36

Certified Information Systems Security Professional, Version 3.0.0

Notice: While every precaution has been taken in the preparation of this material, neither the author nor Cramsession.com assumes any liability in the event of loss or damage directly or indirectly caused by any inaccuracies or incompleteness of the material contained in this document. The information in this document is provided and distributed "as-is", without any expressed or implied warranty. Your use of the information in this document is solely at your own risk, and Cramsession.com cannot be held liable for any damages incurred through the use of this material. The use of product names in this work is for information purposes only, and does not constitute an endorsement by, or affiliation with Cramsession.com. Product names used in this work may be registered trademarks of their manufacturers. This document is protected under US and international copyright laws and is intended for individual, personal use only. For more details, visit our legal page.

Check out these great features at www.cramsession.com

> Discussion Boards: http://boards.cramsession.com

> Info Center: http://infocenter.cramsession.com

> SkillDrill: http://www.skilldrill.com

> Newsletters: http://newsletters.cramsession.com/default.asp

> CramChallenge Questions: http://newsletters.cramsession.com/signup/default.asp#cramchallenge

> Discounts & Freebies: http://newsletters.cramsession.com/signup/ProdInfo.asp

Your Trusted Study Resource for Technical Certifications. Written by experts. The most popular study guides on the web, in versatile PDF file format.


Certified Information Systems Security Professional, Version 3.0.0

Abstract: This study guide will help you prepare for the International Information Systems Security Certifications Consortium, Inc. (ISC2) exam, Certified Information Systems Security Professional (CISSP). This exam consists of 250 multiple-choice questions. Candidates have up to 6 hours to complete the examination. Ten CISSP information systems security test domains are covered in the examination, pertaining to the Common Body of Knowledge.

Find even more help here:

01/03/02© 2002 All Rights Reserved – BrainBuzz.com


Contents:
CBK #1: Access Control Systems
CBK #2: Telecommunications and Network Security
CBK #3: Security Management Practices
CBK #4: Applications and Systems Development
CBK #5: Cryptography
CBK #6: Security Architecture and Models
CBK #7: Operational Security
CBK #8: Business Continuity Planning and Disaster Recovery Planning
CBK #9: Law, Investigation, and Ethics
CBK #10: Physical Security
Additional Material
    Types of Attacks
    PKI
    Security Assessment
    Orange Book
    TCP/IP
    Glossary


CBK #1: Access Control Systems

• Definition: Access control is the set of procedures (hardware, software, and administrators) used to monitor access to systems, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules and policies

• Access Control List (“ACL”): An ACL is a register of (1) the users who have been given permission to use an object and (2) the types of access they have been permitted

• Controls: Used to mitigate risks. Controls can relate to subjects (entities or individuals; active entities) or objects (files, systems, or other resources; passive entities). Controls can be preventive, detective, or corrective. They can be implemented by:
    o Administrative controls: Policies and procedures, disaster recovery plans, awareness training, security reviews and audits, background checks, review of vacation history, separation of duties, and job rotation
    o Logical or technical controls: Restrict access to systems and protect information. Encryption, smart cards, anti-virus software, audit trails, log files, ACLs, biometrics, and transmission protocols (e.g., Kerberos, IPSec)
    o Physical controls: Guards and building security, biometric access restrictions, protection of cables, file backups

Mnemonic: ALP = Administrative, Logical, and Physical controls

• Constrained User Interface: Menus and shells; database views; and physically constrained user interfaces (a limited number of buttons, e.g., an ATM). Depending on how it is implemented, the control could be either physical or logical

• Three types of access rules:
    o Mandatory Access Control (MAC): Authorization of a subject’s access to an object depends on labels (sensitivity levels), which indicate the subject’s clearance and the classification or sensitivity of the relevant object. Every object is assigned a sensitivity level/label and only users authorized up to that particular level can access the object. Access depends on rules and not on the identity of the subjects or objects alone. Only an administrator (not owners) may change the category of a resource. Orange Book B level. Output must be labeled as to sensitivity level. Unlike permission bits or ACLs, labels cannot ordinarily be changed by users. A labeled file can’t be copied into another file with a different label. Rule-based AC


    o Discretionary Access Control (DAC): The subject has authority, within certain limits, to specify which objects are accessible (e.g., by use of an ACL). User-directed means a user has discretion. Identity-based means discretionary access control is based on the subject’s identity. Very common in the commercial context because of its flexibility. Orange Book C level. Relies on the object owner to control access. Identity-based AC

    o Non-Discretionary Access Control: An administrator determines which subjects can have access to certain objects based on the organization’s security policy. May be based on an individual’s role in the organization (Role-Based) or on the subject’s responsibilities or duties (Task-Based)

• Checksumming: Keep a checksum (better, a cryptographic hash, since a plain CRC can be fixed up by whoever altered the file) of program files to see if they have been altered. Values should change only when updates are installed. Use it to find changes made with SuperZap (the IBM mainframe utility that patches disk contents directly, bypassing normal controls)

• Intrusion Detection Systems (IDS):
    o Monitor network traffic or host audit logs to detect violations of security policy. Detect attacks by two major mechanisms: signature-based ID (knowledge-based) or statistical anomaly-based ID (behavior-based)
    o Two general types of IDS:
        Network-Based IDS: Doesn’t consume network or host resources. Reviews packets and headers. Monitors network traffic in real time. Won’t detect attacks against a host by a user logged in at the host’s terminal (only the network is monitored)
        Host-Based IDS: Reviews system and event logs to detect attacks on the host. Efficacy is limited by the incompleteness of most host audit log capabilities. Resident on centralized hosts
    o In many instances, Network-Based IDS will be combined with Host-Based IDS to provide a more complete approach to protection
    o Clipping Level: Setting a threshold on a reported activity. A clipping level of three can be set for reporting failed workstation logon attempts: three or fewer won’t result in a reported security violation; the fourth does
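Added example, not from the original guide: the clipping-level rule in the last bullet applied to a few constructed workstation logon records. Failures are counted per user and workstation inside a sliding time window and reset by a successful logon; a count equal to the clipping level is tolerated and only a count above it is reported, so three failures stay silent and the fourth triggers. The log format, the 10-minute window and the user and host names are assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Format: "<ISO timestamp> ws=<host> user=<name> event=<type>"
LOG_LINES = [
    "2002-01-03T09:00:01 ws=WS12 user=alice event=LOGON_FAILED",
    "2002-01-03T09:00:09 ws=WS12 user=alice event=LOGON_FAILED",
    "2002-01-03T09:00:15 ws=WS12 user=alice event=LOGON_FAILED",
    "2002-01-03T09:00:21 ws=WS12 user=alice event=LOGON_OK",      # 3 misses then success: at, not above, the level
    "2002-01-03T09:01:00 ws=WS07 user=bob event=LOGON_FAILED",
    "2002-01-03T09:01:02 ws=WS07 user=bob event=LOGON_FAILED",
    "2002-01-03T09:01:04 ws=WS07 user=bob event=LOGON_FAILED",
    "2002-01-03T09:01:06 ws=WS07 user=bob event=LOGON_FAILED",    # 4th failure inside the window: violation
    "2002-01-03T09:01:08 ws=WS07 user=bob event=LOGON_FAILED",
    "2002-01-03T08:00:00 ws=WS03 user=carol event=LOGON_FAILED",  # 4 failures, but spread 40 minutes apart
    "2002-01-03T08:40:00 ws=WS03 user=carol event=LOGON_FAILED",
    "2002-01-03T09:20:00 ws=WS03 user=carol event=LOGON_FAILED",
    "2002-01-03T10:00:00 ws=WS03 user=carol event=LOGON_FAILED",
]


def parse(line: str) -> dict:
    """Split one record into a dict; the timestamp becomes a datetime for window arithmetic."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def clipping_violations(lines, clipping_level=3, window=timedelta(minutes=10)) -> dict:
    """Return {(user, ws): peak failures seen in one window} for every key that exceeded the level.

    Only len(window) > clipping_level is reported; a successful logon clears the running count.
    Records are sorted first, so out-of-order log delivery does not break the window.
    """
    recent = defaultdict(deque)   # (user, ws) -> timestamps of failures still inside the window
    reported = {}
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        key = (rec["user"], rec["ws"])
        if rec["event"] == "LOGON_OK":
            recent[key].clear()
            continue
        if rec["event"] != "LOGON_FAILED":
            continue
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > clipping_level:
            reported[key] = max(reported.get(key, 0), len(q))
    return reported


if __name__ == "__main__":
    for (user, ws), n in clipping_violations(LOG_LINES).items():
        print(f"VIOLATION user={user} ws={ws} failed_logons={n} (clipping level 3)")
```

With the defaults only bob is reported (five failures in eight seconds). Lowering the level to two also reports alice, and widening the window to three hours catches carol's slow attempts, which is the tuning trade-off a clipping level represents: the higher the level and the shorter the window, the fewer false alarms and the more a patient attacker can get away with.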

• Authentication: Identification and authentication are keystones of access control. Authentication establishes the identity of a subject but does not guarantee authorization. Compare authorization, which determines whether a user is permitted to perform some action or access a resource. Authentication and authorization are two separate processes
    o Three possible factors for authentication:
        Something you have (token, key to a lock)
        Something you know (password, PIN)
        Something you are (biometrics)
    o Two-factor authentication refers to the use of two of the three factors listed above


    o Methods of authentication: user name and password; X.509 certificate; biometrics; smart cards; anonymous
    o Problems with passwords: repudiable, insecure, easily broken
    o Password Management (composition, length, lifetime, source, ownership, distribution, storage, entry, transmission, and authentication period):
        Configure the system to require strong passwords
        Set password lifetime and length limits
        Limit unsuccessful logins
        Limit concurrent connections
        Enable auditing
        Show the last login date in banners

    o Cognitive Passwords: Fact-based cognitive data used for user authentication. Favorite color, movie, vegetable

    o Biometrics: No common Application Programming Interface (“API”). Three factors in evaluating a biometric access system: average enrollment time must be less than 2 minutes per user, throughput rate should be 6-10 subjects per minute, and acceptability (privacy, invasiveness, can be used to detect health problems, transmission of disease). Biometric template file sizes range from 9 bytes to 10,000 bytes. Three main performance measurements of biometric systems:
        False Rejection Rate (FRR) or Type I Error: % of valid subjects rejected. A system that is too sensitive has too high an FRR
        False Acceptance Rate (FAR) or Type II Error: % of invalid subjects falsely accepted. A system that is not sensitive enough has too high a FAR
        Crossover Error Rate (CER): the point, reached by adjusting sensitivity, at which FRR = FAR. Lower is better: a system with a CER of 2% is more accurate than one with a CER of 5%

    o Types of passwords: static passwords, dynamic passwords (change with each login), one-time passwords. Pass phrase: converted by the system into a virtual password

    o Tokens: Two types: memory cards (no processing) or smart cards. Tokens may be used to generate static and dynamic passwords. Tokens can be in the form of a credit-card-like device, a calculator-like device, or a dongle attached to a USB port on a workstation. Four kinds of tokens:
        Static Password Tokens: The owner authenticates himself to the token and the token authenticates the owner to the system
        Synchronous Dynamic Password Token: The token generates a new unique password at fixed time intervals; the user enters the unique password and username into the system; the system confirms that the password and username are correct and were entered during the allowed time interval


        Asynchronous Dynamic Password Token: Same as synchronous except there is no time dependency
        Challenge-Response Token: The system or workstation generates a random-number challenge; the owner enters the string into the token along with the proper PIN; the token generates a response that is entered into the system

    o Single Sign-On (SSO): Kerberos, SESAME, KryptoKnight, and NetSP can provide SSO

    o Kerberos: Named for the three-headed dog of Greek mythology that guards the gates of Hades. Software used in a network to establish a user’s identity. Uses symmetric key encryption. Users/systems are given tickets that can be used to identify themselves to other systems, and secret crypto keys are provisioned for secure communications. Three components: Key Distribution Center (KDC), Authentication Service (AS) exchange, and Ticket Granting Service (TGS) exchange. The KDC is a single point of potential failure (and of compromise, since it holds every key), and tickets are susceptible to replay attacks during the allotted time window. Four basic steps:
        The KDC knows the secret keys of all clients and servers on the network
        The KDC initially exchanges information with the client and server by using those secret keys
        Kerberos authenticates a client to a requested service on a server through the TGS, by issuing temporary symmetric session keys for communications between the client and KDC, the server and the KDC, and the client and server
        Communication then takes place between client and server using those temporary session keys
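The four steps above as an added Python example; this is neither the guide's code nor any real Kerberos implementation. The KDC holds every principal's long-term key; the AS exchange returns a TGT the client cannot read plus a session key it can; the TGS exchange turns the TGT into a service ticket; and the service verifies ticket and authenticator offline with only its own key. The cipher is a toy SHA-256 keystream with an HMAC tag standing in for the DES/AES of real Kerberos, the clock is passed in explicitly, and the replay cache at the service is the standard countermeasure to the replay window the text mentions. Principal names, the 5-minute skew and the 8-hour ticket lifetime are assumptions.

```python
import hashlib
import hmac
import json
import os

SKEW = 300                  # seconds of clock skew tolerated on an authenticator (assumed; 5 min is conventional)
TICKET_LIFETIME = 8 * 3600  # seconds a ticket stays valid (assumed)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256. Toy construction for the demo only."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, msg: dict) -> str:
    """Toy authenticated encryption: XOR with keystream, then HMAC-SHA256 over nonce||ciphertext."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def unseal(key: bytes, blob_hex: str) -> dict:
    """Reverse of seal(); raises if the key is wrong or the blob was tampered with."""
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _check_authenticator(ticket: dict, authenticator: str, now: int) -> None:
    """Shared by TGS and service: the authenticator must open under the ticket's session key,
    name the same client as the ticket, and be fresh; the ticket itself must not have expired."""
    auth = unseal(bytes.fromhex(ticket["sk"]), authenticator)
    if now > ticket["exp"]:
        raise PermissionError("ticket expired")
    if auth["client"] != ticket["client"] or abs(now - auth["ts"]) > SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")


class KDC:
    """Step 1: knows the long-term key of every client and server ('krbtgt' is the TGS's own key)."""

    def __init__(self, keys: dict):
        self.keys = keys

    def as_exchange(self, client: str, now: int) -> str:
        """Step 2, AS exchange: TGT sealed under the TGS key, session key sealed under the client's key.
        Only a client holding the right long-term key can open the reply; no password crosses the wire."""
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": sk, "exp": now + TICKET_LIFETIME})
        return seal(self.keys[client], {"sk": sk, "tgt": tgt})

    def tgs_exchange(self, tgt: str, authenticator: str, service: str, now: int) -> str:
        """Step 3, TGS exchange: validate TGT + authenticator, issue a service ticket and a new session key."""
        t = unseal(self.keys["krbtgt"], tgt)
        _check_authenticator(t, authenticator, now)
        sk_svc = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "sk": sk_svc, "exp": now + TICKET_LIFETIME})
        return seal(bytes.fromhex(t["sk"]), {"sk": sk_svc, "ticket": ticket})


class Service:
    """An application server: holds only its own key and never contacts the KDC to verify a ticket."""

    def __init__(self, key: bytes):
        self.key = key
        self.replay_cache = set()   # authenticators already accepted inside the skew window

    def accept(self, ticket: str, authenticator: str, now: int) -> str:
        """Step 4 starts here: returns the authenticated client name, or raises."""
        t = unseal(self.key, ticket)
        _check_authenticator(t, authenticator, now)
        if authenticator in self.replay_cache:   # closes the replay window the text warns about
            raise PermissionError("replayed authenticator")
        self.replay_cache.add(authenticator)
        return t["client"]


def demo(now: int = 1_010_000_000) -> dict:
    """Constructed run: alice authenticates, reaches 'fileserver', then an eavesdropper replays her request."""
    keys = {"alice": os.urandom(32), "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}
    kdc, fileserver = KDC(keys), Service(keys["fileserver"])

    as_rep = unseal(keys["alice"], kdc.as_exchange("alice", now))
    sk_tgs = bytes.fromhex(as_rep["sk"])
    tgs_req_auth = seal(sk_tgs, {"client": "alice", "ts": now + 1})
    tgs_rep = unseal(sk_tgs, kdc.tgs_exchange(as_rep["tgt"], tgs_req_auth, "fileserver", now + 1))
    sk_svc = bytes.fromhex(tgs_rep["sk"])

    ap_req = (tgs_rep["ticket"], seal(sk_svc, {"client": "alice", "ts": now + 2}))
    outcomes = {"client": fileserver.accept(*ap_req, now + 2)}
    try:                                    # immediate replay of the captured AP-REQ
        fileserver.accept(*ap_req, now + 3)
        outcomes["replay_rejected"] = False
    except PermissionError:
        outcomes["replay_rejected"] = True
    try:                                    # same AP-REQ against a server with an empty cache, after the skew window
        Service(keys["fileserver"]).accept(*ap_req, now + SKEW + 10)
        outcomes["stale_rejected"] = False
    except PermissionError:
        outcomes["stale_rejected"] = True
    return outcomes
```

The two failure cases in demo() show why the text's replay warning is bounded by the time window: a server without a replay cache would accept the captured request at any time inside the skew, and only the timestamp check stops it afterwards.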

    o SESAME: Secure European System for Applications in a Multivendor Environment. Addresses weaknesses in Kerberos by using public key cryptography for the distribution of secret keys

    o KryptoKnight: IBM-developed; provides authentication, SSO, and key distribution services

    o Rule of Least Privilege: Any subject (user, administrator, program, system) should have only the least privileges it needs to perform its assigned task, and no more. The AC system grants users only those rights necessary for them to perform their work. Example: a valet key versus the full key to a car. Authorization creep occurs when someone continues to retain access privileges associated with a former position. Users should be re-authorized after each position change

    o Accountability is also important to access control: the ability to use log files and other accounting mechanisms to track users and their activities


    o Methods of compensating for access control violations:
        Backups
        RAID
        Fault tolerance
        Business continuity planning
        Insurance

    o Access Control Methodologies: Access control can be divided into two categories:
        Centralized Access Control: For dial-up users, the Remote Authentication Dial-In User Service (RADIUS) is used. Callback can be used with RADIUS (beware of attackers using call forwarding). Challenge Handshake Authentication Protocol (CHAP) is also used. For networked applications, the Terminal Access Controller Access Control System (TACACS) employs a user ID and a static password for network access. TACACS is unencrypted
        Decentralized/Distributed Access Control: Use of databases to control access to information in a decentralized environment. Relational database models have three parts: (1) data structures called tables or relations; (2) integrity rules on allowable values and value combinations in the tables; and (3) operators on the data in the tables. The fundamental entity is the relation (a table, or set of columns in a table), whose “attributes” (columns) have permissible values; a specific attribute is a “key” with unique values, occurring in “instances” or tuples (rows). Cardinality is the number of rows in the table. Degree is the number of columns in the table. A candidate key is an attribute that is a unique identifier within a given table. The primary key is the unique identifier that points to a tuple; it is chosen from the set of candidate keys. If an attribute in one relation has values that match the primary key in another relation, this attribute is called a foreign key. The domain of a relation is the set of allowable values that an attribute can take on. Security is provided through views. The description of the database is called a schema, which is defined by the Data Description Language (DDL). The database management system (DBMS) is the software that maintains and provides access to the database. Relational databases are used for information in text form. Graphics, video, and multimedia are more suited to an Object-Oriented Database (OODB). There is also a hybrid, the Object-Relational DB


CBK #2: Telecommunications and Network Security

• IDS: Not a preventive function
    o Network-Based: Usually consists of a network appliance with a Network Interface Card (“NIC”) operating in promiscuous mode to intercept packets in real time
    o Host-Based: Small programs (agents) reside on the host and monitor the OS. They write log files and trigger alarms; only detects activity on the host, not on the network
    o Knowledge-Based (Signature): Most common system. Low false alarms; resource intensive (the knowledge base must be continually updated); new or original attacks go unnoticed
    o Behavior-Based (Statistical anomaly): Dynamically adapts to new vulnerabilities; high incidence of false alarms

• Computer Incident Response Team (“CIRT”): Analysis of event notification; response to the incident, escalation path, resolution and post-incident follow-up. Links user support and incident handling

• Redundant Array of Independent (Inexpensive) Disks (“RAID”): Can be implemented in hardware or software. Three classifications of RAID; only Failure Resistant Disk Systems (FRDS) have been implemented. There are ten levels of RAID. RAID 0 only stripes data; RAID 1 does disk mirroring; RAID 5, the most popular implementation, stripes data and parity information

• Port Protection Device: Protects a port from unauthorized use. Uses a DES one-time password challenge
• Redundant Servers (mirroring) versus Server Clustering (servers are managed as a single system; all are online and working)
• Cabling: Exceeding the effective length is a common problem
    o Coaxial: 50 ohm and 75 ohm. Baseband carries only one channel; broadband carries several channels. BNC connector
    o Twisted pair: Wires can be shielded (STP) or unshielded (UTP). Categories: the higher the category, the more tightly twisted the wire, giving greater protection from interference. Category 5 is for Fast Ethernet at 100 Mbps. STP is used in Token Ring. RJ-45 connector
    o Fiber optic: Most resistant to interference. SC connector
• LAN Transmission Methods: Unicast, multicast, broadcast
• LAN Topologies: Bus, Ring, Star, Tree, and Mesh
• Ethernet: 10BaseT is 10 Mbps; 100BaseT is 100 Mbps


    Specification   Cable Type               Max Length
    10BaseT         UTP                      100 meters
    10Base2         Thin Coax (Thinnet)      185 meters
    10Base5         Thick Coax (Thicknet)    500 meters
    10BaseF         Fiber                    2000 meters

• Network topologies
    o Ethernet
    o Token Ring
    o Fiber Distributed Data Interface (FDDI): token-passing media with dual rings
• Trivial File Transfer Protocol (TFTP): used for saving setups and configuration files on routers and other devices. It has no authentication, so restrict where it can be reached from

• Trusted Network Interpretation (TNI): Department of Defense Red Book. Extended the Orange Book to networks

• Wide Area Network (WAN)
    o Private Circuit Technologies: dedicated line, leased line, PPP, SLIP, ISDN, DSL
    o Packet-Switched Technologies: X.25, Frame Relay (fastest WAN protocol, no error correction), Asynchronous Transfer Mode (ATM) (data travels in fixed sizes called cells), Synchronous Data Link Control (SDLC, mainframe), High-Level Data Link Control (HDLC, serial link), High Speed Serial Interface (HSSI). More cost effective than dedicated circuits because they can create virtual circuits, which are used as needed
    o Protocols:
        High-Level Data Link Control (HDLC): Layer 2 of the OSI model. Uses frames
        High Speed Serial Interface (HSSI): Short distance, 50 feet

• Remote Node Security Protocols: Password Authentication Protocol (PAP, the standard authentication method; password and username are sent in the clear) and CHAP (challenge-response; the password itself never crosses the link). TACACS, TACACS+ (two-factor ID), and RADIUS provide a central database, which maintains user lists, passwords, and user profiles that can be accessed by remote access equipment on the network. These systems are “standards-based”, meaning they are interoperable with other systems of the same type. RADIUS cannot provide two-way authentication
• Data encapsulation is the process in which information from one packet is wrapped around or attached to the data of another packet. In the OSI model each layer encapsulates the data handed down from the layer immediately above it


• Open Systems Interconnection (OSI) Model from the International Organization for Standardization (ISO):

    Layer            Security services                                  Technology                 Protocols
    7 Application    confidentiality, authentication, data integrity,   gateways                   FTP, SNMP, SMTP, DNS, TFTP, NFS, S-HTTP
                     non-repudiation
    6 Presentation   confidentiality, authentication, encryption        gateways
    5 Session        none                                               gateways                   RPC, SQL
    4 Transport      confidentiality, authentication, integrity         gateways                   TCP, UDP, SSL, SSH-2
    3 Network        confidentiality, authentication, data integrity    virtual circuits, routers  IP, IPSec, ARP, RARP, ICMP
    2 Data Link      confidentiality                                    bridges, switches          HDLC, PPTP, L2F, L2TP, Token Ring, Ethernet, PPP, SLIP
    1 Physical       confidentiality                                    ISDN, repeaters, hubs      IEEE 802 and 802.2, X.21, HSSI

    o Memory Aid: When learning the features of each OSI layer, think in terms of what security, technology, and protocols each offers. Although it is not entirely correct to group the capabilities of the various layers in this way, it makes memorizing them much easier

• DoD or TCP/IP Model

    Layer 4   Application
    Layer 3   Host-to-Host           TCP and UDP
    Layer 2   Internet               IP, ARP, RARP, and ICMP
    Layer 1   Network Access (Link)


• Transmission Control Protocol (“TCP”) v. User Datagram Protocol (“UDP”):

    TCP                   UDP
    Acknowledged          Unacknowledged
    Sequenced             Unsequenced
    Connection-oriented   Connectionless
    Reliable              Unreliable
    High overhead         Low overhead (faster)

• Firewall Types: The basic default should be to deny all traffic unless expressly permitted
    o Packet Filtering (screening router): Examines the source and destination address of each IP packet. Can deny access to specific applications or services based on an ACL. First generation firewall. Operates at the network or transport layer
    o Application Level Firewall (proxy server; application layer gateway): Second generation. Reduces network performance. A circuit-level firewall is a variation that creates a virtual circuit between client and server
    o Stateful Inspection Firewall: Third generation. Packets are captured by an inspection engine. Can be used to track connectionless protocols like UDP
    o Dynamic Packet Filtering Firewalls: Mostly used for UDP. Fourth generation

• Firewall Architectures
    o Packet filtering routers
    o Screened host systems: Uses a packet filtering router and a bastion host. Provides both network layer packet filtering and application layer proxy services
    o Dual Homed Host Firewalls: A single computer with two NICs, one connected to the trusted network and the other to the Internet (or untrusted network); IP forwarding between the two interfaces must be disabled or the host becomes a router around the firewall
    o Screened Subnet Firewalls: Two packet filtering routers and a bastion host. Provides a Demilitarized Zone (“DMZ”)

• Virtual Private Network (“VPN”): Creates a secure communications link using a secret encapsulation method. The link is called a secure encrypted channel, or more accurately an encapsulated tunnel, because encryption may or may not be used. Protocols:
    o Point-to-Point Tunneling Protocol (PPTP): Based on the Point-to-Point Protocol (“PPP”). Primarily a dial-in protocol. Data link layer (Layer 2). Not limited to IP packets
    o Layer 2 Forwarding (L2F): Based on PPP. Dial-in. Data link layer (Layer 2). Not limited to IP packets


    o Layer 2 Tunneling Protocol (L2TP): Based on PPP. Dial-in. The IETF wants L2TP to be the standard. Data link layer (Layer 2). Not limited to IP packets
    o IPSec: Used LAN to LAN. Network layer (Layer 3). Limited to IP packets. IPSec devices have two modes:
        Tunnel mode: the entire original IP packet (header and payload) is protected and encased in a new IPSec packet with a new outer IP header
        Transport mode: only the payload (the datagram above IP) is protected; the original IP header stays in the clear

• Network requirements: NIC, transmission medium (copper, fiber, wireless), Network Operating System (“NOS”), and a LAN device to physically connect the computers (e.g., hub, bridge, router, switch)
• Network devices: Repeater (Layer 1; regenerates the signal). Hub (concentrator; repeats every frame out all ports). Bridge (Layer 2; connects segments and forwards a frame to another segment based on learned MAC addresses, flooding only frames for unknown destinations). Switch (sends each frame only to the port where the destination Media Access Control (“MAC”) address is located). Router (Layer 3; forwards packets between networks based on IP address)

• CAN: Campus Area Network
• Network Abuse Classes:
    o Class A: Unauthorized access to restricted resources by circumvention of access controls
    o Class B: Unauthorized use for non-business purposes
    o Class C: Eavesdropping
    o Class D: Denial of service or other service interruptions
    o Class E: Network intrusion
    o Class F: Probing

• Local Area Network (“LAN”)
    o Address Resolution Protocol (ARP): Resolves a 32-bit IP address to a 48-bit Ethernet MAC address
    o Reverse Address Resolution Protocol (RARP): Ethernet MAC address to IP address
• Backup Concepts (must ensure the physical security of backups):
    o Full: copies all files and clears the archive bit on each
    o Incremental: copies only files added or changed since the last backup of any type (full or incremental), then clears their archive bits. A restore needs the last full backup plus every incremental taken since, in order
    o Differential: copies only files changed since the last full backup and leaves the archive bit set, so each differential grows until the next full. A restore needs only the last full backup plus the latest differential
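Added example, not from the original guide: the three backup types simulated over a toy file table with an archive bit, to make the incremental/differential distinction concrete. After a full backup on Sunday and edits on Monday and Tuesday, an incremental chain needs the full set plus every incremental to restore correctly (skipping Monday silently loses a change), while a differential needs only the full set plus Tuesday's differential. File names and schedule are constructed.

```python
from dataclasses import dataclass


@dataclass
class File:
    version: int = 1
    archive_bit: bool = True   # set by the OS whenever the file is created or modified


def modify(fs: dict, name: str) -> None:
    fs[name].version += 1
    fs[name].archive_bit = True


def full_backup(fs: dict) -> dict:
    """Copies every file and clears every archive bit."""
    snapshot = {n: f.version for n, f in fs.items()}
    for f in fs.values():
        f.archive_bit = False
    return snapshot


def incremental_backup(fs: dict) -> dict:
    """Copies files changed since the last backup of ANY type, then clears their archive bits."""
    snapshot = {n: f.version for n, f in fs.items() if f.archive_bit}
    for f in fs.values():
        f.archive_bit = False
    return snapshot


def differential_backup(fs: dict) -> dict:
    """Copies files changed since the last FULL backup; leaves archive bits set,
    so the next differential contains these files again."""
    return {n: f.version for n, f in fs.items() if f.archive_bit}


def restore(*backup_sets: dict) -> dict:
    """Replay backup sets oldest-first; a later copy of a file overrides an earlier one."""
    state = {}
    for s in backup_sets:
        state.update(s)
    return state


def _fresh_fs() -> dict:
    return {name: File() for name in ("payroll.db", "ledger.db", "config.ini", "readme.txt")}


def demo_incremental() -> dict:
    fs = _fresh_fs()
    full = full_backup(fs)                 # Sunday
    modify(fs, "payroll.db")
    inc1 = incremental_backup(fs)          # Monday: payroll only
    modify(fs, "ledger.db")
    inc2 = incremental_backup(fs)          # Tuesday: ledger only (payroll's bit was cleared Monday)
    return {
        "sets": [full, inc1, inc2],
        "complete_restore": restore(full, inc1, inc2),
        "restore_skipping_monday": restore(full, inc2),   # payroll.db silently reverts to version 1
    }


def demo_differential() -> dict:
    fs = _fresh_fs()
    full = full_backup(fs)                 # Sunday
    modify(fs, "payroll.db")
    diff1 = differential_backup(fs)        # Monday: payroll
    modify(fs, "ledger.db")
    diff2 = differential_backup(fs)        # Tuesday: payroll AND ledger (bits were never cleared)
    return {
        "sets": [full, diff1, diff2],
        "complete_restore": restore(full, diff2),   # two sets are enough
    }
```

The trade-off the simulation makes visible: incrementals are smallest to take but most fragile to restore (every set in the chain must be present and in order), differentials cost more media each day but restore from two sets. Either way the restore is only as trustworthy as the physical custody of the tapes, which is why the bullet above leads with that.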

• Tape Formats

    Properties          DAT (Digital Audio Tape)   QIC (Quarter Inch Cartridge)   8mm Tape   DLT (Digital Linear Tape)
    Capacity            4 GB / 12 GB               13 GB                          20 GB      20 / 35 GB
    Max transfer rate   1 MBps                     1.5 MBps                       3 MBps     5 MBps
    Cost                Medium                     Low                            Medium     High


CBK #3: Security Management Practices

• Primary Concepts: CIA: Confidentiality, Integrity, and Availability. The opposite is DAD: Disclosure, Alteration, and Destruction (each the failure of the corresponding CIA goal)
    o Confidentiality
    o Integrity: Three principles to establish integrity controls: (i) granting access on a need-to-know basis; (ii) separation of duties; and (iii) rotation of duties. Three goals of integrity:
        Prevent modifications by unauthorized personnel or processes
        Prevent unauthorized modifications by authorized personnel or processes
        Maintain internal and external consistency of data
    o Availability: fault tolerance, backups
• Secondary Concepts

    o Identification: Means by which users identify themselves to the system
    o Authentication: Testing or reconciliation of evidence of a user’s identity
    o Accountability: The system’s ability to determine the actions of a user within the system and to identify the user. Audit trails (must be secured) and log files
    o Authorization: Rights and permissions granted to a user or process. ACL
    o Privacy: Level of confidentiality and privacy protection afforded a user
• Audit trails: user accountability; reconstruction of events; intrusion detection; and problem analysis. Audit records: keystroke monitoring/logging and event-oriented logs. Protect their integrity by requiring digital signatures for access and by storing them write-once. Use software for rapid analysis.

• Security Awareness Training: Awareness (light: what, recognition, information), training (deeper: how, skill, knowledge), and education (deepest: why, understanding, insight).

• The most important question to ask in evaluating access control security is how much it is going to cost not to protect the valuable information.

• Risk Management (RM): The prime objective of security controls is to reduce the effects of threats and vulnerabilities to a level that is tolerable (i.e., to mitigate risk). Risk Analysis (RA). A “risk” is a potential harm or loss to a system: the probability that a threat will materialize.
    o Identifying risks:
        Actual threat
        Possible consequences if the threat is realized
        Probable frequency of occurrence of the threat
        Confidence that the threat will happen
    o Key Terms


        Asset: resource, process, product, system, etc. Value is composed of cost of creation, development, license, support, replacement, public credibility, considered costs, lost intellectual property if disclosed, and ownership values
        Threat: Any event that causes an undesirable impact on the organization. Data classification, info warfare, personnel, criminal, application, operational
        Vulnerability: The absence of a safeguard constitutes a vulnerability
        RM triple: Asset, threat, and vulnerability
        Safeguard: A control or countermeasure to reduce the risk associated with a threat. The absence of a safeguard creates a vulnerability. Look at the cost/benefit analysis of deploying the safeguard, including the impact on the organization of implementing it. A safeguard must include the ability to audit. Value to the organization of a safeguard = ALE (before implementation) - ALE (after implementation) - annualized safeguard cost. During or after activation or reset there must be: no asset destruction; no covert channel access to or through the control; no security loss or increase in exposure; and a default to a state that does not enable any operator access or rights until the control is fully operational
        Exposure Factor (EF): Percentage loss a realized threat would have on an asset. Hardware failure on a critical system may result in 100% loss
        Single Loss Expectancy (SLE): Loss from a single occurrence of a threat. SLE = Asset Value ($) x EF
        Annualized Rate of Occurrence (ARO): Estimated frequency with which a threat is expected to occur. Ranges from 0 (never) to a large number (minor threats, such as misspellings)
        Annualized Loss Expectancy (ALE): ALE = SLE x ARO

o Elements of RA
   - Quantitative RA – Assigns objective dollar cost
   - Qualitative RA – intangible values of data loss and other issues that are not pure hard costs
   - Asset Valuation Process
   - Safeguard Selection

o RA Steps
   - Identify Assets: Estimate potential losses to assets by determining their values
   - Identify Threats: Analyze potential threats to assets
   - Calculate risk: Define ALE

o Remedies: Risk reduction, risk transference (transferring cost of loss to another party; i.e., insurance company), and risk acceptance
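A worked version of the RA arithmetic above (SLE, ALE, and the safeguard-value formula from the Key Terms), as an added example that is not part of the cram sheet. The asset, threat and cost figures are constructed for illustration; the EF range check and the reduce/accept decision rule are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # asset value in dollars (AV)


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of AV lost when the threat is realized (0.0 to 1.0)
    aro: float              # ARO: estimated occurrences per year (0 = never)


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """SLE = Asset Value ($) x EF."""
    if not 0.0 <= threat.exposure_factor <= 1.0:
        raise ValueError("EF is a percentage of asset value and must lie between 0 and 1")
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE = SLE x ARO."""
    if threat.aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset, threat) * threat.aro


def safeguard_value(ale_before: float, ale_after: float, annual_safeguard_cost: float) -> float:
    """Value of safeguard = ALE(before) - ALE(after) - annualized safeguard cost."""
    return ale_before - ale_after - annual_safeguard_cost


def evaluate_safeguard(asset: Asset, before: Threat, after: Threat, annual_cost: float) -> dict:
    """Run the RA steps for one asset/threat pair and decide whether the safeguard pays for itself.

    `after` is the same threat with the EF and/or ARO the safeguard is expected to leave behind.
    """
    ale_before = annualized_loss_expectancy(asset, before)
    ale_after = annualized_loss_expectancy(asset, after)
    value = safeguard_value(ale_before, ale_after, annual_cost)
    return {
        "sle_before": single_loss_expectancy(asset, before),
        "ale_before": ale_before,
        "ale_after": ale_after,
        "safeguard_value": value,
        # Positive value: the safeguard removes more expected loss than it costs (risk reduction).
        # Zero or negative: the remaining remedies are accepting or transferring the risk.
        "recommendation": "risk reduction" if value > 0 else "accept or transfer risk",
    }


if __name__ == "__main__":
    # Constructed figures: a $200,000 file server and a fire expected once every four years.
    server = Asset("file server", 200_000.0)
    fire = Threat("fire", exposure_factor=0.5, aro=0.25)
    fire_with_suppression = Threat("fire", exposure_factor=0.1, aro=0.25)
    for key, val in evaluate_safeguard(server, fire, fire_with_suppression, 15_000.0).items():
        print(f"{key:>16}: {val}")
```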


• Information Classification
o Prevent unauthorized disclosure and failure of confidentiality. Demonstrates due diligence, identifies most sensitive info, regulatory compliance, etc. SBU: Sensitive, but unclassified

o Lattice model: Every resource and user is associated with one of an ordered set of classes. Resources of a particular class may only be accessed by those whose associated class is as high or higher than that of the resource

o Bell-LaPadula Model (Orange Book): Most common model. Defines relationships between objects and subjects. Relationships are described in terms of a subject’s assigned level of access or privilege (security clearance) and the object’s level of sensitivity (security classification). Enforces lattice principle, which specifies that subjects are allowed write access to objects at the same or higher level as the subject, read access to objects at the same or lower level, and read/write access to only those objects at the same level as the subject. Example of MAC

o DOD information classification levels: Unclassified, confidential, secret, top secret

o Classification criteria for information: Value, Age, Useful Life, Personally Identifiable

o Procedures:
   - Identify administrator/custodian
   - Specify classification criteria
   - Classify by owner
   - Specify exceptions to classification policy
   - Specify controls for each classification level
   - Specify procedures for declassifying or transferring custody to another entity
   - Enterprise awareness program re classification controls

o Information Roles: Owner (officer or manager), Custodian (day-to-day responsibility for data protection; IT person), and End User (uses info as part of job)

• Policies (senior management, regulatory, advisory, informative), standards (use of specific technologies in a uniform way), guidelines (recommend actions, but are not compulsory), and procedures (steps to perform a specific task in compliance with a mandatory standard).

Mnemonic: PSGP


CBK #4: Applications and Systems Development

• Software development models: Simplistic, Waterfall (limited to one stage of re-work), Modified Waterfall (development phases end on milestones), and Spiral (four quadrants: requirements, objective, planning, risk analysis). Spiral – Angular dimension is progress made in completing project. Radial dimension is cumulative cost of project. Barry Boehm developed these development models. Using live data for testing is not appropriate: live data may not exercise all functions, including out-of-range and other invalid input types. The programmers should not do testing

• Maintenance phase: Request control, change control, and release control
• Configuration Management: British Standards Institute 7799: tracking and issue of new versions. A configuration item is a component whose state is to be recorded and against which changes are to be progressed. Configuration control controls changes to the configuration items and issues versions of the items from the software library. Two goals: (1) ensuring changes to system do not unintentionally or unknowingly affect security; and (2) ensuring changes to system are reflected in documentation

• Software cycle:
o Verification: Evaluate product in development against the specification
o Validation: Evaluate against real-world requirements and concepts

• Software Capability Maturity Model (CMM): Quality software is a function of the quality of its associated software development and maintenance process

• Software Development Life Cycle: Investigation (Requirements Specification), Analysis and General Design, Implementation (integration of software into hardware environment), Installation (experimentation on prototype), and Review

• Object Oriented Systems: More reliable and capable of reducing propagation of change errors. Dynamic objects are created during program execution. Objects are encapsulated – only accessed through messages sent to them to request performance of their desired operations. Substitution property: objects with compatible operations can be substituted for each other. Message is a communication to an object. Behavior is the results exhibited by an object on receipt of a message. Class is collection of common objects. Method is the code that defines the actions an object performs in response to a message. Inheritance – methods from a class are inherited by members of its subclasses. Delegation is forwarding a request from one object to another. Polymorphism is objects of many different classes that are related by some common superclass; thus any object denoted by this name is able to respond to some common set of operations in a different way. Polyinstantiation is development of a detailed version of an object from another object using different values in the new object. To avoid inference, systems will allow same id# for lower class and the DBMS would manage to permit same primary key for two different units. Polyinstantiation prevents inference violations
• Database security threats: Aggregation and inference
• Objects can be made available to users through Object Request Brokers (ORBs). ORBs are middleware because they reside between two other entities. Common Object Request Broker Architecture (CORBA) defines standard that enables programs written in different languages and using different platforms and operating systems to interface and communicate

• Artificial Intelligence (AI):
o Expert Systems: Acts like a human expert. Builds knowledge base (in the form of If-Then statements) of the domain to be addressed in the form of rules and an inferencing mechanism to determine if the rules have been satisfied by system input. Inference engine + knowledge base = expert system. Fuzzy logic used to address uncertainty

o Neural Networks: Neurons, signals are exchanged among neurons through electrical pulses traveling along an axon. Electrical pulse arrives at a neuron at points called synapses. Output = Input1*Weight1 + Input2*Weight2 + ... + InputN*WeightN. Summation of inputs with dynamic weights assigned to them. One summing node is called a single-layer network. Multiple summing nodes make up a multi-layer network. Training develops the weights

• Database security issues. Granularity of the access to objects in DB refers to fineness with which access can be controlled or limited. Aggregation is act of obtaining info of a higher sensitivity and combining it with lower levels of sensitivity. Inference is ability of users to infer or deduce info about data at sensitivity levels for which they do not have access. A link that enables an inference to occur is called an inference channel
• Data Warehouse and mining: Data warehouse is a repository of info from heterogeneous databases. Object is to find relationships that were unknown up until now among data in warehouse. This searching for data is called data mining. Correlations or data about data is called metadata. Metadata is not stored in data warehouse, but is instead stored in a highly protected “data mart.” Data warehouse and mining can be applied to audit logs and other info to find system anomalies

• Data Dictionary: Database for developers, records all the data structures used in an application

• Accreditation: Formal acceptance of security adequacy, authorization for operation and acceptance of existing risk

• Certification: Formal testing of security safeguards
• Operational assurance: Verification that system is operating to its security requirements. Look at policies, audits, and system monitoring
• Distributed environments permit agents. Agents are surrogate programs or processes performing services in one environment on behalf of a principal in another environment. Not a proxy, which hides identity


• Distributed systems should include:
o Interoperability
o Portability. Software at source code level can be moved from system to system with different vendors
o Transparency. Ability to keep application and its processes invisible to the end user
o Extensibility. System must be able to adapt to various management policies and allow introduction of new resources to manage
• Single state machines can only process one security level at a time. Multi-state machines can process two or more security levels at the same time
• Interpreted language executes each instruction in real-time, called run-time binding. Compiled language, binding occurs at compile time. Compiled code poses greater security risk since it may contain destructive code that can’t easily be detected

• Applets in Web browsers are called mobile code. Java runs in constrained memory space (sandbox) for security

• Security measures: Configure firewalls to screen applets; configure browsers to restrict or prevent downloading applets; permit applets only from trusted parties; provide training to users re mobile code

Application control type | Accuracy                                            | Security                                                               | Consistency
Preventive               | Data checks, forms, custom screens, validity checks | Firewalls, sensitivity labels, encryption, passwords, test environments | Data dictionary, programming standards
Detective                | Hash controls, cyclic redundancy checks             | IDS and audit trails                                                   | Comparison controls, relationship tests
Corrective               | Backups, checkpoint restarts                        | Emergency response and reference monitor                               | Program comments and database controls


CBK #5: Cryptography

• Cryptology is cryptography and cryptanalysis. Cryptography: science of codes. Cryptanalysis is science of breaking codes

• XOR: 0+0 = 0; 0+1 = 1; 1+0 = 1; 1+1 = 0
• One time pad is usually implemented as a stream cipher using XOR function
• Work function (factor): Difficulty in recovering plaintext from the ciphertext
• Link encryption – individual application of encryption to data on each link of a network
• End-to-end encryption – encryption of data from source system to end system (https)
• Security of cryptosystem should only depend on security of keys, not the algorithm
• Block code cipher: Message broken into blocks and each block encrypted separately. Blocks of identical plaintext have identical ciphertext. Replay and substitution attacks easier. DES is block cipher
• Block chaining – parts of previous block are inserted into current block. Makes replay and substitution attacks harder
• Stream cipher – message broken into characters or bits and enciphered with a key stream (random and independent of message stream). XOR generally used. XOR key stream and message. XOR encrypted output with key stream a second time to decode

• Process of establishing a session key is called key exchange, negotiation, or distribution

• Private key: 1,000 or more times faster than public key
• Public key: message encrypted with one of keys can be decrypted with other. RSA, Diffie-Hellman, El Gamal, and Elliptic Curve. Requires larger keys than symmetric (512 – 64; 1792 – 112)

• Data Encryption Standard (“DES”): Symmetric algorithm. 56 bit key, plus 8 parity bits. Never approved for national security applications. 64 bit block size. Triple DES – encrypt with first key, decrypt with second key, encrypt with first key. Data encryption algorithm (DEA). National Institute of Standards and Technology (NIST). Advanced Encryption Standard (AES) is replacement, has variable block and key length (128, 192, 256). AES is Rijndael Block Cipher

• RSA: Rivest, Shamir, and Adleman. Public key encryption algorithm developed in 1976. Factors large numbers

• Modular arithmetic – subtract modulo. 27 mod 26 = 1
• Time stamps can be used to prevent replay attacks
• Elliptic curve encryption – best bandwidth, computation, and storage. Used in wireless applications
• Key escrow: Clipper chip with Skipjack algorithm (80 bit key, 64 bit block). Key split in two and held by two escrows


• Digital Signature: Used to detect unauthorized modifications and authenticate sender. Provides non-repudiation. Steps:
o Hash message
o Digest is fed into digital signature algorithm that generates signature. This is done by encrypting the message digest with the sender’s private key and attaching to the message
o Message and attached message digest sent to recipient
• Digital Signature Standard (DSS): uses secure hash algorithm, 160 bits. Key size 512-1024. NIST standard. Enables RSA or Digital Signature Algorithm (DSA). Both use Secure Hash Algorithm (SHA-1), 160 bit message digest (length of message is number of bits in message, need multiple of 512, padding bits added if necessary)

• Hash: Output is message digest. Two files cannot have same hash. Can’t create file from hash. MD5 – 128 bit digest, uses blocks of 512

• Message Authentication Code (MAC): General term to describe digital signatures

• Clustering: Plaintext message generates identical ciphertext using the same transformation algorithm, but with different keys (cryptovariables)

• Certificate Authority (CA): Binds public key to person. Certificate revocation list. X.509 provides format for digital certificates

CBK #6: Security Architecture and Models

• OS components: Process management, I/O, memory management, and system file management
• Multiprocessing: Means multiple processors
• IT Architecture: Logical (functional) and technical (physical) components
• Closed security environment: (i) application developers have sufficient clearances and authorizations to provide acceptable presumption that they will not introduce malicious logic and (ii) configuration control provides protection from introduction of malicious logic prior to and during the operation of systems. Open security environment does not have the foregoing protections

• Types of I/O: Block devices (write blocks of data; hard disk) and character devices (not addressable; keyboard and printer)

• CPU operating states: Ready state, problem state, supervisory state, and wait state

• Programming languages. Three types: machine (1GL), assembly (2GL), and high-level (3-5GL)

o Assembler – translates from assembly language to machine language
o Disassembler – translates machine language to assembly
o Compiler – translates high-level language to machine code


o Decompiler – translates machine language into high level language
o Interpreter – translates high level language one command at a time to machine code
• Staffing: Define position, determine sensitivity of position, fill position, train hired person
• Delphi Technique. Group does not meet as a whole. Individual members submit anonymous comments
• Causes of economic loss: 65% errors and omissions
• Total Quality Management (TQM): (1) pursuit of complete customer satisfaction, (2) continuously improve products and services, through (3) the full and active involvement of the entire workforce. Quality Assurance typically focuses on the quality of the end-product. Under TQM, QA focuses on assuring quality throughout production and service process. Quality Circles are teams of voluntary employees that get together to discuss quality issues. Quality Council is management

• ISO 9000: Addresses quality of system processes, not product performance to specifications. Provides baseline for TQM

• Benchmarking:
o Internal
o Competitive
o Industry
o Best-in-Class

• Dynamic RAM (DRAM; multi-phase clock signals) and SRAM (single-phase clock; requires refresh)

• Programmable Logic Device (PLD): IC with connections or internal logic gates that can be programmed

• Memory: Real or Primary (RAM), Secondary (hard disk), Sequential Memory – information must be obtained sequentially, searching from the beginning (tape)

• Instruction Cycles: Two phases – fetch and execute. Run or operating state. Application or problem state. Users only permitted access to subset of instruction set. Subset is non-privileged instructions. Computer is in supervisory state when executing privileged instructions

• Pipelining: overlaps steps of instructions
• Scalar processor – executes one instruction at a time
• Multiprogramming, multitasking, multiprocessing
• I/O: memory mapped and isolated. Collectively “Programmed I/O”
• Protection Domain: Execution and memory space assigned to each process
• Trusted computing base (TCB): Total combination of protection mechanisms within a system. Security perimeter is boundary separating TCB from remainder of system. TCB must be tamperproof and non-compromisable
• Security Kernel is hardware, software, firmware, elements of TCB that implement the reference monitor concept. Reference monitor is a system component that enforces access controls on an object. Reference monitor concept is an abstract machine that mediates all access of subjects to objects. Must be verified correct
• Security Modes of Operation:

o Dedicated Security Mode: Each subject must have clearance for all information on system and valid need to know for all information
o System High Security Mode: Each subject must have clearance for all information on system and valid need to know some of the information. All users may not have need to know
o Compartmented Security Mode: Each subject must have clearance for most restricted information on system and valid need to know that information
o Multilevel Mode: Some subjects do not have clearance for all information. Each subject has need to know all information to which they will have access

• Recovery procedures: System should restart in secure mode. Startup should occur in maintenance mode that permits access only by privileged users from privileged terminals. Fault-tolerant continues to function despite failure. Fail safe system: program execution is terminated and system protected from compromise when hardware or software failure occurs. Fail soft or resilient system: selected, non-critical processing is terminated when failure occurs. Failover switches to hot backup

• Assurance – degree of confidence in satisfaction of security requirements
o Evaluation criteria:

   - Trusted Computer Security Evaluation Criteria (TCSEC): Addresses confidentiality, not integrity. Focuses on security functionality and degree of assurance that functionality works as documented. Functionality and assurance requirements are combined in TCSEC ratings. Five aspects of security: system security policy, marking (use of labels for AC), identification of individuals, accountability mechanisms on the system, operational and lifecycle assurance of system’s security, and the documentation developed and maintained about system security. Limited to the OS. Orange book
   - There are four types of protection: 1) Minimal Protection – system tested and failed; 2) Discretionary Protection (C1 and C2); 3) Mandatory Protection (B1, B2, and B3) – B1 labels for AC. B2 addresses covert channels and includes trusted facility management; configuration management. B3 TCB design directed to minimizing complexity; use of security administrator and auditing; configuration management; and 4) Verified Protection (A1). A1 configuration management
   - Trusted Network Interpretation (TNI): Addresses confidentiality and integrity. Red book. Applies Orange Book in the network context
   - European Information Technology Security Evaluation Criteria (ITSEC). Addresses confidentiality, integrity, and availability. Focuses on functionality and assurance. Two levels for each system: “F” for functionality (F1 – F10) and “E” for European Assurance (E0 – E6; E6 is highest). F1 is comparable to C1 of Orange Book. Target of Evaluation (TOE) is product or system to be evaluated. Functionality and assurance are evaluated independently under ITSEC. Compare TCSEC, which combines functionality and assurances into a single set of classes
   - TCSEC, ITSEC, and the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) have evolved into one evaluation criteria: Common Criteria

• Certification: Establish extent in which a particular design and implementation meets the set of specified security requirements

• Accreditation: Formal declaration by Designated Approving Authority that system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk

o Defense Information Technology Security Certification and Accreditation Process (DITSCAP): Phase 1 definition, phase 2 verification, phase 3 validation, phase 4 post accreditation
o National Information Assurance Certification and Accreditation Process (NIACAP)
• Information Security Models: Access control, integrity, and information flow

o Access Control Model. Four methods:
   - Access Matrix – Columns are ACLs and rows are capability lists. Includes DAC. Capability list: used to implement capabilities, which identifies the object and specifies the access rights to be allowed to the accessor (subject) who possesses the capability
   - Take-Grant Model. What rights can be transferred by a subject
   - Bell-LaPadula Model. Only addresses confidentiality, not integrity or availability. A Trusted Subject can violate the *-property. Does not address client/server model. Secure state can have three properties: 1) Simple Security Property (ss Property): Reading info by a subject at a lower sensitivity level from an object at a higher sensitivity level is not permitted (no read up); 2) The * (star) Security Property: Writing info by subject at higher level of sensitivity to an object at lower sensitivity is not permitted (no write down); 3) Discretionary Security Property. Uses an access matrix to specify DAC.
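A small reference monitor that applies the three Bell-LaPadula properties just listed over the lattice of DOD levels from the Information Classification section, with the access matrix giving both its ACL (column) and capability-list (row) views. This is an added example, not code from the cram sheet; the subject, object and matrix entries are constructed, and the rule that MAC and DAC must both permit an access is this example's own design.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered set of classes (the lattice): DOD classification levels."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def dominates(higher: Level, lower: Level) -> bool:
    """Lattice dominance: one class is as high or higher than another."""
    return higher >= lower


def simple_security_ok(subject: Level, obj: Level) -> bool:
    """ss-property (no read up): the clearance must dominate the object's classification."""
    return dominates(subject, obj)


def star_property_ok(subject: Level, obj: Level, trusted_subject: bool = False) -> bool:
    """*-property (no write down): the object's classification must dominate the clearance.

    A Trusted Subject is allowed to violate the *-property, as the sheet notes.
    """
    return trusted_subject or dominates(obj, subject)


class AccessMatrix:
    """Discretionary security property: DAC as an access matrix."""

    def __init__(self):
        self._cells = {}            # (subject, object) -> set of rights

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self._cells.setdefault((subject, obj), set()).update(rights)

    def acl(self, obj: str) -> dict:
        """Column view: the ACL of one object (subject -> rights)."""
        return {s: sorted(r) for (s, o), r in self._cells.items() if o == obj}

    def capability_list(self, subject: str) -> dict:
        """Row view: the capability list of one subject (object -> rights)."""
        return {o: sorted(r) for (s, o), r in self._cells.items() if s == subject}

    def allows(self, subject: str, obj: str, right: str) -> bool:
        return right in self._cells.get((subject, obj), set())


class ReferenceMonitor:
    """Mediates every subject-to-object access: the MAC rules and the DAC matrix must both permit it."""

    def __init__(self, matrix: AccessMatrix):
        self.matrix = matrix
        self.clearances = {}
        self.classifications = {}
        self.trusted = set()
        self.audit_log = []         # every decision is recorded, permit or deny

    def add_subject(self, name: str, clearance: Level, trusted: bool = False) -> None:
        self.clearances[name] = clearance
        if trusted:
            self.trusted.add(name)

    def add_object(self, name: str, classification: Level) -> None:
        self.classifications[name] = classification

    def check(self, subject: str, obj: str, mode: str) -> bool:
        s, o = self.clearances[subject], self.classifications[obj]
        if mode == "read":
            mac_ok = simple_security_ok(s, o)
        elif mode == "write":
            mac_ok = star_property_ok(s, o, subject in self.trusted)
        else:
            raise ValueError("mode must be 'read' or 'write'")
        decision = mac_ok and self.matrix.allows(subject, obj, mode)
        self.audit_log.append((subject, obj, mode, "permit" if decision else "deny"))
        return decision


if __name__ == "__main__":
    # Constructed subjects and objects.
    matrix = AccessMatrix()
    matrix.grant("alice", "plan", "read", "write")
    monitor = ReferenceMonitor(matrix)
    monitor.add_subject("alice", Level.SECRET)
    monitor.add_object("plan", Level.CONFIDENTIAL)
    print("alice read plan:", monitor.check("alice", "plan", "read"))    # permit (read down)
    print("alice write plan:", monitor.check("alice", "plan", "write"))  # deny (no write down)
    print(monitor.audit_log)
```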


o Integrity Model
   - Biba Integrity Model (similar to Bell-LaPadula)
   - Clark-Wilson Integrity Model. Two elements: well formed transaction and separation of duties

o Information Flow Model – each object and subject is assigned security class and value; info is constrained to flow in directions that are permitted by the security policy

CBK #7: Operational Security

• Types:
o Preventive. Designed to lower amount and impact of unintentional errors entering the system and to prevent unauthorized intruders from internally or externally accessing the system. Data validation, pre-numbered forms, and review for duplications
o Detective. Track unauthorized transactions and lessen errors by detecting quickly
o Corrective. Data recovery
o Recovery. Help rebuild system, application, or network after security incident
• Orange Book. Trusted Computer Security Evaluation Criteria. Two types of assurance:
o Operational Assurance. Basic features and architecture of system. System integrity, covert channel analysis (storage and timing), trusted recovery
   - Trusted facility management: Assignment of specific individual to administer security of system. Separation of duties, don’t have system administrator and security administrator as same person. In highly secure systems have three administrative roles: system administrator, security administrator, and enhanced operator function. Two-man control means each reviews and approves the work of the other. Dual control requires both operators to complete a task. Rotation of duties. Mandatory taking of vacations
   - Trusted recovery: Ensures security is not breached when system crashes or has other failures. Required only for B3 and A1 levels in Orange Book
   - Common Criteria for recovery: 1) Manual Recovery. Sys admin intervention to return system to secure state after failure; 2) Automated Recovery. Recovery to secure state is automatic when resolving single failure – intervention for other failures; 3) Automated Recovery without Undue Loss


o Life cycle assurance. Controls needed for building and maintaining system. Configuration management monitors and protects changes to a system’s resources. Security testing
   - Configuration change management (covers entire lifecycle of system/software). Required only for B2, B3, and A1
   - Five procedures: 1) Applying to introduce a change; 2) Cataloging the change; 3) Scheduling the change; 4) Implementing the change; and 5) Reporting the change to appropriate parties

• Media security controls. Logging, access control, and proper disposal. Sanitization includes overwriting, degaussing, and destruction. Media viability controls: marking, handling, storage.

• Problem management goals:
o Reduce failures to a manageable level
o Prevent occurrence or re-occurrence of a problem
o Mitigate negative impact of problems

• Initial Program Load vulnerabilities

CBK #8: Business Continuity Planning and Disaster Recovery Planning

• Business Continuity Planning (BCP). Plans and framework to ensure business can continue in an emergency. Minimize cost associated with disruptive event and mitigate risk. Foreign Corrupt Practices Act of 1977 imposes civil and criminal penalties if publicly held companies fail to maintain adequate controls over their info systems. Four elements of BCP process:

o Scope and Plan Initiation
o Business Impact Assessment (BIA). Identify what impact a disruptive event would have on the business. Impact may be financial (quantitative) or operational (qualitative). Includes execution of vulnerability assessment. BIA has three goals: criticality prioritization, downtime estimation, resource requirements. Must identify which business units are critical to continuing acceptable level of operations
   - Vulnerability assessment involves conducting a loss impact analysis. Two elements: financial assessment (quantitative) and operational assessment (qualitative). Identify “critical support areas” that are required to sustain continuity of business
o Business Continuity Plan Development
o Plan Approval and Implementation


• Hierarchical Storage Management (HSM). Software that dynamically manages storage and retrieval of electronic information from storage media that varies in speed and cost

• Six resource categories that support critical business functions: Human resources, processing capability, computer-based services, automated applications and data, physical infrastructure, and documents

CBK #9: Law, Investigation, and Ethics

• Two types of evidence:
o The following are types of evidence that may be reviewed in connection with an audit:
   - Physical examination
   - Confirmation (response from third party)
   - Documentation
   - Observation
   - Inquiry
   - Mechanical accuracy
   - Analytical procedures (using comparisons and ratios)
o The following are types of evidence relevant to legal proceedings:
   - Best Evidence
   - Secondary
   - Direct
   - Circumstantial
   - Conclusive
   - Corroborative
   - Opinion
   - Hearsay

• Standards for evidence: the evidence must be sufficient, competent, and relevant

• Criteria for evaluating legal requirements for implementing safeguards is to evaluate cost (C) of instituting protection versus estimated loss (L) resulting from exploitation of vulnerability. If C < L and the business does not implement the safeguard, the business could face liability

• Because development of technology may outpace law, crimes of embezzlement, fraud, and wiretapping are frequently used

• Federal Sentencing Guidelines hold senior corporate officers personally liable if their organizations violate the law

• Evidence life cycle: Collection and identification; analysis; storage, protection, transportation; presentation in court; and return to victim/owner

• Kennedy-Kassebaum Act is Health Insurance Portability and Accountability Act (“HIPAA”)


• The extension of property to include electronic information has been key to the development of computer crime laws in some countries
• FBI and Secret Service are responsible for computer crimes
• Computer Incident Response Team (CIRT)
• Federal Computer Security Act of 1987: First to require government agencies to do security training and adopt security plan
• MOM: Motive, opportunity and means
• Typical computer felon holds a position of trust with the company
• Privacy Act of 1974: Fed agencies must protect information of private individuals in their databases
• Ethics code does not include “control” as a behavior
• ISC2 Code of Ethics:
o Conduct in highest standards of moral, ethical, and legal conduct
o Not commit unlawful or unethical act that would negatively impact professional reputation or reputation of profession
o Report unlawful activity and cooperate in investigation
o Support efforts to promote prudent info security measures
o Provide competent service, avoid conflicts of interest
o Execute responsibilities to highest standards of profession
o Not misuse information they come in contact with, maintain confidentiality
• Internet Activities Board (IAB): Unethical to:
o Seek unauthorized access to Internet resource
o Destroy integrity of information
o Disrupt Internet use
o Waste resources
o Compromise privacy of users
o Negligence in Internet experiments

CBK #10: Physical Security

• Five threats: Interruptions in computing services, physical damage, unauthorized disclosure of information, loss of control of system integrity, and physical theft

• Three types of controls (same as AC):
o Administrative Controls: proper emergency procedures, policy implementation, facility security management (audit trails and emergency procedures), pre-employment screening, on-going employee checks, post-employment procedures. Audit trails and access logs are detective, not preventative
o Environmental controls:

01/03/02© 2002 All Rights Reserved – BrainBuzz.com


    1) Electrical Power: Noise (EMI, RFI), use power line conditioning, proper grounding, cable shielding, limiting exposure to magnets, electric motors, and heaters. Humidity range should be 40-60%. <40% increases likelihood of static electricity. >60% increases condensation. Use Hygrometer to measure humidity. Static electricity controls: anti-static sprays, antistatic flooring, proper grounding, anti-static table or floor mats, HVAC to control humidity. Power loss: fault is momentary, blackout is prolonged. Power Degradation: sag is momentary, brownout is prolonged. Power excess: spike is momentary, surge is prolonged. EPO – Emergency Power Off. Air conditioning should have separate EPO. Three methods to protect power: UPS, power line conditioning, backup power sources
    2) Fire detection and suppression: Three elements – oxygen, heat, and fuel. Water suppresses temperature. Soda acid reduces fuel. CO2 (lethal if removes all O2) reduces oxygen. Fire Detectors: Heat sensing, flame sensing, flame actuated, smoke actuated, automatic dial-up. Fire extinguishing systems: Wet pipe (water all the time), dry pipe (water only when activated), Deluge, Preaction (dry until heat, then loads water; most recommended for computers). Gas discharge systems employ pressurized inert gas usually from under raised floor. CO2 and Halon. Halon now listed as danger to environment and is being phased out. Halon not safe above 10% concentration. Use in >900 degrees creates toxic gas. Halon 1211 (portable extinguishers) and Halon 1301 (flooding systems). FM-200 is good replacement. Fire contaminants: smoke, heat, water, suppression medium contamination (CO2 or Halon)
    3) Sprinklers do not cause water damage – fire does. Sprinklers protect lives, reduce fire damage, limit fire to building

    Class   Description           Suppression Medium
    A       Common combustibles   Water or soda acid
    B       Liquid                CO2, soda acid, Halon
    C       Electrical            CO2 or Halon


    4) Heating, Ventilation, and Air Conditioning (HVAC)
  o Physical Controls
    Fences:
    Height                                          Effect
    3’ to 4’ (1 meter)                              Deters casual trespasser
    6’ to 7’ (2 meters)                             Too hard to climb easily
    8’ with 3 strands of barbed wire (2.4 meters)   Deters intruders
  o Technical Controls: Proximity readers, biometric devices, intrusion detectors and alarms, motion detectors. Alarms must be audible for at least 400 feet. Power supply backups must last at least 24 hours

    Object reuse: Reusing data storage media after initial use
    Data remanence: Residual info remaining on media after erasure, which may be restored. Orange Book requires magnetic media be formatted seven times before discard or reuse
    Common problems with media erasure: 1) Deleting does not actually remove data, only the file allocation table entry; 2) Damaged sectors may not be overwritten by format utility. Need degaussing; and 3) Improper use or equipment failure of degausser
    Clearing: Overwriting data on media for reuse within same secured environment (i.e., not used in a lesser security environment)
    Purging: Degaussing or overwriting media to be removed from monitored environment, such as resale, use in unsecured environment, or donation
    Destruction: Completely destroying media. Good practice to purge media before submitting for destruction
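The clearing step above (overwrite before reuse in the same secured environment), as an added Go example that is not part of this cram sheet: it overwrites a file in place for the page's seven passes and syncs each pass to the device. OverwriteFile is a hypothetical helper name, and the caveat in its comment is why the page separates clearing from purging and destruction.

```go
package main

import (
	"crypto/rand"
	"io"
	"os"
)

// OverwriteFile overwrites every byte of the file at path in place, passes times (random data,
// zeros on the final pass), syncing after each pass; it returns the bytes overwritten per pass.
// Caveat: only the logical blocks mapped to the file are reached. Remapped blocks on SSDs and
// wear-levelled flash, copy-on-write filesystems, and damaged sectors keep remanent data: purge or destroy.
func OverwriteFile(path string, passes int) (int64, error) {
	f, err := os.OpenFile(path, os.O_RDWR, 0)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	size := info.Size()
	buf := make([]byte, 64*1024) // chunked so large files need not fit in memory
	for pass := 0; pass < passes; pass++ {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return 0, err
		}
		for left := size; left > 0; left -= int64(len(buf)) {
			chunk := buf
			if left < int64(len(buf)) {
				chunk = buf[:left]
			}
			if pass == passes-1 { // final pass: zeros, so a later read shows only blanks
				for i := range chunk {
					chunk[i] = 0
				}
			} else if _, err := rand.Read(chunk); err != nil {
				return 0, err
			}
			if _, err := f.Write(chunk); err != nil {
				return 0, err
			}
		}
		if err := f.Sync(); err != nil { // push this pass to the device, not just the page cache
			return 0, err
		}
	}
	return size, nil
}
```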

Additional Material

Types of Attacks

• Denial of Service (DoS)
• Distributed Denial of Service (DDoS)
• SYN – DoS
• Smurf – IP Ping with forged return address of target
• Viruses
• Trojan Horses
• IP spoofing: Impersonation of a computer from a trusted network


• Network Packet Sniffers: Software that uses a NIC in “promiscuous mode” to review packets sent across the network
• Port Scanning
• Covert Channel: Unapproved communications link between one application and another. Two kinds: covert storage channel and covert timing channel

PKI

• Can be open (third party trusted CA for many organizations and individuals) or closed (CA and members are part of single organization)
• CA – Certificate Authority; RA – Registration Authority; CRL – Certificate Revocation List; Certification Practice Statement (CPS) dictates legal responsibilities, roles, policies, and procedures for the CA
• Certification is process of binding a public key to a specific person, entity, or system
• Key recovery – key escrow
• Public Key Cryptography Standards (PKCS). PKCS#1 is RSA standard. PKCS#13 is elliptic curve crypto

Security Assessment

• Two parts: Physical and Logical

• Areas of Review
  o Physical access: Access zones, server room access, backups, media, computers (laptops), network access
  o Network
  o Software
  o Messaging
  o Acceptable Use
  o Application Security
  o Data security/classification according to sensitivity or worth
  o Encryption
  o Change Control Systems
  o Disaster Recovery: Storage of media; time to restore; test restores; encrypt
  o Incident response policy/team
  o User Training
  o Customer/Partner Training


Orange Book

• DOD Trusted Computer System Evaluation Criteria. Systems classified from A (most trusted) to D (least trusted). Relates only to standalone systems. NO NETWORKS. Takes a long time to certify (1-2 years). Based on the Bell-LaPadula model. Not adapted to client/server model. Levels:
  o A – Verified Protection. A1
  o B – MAC. B1, B2, and B3
  o C – DAC. C1 and C2
  o D – Minimal security. Systems evaluated, but failed

TCP/IP

• IP is the protocol that transports packets between computers; TCP delivers data to applications by port. A TCP segment is carried inside an IP packet, which identifies the computer it is addressed to. Both sending and receiving applications are assigned ports to identify them. Port 80 Web access; SMTP is port 25, FTP is port 21. TCP port numbers are divided into three ranges: well-known ports (0-1023), registered ports (1024-49151), and dynamic private ports (49152-65535)
• IP address is 32 bits. 4 Octets. Address range for each octet is 0-255. Classes A, B, C, D, and E

Glossary

ACL: Types of access – read, write, create, execute, modify, delete, rename
CERT: Computer Emergency Response Team
DNS: Domain Name System. Distributed database of name-to-IP address mappings
Domain: Collection of computers and user accounts managed by a central authority
Footprinting: Process by which a hacker gains information about a target computer system
FQDN: Fully Qualified Domain Name; e.g., IBM.com
Gap Appliance: Provides “air gap” between trusted and untrusted systems. External CPU, switch, and internal CPU. Internal system never directly connected to the outside
Gateway: Translators between networks using incompatible transport protocols
IETF: When submitted to the IETF, draft docs are valid for six months. They go through a screening process. If draft is accepted, it will be issued as a Request for Comments (RFC) document. If a specification is adopted as an Internet standard, it is given the additional label of STD, but keeps the RFC number
IEEE 802.11 Wireless Standard: Wireless LAN standard. Default is transmission in the clear
IKE: Internet Key Exchange protocol
IKMP: Internet Key Management protocol


IPSec: IP security. Two main protocols are Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides integrity, authentication, and non-repudiation. ESP provides encryption
LDAP: Lightweight Directory Application Protocol. Can be used to store X.509 certificates for authentication. Subset of X.500. Simple mechanism for directory clients to query and manage a database of hierarchical entries. LDAP is based on client-server model. LDAP server will offer directory data via TCP/IP port 389 and SSL encrypted port 636. Primary security concerns are availability and integrity
Logic Bomb: A set of instructions in a computer program, periodically executed, that checks conditions or states of the computer and, when they are met, carries out an unauthorized, malicious act
NIC: Network Interface Card
Open View: Leaving confidential documents in public place (on desk)
Privacy Enhanced E-mail (PEM): Proposed by IETF to comply with Public Key Cryptography Standards (PKCS) developed by Microsoft, Novell and Sun. Uses triple DES and RSA. Uses X.509
Pretty Good Privacy: Symmetric cipher IDEA (128 bit key, 64 bit block) is used to encode the message; RSA is used for the symmetric key exchange and for digital signatures. Web of trust instead of CA
RADIUS: Remote Authentication Dial-In User Service. Internet standard for remote-access authentication, authorization, and accounting
RPC: Remote Procedure Call. Transport and application layer
SAS70 Audit: Statement of Auditing Standards 70. Not a security audit. Only confirms a company’s compliance with its own procedures. Those procedures may relate to security. Does not guarantee best practices. Does not make any recommendations for improvement. Prime purpose is to audit controls in place to prevent or detect an error that would be significant to a financial audit. AICPA
S/MIME: Secure Multipurpose Internet Mail Extensions. Symmetric key encrypted with public key cryptography. Uses X.509
Secure HTTP (S-HTTP): Alternative to SSL. SSL applies to entire session. S-HTTP can be used to protect individual WWW documents
SSL: Developed by Netscape. HTTPS
SSO: Single Sign On
Structured Programming: Using programming rules and procedures and preprogrammed modules
Superzap: IBM mainframe utility used to install zaps or fixes to MVS OS or application program code. All powerful. Circumvents all security. Use checksums to detect changes to programs
TEMPEST: TEMPEST certified hardware, rooms, or buildings are shielded to limit EM radiation from computer equipment
TLS: Transaction Layer Security. Confidentiality, authentication and integrity above the transport layer; resides between the application and the TCP layer. SSL and TLS use X.509


Wireless Application Protocol (WAP): Used by wireless devices to access the Internet. Uses Wireless Transport Layer Security Protocol (WTLS). Data must be unencrypted at gateway between wireless and wired network to be re-encrypted using SSL. WTLS provides three classes of security:
• Class 1 (Anonymous Authentication). Neither client nor server is authenticated
• Class 2 (Server Authentication)
• Class 3 (Two way Client and Server Authentication)
Worm: Eats up computer/network resources
WORM: Write Once Read Many
X.500: Directory protocol. Lookup is based on a unique Distinguished Name (DN). Each entry in X.500 database associated with a DN will have attributes and values
X.509: Defines mechanism for certificates, supports authentication of entries in an X.500 directory. Features include: Version, Serial Number (unique to certificate, assigned by CA), signature algorithm identifier (identifies algorithm used by CA to sign certificate), Issuer Name (typically the CA), validity period, subject name (DN), public key. International Telecommunication Union (ITU) provides telecom standards, including X. standards. The IETF has recognized X.509 to be used in Internet technologies
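The certification step from the PKI section (a CA binding a public key to a person, entity or system) together with the X.509 fields listed above, as an added Go example that is not part of this cram sheet: a self-signed root CA issues a leaf certificate and a relying party verifies the leaf against that root. newCert and IssueAndVerify are hypothetical helper names, and the CA and host names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func check(err error) { // keeps the example focused on the certificate logic
	if err != nil {
		panic(err)
	}
}

// newCert makes a key pair and a certificate for name: self-signed when parent is nil (a root CA, issuer ==
// subject), otherwise signed by the parent CA, binding the new key to name. Go fills in v3, issuer, sig alg.
func newCert(name string, serial int64, usage x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // unique per certificate, assigned by the CA
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour), // validity period
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// IssueAndVerify: a root CA certifies a leaf for name; the error is nil only if the leaf chains to the root.
func IssueAndVerify(name string) (*x509.Certificate, *x509.Certificate, error) {
	ca, caKey := newCert("Example Root CA", 1, x509.KeyUsageCertSign, nil, nil)
	leaf, _ := newCert(name, 2, x509.KeyUsageDigitalSignature, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // trust anchor; a leaf that does not chain to it is rejected
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return ca, leaf, err
}
```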


Special thanks to Michael R. Overly for contributing this Cramsession.

Michael R. Overly is a partner in the e-Business & Information Technology Section in the law firm of Foley & Lardner. His practice focuses on drafting and negotiating technology related agreements, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of information security, electronic commerce, multi-media, on-line law and privacy issues. Mr. Overly may be the only practicing lawyer who has satisfied the rigorous requirements necessary to obtain the Certified Information Systems Security Professional (CISSP) certification. Author of Overly on Electronic Evidence (West Publishing 1998), E-Policy: How to Develop Computer, E-Mail, and Internet Guidelines to Protect Your Company and Its Assets (American Management Association 1998), and Document Retention in The Electronic Workplace (Pike & Fisher 2001). Mr. Overly's numerous articles and books have been published in the United States, Europe, Korea, and Japan. Mr. Overly is a graduate of Loyola Law School (J.D.) and Texas A&M University (M.S., Electrical Engineering, 1984; B.S., 1982). He can be reached at [email protected] and his company’s website is at http://www.foleylardner.com/ .

© 2002 All Rights Reserved – BrainBuzz.com