
CISSP - Certified Information System Security Professional
Also visit our website http://www.enacom.nl.

Based on the books:
CISSP Certification, Training Guide, Roberta Bragg
The CISSP Prep Guide, Ronald L. Krutz & Russel Dean Vines
Summary by Jos Engelhart MSc CISSP
Table of Contents

CISSP i
1 ACCESS CONTROL SYSTEMS AND METHODOLOGY 1

1.1 AUTHENTICATION AND ACCESS CONTROL ..............................................................1
1.2 ACCOUNTABILITY ..........................................................................................1
1.3 ACCESS CONTROL TECHNIQUES.........................................................................1
Discretionary Access Control - DAC..............................................................1
Mandatory Access Control - MAC.................................................................1
Lattice-Based Access Control.......................................................................1
Rule-Based Access Control ..........................................................................2
Role-based access control ...........................................................................2
Access Control Lists ...................................................................................2
1.4 ACCESS CONTROL ADMINISTRATION ...................................................................2
Account administration...............................................................................2
1.5 ACCESS CONTROL MODELS / STRATEGIES .............................................................3
Bell-LaPadula ............................................................................................3
Biba.........................................................................................................3
Lipner's Lattice.........................................................................4
Non-inference Models.................................................................................4
1.6 IDENTIFICATION AND AUTHENTICATION TECHNIQUES................................................4
Passwords ................................................................................................4
One-Time Passwords..................................................................................4
Challenge Response...................................................................................4
Biometrics ................................................................................................4
Tickets .....................................................................................................4
Single Sign-On ..........................................................................................5
1.7 ACCESS CONTROL METHODOLOGIES....................................................................5
Centralized/Remote Authentication Access Controls .......................................5
Decentralized Access Control.......................................................................5
1.8 METHODS OF ATTACK .....................................................................................5
Brute force ...............................................................................................5
Denial of service........................................................................................5
Spoofing...................................................................................................6
Sniffing ....................................................................................................6
1.9 MONITORING ...............................................................................................6
Intrusion detection ....................................................................................6
Intrusion prevention ..................................................................................6
How intrusion detection works.....................................................................6
1.10 PENETRATION TESTING ...................................................................................7
Penetration Testing versus Security Assessments ..........................................7
Ethical Issues............................................................................................7
Performing a Penetration Test .....................................................................7
2 TELECOMMUNICATIONS AND NETWORK SECURITY 1

2.1 THE OPEN SYSTEMS INTERCONNECTION MODEL......................................................1
2.2 THE OSI LAYERS ..........................................................................................1
Layer 7 - Application Layer .........................................................................1
Layer 6 - Presentation layer ........................................................................2
Layer 5 - Session Layer ..............................................................................2
Layer 4 - Transport Layer ...........................................................................2
Layer 3 - Network Layer .............................................................................2
Layer 2 - Data Link Layer ...........................................................................3
Layer 1 - Physical Layer .............................................................................3
2.3 NETWORK CHARACTERISTICS AND TOPOLOGIES ......................................................3
Coax........................................................................................................3
UTP..........................................................................................................4
Fiber Optic................................................................................................4
Multi-Mode Fiber........................................................................................5
Single-Mode Fiber......................................................................................5
Dense Wave Division Multiplexing................................................................5
Wireless ...................................................................................................5
2.4 NETWORK TOPOLOGIES...................................................................................5
Linear Bus Topology...................................................................................5
Star Topology ...........................................................................................6
Ring Topology ...........................................................................................6
Tree Topology ...........................................................................................6
Mesh Topology ..........................................................................................6
LAN and WAN Technologies.........................................................................6
Ethernet ...................................................................................................6
Token-Ring and FDDI .................................................................................6
ARCnet - Attached Resource Computer Network............................................7
2.5 LAN DEVICES ..............................................................................................7
Hubs and Repeaters...................................................................................7
Switches and bridges .................................................................................7
VLANs ......................................................................................................7
Routers ....................................................................................................8
Firewalls...................................................................................................8
Gateways and Proxies ..............................................................................10
2.6 WAN TECHNOLOGIES...................................................................................10
WAN Connections ....................................................................................10
WAN Services..........................................................................................10
WAN Devices ..........................................................................................12
2.7 PROVIDING REMOTE ACCESS CAPABILITIES .........................................................12
Client-Based Dial-In Remote Access...........................................................12
Using tunneling as a security method.........................................................12
Virtual Private Networks ...........................................................................12
Remote access Authentication...................................................................13
2.8 NETWORKING PROTOCOLS .............................................................................13
Application Layer Protocols .......................................................................13
Transport Layer Protocols .........................................................................14
Internet Layer Protocols ...........................................................................14
2.9 PROTECTING THE INTEGRITY, AVAILABILITY AND CONFIDENTIALITY OF NETWORK DATA.....14
The CIA-triad ..........................................................................................14
Security Boundaries and Translating Security Policy to Controls.....................15
Trusted Network Interpretation .................................................................15
Network Layer Security Protocols...............................................................15
Transport Layer Security Protocols.............................................................16
Application Layer Security Protocols...........................................................16
Network Monitoring and Packet Sniffers......................................................16
Intrusion Detection ..................................................................................16
Intrusion Response ..................................................................................17
Network Address Translation.....................................................................17
Public and Private IP Addresses .................................................................18
Transparency ..........................................................................................18
Hash Totals.............................................................................................18
Email Security.........................................................................................18
Facsimile and Printer Security ...................................................................18
Common Attacks and Countermeasures .....................................................18
2.10 FAULT TOLERANCE AND DATA RESTORATION........................................................19
2.11 ADDENDUM ...............................................................................................20
3 SECURITY MANAGEMENT AND PRACTICES 1

3.1 DEFINING SECURITY PRINCIPLES........................................................................1
CIA: Information Security's Fundamental Principles .......................................1
Privacy.....................................................................................................1
Identification and Authentication .................................................................1
Nonrepudiation..........................................................................................2
Accountability and Auditing.........................................................................2
3.2 SECURITY MANAGEMENT PLANNING.....................................................................2
3.3 RISK MANAGEMENT AND ANALYSIS .....................................................................2
Risk analysis .............................................................................................3
Identifying threats and Vulnerabilities ..........................................................3
Asset Valuation .........................................................................................3
Qualitative Risk Analysis.............................................................................4
Countermeasure Selection and Evaluation ....................................................4
3.4 POLICIES, STANDARDS, GUIDELINES AND PROCEDURES ............................................5
3.5 ROLES AND RESPONSIBILITIES ..........................................................................5
3.6 UNDERSTANDING PROTECTION MECHANISMS .........................................................6
3.7 CLASSIFYING DATA........................................................................................6
3.8 EMPLOYMENT POLICIES AND PRACTICES ...............................................................7
3.9 MANAGING CHANGE CONTROL...........................................................................7
4 APPLICATIONS AND SYSTEM DEVELOPMENT SECURITY 1

4.1 SOFTWARE APPLICATIONS AND ISSUES ................................................................1
Centralized, decentralized and distributed systems ........................................1
Malicious software (malware) ......................................................................1
Databases ................................................................................................2
Data warehouses.......................................................................................2
Storage and Storage Systems .....................................................................2
Knowledge-Based Systems .........................................................................3
Web Services and Other Examples of Edge Computing ...................................3
4.2 ATTACKING SOFTWARE ...................................................................................3
4.3 UNDERSTANDING MALICIOUS CODE ....................................................................4
4.4 IMPLEMENTING SYSTEM DEVELOPMENT CONTROLS...................................................4
4.5 USING CODING PRACTICES THAT REDUCE SYSTEM VULNERABILITY ...............................5
5 CRYPTOGRAPHY 1

5.1 USES OF CRYPTOGRAPHY .................................................................................1
5.2 CRYPTOGRAPHIC CONCEPTS, METHODOLOGIES AND PRACTICES ...................................1
Symmetric Algorithms................................................................................1
Asymmetric Algorithms ..............................................................................1
Safety mechanisms....................................................................................1
5.3 PKI AND KEY MANAGEMENT .............................................................................2
5.4 METHODS OF ATTACK .....................................................................................2
6 SECURITY ARCHITECTURE AND MODELS 2

6.1 REQUIREMENTS FOR SECURITY ARCHITECTURE AND MODELS.......................................2
6.2 SECURITY MODELS ........................................................................................2
Clark-Wilson Model ....................................................................................2
Access Control Lists ...................................................................................2
6.3 SECURITY SYSTEM ARCHITECTURE......................................................................2
Security Principles .....................................................................................2
Security Modes..........................................................................................3
6.4 INFORMATION SYSTEM SECURITY STANDARDS........................................................3
TCSEC - The Orange Book and the Rainbow Series........................................4
ITSEC - Information Technology Security Evaluation Criteria ..........................4
Common Criteria .......................................................................................5
6.5 COMMON CRITERIA........................................................................................5
Introduction and general model ...................................................................6
Security Functional Requirements................................................................6
Security Assurance Requirements ................................................................6
Evaluation Assurance Packages or Levels - EALs............................................7
Areas not Addressed by the Common Criteria................................................7
A Comparison of the Orange Book, ITSEC and Common Criteria ......................7
6.6 IPSEC .......................................................................................................8
Uses for IPSec...........................................................................................8
Architectural Components of IPSec ..............................................................8
7 OPERATIONS SECURITY 1

7.1 EXAMINING THE KEY ROLES OF OPERATIONS SECURITY.............................................1
The OPSEC Process....................................................................................1
7.2 THE ROLES OF AUDITING AND MONITORING ..........................................................2
Using Logs to Audit Activity and Detect Intrusion...........................................2
Detection Intrusion ....................................................................................2
Penetration Testing Techniques ...................................................................2
7.3 DEVELOPING COUNTERMEASURES TO THREATS .......................................................3
Risk analysis .............................................................................................3
Threats ....................................................................................................3
Countermeasures ......................................................................................3
7.4 CONCEPTS AND BEST PRACTICES .......................................................................4
Privileged Operations Functions...................................................................4
Understanding Antiviral Controls..................................................................4
Protecting Sensitive Information and Media ..................................................4
Change Management Control ......................................................................5
8 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING 1
8.1 WHAT ARE THE DISASTERS THAT INTERRUPT BUSINESS OPERATION?............................1
8.2 QUANTIFYING THE DIFFERENCE BETWEEN DRP AND BCP...........................................1
8.3 EXAMINING THE BCP PROCESS..........................................................................1
Define the scope........................................................................................1
Perform a business impact analysis (BIA) .....................................................1
Develop operational plans for each business process......................................2
Implement plans .......................................................................................3
Test plans.................................................................................................3
Maintain plans...........................................................................................3
8.4 DEFINING DRP ............................................................................................3
Determining the scope of the recovery plan ..................................................4
Creating antidisaster Procedures .................................................................4
Listing necessary resources.........................................................................4
Emergency response procedures .................................................................4
8.5 DEVELOPING A BACKUP STRATEGY......................................................................4
Backup procedures and policies ...................................................................4
Vital records program.................................................................................4
Hardware backups .....................................................................................5
9 LAW, INVESTIGATION AND ETHICS 1

9.1 FUNDAMENTALS OF LAW..................................................................................1
Intellectual property law.............................................................................1
Privacy law ...............................................................................................1
Governmental regulations...........................................................................1
9.2 CRIMINAL LAW AND COMPUTER CRIME.................................................................2
9.3 COMPUTER SECURITY INCIDENTS .......................................................................2
Advance planning ......................................................................................2
Computer crime investigation......................................................................3
9.4 LEGAL EVIDENCE...........................................................................................3
The fourth amendment...............................................................................3
9.5 COMPUTER FORENSICS ...................................................................................3
9.6 COMPUTER ETHICS ........................................................................................4
10 PHYSICAL SECURITY 1

10.1 CLASSIFYING ASSETS TO SIMPLIFY PHYSICAL SECURITY DISCUSSIONS...........................1
10.2 VULNERABILITIES..........................................................................................1
10.3 SELECTING, DESIGNING, CONSTRUCTING AND MAINTAINING A SECURE SITE ...................1
Site location and construction .....................................................................1
Physical access controls..............................................................................1
Power issues and controls...........................................................................2
Environmental controls...............................................................................2
Water exposure problems and controls.........................................................2
Fire prevention and protection.....................................................................3
10.4 TAPE AND MEDIA LIBRARY RETENTION POLICIES .....................................................3
10.5 DOCUMENT (HARD-COPY) LIBRARIES...................................................................3
10.6 WASTE DISPOSAL .........................................................................................4
10.7 PHYSICAL INTRUSION DETECTION.......................................................................4
10.8 ADDENDUM .................................................................................................4
ABBREVIATIONS I

CISSP 1-1

1 Access Control Systems and Methodology
Access control is the collection of mechanisms that permits managers of a system to
exercise a directing or restraining influence over the behavior, use, and content of a
system.
1.1 Authentication and access control
The key part of security is controlling access to critical information. We distinguish
between authentication and access control. Authentication identifies a user and verifies
that the user is who he says he is. Access control systems control what access he is
given on the system. This is called the principle of least privilege: give a user
the least amount of access he needs to do his job and nothing else.
1.2 Accountability
Accountability is the process of tracking the behavior of people regarding their actions
and given access controls. Then, you can make people accountable for their actions so
you can properly enforce access controls. A commonly used way is logging.
1.3 Access Control Techniques
Access control techniques are:

Discretionary Access Control

Mandatory Access Control

Lattice-based access control

Rule-based access control

Role-based access control

The use of access control lists
DISCRETIONARY ACCESS CONTROL - DAC
This type of control is essentially based on human decisions about whether some-
one/something should be allowed access to a particular resource. Most times guide-
lines or policies are rigidly used. They are open to mistakes and can easily be overrid-
den. The biggest problem is humans (managers) overriding access controls for certain
individuals who complain they have too few permissions.
DAC is a low level of access control and very subjective.
MANDATORY ACCESS CONTROL - MAC
MAC is based on using classification levels controlled by computer systems. These
systems are popular in government-type environments and financial institutes. Each
user gets a classification level associated with their account and each piece of data has
a classification level.
Most times accounts can include a hierarchy in access rights. We call this multilevel
security. This is not always wanted. Another classification is compartmentalization, e.g.
HR accounts and Finance accounts.
LATTICE-BASED ACCESS CONTROL
This type of control is based on a set of security classes that can be assigned to users
or objects, for example: confidential, secret, top secret. Based on these classes a set
of flow operations is defined showing how information can flow from one class to
another. The requirements for a lattice are:

The set of security classes must be finite and must not change.

All the flow operations must form a partial order with the following properties:
Reflexive: an item can always flow back to the security class it came from
(two-way direction), e.g. confidential <-> secret.
Anti-symmetric: an item cannot flow back to the security class it came from
(one-way direction), e.g. confidential -> secret.
Transitive: information flowing into a certain security class by going through
another security class can also directly flow into that class, e.g.
confidential -> secret -> top secret includes the property
confidential -> top secret.

It must have a lower bound (the null class).

It must have an upper bound which represents a combination of all the items in
the security class.
RULE-BASED ACCESS CONTROL
This kind of control is based on rule sets for individuals. These are not needed for small
companies because everybody knows his role and is trusted to some extent. However, for
larger organizations they provide a fine level of granularity. Disadvantages are:

Time consuming - you have to figure out what everybody is allowed to do

Maintainability - it becomes a complex list
This is why some companies prefer role-based access control.
ROLE-BASED ACCESS CONTROL
Access is provided to roles or positions across a company. Access is then assigned to
the role based on the job function of a position. This control is easy to maintain and
manage. It is typically implemented by using groups to which permissions are given.
ACCESS CONTROL LISTS
These are similar to rule-based access controls but more formalized. ACLs contain a list
of rules, usually based on IP addresses or some other piece of information that is
easily discernible in the packet that goes across the network. ACLs are often
associated with routers.
1.4 Access Control Administration
Setting up an administration is easy; the ongoing maintenance is the difficult part. It
essentially involves a user ID and a password which has to be set up and maintained
for every user of the system. User accounts should be disabled when an employee
leaves the company instead of deleting them.
ACCOUNT ADMINISTRATION
With a new account:

Assign a unique initial random temporary password to the account.

Force the person to change it to another password only known to him.

Prevent multiple people from having access to the same password: you lose ac-
countability.

Keep track of all access controls through logging (successes and failures).

Always give someone the least amount of access he needs to do his job and
nothing else.

Maintain separation of duties for access to sensitive information. This means
that multiple people must participate to gain access (e.g. launching a nuclear weapon).
Example lattice (figure): {} is the lower bound, {A} and {B} lie above it, and {A, B} is the upper bound.
1.5 Access Control models / strategies
The models in this section serve as rules of the road when figuring out some general
principles that should be followed when implementing access control. In the explana-
tion two terms are used: objects, which refers to passive items such as hardware, soft-
ware and processes that store information, and subjects, which are active processes that
move information (such as persons or devices).
BELL-LAPADULA
Bell-LaPadula (1970s) is a governmental information flow security model and focuses
on confidentiality. Access to information is controlled by access lists, but the move-
ment of information is controlled by this paradigm: it protects people from accessing
information they should not have access to. It is a bottom-up model which says that
information can flow from the bottom to the top but not downwards. It is composed of
two rules:

The simple security rule deals with reading information or files.

The star property rule deals with writing information or creating new files.
Simple Security Rule

A principal P can read an object O only if the security level of P is higher than or equal
to the security level of O. This rule ensures that someone can only read information
up to the level he is classified for, but not higher.
Star Property Rule

A principal P can write to an object O only if the security label of O is higher than or
equal to the security label of P. Information cannot be written to a lower classification
level. This property prevents the leakage of information; for example against write-
down Trojan horses that attempt to read secure information and write it down into a
generally accessible file so an evildoer has access to it. It also prevents copying classified
data from a protected folder to a general folder.
Bell-LaPadula follows the Basic Security Theorem and has the following basic concepts:

Fundamental modes of access: access modes such as read, write, read only and so on
are defined to permit access between subjects and objects.

Dominance relations: a relationship between the formal security levels of subjects
and objects describes the access permitted between them.

Simple Security Condition: see above.

Discretionary security property: a specific subject is authorized for a particular
mode of access that is required for state transition. A matrix is used to specify
discretionary access controls.

Star (*) property: see above.

Strong * property: reading/writing is permitted at a particular level of sensitivity,
but not on higher or lower levels.

Trusted subject: access under this option is not constrained by the star property.
Where the * property is too rigid, data can be moved using a trusted subject.

Untrusted subject: access under this option is constrained by the star property.
BIBA
Biba is, like BLP, an information-flow model, but it deals with integrity in computer systems: it is all about preventing unauthorized modification of data. It has the same two rules (simple security and star property) as BLP, but both rules are the reverse of the BLP rules. Within Biba information can only flow from the top down.
Simple Security Rule

A principal P can read an object O only if the integrity level of P is lower than or equal to the integrity level of O ("no read down"). Because Biba deals with integrity, a subject may not base its work on information of lower integrity; for example, when you withdraw money from your bank account, the employee does not rely on what you say about your balance.
Star Property Rule

A principal P can write to an object O only if the integrity level of O is lower than or equal to the integrity level of P ("no write up"). Because Biba deals with integrity, you cannot write up. To withdraw 100 from your account at the bank, it is not accepted that you tell the employee that there is enough money in your account (that would be a write up); the employee checks the system to see whether you have enough money in your account.
Summary:
- BLP (confidentiality): you cannot read up; you cannot write down.
- Biba (integrity): you cannot read down; you cannot write up.
Access Control Systems and Methodology
CISSP 1-4
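The BLP and Biba rules above, together with the strong * property and the trusted-subject exception, expressed as a small reference monitor. This is an added Python example, not code from the books or from this summary; the four-level ordering and the subjects and objects are constructed for the illustration, and one ordering is reused for both confidentiality and integrity labels (a real system keeps them as separate lattices). The write-down Trojan from the star property discussion is simulated as a process that reads a secret document and then tries to write a public one.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """A linear ordering of labels; a higher value dominates a lower one.
    Used as a classification for BLP and (for illustration) as an integrity level for Biba."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass
class Subject:
    name: str
    level: Level
    trusted: bool = False  # BLP trusted subject: exempt from the * property


@dataclass
class Obj:
    name: str
    level: Level


def blp_allows(s: Subject, o: Obj, mode: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if mode == "read":                    # simple security rule
        return s.level >= o.level
    if mode == "write":                   # * property, unless the subject is trusted
        return s.trusted or o.level >= s.level
    raise ValueError(f"unknown access mode {mode!r}")


def biba_allows(s: Subject, o: Obj, mode: str) -> bool:
    """Biba (integrity): no read down, no write up."""
    if mode == "read":                    # simple integrity rule
        return s.level <= o.level
    if mode == "write":                   # * integrity rule
        return o.level <= s.level
    raise ValueError(f"unknown access mode {mode!r}")


def strong_star_allows(s: Subject, o: Obj, mode: str) -> bool:
    """BLP strong * property: read and write only at exactly the subject's own level."""
    return mode in ("read", "write") and s.level == o.level


def write_down_trojan(model, process: Subject, secret_doc: Obj, public_doc: Obj) -> dict:
    """Simulate a Trojan horse running with `process`'s clearance that reads a secret
    document and tries to copy it into a public one. Returns what the monitor allows."""
    return {
        "read_secret": model(process, secret_doc, "read"),
        "write_public": model(process, public_doc, "write"),
    }


if __name__ == "__main__":
    alice = Subject("alice", Level.SECRET)          # constructed subject
    plan = Obj("plan.doc", Level.SECRET)            # constructed objects
    memo = Obj("memo.txt", Level.UNCLASSIFIED)
    print("BLP :", write_down_trojan(blp_allows, alice, plan, memo))
    print("Biba:", write_down_trojan(biba_allows, alice, plan, memo))
```

Under BLP the Trojan's read succeeds but the write to the unclassified file is refused, which is exactly the leak the * property exists to stop; under Biba the same two operations are judged on integrity, so the read of a higher-integrity object is fine and the write down to a lower-integrity object is also fine, while any write up would be refused.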
LIPNER'S LATTICE
Lipner applied the former models, which were designed for government settings, to commercial settings. He replaced terms such as confidential and secret with categories such as system programmer, production code and so on.
NON-INTERFERENCE MODELS
Non-interference models examine the inputs and outputs of a system to determine whether a user at one level can infer information from another level that he should not have access to. An example is two groups using one system: group A uses commands X, group B uses commands Y. A does not learn anything about the commands of B, and X does not interfere with Y.
1.6 Identification and Authentication Techniques
Authentication is the process of proving that you are who you claim to be. There are several techniques for this:
- Passwords
- One-time passwords
- Challenge response
- Biometrics
- Tickets
- Single sign-on
There are three factors that can be used to authenticate yourself:
- Something you know (passwords)
- Something you have (one-time password tokens)
- Something you are (biometrics)
PASSWORDS
The problem is that users tend to choose easy-to-guess passwords, and tend to write down difficult ones. Both make it easy for others to find out the password.
ONE-TIME PASSWORDS
These passwords solve the problems of normal passwords: each password is valid only once. These systems normally use hardware devices (tokens) that generate a new password at a fixed interval (e.g. every minute), but there are also software tools. The server runs the same algorithm with the same secret, so the password can easily be checked. One problem is that users have to ensure that they have the device with them all the time. Another problem is that the clocks of the device and the server may get out of sync.
CHALLENGE RESPONSE
Challenge-response schemes are an alternative to time-based one-time passwords. The user identifies himself to the server with his user ID. The server responds with a challenge (a code) which has to be entered on the device. The device computes a response from the challenge and its secret, which the user provides to the server; the server computes the same value and compares the two.
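Both token mechanisms described above, the time-based one-time password with its clock-drift problem and the challenge-response variant, implemented server- and device-side. This is an added Python example, not code from the books or this summary. The HOTP core is RFC 4226 (HMAC-SHA1, dynamic truncation); the one-minute step, the drift window, the constructed secret and the digit-only challenge-response encoding are assumptions made for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Token side: the counter is the current time step (one minute here, as in the text)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, server_time: int, last_counter: int = -1,
                step: int = 60, window: int = 1):
    """Server side. Accepts a code from up to `window` steps before or after the
    server's own clock, which tolerates the clock drift mentioned in the text.
    Returns the accepted counter, or None. The caller must store the returned
    counter and pass it back as last_counter, otherwise a sniffed code can be
    replayed for as long as the window keeps it valid."""
    now = server_time // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:            # already used: refuse replay
            continue
        if hmac.compare_digest(hotp(secret, counter, len(code)), code):
            return counter
    return None


def challenge_response(secret: bytes, challenge: bytes, digits: int = 8) -> str:
    """Device side: the response is a keyed hash of the server's challenge,
    reduced to digits so it can be typed from a keypad device."""
    digest = hmac.new(secret, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10 ** digits).zfill(digits)


def verify_challenge_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute and compare in constant time."""
    expected = challenge_response(secret, challenge, len(response))
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    secret = b"12345678901234567890"            # RFC 4226 test secret, not a real one
    code = totp(secret, 1000)                   # token clock says t=1000
    print("drift of one step accepted:", verify_totp(secret, code, 1045) is not None)
    print("same code a second time   :", verify_totp(secret, code, 1045, last_counter=16))
```

A server that accepts a window of steps must also remember the last counter it accepted; without that, the drift tolerance turns every sniffed code into a replayable password for a couple of minutes.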
BIOMETRICS
You do not have to carry devices around that can break or get lost. Biometric devices can authenticate a user by fingerprint, hand geometry, face or retinal scan.
TICKETS
These systems provide you with an encrypted ticket which has to be decrypted. Secret keys have to be exchanged prior to the authentication process. When you connect to the system, you give it your user ID. The server sends you an encrypted ticket; if you are who you claim to be, you hold the key and can decrypt the ticket.
A common example of such a program is Kerberos. The drawback of these systems is that they do not scale very well.
SINGLE SIGN-ON
Single sign-on is used when you have a large number of applications that need to authenticate the same user. To prevent logging in many times, the user logs on once to a central server that authenticates the user to the other applications. The disadvantage is that an attacker has access to all the systems once he knows the primary user ID and password.
1.7 Access Control Methodologies
There are two primary remote access control protocols:
- RADIUS: Remote Authentication Dial-In User Service
- TACACS: Terminal Access Controller Access Control System
TACACS+ is the successor of TACACS (a separate, not backward-compatible protocol) with more advanced features.
CENTRALIZED/REMOTE AUTHENTICATION ACCESS CONTROLS
RADIUS and TACACS+ are used when users are required to authenticate to different applications and you do not want to manage a separate list of user accounts for each application. All the applications point to the RADIUS or TACACS+ server to authenticate the users. This way you only have to administer and manage one set of accounts and credentials.
RADIUS and TACACS+ are also used with devices and applications that do not have built-in facilities for user administration, such as routers.
The disadvantage of centralized access control is that the central server is a SPOF (single point of failure). It works well for small companies but not for bigger ones, unless you add backup and failover capabilities or use decentralized control.
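What "all the applications point to the RADIUS server" looks like on the wire: the NAS (e.g. a router) hides the user's password with the shared secret, and the server proves its answer is genuine with a Response Authenticator. This is an added Python example of the RFC 2865 Access-Request/Access-Accept exchange, not code from the books or this summary; the shared secret, the request authenticator and the user credentials are constructed for the example (a real NAS draws the 16-byte Request Authenticator from a CSPRNG).

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2           # attribute types


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def parse_attributes(attrs: bytes) -> dict:
    result, i = {}, 0
    while i < len(attrs):
        attr_type, length = struct.unpack(">BB", attrs[i:i + 2])
        result[attr_type] = attrs[i + 2:i + length]
        i += length
    return result


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), the first block seeded by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        cipher_block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out, prev = out + cipher_block, cipher_block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse hide_password with the same shared secret (NUL padding stripped)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        cipher_block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(cipher_block, key_block))
        prev = cipher_block
    return out.rstrip(b"\x00")


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack(">BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, request_auth, attrs, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator; a forger without the secret fails."""
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    attrs = packet[20:length]
    expected = response_authenticator(code, identifier, request_auth, attrs, secret)
    return hmac.compare_digest(expected, packet[4:20])


def exchange(secret: bytes, username: bytes, password: bytes, request_auth: bytes):
    """Full round trip. Returns (password as recovered by the server, Access-Accept packet)."""
    # NAS: Access-Request with the hidden password
    attrs = attribute(USER_NAME, username) + \
        attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    request = build_packet(ACCESS_REQUEST, 7, request_auth, attrs)
    # Server: parse, recover the password, answer with an authenticated Access-Accept
    parsed = parse_attributes(request[20:])
    revealed = reveal_password(parsed[USER_PASSWORD], secret, request[4:20])
    accept = build_packet(ACCESS_ACCEPT, 7,
                          response_authenticator(ACCESS_ACCEPT, 7, request[4:20], b"", secret),
                          b"")
    return revealed, accept


if __name__ == "__main__":
    secret, request_auth = b"testing123", bytes(range(16))       # constructed values
    pw, accept = exchange(secret, b"alice", b"correct horse battery staple", request_auth)
    print("server recovered:", pw, "| NAS accepts reply:", verify_response(accept, request_auth, secret))
```

Note what this protection rests on: MD5 and a single shared secret per NAS. Anyone who captures an Access-Request and its reply can try secrets offline against the Response Authenticator, and the password hiding is a stream of MD5 outputs rather than real encryption, which is why RADIUS traffic belongs on an isolated management network or inside IPsec/TLS rather than on the same wire as the users.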
DECENTRALIZED ACCESS CONTROL
With this kind of control each individual or department is responsible for its own access control (e.g. Windows for Workgroups). Most organizations use hybrid systems: they set up zones or domains, each with centralized access control for that domain.
A domain is a group of computers under the same administrative authority. From an access control standpoint, a domain is a group of systems that all authenticate to a central system or group of systems.
Each domain has its own controller. The controllers push a copy of their databases at regular intervals to the other controllers, which hold these copies read-only unless a controller goes down; another controller then takes over the function of the failed controller.
If a user wants access to another domain, trust comes into play. This is done by setting up trust relationships between domains. You can have a full (two-way) trust or a one-way trust. Full trust means that users of each domain have access to the other domain. One-way trust means that users of one domain have access to the other domain, but not the other way around.
1.8 Methods of Attack
Methods of attack are:
- Brute force
- Denial of service
- Spoofing
- Sniffing
BRUTE FORCE
Trying all possible combinations; most popular for cracking passwords. A subset of the brute-force attack is the dictionary attack (trying passwords based on dictionary words).
DENIAL OF SERVICE
Preventing others from gaining access to a server. Ways to launch a DoS attack against access control are:
- locking out all accounts by entering false passwords (most of the time the account is locked after the third wrong password, so the lockout policy itself becomes the attack vector);
- flooding the pipes (using up all available resources).
SPOOFING
Spoofing is using somebody else's identity, pretending that you are that person. To prevent this you should use multi-factor authentication, so that an attacker needs both something you know and something you have.
SNIFFING
Using a tool (a sniffer) on the wire to read unencrypted user IDs and passwords as they pass by.
1.9 Monitoring
INTRUSION DETECTION
Intrusion detection is the field of study dealing with monitoring networks and hosts and looking for attacks. It is passive; the emphasis is on detection: you monitor a network or host looking for signs of an attack. Intrusion detection systems do not prevent an attack, they alert that a potential problem exists.
Types of intrusions are:
- Host versus network
- Passive versus active
- Known versus unknown
Host versus network
Is the attacker trying to gain access to a single host or to the entire network? Entering a company's network through a single host requires physical access to that host, or a stolen computer which has access to that host.
Intrusion Detection Systems (IDS) are broken down into host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS). HIDSs are passive components (they analyze logs), sit on a single computer, are configured for a special purpose and do not scale very well. NIDSs are active components: they sit on a network like a sniffer examining the network traffic in real time, scale very well and look out for general types of attacks.
Passive versus active
An active attack means that an intruder is actively doing something on the network once he has access to it. A passive attack means that once the intruder is in the network, he monitors traffic or keystrokes to find information. Active attacks are easier to detect because the intruder is actually doing something. Passive attacks are very difficult to detect because the intruder is only listening.
Known versus unknown
A known attack exploits a vulnerability the vendor has acknowledged to be a security hole in its software. Most of the time these holes are patched, but as long as the patches are not applied by the customer, the network is still vulnerable.
Unknown attacks exploit vulnerabilities that are known only to a small group of people and are not public knowledge. Because the vendor does not know about these vulnerabilities, it cannot release a patch.
INTRUSION PREVENTION
Until 2002 intrusion prevention meant preventing intrusions by strong identification and authentication (one-time passwords, biometrics and so on).
From 2002 intrusion prevention describes a new class of systems: the intrusion prevention system (IPS). It looks for possible attacks on the network like an IDS (passive), but also acts as an in-line device, like a firewall, through which traffic must pass. If an attack is sensed, it stops the attack by blocking the traffic, or prevents malicious behavior by enforcing rules and policies.
HOW INTRUSION DETECTION WORKS
There are two typical types of IDS: signature matching and anomaly detection.
Signature matching

Signature or pattern matching uses a database of known attack signatures. When a signature is found in the traffic or the logs, the IDS sends an alert.
Positive aspects of signature matching:
- Easy to update
- You can create your own signatures
Negative aspects of signature matching:
- They detect only known attacks
- They are based on static signatures and therefore tend to generate a high number of false positives
Anomaly detection

The concept is to determine what normal traffic is and to alert on deviations from it. Positive aspects of anomaly detection:
- You do not have to worry about signature updates, and previously unknown attacks can be detected
Negative aspects of anomaly detection:
- You have to determine what is normal and what is not, and any change in legitimate behavior looks like an attack
After an IDS determines that an attack has been detected, it sets off some type of alarm: for example a message to a pager, or an instruction to a firewall to update its rule sets (which can be tricky, because an intruder may deliberately provoke this, for example by spoofing a trusted address so that it gets blocked).
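The two detection approaches side by side, run over sample web-server log lines. This is an added Python example, not code from the books or this summary; the log lines, the three signatures and the "requests per host" baseline are all constructed for the illustration. It shows the trade-off the text describes: the signature scanner finds the known traversal and injection patterns but misses the unknown one (a probe that ends with a download of a customer export), while the anomaly scanner catches that host purely because its behavior differs from the training window.

```python
import re
import statistics
from collections import Counter

# Constructed sample logs (not from a real system), one request per line:
# "src_ip method path status". TRAINING_LOG is the baseline of normal traffic.
TRAINING_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.5 GET /news.html 200
10.0.0.7 GET /index.html 200
10.0.0.7 GET /search?q=printers 200
10.0.0.9 GET /index.html 200
10.0.0.9 GET /cgi-bin/view?file=report.txt 200
10.0.0.9 GET /contact.html 200
10.0.0.11 GET /index.html 200
10.0.0.11 GET /login 200
"""

LIVE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /login?user=admin'%20OR%201=1 200
10.0.0.5 GET /about.html 200
10.0.0.9 GET /cgi-bin/view?file=../../etc/passwd 403
10.0.0.9 GET /contact.html 200
10.0.0.42 GET /index.html 200
10.0.0.42 GET /admin/ 404
10.0.0.42 GET /backup/ 404
10.0.0.42 GET /phpmyadmin/ 404
10.0.0.42 GET /.git/config 404
10.0.0.42 GET /wp-login.php 404
10.0.0.42 GET /server-status 403
10.0.0.42 GET /export/customers.csv 200
"""

# Signature database: name -> pattern over the request path (constructed, deliberately small).
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)(?:'|%27)(?:\s|%20)*(?:or|union)\b"),
    "command-injection": re.compile(r"(?i)[;|`](?:\s|%20)*(?:cat|wget|curl|sh)\b"),
}


def parse(log: str):
    """Yield (src_ip, method, path, status) for each log line."""
    for line in log.strip().splitlines():
        ip, method, path, status = line.split()
        yield ip, method, path, int(status)


def signature_scan(log: str):
    """Signature matching: report every request whose path matches a known attack pattern."""
    hits = []
    for ip, _method, path, _status in parse(log):
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((ip, name))
    return hits


def baseline(training_log: str, k: float = 3.0) -> float:
    """Anomaly detection, step 1: learn what 'normal' is. Here normal is the number
    of requests per host in the training window; the alert threshold is mean + k sigma."""
    counts = Counter(ip for ip, *_ in parse(training_log))
    values = list(counts.values())
    return statistics.mean(values) + k * statistics.pstdev(values)


def anomaly_scan(log: str, threshold: float):
    """Anomaly detection, step 2: flag hosts whose request volume exceeds the threshold."""
    counts = Counter(ip for ip, *_ in parse(log))
    return sorted(ip for ip, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print("signature hits :", signature_scan(LIVE_LOG))
    print("anomalous hosts:", anomaly_scan(LIVE_LOG, baseline(TRAINING_LOG)))
```

The same baseline is also the weak spot of the anomaly approach: a legitimate new crawler or a backup job that fetches many pages would trip the same threshold, which is the "you have to determine what is normal" cost listed above.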
1.10 Penetration testing
Penetration testing is also called ethical hacking. The idea is that you find weaknesses in your access control systems and policy and fix them before a real attacker breaks in.
PENETRATION TESTING VERSUS SECURITY ASSESSMENTS
A penetration test tests the security from the Internet, starting from a domain name and an IP address and nothing else. The goal is to find out as much as possible about the company, including ways to break in. You are proving that you can get in.
Security assessments do include a pen test but are much more thorough. You get access to all the key systems within a company to evaluate the current level of security. You are trying to paint a picture of the current threats that exist and what can be done to protect against them.
ETHICAL ISSUES
First of all, get written permission before starting a pen test. Keep in mind that although you do not mean to do harm, the system does not belong to you. Therefore you need permission, with the scope agreed in advance, before you can do anything.
PERFORMING A PENETRATION TEST
The steps are:
1. Perform passive reconnaissance
2. Perform active reconnaissance (scanning)
3. Exploit the system by gaining access through one of the following attack vectors:
   - Operating system attacks
   - Application-level attacks
   - Scripts and sample program attacks
   - Misconfiguration attacks
   - Elevation of privileges
   - Denial-of-service attacks
4. Upload programs
5. Download data
6. Maintain access by:
   - Back doors
   - Trojan horses
7. Cover your tracks
In most cases the pen test includes just steps 1 to 3.
Common tools for pen tests are Nessus and Nmap. Nessus scans for (known) vulnerabilities across various operating systems and reports back. Nmap scans which ports are open, performs OS fingerprinting and has other advanced features such as spoofing (decoy scans).
CISSP 2-1

2 Telecommunications and Network Security
2.1 The Open Systems Interconnection Model
The need to network computers came with the desire to share resources like printers. The biggest hindrance was the lack of networking standards. Clients could only be connected to one kind of network (Novell, Unix or Microsoft), which did not scale at all. The OSI model is a scalable open standard facilitating open communication between all systems. It is a framework of how networking functions.
2.2 The OSI Layers
The benefits of a layered reference model are:
- It divides the complex network operation into smaller pieces or layers;
- It facilitates the ability to change one layer without having to change all the layers;
- It defines a standard interface for multi-vendor integration.
Layer 7, Application: responsible for interfacing with the user.
Layer 6, Presentation: responsible for translating the data from something the user expects to something the network expects.
Layer 5, Session: responsible for dialog control between systems and applications.
Layer 4, Transport: responsible for handling end-to-end data transport services. Data unit: segment.
Layer 3, Network: responsible for logical addressing. Data unit: packet.
Layer 2, Data Link: responsible for physical addressing. Data unit: frame.
Layer 1, Physical: responsible for physical delivery and specification. Data unit: bits.
Note: A protocol may perform multiple functions across multiple layers.
LAYER 7 - APPLICATION LAYER
The Application layer is responsible for providing the user access to network resources via the use of network-aware applications. Note: not every program is network-aware; programs that are not do not belong to the Application layer. Examples of network-aware programs are:
- Email gateways (POP3, SMTP, X.400): these programs deliver messages between applications;
- Newsgroup and IRC programs, using NNTP and IRC, providing for communication between hosts by allowing the posting of messages to a news server or the typing of a live conversation between chat clients;
- Database applications, providing data storage and warehousing capabilities in central data repositories that can be accessed, managed and updated;
- WWW applications, providing access to Web resources; these applications include client Web browsers and Web servers.
Telecommunication and Network Security
CISSP 2-2
LAYER 6 - PRESENTATION LAYER
The Presentation layer is the translator of the network. It translates data which the user understands into data which the network understands. The following reside at this layer:
- Graphic formats such as JPEG, TIFF, GIF and BMP, which handle the presentation and display of graphic images;
- Sound and movie formats such as QuickTime, MPEG and WMF, which provide for the translation and presentation of sound and video files;
- Network redirectors, which handle the protocol conversions between the network-based formats (Server Message Block and NetWare Core Protocol) and the end-user applications.
LAYER 5 - SESSION LAYER
Network hosts run multiple applications and can connect to several other hosts running multiple applications. The Session layer sets up the logical communication channels between network hosts and applications. Each time a connection is made, it is called a session. The layer provides a mechanism for setting up, maintaining and tearing down sessions, keeping the data of one application separate from that of other applications. Examples of Session layer protocols are:
- Network File System (NFS): used with TCP/IP and Unix for remote access to resources;
- Remote Procedure Call (RPC): a client/server redirection mechanism;
- Structured Query Language (SQL): a mechanism to access and define a user's information requirements when connecting to a database.
LAYER 4 - TRANSPORT LAYER
The Transport layer is responsible for handling the end-to-end communication between host systems, via a process known as segmentation and reassembly. Data from the upper layer is broken up into segments with a certain maximum size and passed to the Network layer. Segments are numbered so that the receiving system knows how to reassemble them. The logical communication between hosts is referred to as a virtual circuit.
Protocols that reside on this layer are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
LAYER 3 - NETWORK LAYER
The Network layer is responsible for the logical addressing of packets and the routing of data between networks. There are local and remote hosts. Local hosts can receive the physical signal that the source host transmits. Remote hosts are hosts in physically different locations and/or networks; they cannot receive the physical signal. Therefore the Network layer uses logical addresses to identify hosts. The process of transmitting data regardless of physical location is known as routing.
Protocols that reside on this layer are IP (Internet Protocol) and IPX (Internetwork Packet Exchange). Routers and Layer-3 switches are considered Network layer devices because of their special capabilities. They know the difference between networks, thus they can be used to separate broadcast domains: by default they will not forward broadcasts (data addressed to all hosts, regardless of whether the destination can do anything with the data) from one network to another.
Broadcasts and collisions can greatly degrade network performance. Processing broadcasts prevents a host from doing other tasks. You can improve performance by using routers to separate broadcast domains, thus reducing the number of systems that have to deal with broadcasts. Collisions occur when multiple devices share the same single segment of cable. A cable can only carry one signal at a time. Collisions cause devices to retransmit data, thus decreasing the performance of the network.
IP handles the logical addressing of hosts and the routing of data via a hierarchical addressing scheme. The benefits are scalability (it can handle more addresses than a flat scheme) and much simpler routing, because networks can be grouped together and treated as single entries in the routing table, making routing much more efficient. IP is defined in RFC 791.
IPX is used primarily on Novell-based networks and provides for the logical addressing of hosts via network and host addresses.
LAYER 2 - DATA LINK LAYER
This layer is responsible for the physical addressing of frames and the translation of packets from the Network layer into bits for the Physical layer to transmit. Packets from the Network layer are encapsulated with a data link header and trailer to become frames. A CRC (Cyclic Redundancy Check) in the trailer, the frame check sequence (FCS), is used to detect transmission errors; note that a CRC only detects accidental corruption, not deliberate modification, because anyone who changes the frame can recompute it. The Data Link layer uses the hardware (MAC) address to identify the source and destination devices. The layer is split into two sublayers:
- The LLC sublayer (IEEE 802.2): defines the interface between the Network layer and the underlying network architecture.
- The MAC sublayer (IEEE 802.3 for Ethernet): defines how the frames are transmitted on the medium.
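Encapsulation from segment to frame, with the two integrity fields the layers add: the IPv4 header checksum at layer 3 and the CRC-32 frame check sequence at layer 2. This is an added Python example, not code from the books or this summary; the addresses, ports and payload are constructed, the UDP checksum is left at 0 (permitted over IPv4), and the FCS is computed with zlib.crc32, which uses the same polynomial as the IEEE 802.3 FCS (byte-order details of real NICs are out of scope here). The last function makes the caveat from the text concrete: a bit flip on the wire is caught, a deliberate rewrite with a recomputed CRC is not.

```python
import struct
import zlib

ETH_HDR_LEN, IP_HDR_LEN, UDP_HDR_LEN = 14, 20, 8


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented.
    Computed over a header that already carries its checksum, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src_port: int, dst_port: int, data: bytes) -> bytes:
    """Layer 4: UDP header (ports, length, checksum 0 = not used) + upper-layer data."""
    return struct.pack(">HHHH", src_port, dst_port, UDP_HDR_LEN + len(data), 0) + data


def build_packet(src_ip: str, dst_ip: str, segment: bytes, ttl: int = 64) -> bytes:
    """Layer 3: IPv4 header with the logical addresses + segment (protocol 17 = UDP)."""
    src = bytes(int(octet) for octet in src_ip.split("."))
    dst = bytes(int(octet) for octet in dst_ip.split("."))
    header = struct.pack(">BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(segment),
                         0x1234, 0, ttl, 17, 0, src, dst)
    header = header[:10] + struct.pack(">H", ipv4_checksum(header)) + header[12:]
    return header + segment


def build_frame(dst_mac: bytes, src_mac: bytes, packet: bytes) -> bytes:
    """Layer 2: MAC header (physical addresses, EtherType 0x0800 = IPv4) + packet + FCS."""
    body = dst_mac + src_mac + struct.pack(">H", 0x0800) + packet
    return body + struct.pack("<I", zlib.crc32(body))


def fcs_ok(frame: bytes) -> bool:
    """What the receiving NIC does: recompute the CRC over everything before the FCS."""
    return struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]


def ip_header_ok(packet: bytes) -> bool:
    return ipv4_checksum(packet[:IP_HDR_LEN]) == 0


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a transmission error: flip a single bit."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def tamper_payload(frame: bytes, new_data: bytes) -> bytes:
    """Simulate an attacker on the wire: replace the UDP data (same length) and
    recompute the FCS. The receiver cannot tell: a CRC is an error check, not a MAC."""
    body = frame[:-4]
    offset = ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN
    if len(body) - offset != len(new_data):
        raise ValueError("replacement must keep the payload length")
    body = body[:offset] + new_data
    return body + struct.pack("<I", zlib.crc32(body))


if __name__ == "__main__":
    segment = build_segment(53, 53, b"hello")                        # constructed payload
    packet = build_packet("192.168.1.10", "192.168.1.1", segment)
    frame = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", packet)
    print("frame ok          :", fcs_ok(frame))
    print("after bit flip    :", fcs_ok(flip_bit(frame, 42 * 8)))
    print("after tampering   :", fcs_ok(tamper_payload(frame, b"HELLO")))
```

The lesson for the security engineer is the difference between an error-detecting code and an authentication code: the FCS and the IP checksum protect against noise, and only a keyed construction (a MAC, or a signature) protects against someone on the wire.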
LAYER 1 - PHYSICAL LAYER
This layer is responsible for sending and receiving bits. It handles the specifications for the electrical, mechanical and procedural components of the communications media. It also identifies the DTE (Data Terminal Equipment) and DCE (Data Circuit-terminating Equipment) used in physical signaling and in transmitting and receiving data. Hubs and repeaters are considered Physical layer devices because they simply receive, re-amplify and forward the signal without looking at the data that is being transmitted.
2.3 Network Characteristics and Topologies
Types of networks and connection types:
- Ethernet: coax, UTP, fiber optic, wireless transmission
- Thin coax / 10BASE-2: RG58/U
- 10BASE-T: Category 3, 4, 5, 5e or better cabling
- Fiber: 62.5/125 micron multimode fiber (short haul) or 9 micron single-mode fiber (long haul)
- Wireless: radio or microwave transmission methods
COAX
Thin coax networks (thin-net or 10BASE-2) use coaxial cabling with T-connectors to connect to the NICs. Thick-net or 10BASE-5 uses coaxial cabling with vampire taps and AUI transceivers to connect to the NICs. Existing cable specifications for coax cable are RG-58/U, RG-58 A/U, RG-58 C/U, RG-59, RG-6, RG-62 and RG-8.
[Figure: encapsulation through the layers. Session layer: upper-layer data. Transport layer: TCP/UDP header + data = segment. Network layer: IP header + data = packet. Data Link layer: LLC header, MAC header + data + FCS = frame. Physical layer: bits (01001101010101).]
Coax is a bus network. There is a 50 ohm resistor (terminator) at each end of a bus segment to stop the signal from bouncing back along the wire (50 ohm being the characteristic impedance of the cable). Because a coax segment has a single point of failure for the entire segment, which is difficult to troubleshoot, these networks are less commonly used. A TDR (Time Domain Reflectometer) can be used to give an approximate distance to a break in the wire.
10BASE-2 stands for 10 Mbps over a maximum segment length of 200 meters (actually 185). It adheres to the 5-4-3 rule, meaning that you can have a maximum of 5 segments via 4 repeaters, but only 3 segments can have hosts on them. The other 2 segments are called IRLs (Inter-Repeater Links). The maximum number of nodes per segment is 30. 10BASE-2 uses BNC (Bayonet Neill-Concelman, often expanded as British Naval Connector) connections: a BNC cable connector at the end of each cable and a BNC barrel connector or BNC T-connector to establish connections between cables.
10BASE-5 uses a vampire tap and a transceiver to connect devices. The transceiver provides the connectivity to devices via AUI (Attachment Unit Interface) connections. 10BASE-5 supports a maximum of 100 taps per segment, a maximum of 1024 hosts per network and a maximum segment length of 500 m. 10BASE-5 adheres to the 5-4-3 rule and uses barrels and terminators. It uses N-type connections: plugs, jacks, barrels and terminators.
UTP
UTP comes in 10BASE-T and 100BASE-TX media types (10 Mbps / 100 Mbps). The category indicates the signal-carrying quality, the number of wires used and the number of twists in the wires. These factors determine the potential speed.
- Category 3: voice and data up to 10 Mbps / 16 MHz
- Category 4: voice and data up to 16 Mbps / 20 MHz
- Category 5: voice and data up to 100 Mbps / 100 MHz
- Category 5e: voice and data up to 1,000 Mbps / 100 MHz
- Category 6: voice and data up to 1,000 Mbps / 250 MHz
- Category 7: voice and data up to 10,000 Mbps / 600 MHz
CAT5 and CAT5e are the most used. These categories use RJ-45 connectors, modular jacks, punch-down blocks or switches.
The four pairs of conductors twist around each other inside the cable jacket. UTP has no shielding and is very susceptible to EMI (electromagnetic interference); it should not be placed near EMI sources. Because the cable radiates, it is also very easy to capture the data being transmitted without placing a tap in the cable.
UTP has a maximum length of 100 meters and a maximum of 4 repeaters between end stations (hubs act as repeaters). There can be a maximum of 1024 stations per network.
UTP supports only two devices on a cable: a computer and a hub or switch. Therefore, failures are easy to pinpoint. Generally, if you have a link light with UTP the problem is elsewhere.
FIBER OPTIC
Fiber-optic cable is used for backbone and device interconnectivity. Because of its cost and fragility it is not used for end-user connectivity. It has replaced 10BASE-5 as the backbone interconnection method because of its speed and distance.
A fiber consists of a core (silica glass or plastic, 8 to 1000 microns) and a cladding which reflects the light that tries to escape the core. The cladding is surrounded by a coating (buffer). In a loose-buffer construction there is a layer of gel between the buffer and the fiber; in a tight-buffer construction there is not.
Fibers are typically bundled in (multiple) pairs of strands, because a fiber can only carry a signal in a single direction. The strands are reinforced by a plastic coating and then wrapped in Kevlar to provide both strength and flexibility.
One-pair cables are used in patch cord implementations; these are called simplex or zipcord. Multiple-fiber cable that is double buffered is referred to as distribution cable. To terminate such a cable, one needs a breakout box. A breakout cable is made of several simplex/zipcord cables.
MULTI-MODE FIBER
Multi-mode fiber is mainly used for short or medium distances and for lower-bandwidth applications. It is called multi-mode because it is designed to carry multiple light rays (modes), each using a slightly different reflection angle within the core. For 100 Mbps Ethernet the maximum distance is 2 km; for 1 Gbps Ethernet the maximum distance is 550 m.
SINGLE-MODE FIBER
Because single-mode fiber carries only a single ray it can be used for longer distances, and a smaller core is used. For 100 Mbps Ethernet the maximum distance is 20 km; for 1 Gbps Ethernet the maximum distance ranges from about 3 km up to 100 km.
The most used connectors are the ST (Straight Tip, remembered as "stick and twist"), SC (Subscriber Connector, "stick and click") and SC duplex connectors. Fibers are joined by splicing (fusion or mechanical). Fusion splicing welds the fibers together; mechanical splicing uses an alignment fixture to mate the fibers.
DENSE WAVELENGTH DIVISION MULTIPLEXING
Dense Wavelength Division Multiplexing (DWDM) is one of the newest forms of fiber-optic transmission. It works on the principle that light of different colors has different frequencies, and light at one frequency does not interfere with light at a different frequency. The advantage is that you have multiple channels of data on one fiber (4 to 32, and more as time goes by). OC-48 transmits at 2.5 Gbps per channel; the more channels, the more bandwidth you have.
WIRELESS
A big push for wireless has come from small office/home office (SOHO) users, because houses are not designed for network cabling. Another deployment has been with PoS (Point of Sale) systems.
Drawbacks are:
- Lack of standardization: think of 802.11 Wi-Fi, 802.11a, 802.11b, 802.11g and 802.15 Bluetooth.
- Security: the signal can easily be picked up from the air, and anyone with the appropriate equipment can connect to such a system.
- Interference: interference can severely limit the distances that wireless networks cover.
2.4 Network Topologies
LINEAR BUS TOPOLOGY
Within a linear bus all systems are connected in a row to a single cable. All computers share the same single piece of wire. This piece of cable is known as a segment.
Linear bus uses three core concepts:
- How the signal is transmitted
- Signal bounce
- Signal termination
Transmission
The signal is sent to all devices connected to the linear bus segment (this is not a broadcast!). All devices connected to the segment receive the signal, but not all of them process it.
Only one signal can exist on the segment at a time, so only one device can transmit at a time. The more devices you have, the worse the performance gets (contention). It is also a passive technology: the devices do not move the data from one device to another; the signal is generated at the source and all devices passively receive it.
Signal bounce
A signal that bounces back from the end of the cable would interfere with the communication of the other systems. To prevent this, a linear bus uses terminators at each end of the bus to absorb the signal.
Signal termination
If any part of the bus is not properly terminated, the entire bus ceases to function properly. Someone can take out all of the devices on the bus by removing the termination (for example by cutting the cable). Linear bus is very susceptible to cable faults.
STAR TOPOLOGY
All devices are connected to an active hub or switch. The benefit is that in case of a cable fault only one device is affected. Logically this network still operates as a bus, via the hub/switch.
Star topologies are used to implement a collapsed backbone. The backbone exists between hubs/switches and requires less cabling. If an individual cable fault occurs, the hub/switch isolates the port on which the cable fault occurs and allows the other devices to continue functioning. However, the hub/switch is a SPOF.
RING TOPOLOGY
A loop of cable is used to interconnect devices. The signal is transmitted in a single direction, with each device retransmitting the signal. Therefore it is an active topology.
A drawback is that if any system stops passing the signal or starts generating bad signals, it can take the entire ring out.
TREE TOPOLOGY
The tree topology is based on the bus and star topologies. Multiple nodes are supported on each branch.
MESH TOPOLOGY
In a mesh topology each node is connected to every other node. These networks are typically deployed to create backbone and WAN networks.
LAN AND WAN TECHNOLOGIES
Data is transmitted on LANs using one of three transmission techniques:
- Unicast: to 1 specific destination host (physically and logically).
- Broadcast: to all hosts within a subnet or network. A directed broadcast is addressed at Layer 3 to the broadcast address of a specific remote subnet; routers forward it like a unicast until it reaches that subnet, where it is delivered as a Layer 2 broadcast.
- Multicast: to multiple hosts via the use of group membership addresses.
ETHERNET
Ethernet is the most popular LAN technology because it can be implemented to be very tolerant of network failures. Ethernet is specified in the 802.3 specifications as a CSMA/CD methodology and is mostly cabled as a star topology (but functions like a linear bus). This means that multiple devices share the same bandwidth. CSMA/CD is also known as collision management:
- Carrier Sense: the host listens to the medium and only starts a transmission when it is idle.
- Multiple Access: multiple devices share and access the same medium.
- Collision Detection: while sending, the host keeps listening; if another host transmitted at the same time (a collision), it sends a jam signal, waits a random back-off period and then retransmits the data.
Ethernet can function in half-duplex (like a walkie-talkie) or full-duplex mode. For full-duplex mode you need two pairs of wires, one per direction, and collisions no longer occur.
TOKEN RING AND FDDI
Within a ring topology the most predominant method of transmitting data is token passing. In a token ring architecture the data is appended to a special frame, the token. The sending host must get the token first before it can append the data to it and transmit the token. The token is sent around the ring until it reaches its destination, or until it passes the active monitor twice (in which case it is deleted).
Token ring uses a logical ring but is mostly cabled as a star. It is an active technology
which uses the following ports:

Station ports These exist on token ring NICs and connect to the
network

Lobe ports These exist on the token ring hub or MAU and connect
to station ports

Ring in / Ring out ports Connect one ring to another ring.
The first system brought alive in a network is assigned as the active monitor. The ac-
tive monitor is responsible for generating the token, removing bad tokens, providing
clocking, maintaining ring delay, handling orphaned frames en purging the ring. Mali-
cious users can try to take over the role of active monitor and create a DoS.
Token-ring can be designed very fault tolerant but it is very costly. FDDI uses a redun-
dant ring to ensure fault tolerance.
ARCNET (ATTACHED RESOURCE COMPUTER NETWORK)
This is a dead network topology because it is a bus technology. ARCnet uses CSMA/CA (Collision Avoidance), using a token to transmit data.
2.5 LAN Devices
LAN technologies tend to focus on connecting a large number of systems that are in close proximity to each other to a very fast network.
HUBS AND REPEATERS
Hubs and repeaters do the same thing. As hubs have more ports than repeaters, they are also called multi-port repeaters. Hubs just amplify the signal and repeat it out of all ports. Therefore they are layer-1 devices.
SWITCHES AND BRIDGES
Switches and bridges are in general the same. Differences are:

- Switches are hardware based and use ASICs to make decisions; bridges use software and are therefore slower;
- Switches have more ports (they are called multi-port bridges);
- Switches can run multiple instances of spanning tree; bridges can run only one.

Spanning tree is a protocol used to determine redundant paths in a network and block any paths that would create loops (which can result in broadcast storms). Switches are layer-2 devices because they are Data Link layer aware (they know how physical addressing occurs and they use this to optimize network communications).
Switches use segmentation. Each port is considered by the switch as a segment. If a signal is received, it tries to determine to which port the destination host of the signal is connected and forwards the message to that specific port (destination port). If it cannot, it falls back to basic Ethernet behaviour and forwards the signal to all ports. A switch can provide some security via VLANs and port-based security.
Layer-3 switches are hybrid devices that combine layer-2 and layer-3 functionality, allowing the switch to forward frames when possible and route packets when needed. Layer-3 switches are particularly suited for VLAN environments.
VLANS
The goal of VLANs (Virtual Local Area Networks) is the separation of broadcast domains and the creation of subnets. They are logically segmented networks within a single switch or within a single switch fabric (group of physically connected switches). A router is needed to communicate between subnets. By restricting the traffic at the router and separating hosts between VLANs you gain a degree of security.
A drawback on the security side is that it is possible for data to transfer from one VLAN to another even though it normally shouldn't, due to exploits such as buffer overruns.
ROUTERS
Routers are network aware: they can differentiate between different networks. They use this information to build routing tables containing:

- the networks the router knows about;
- the remote router to use to connect to those networks;
- the paths (routes) to the networks;
- the costs (metrics) of sending data over the paths.

Routers are used to segment networks as well as to reduce broadcasts on a network. They provide better traffic management and security capabilities than switches and hubs can. They are able to examine logical addresses and layer-3 header information to determine what application ports are being used. This information is used for traffic filtering and blocking purposes.
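The lookup a router performs against such a table, as an added example that is not from this summary or the books it is based on: the most specific prefix wins, and among equal prefixes the lowest metric. The Python code, the route entries, the interface names and the (documentation-range) addresses are constructed for the illustration.

```python
# Added illustration (not from the summary): a minimal routing table with
# longest-prefix matching, the lookup a router performs for every packet.
# Network numbers, next hops and interface names are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network  # a network the router knows about
    next_hop: Optional[str]         # remote router to use (None = directly connected)
    interface: str                  # the path out of this router
    metric: int                     # cost of sending data over this path


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, network: str, next_hop: Optional[str], interface: str, metric: int) -> None:
        self.routes.append(Route(ipaddress.ip_network(network), next_hop, interface, metric))

    def lookup(self, destination: str) -> Optional[Route]:
        """Pick the most specific route; ties are broken by the lowest metric.
        Returns None when no route (not even a default route) covers the address."""
        addr = ipaddress.ip_address(destination)
        candidates = [r for r in self.routes if addr in r.network]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))

    def same_network(self, a: str, b: str) -> bool:
        """True when both hosts sit in the same directly connected network,
        i.e. no router is needed between them (routers segment networks)."""
        ra, rb = self.lookup(a), self.lookup(b)
        return ra is not None and ra.next_hop is None and ra == rb


def build_sample_table() -> RoutingTable:
    # Constructed example: two paths into 10.1.0.0/16 with different metrics,
    # one directly connected LAN and a default route for everything else.
    rt = RoutingTable()
    rt.add("192.0.2.0/24", None, "eth0", 0)          # directly connected
    rt.add("10.0.0.0/8", "192.0.2.1", "eth0", 20)
    rt.add("10.1.0.0/16", "192.0.2.2", "eth1", 10)   # preferred: same prefix, lower metric
    rt.add("10.1.0.0/16", "192.0.2.3", "eth2", 30)
    rt.add("0.0.0.0/0", "192.0.2.254", "eth0", 100)  # default route
    return rt


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("10.1.2.3", "10.2.0.1", "198.51.100.7"):
        r = table.lookup(dst)
        print(dst, "->", r.next_hop or "direct", "via", r.interface, "metric", r.metric)
```

The ordering key is the whole point: a /16 entry beats the /8 entry covering the same address regardless of metric, and the metric only decides between entries of equal length. A packet for which even the default route is missing has no candidate and would be discarded.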
FIREWALLS
Firewalls prevent traffic that is not authorized from entering or leaving the network. They are deployed as a perimeter security mechanism. There are six main types (generations) of firewalls:

1. Packet filtering: Traffic is checked against a rule set that defines what traffic is allowed and what is not, using IP addresses and/or port numbers. If there is a match, it can pass. Otherwise the packet is discarded. They operate very fast because they only need to read the layer-3/4 information to make a decision. A packet filtering firewall is also called a screening router. These firewalls reside on the network/transport layer and use ACLs.
2. Application proxy: This kind of firewall reads the entire packet up into the application layer before making a decision. This allows an application proxy firewall to recognize CodeRed data. They are slower than packet filtering firewalls. Another drawback is that the provided services are limited; if you need another service, you need an additional proxy. An application proxy firewall is sometimes called an ALG (Application Level Gateway). These firewalls reside on the application layer.
3. Circuit proxy: A bit of a hybrid between application proxies and packet filtering firewalls. A circuit is created between the source and destination without actually reading and processing the application data. The functionality is close to a packet filter. Circuit proxy firewalls are easier to maintain than an application proxy.
4. Stateful inspection: After a host has sent a packet to a destination, the destination host processes the data and sends a response. This network connection state is tracked by the firewall and then used in determining what traffic should be allowed to pass back through the firewall. Because these firewalls can examine the state of the conversation, they can monitor and track protocols as well, even UDP, which is connectionless. Many stateful packet inspection firewalls perform packet reassembly and check for harmful data; if found, the data is dropped. These firewalls reside on the network layer.
5. Dynamic packet filtering: A dynamic packet filtering firewall is used for providing limited support of connectionless protocols (UDP). It queues all the UDP packets that crossed the network perimeter and based on that will allow responses to pass back through the firewall.
6. Kernel proxy: These firewalls are highly customized and specialized to function in kernel mode of the operating system. This provides for modular, kernel-based, multi-layer session evaluation using customized TCP/IP stacks and kernel level proxies.
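The difference between a first-generation packet filter and stateful inspection (types 1, 4 and 5 above), as an added example that is not from this summary or the books: the stateless filter judges every packet on its own against the ACL, so the reply to a permitted outbound web request is dropped unless a broad inbound rule is added; the stateful filter remembers the flows it let out and admits only their replies, and keeps a short-lived pseudo-connection for UDP so DNS answers get back in. The Python code, the rule set, the addresses and the timeout value are constructed.

```python
# Added illustration (not from the summary): stateless packet filtering
# versus stateful inspection. Addresses, ports and the ACL are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out": internal -> external, "in": external -> internal


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in", "out" or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


class PacketFilter:
    """Stateless screening: the first matching ACL entry decides; implicit deny."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, p: Packet, now: int = 0) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


class StatefulFilter(PacketFilter):
    """Tracks allowed flows so their replies pass without an inbound ACL entry.
    UDP has no connection, so a pseudo-connection is kept for a short time
    (the dynamic packet filtering behaviour described above)."""

    def __init__(self, rules: List[Rule], udp_timeout: int = 30) -> None:
        super().__init__(rules)
        self.udp_timeout = udp_timeout
        self.flows: Dict[Tuple[str, str, int, str, int], int] = {}  # flow -> last seen

    def decide(self, p: Packet, now: int = 0) -> str:
        # Expire idle UDP pseudo-connections. A real firewall also closes TCP
        # entries on FIN/RST; this toy packet carries no flags, so TCP stays.
        self.flows = {k: t for k, t in self.flows.items()
                      if k[0] != "udp" or now - t <= self.udp_timeout}
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.flows:          # reply to a flow we let through
            self.flows[reverse] = now
            return "allow"
        action = super().decide(p, now)
        if action == "allow":
            self.flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = now
        return action


# Constructed policy: internal hosts may browse (tcp/80) and resolve names (udp/53).
RULES = [Rule("allow", "out", "tcp", 80), Rule("allow", "out", "udp", 53)]

WEB_REQ = Packet("tcp", "10.0.0.5", 40000, "198.51.100.10", 80, "out")
WEB_REPLY = Packet("tcp", "198.51.100.10", 80, "10.0.0.5", 40000, "in")
UNSOLICITED = Packet("tcp", "198.51.100.10", 80, "10.0.0.7", 445, "in")  # nobody asked for this
DNS_QUERY = Packet("udp", "10.0.0.5", 50000, "198.51.100.53", 53, "out")
DNS_REPLY = Packet("udp", "198.51.100.53", 53, "10.0.0.5", 50000, "in")


def run_scenario() -> Dict[str, str]:
    stateless = PacketFilter(RULES)
    stateful = StatefulFilter(RULES, udp_timeout=30)
    return {
        "stateless_request": stateless.decide(WEB_REQ),
        "stateless_reply": stateless.decide(WEB_REPLY),       # no inbound rule: dropped
        "stateful_request": stateful.decide(WEB_REQ, now=0),
        "stateful_reply": stateful.decide(WEB_REPLY, now=1),  # tracked flow: passes
        "stateful_unsolicited": stateful.decide(UNSOLICITED, now=1),
        "dns_query": stateful.decide(DNS_QUERY, now=10),
        "dns_reply_in_time": stateful.decide(DNS_REPLY, now=20),
        "dns_reply_too_late": stateful.decide(DNS_REPLY, now=60),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22s} {verdict}")
```

The unsolicited inbound packet is denied by both filters, which is the case the ACL alone handles well; the gain of state tracking is that the reply path no longer needs a permanent hole such as "allow inbound from source port 80".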
There are four general types of firewall architectures:

- Packet-filtering routers: A packet-filtering router sits along the boundary of two networks and is therefore called a boundary or perimeter router. Security is maintained by ACLs (Access Control Lists) that define allowed IP addresses, protocols and port numbers.

  Pluses:
  - Excellent first security boundary as a bulk filtering device.
  Minuses:
  - Maintaining the ACL can be very complex and time-consuming;
  - Lack of authentication and weak auditing capabilities.
- Screened-host firewall: These firewalls employ both a packet-filtering firewall and a bastion host (a system that is directly exposed to external threats). It is the only host on the internal network that is accessible to external hosts. An intruder has to pass the external router (packet filtering) and the bastion host (proxy) to get access to internal resources.
  - When compromised, nothing stops the intruder from having full run of the internal network. Therefore it should never be used for high-risk access such as public web server access.
- Screened-subnet firewall (with demilitarized zone, DMZ): A screened-subnet firewall system provides additional network security by introducing a perimeter network (DMZ) that the bastion host resides on. This requires an intruder to bypass two packet-filtering routers before he gains access to the internal network. This design is one of the most secure methods of providing external access to resources, but it is costly and complex.
- Dual-homed host firewall: The bastion host has two interfaces (one connected to the external network and one connected to the internal network) but IP forwarding is disabled. This means that there is no straight connection between hosts on the external and internal network.
  Minuses:
  - If the bastion host is compromised the intruder has potentially free access to the internal network;
  - If you allow the bastion host to route, it doesn't perform well because it isn't designed that way;
  - Internal routing may accidentally become enabled.
GATEWAYS AND PROXIES
The term gateway has many meanings, such as: a router, a device providing proxy functionality, and a device providing access to a network or service. Proxies are used as an intermediary device between a client and a server, providing transparent access to resources on the server. All traffic goes through the proxy. This allows administrators to restrict access, e.g. outbound Internet access. Proxies have caching functionality so they can provide better network performance.
2.6 WAN Technologies
WAN technologies tend to focus on interconnecting LANs and making connections to remote sites and resources.
There are three main categories of WAN networks:

- Internet
- Intranet
- Extranet

WAN CONNECTIONS

- Dedicated Connections: Dedicated connections exist between two point-to-point sites and are available all the time. The connection is exclusive and tends to be a synchronous serial connection (using precision clocking and control bits). Examples are T1, T3 and E1, E3 (Europe). OC-x is for optical carriers. DS-0 through DS-3 define the framing specifications for transmitting data over Tx and Ex lines.
- Circuit-Switched Connections: Circuit-switched connections dynamically bring up the circuits (connections) between two devices. These circuits are maintained for the duration of the call. They tend to use asynchronous serial connections, dial-up modems and ISDN and are thus used for low bandwidth or backup purposes. Because authentication is required with every connection, it is considered to be a fairly secure connection.
- Packet-Switched Connections: Packet-switched connections use synchronous serial connections (like dedicated connections) but share the network with multiple systems. It is less secure but cheaper. The company simply purchases a guaranteed amount of bandwidth. The classic packet-switched network is Frame Relay or X.25.
- Cell-Switched Connections: These connections are similar to packet-switched connections but are ATM (Asynchronous Transfer Mode) networks. This is a standard that uses fixed length cells, thus reducing transit delays. ATM is used on high speed media (SONET, T3, E3). It is considered to be a fairly secure technology.
WAN SERVICES

- Point-to-Point and Serial Line Internet Protocol (PPP and SLIP): These protocols are used for providing data link connectivity over asynchronous (dial-up) and synchronous (ISDN, dedicated serial line) connections. PPP is the successor of SLIP. Both provide a means to authenticate the connection.
  PPP primarily exists to transport Network layer protocols across a point-to-point connection. When a connection attempt is made, three phases of communication occur:
  - Link Establishment Phase: LCP packets are exchanged to configure and test the link;
  - Authentication Phase: CHAP, PAP or manual authentication of the connecting devices occurs;
  - Network Layer Protocol Phase: NCP is used to determine what Network layer protocols need to be encapsulated, and they are transmitted accordingly.
  CHAP and PAP are authentication protocols. PAP (Password Authentication Protocol) is the less secure of the two because passwords are sent in clear text. CHAP (Challenge Handshake Authentication Protocol) performs authentication during the initial handshake phase and periodically revalidates the password for the duration of the connection.
- High-Level Data-Link Control: HDLC is an ISO-based standard for delivering data over synchronous lines. This protocol is bit-oriented and uses frame characters and checksums as part of the data encapsulation, but uses no authentication. Also it doesn't provide for specifying the network-layer protocol that was encapsulated. Because each vendor developed its own method for doing this, it cannot be used between devices from different vendors.
- X.25: X.25 operates on the Physical and Data Link layers. It uses virtual circuits for establishing the communication channel between hosts. Nowadays it has been replaced by the faster Frame Relay.
- Link Access Procedure Balanced: LAPB is a bit-oriented protocol like HDLC and was originally created for use on X.25 networks. It functions by assuring that frames are correctly ordered and error free.
- Frame Relay: Reliable and supports multiple protocols. It is based on X.25 (uses virtual circuits, operates on the Physical and Data Link layers) but is much faster because error checking is left to the higher layers. It provides the communication interface between the DTE (Data Terminating Equipment) and the DCE (Data Circuit-Terminating Equipment). Frame Relay uses DLCIs (Data-Link Connection Identifiers) to identify the end points of a circuit. It does not use authentication; if you need it, you need something like PPP. Frame Relay is one of the most fault tolerant network topologies because network traffic can be diverted to another network segment.
- Synchronous Data-Link Control: SDLC is designed by IBM for use in mainframe connectivity but is also used for point-to-point WAN connections. It is incorporated into SNA and SAA but is now largely replaced by HDLC.
- Integrated Services Digital Network: ISDN was developed to transmit digital signals over a standard telephone wire. The BRI is 128 Kbps; the PRI up to 1.544 Mbps. BRI is intended for small office and home use and uses one 16 Kbps D (Delta) channel and two 64 Kbps B (Bearer) channels. PRI is intended for greater usage and uses one 64 Kbps D channel and 23 Mbps B channels.
  In conjunction with PPP, ISDN allows 128 Kbps by bonding together the two B channels.
- Digital Subscriber Line: xDSL allows broadband transmission of data up to 53 Mbps over the existing telephone network. There are four primary types of DSL:
  - Asymmetric Digital Subscriber Line: ADSL delivers 1.5-9 Mbps download speed and 16-640 Kbps upload speed up to 18,000 feet from the central office using a single line;
  - Single-line Digital Subscriber Line: SDSL delivers download and upload up to 1.544 Mbps up to 10,000 feet from the central office using a single line;
  - High-rate Digital Subscriber Line: HDSL delivers download and upload up to 1.544 Mbps using two lines, thus allowing full duplex mode up to 12,000 feet from the central office. HDSL allows T1 functionality;
  - Very-high Digital Subscriber Line: VDSL delivers 13-52 Mbps download speed and 1.5-2.3 Mbps upload speed up to 1,000-4,500 feet from the central office using a single line.
- Switched Multimegabit Data Service: SMDS is a high-speed packet-switching technology for use over public networks. It is for companies that need to send and receive large amounts of data on a bursty basis.
- High Speed Serial Interface: HSSI provides an extremely fast (53 Mbps) point-to-point connection between devices up to 50 feet apart. It can be used to connect devices at T3 or OC-1 speeds. It is often used for interconnecting LAN equipment for backup and fault tolerant network uses.
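What actually crosses the link under PAP versus CHAP (the PPP authentication phase above), as an added example that is not from this summary or the books. PAP sends the password itself, so anyone listening on the line has it; CHAP sends only an MD5 hash over the identifier, the shared secret and a random challenge (the construction from RFC 1994), and re-challenges periodically, so a captured response is useless against the next challenge. The Python code, the user name, the secret and the credential store are constructed.

```python
# Added illustration (not from the summary): PAP versus CHAP on a PPP link.
# The credential store, user name and secret are constructed for the example.
import hashlib
import hmac
import os
from typing import Dict, Tuple

USERS = {"alice": "correct-horse-battery"}   # constructed store on the access server


# --- PAP: the password itself is transmitted in clear text -------------------
def pap_request(user: str, password: str) -> Dict[str, str]:
    return {"user": user, "password": password}   # exactly what a sniffer sees


def pap_verify(request: Dict[str, str]) -> bool:
    return USERS.get(request["user"]) == request["password"]


# --- CHAP: only a hash of (identifier, secret, challenge) is transmitted -----
def chap_challenge() -> bytes:
    return os.urandom(16)          # fresh random challenge from the authenticator


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    # RFC 1994: MD5 over the identifier octet, the secret and the challenge value
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_verify(user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    secret = USERS.get(user)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)   # constant-time comparison


def chap_session(user: str, secret: str, rounds: int = 3) -> Tuple[bool, bool]:
    """Initial handshake plus periodic re-challenges, as CHAP does for the
    duration of the connection. Returns (all_rounds_ok, replay_of_first_response_ok)."""
    first_response = None
    all_ok = True
    for identifier in range(rounds):
        challenge = chap_challenge()
        response = chap_response(identifier, secret, challenge)
        all_ok &= chap_verify(user, identifier, challenge, response)
        if first_response is None:
            first_response = response
    # An eavesdropper who captured the first response cannot reuse it: the
    # authenticator issues a new challenge, so the old hash no longer matches.
    replay_ok = chap_verify(user, 0, chap_challenge(), first_response)
    return all_ok, replay_ok


if __name__ == "__main__":
    print("PAP on the wire:", pap_request("alice", "correct-horse-battery"))
    print("CHAP session ok, replay accepted:", chap_session("alice", "correct-horse-battery"))
```

Note that CHAP still requires the server to hold the secret in a recoverable form, which is why the store above keeps it in clear: the protection is against the link, not against a compromised authentication database.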
WAN DEVICES
WAN devices are:

- Routers;
- WAN switches, to connect private data over public circuits;
- Multiplexers (MUX), which enable more than one signal to be transmitted simultaneously over a single circuit;
- Access servers, equipment used for dial-in and dial-out access to the network;
- Modems, to convert between digital and analog signals;
- CSU/DSU (Channel Service Unit / Data Service Unit), digital devices used to terminate the physical connection of a DTE device to the DCE.
2.7 Providing Remote Access Capabilities
Remote access techniques and technologies are used for telecommuting (a user is called a telecommuter).
CLIENT-BASED DIAL-IN REMOTE ACCESS
Also called dial-in access, this connectivity needs a modem to dial in to the corporate network. Secure connections can be made via the ISP, using a POTS (2) and creating a VPN tunnel to a VPN server on the corporate network.
USING TUNNELING AS A SECURITY METHOD
Tunneling is the process of transmitting one protocol encapsulated within another protocol. This can be used to transmit data that might not be supported on the network or to create a secure channel. Tunnels designate two endpoints of communication and then encapsulate the data within some other packet format.
A tunneling technique is PPTP (Point-to-Point Tunneling Protocol), which provides encryption capabilities. Cisco uses GRE (Generic Routing Encapsulation). IPSec is often used in conjunction with GRE.
VIRTUAL PRIVATE NETWORKS
A VPN is the use of a tunnel or secure channel across the Internet or another public network. The data within the tunnel is encrypted. VPNs are client-based or site-to-site.

- Client-based VPNs: These VPNs provide remote access to users across the Internet. Users have VPN client software on their PC which allows them to connect to the network as if they are a (virtual) node on that network.
- Site-to-site VPNs: This is a (semi-)permanent connection across the Internet between two devices, typically routers or firewalls. Clients do not need to have special software; the secure connection is established by special VPN hardware devices, such as routers. This is known as split tunneling.

VPN devices are either IPSec-compatible or not. IPSec-compatible devices are installed on a network's perimeter using tunnel mode or transport mode. Non-IPSec-compatible devices include SOCKS-based proxy servers, PPTP-compatible devices and devices using SSH.
There are three protocols that provide remote access VPN capabilities:

- PPTP: A Microsoft-developed technology that provides remote access by encapsulating PPP inside a PPTP packet. It uses the PPP authentication mechanisms of PAP, CHAP or MS-CHAP and encryption (40 or 128 bit session keys and encryption). PPTP supports multi-protocol tunneling. PPTP resides on the Data Link layer.
- L2TP: Layer 2 Tunneling Protocol. Similar to PPTP but supports RADIUS and TACACS for authentication and IPSec and IKE for encryption and key exchange. L2TP supports multi-protocol tunneling. L2TP resides on the Data Link layer.
- IPSec: This is a network-layer encryption and security mechanism that can be used as a standalone VPN solution or as a component of an L2TP VPN solution. It supports DES (hacked) and 3DES (recommended) as well as 128/160 bit encryption. IPSec further supports the use of AH (Authentication Header) security and ESP (Encapsulating Security Payload). AH secures the IP header; ESP secures the entire packet. IPSec resides on the Network layer.

(2) Plain old telephone system.

REMOTE ACCESS AUTHENTICATION
There are three technologies for authentication:

- RADIUS: A UDP-based industry standard for authentication via a client/server model. The user is asked for a name and password which is checked against a database. RADIUS simply allows or denies access.
- TACACS: An older and end-of-life authentication technology.
- TACACS+: Like RADIUS it separates the authentication and authorization capabilities, but it uses TCP for connectivity. Therefore it is regarded to be more reliable than RADIUS.
2.8 Networking Protocols
TCP/IP is a suite of protocols developed by the Department of Defense. It was designed following a four layer architectural model, which maps onto the OSI model as follows:

OSI model        TCP/IP model
Application      Application
Presentation     Application
Session          Application
Transport        Transport / Host to host
Network          Internet
Data Link        Network
Physical         Network

- Application layer: It provides for the applications, services and processes that run on a network.
- Transport layer: The host-to-host layer. It is responsible for handling the end-to-end data delivery on a network.
- Internet layer: Provides logical addressing and routing of IP datagrams on the network.
- Network layer: Responsible for the physical delivery of data on the network.
APPLICATION LAYER PROTOCOLS
These protocols are services. Some of the common protocols are:

- Bootstrap Protocol: BootP provides automatic configuration of diskless workstations by looking up the MAC address in the BootP file. If found, it sends the necessary information to complete the system boot process.
- File Transfer Protocol: FTP is used to send and receive files between two systems. It provides authentication using clear-text passwords. It doesn't provide for remote execution of programs.
- Line Printer Daemon: LPD is used in conjunction with LPR (Line Printer Remote) for connecting to network-attached print devices.
- Network File System: NFS is a file-sharing protocol used in UNIX environments.
- Post Office Protocol 3: POP3 provides for the connecting to and receipt of email from a mail server to the email client.
- Simple Mail Transfer Protocol: SMTP provides for the delivery of email across servers. POP3 is responsible for the receipt of email; SMTP for sending it.
- Simple Network Management Protocol: SNMP supports the transmission and collection of management information and statistics for network devices. It sends traps whenever a network event occurs. It also allows administrators to make changes on remote systems via set operations. The information that a device can report on is maintained via MIBs (files containing Management Information Bases).
- Telnet: A command line facility (terminal-emulation program) used to execute commands and run applications. Not suitable for file transfers.
- Trivial File Transfer Protocol: TFTP is a subset of FTP for file transfer. It doesn't support authentication and directory browsing and is used for updating the configuration files of routers and switches.
- X Windows: A protocol that allows remote display of a GUI.
TRANSPORT LAYER PROTOCOLS
The most significant Transport layer protocols are TCP and UDP. Compared with communication between two people, TCP can be seen as using a telephone and UDP as sending a letter. TCP and UDP use port numbers as endpoints of communications.

- TCP: TCP is responsible for creating connection-oriented, reliable end-to-end communications between host systems. It does this via a series of synchronizations (SYNs) and acknowledgements (ACKs) prior to data transfer. This is called the TCP three-way handshake. It also uses windowing to determine how much data can be sent before an ACK must be received. TCP also uses sequence numbers for the segments it sends.
- UDP: UDP is responsible for connectionless (doesn't check if a destination is up, just sends), unreliable end-to-end communications between systems. It is used when the receipt of data is not important (streaming audio/video) or when the overhead of ensuring reliable delivery is too high.

TCP                               UDP
Acknowledged data transfer        Unacknowledged data transfer
Uses sequencing                   Does not use sequencing
Connection-oriented               Connectionless
Reliable                          Unreliable
Higher overhead                   Lower overhead

TCP/IP protocols are:

- Host-to-host Transport layer protocols such as TCP and UDP;
- Internet layer protocols such as IP, ARP/RARP and ICMP.

TCP/IP provides simplex, half-duplex and full-duplex connections.
INTERNET LAYER PROTOCOLS
The Internet layer is the IP part of TCP/IP. Some common Internet-layer protocols are:

- IP: Responsible for handling the logical addressing of hosts. IP is considered to be unreliable, which is fine because TCP can provide reliability if needed.
- Internet Control Message Protocol: ICMP is a management and control protocol for IP and is responsible for delivering messages between hosts regarding the health of a network. It is used by IP diagnostic tools such as PING and Traceroute.
- Address Resolution Protocol: ARP maps IP addresses to their respective MAC addresses. It issues an ARP broadcast with an IP address and the host that owns the IP address responds with its MAC address.
- Reverse ARP: RARP is used to discover the IP address if the MAC address is known. It is used by diskless workstations to get the IP configuration information from a RARP server.
2.9 Protecting the Integrity, Availability and Confidentiality of Network Data
THE CIA-TRIAD
Confidentiality is ensuring that the data transmitted is only able to be read by the intended recipient. Confidentiality can be protected by network security protocols, network authentication services or data encryption services.
Integrity is the assurance that the data that was received is the data that was transmitted. Techniques are nonrepudiation (3), firewall systems, communication security and intrusion detection systems.
Availability is a concept that can be applied to create reliability and stability of network systems and applications. It ensures that data is available when required. Techniques are fault tolerance of disks, systems and backups, acceptable log-in and process performance, and reliable and functional security processes and mechanisms.
SECURITY BOUNDARIES AND TRANSLATING SECURITY POLICY TO CONTROLS
There are three major groupings of networks:

- External subnets: Containing those resources that the administrator has no control over (Internet). Systems connected to the boundary must be hardened (run the bare minimum of services and applications).
- Internal subnets: Containing those resources that the administrator has control over. The key to securing internal subnets is the separation of resources, auditing of transactions and the definition of an enforceable security policy.
- Screened subnets: Also referred to as DMZ, these are used to provide limited access to external users. An example is allowing external access to a server on port 80 but preventing other external access by packet filtering.

Type enforcement is about defining groups of processes into domains and types based on least privilege. You group resources based on how they can be used and by whom. Access is only granted to users who need the data. These groups of resources can further be separated onto different servers and subnets to provide for granular audit and access control.
TRUSTED NETWORK INTERPRETATION
The DoD developed a series of books, the Rainbow Series, of which the Orange Book is well known. The Orange Book defines the TCSEC (Trusted Computer Security Evaluation Criteria). The other books expound upon the concepts described in this book. See paragraph TCSEC, The Orange Book and the Rainbow Series on page 6-4 for a detailed description.
A security policy should:

- Clearly define what is and is not permitted by both users and administrators;
- Serve as the guideline for defining the types of resources and access that users require to those resources;
- Define the procedures that should be followed in the event of a compromise.
NETWORK LAYER SECURITY PROTOCOLS
Though encryption occurs at the Presentation layer, protocols have been designed to provide this functionality at the Network layer:

- IPSec: IPSec offers two choices of security: AH and ESP. AH (Authentication Header) authenticates the sender but the payload is not encrypted. ESP (Encapsulating Security Payload) also authenticates the sender but also encrypts the payload. Key management is handled by the ISAKMP/Oakley protocol.
  IPSec functions in tunnel and transport mode. Tunnel mode is used to encapsulate the entire original IP datagram in situations where the datagrams are sourced from or destined to systems that do not use IPSec (e.g. in the case of a VPN). Transport mode encapsulates the upper layer (Transport layer and above) data of the original packet and is used in cases where the end points of communication both support IPSec.
  A drawback of IPSec is that it is largely incompatible with NAT because IPSec requires that data integrity not be compromised and NAT translates data mid-stream between hosts. Because source addresses are changed, the data is dropped. A workaround is encapsulating IPSec traffic in TCP or UDP.
- SWIPE: SWIPE is the predecessor to IPSec and provides encryption at the Network layer by encapsulating the packet within the SWIPE packet. It does not have policy or key management functionality.
- Simple Key Management for Internet Protocol: SKIP is a stateless Network layer encryption mechanism, primarily for SUN Solaris environments.
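Why an AH-protected packet survives a router hop but not NAT, and what tunnel mode adds on top of transport mode, as an added example that is not from this summary or the books. The integrity check value is an HMAC over the fields AH treats as immutable (addresses and payload), with the mutable TTL counted as zero, so a TTL decrement verifies but a rewritten source address does not. The packet representation, the serialisation, the key and the addresses are constructed for the illustration and are not the real AH wire format.

```python
# Added illustration (not from the summary): AH integrity in transport and
# tunnel mode, and the NAT incompatibility. Toy serialisation, constructed key
# and documentation-range addresses; HMAC-SHA256 stands in for the AH ICV.
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict

ICV_LEN = 32  # HMAC-SHA256 digest length


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    ttl: int
    payload: bytes


def serialize(p: IPPacket) -> bytes:
    return f"{p.src},{p.dst},{p.ttl},".encode() + p.payload


def deserialize(raw: bytes) -> IPPacket:
    src, dst, ttl, payload = raw.split(b",", 3)
    return IPPacket(src.decode(), dst.decode(), int(ttl), payload)


def ah_icv(p: IPPacket, key: bytes) -> bytes:
    # AH covers the immutable header fields and the payload; the mutable TTL
    # is counted as zero so that ordinary forwarding does not break the check.
    return hmac.new(key, serialize(replace(p, ttl=0)), hashlib.sha256).digest()


def ah_protect(p: IPPacket, key: bytes) -> IPPacket:
    """Transport mode: AH sits between the IP header and the upper-layer data."""
    return replace(p, payload=ah_icv(p, key) + p.payload)


def ah_verify(p: IPPacket, key: bytes) -> bool:
    icv, upper = p.payload[:ICV_LEN], p.payload[ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(replace(p, payload=upper), key))


def tunnel_encapsulate(inner: IPPacket, gw_src: str, gw_dst: str, key: bytes) -> IPPacket:
    """Tunnel mode: the whole original datagram becomes the payload of a new
    packet between the two security gateways, and AH protects that outer packet."""
    return ah_protect(IPPacket(gw_src, gw_dst, 64, serialize(inner)), key)


def tunnel_decapsulate(outer: IPPacket, key: bytes) -> IPPacket:
    if not ah_verify(outer, key):
        raise ValueError("AH integrity check failed: packet dropped")
    return deserialize(outer.payload[ICV_LEN:])


# What intermediate devices do to a packet in flight:
def router_hop(p: IPPacket) -> IPPacket:
    return replace(p, ttl=p.ttl - 1)       # mutable field: tolerated by AH


def nat(p: IPPacket, public_ip: str) -> IPPacket:
    return replace(p, src=public_ip)       # immutable field: the ICV no longer matches


KEY = b"constructed-demo-key"
INNER = IPPacket("10.0.0.5", "10.1.0.9", 64, b"hello")


def transport_mode_demo() -> Dict[str, bool]:
    protected = ah_protect(INNER, KEY)
    return {
        "after_router": ah_verify(router_hop(protected), KEY),
        "after_nat": ah_verify(nat(protected, "203.0.113.5"), KEY),
    }


def tunnel_mode_demo() -> Dict[str, object]:
    outer = tunnel_encapsulate(INNER, "198.51.100.1", "198.51.100.2", KEY)
    result: Dict[str, object] = {
        "outer_src": outer.src,                                   # gateway, not the host
        "inner_after_tunnel": tunnel_decapsulate(router_hop(outer), KEY),
    }
    try:
        tunnel_decapsulate(nat(outer, "203.0.113.5"), KEY)
        result["nat_dropped"] = False
    except ValueError:
        result["nat_dropped"] = True
    return result


if __name__ == "__main__":
    print("transport mode:", transport_mode_demo())
    print("tunnel mode:", tunnel_mode_demo())
```

In tunnel mode the original source and destination are hidden inside the outer packet, which is why it suits gateways fronting hosts that do not speak IPSec; the NAT problem remains, since the outer header is what NAT rewrites and what AH covers, which is what the UDP encapsulation workaround addresses.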


(3) Nonrepudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. See also Nonrepudiation on page 3-2.

(1) According to the DoD these protocols reside within the Application layer.
TRANSPORT LAYER SECURITY PROTOCOLS
A well known security protocol is SSL (Secure Socket Layer), which is supported by firewalls and tunneling. It provides data encryption, server authentication, data integrity and optional client authentication over TCP/IP. It is primarily used for HTTP traffic and securing the communications between Web browsers and Web servers. SSL uses digital certificates for server authentication, encryption for transmission privacy and end-to-end connections to ensure data integrity.
TLS (Transport Layer Security) is the successor to SSL. Though built on SSL 3.0, it does not support SSL directly.
APPLICATION LAYER SECURITY PROTOCOLS
For securing email the following protocols are widely used:

- S/MIME: Secure / Multipurpose Internet Mail Extensions. Based on MIME to secure email transmissions and on RSA encryption, it provides for cryptographic security through MIME encapsulation of digitally signed and encrypted objects. It ensures that authentication, nonrepudiation, message integrity and confidentiality occur.
- PEM: Privacy Enhanced Mail. PEM provides for message encryption and authentication by using symmetric (secret-key) and asymmetric (public-key) encryption methods for encryption of data encryption keys. It is rarely used.

For securing financial transactions the SET protocol can be used.

- SET: Secure Electronic Transmission is a framework for protection against credit card fraud. It uses a PKI (Public Key Infrastructure) to provide for the confidentiality and integrity of the cardholder data, while at the same time providing for the authentication of the card.
NETWORK MONITORING AND PACKET SNIFFERS
Packet sniffing is about capturing the data on a segment. A packet sniffer can be used to observe the traffic patterns that software uses and use that information to configure perimeter security devices (pattern-based application recognition).
INTRUSION DETECTION
Intrusion detection is the process of monitoring systems for evidence of an intrusion or misuse. Intrusion Detection Systems (IDSs) are responsible for performing the following tasks:

- Monitoring and analyzing user, system and network access;
- Auditing system configurations and vulnerabilities;
- Assessing the integrity of system and data files;
- Recognizing activity patterns that would seem to indicate an incident;
- Analyzing abnormal use patterns;
- Operating system auditing;
- Automatic patching of vulnerable systems through recovery actions and scripting (*);
- Installing and monitoring decoy servers to gather information (*).

(*) Only with advanced IDSs.
There are two ways of classifying IDSs: network-based versus host-based, and knowledge-based versus behavior-based IDSs.

Network-based IDSs

These IDSs analyze packets real time against a known
database or pattern attacks and are typically deployed to monitor traffic on a
network segment.

Host-based IDSs

These IDSs are often system-centric in their design. Most
host-based IDSs are designed to monitor logins and processes, typically through
the use of auditing system logs. These IDSs are designed to specifically identify
inappropriate activity on the host system only and are agent-based (an agent is
required to be running on monitored system. As a result, host-based IDSs can
be difficult to deploy and manage.

Knowledge-based IDSs

These IDSs are network- or host-based. It main-
tains a database of known attacks and vulnerabilities and detects whether at-
tempts to exploit these vulnerabilities are occurring. Knowledge-based IDSs are
more sometimes referred to as signature based.
Benefits of knowledge-based IDSs are:
- Low degree of false positives;
- Alarms are easy to understand.
Drawbacks are:
- Resource intensive because it must be constantly updated;
- New attacks can go unnoticed because of outdated signature files.

Behavior-based IDSs

These IDSs are more complex than knowledge-based
IDSs because they are capable to learn. Sometimes it is referred at as anomaly
based IDSs.
Benefits of knowledge-based IDSs are:
- Systems can dynamically respond to new, original or unique exploits and at-
tacks;
- Not dependent on specific operating systems.
Drawbacks are:
- High false alarms are very common;
- In environments where the usage patterns of users and network resources
frequently change, the IDS is unable to establish a baseline of normal be-
havior upon which to base any deviations.
Active IDSs check real-time for attacks; passive IDSs do log analyzing.
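The signature-versus-anomaly trade-off described above, as an added example that is not part of the original text: a toy knowledge-based detector (two hypothetical regular-expression signatures) and a toy behavior-based detector (a per-user baseline of normal actions) are run over constructed access-log lines. It shows the known pattern that only the signatures catch, the new behaviour that only the baseline catches, and the harmless-but-new action that the baseline raises as a false alarm.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample access-log lines in the form "user method path"
# (not taken from the page). The first list is the learning period.
BASELINE_LOGS = [
    "alice GET /reports/q1.pdf",
    "alice GET /reports/q2.pdf",
    "bob GET /index.html",
    "bob POST /upload",
    "bob GET /index.html",
]
NEW_LOGS = [
    "alice GET /reports/../../etc/passwd",  # known pattern, otherwise normal for alice
    "bob DELETE /reports/q1.pdf",           # no known pattern, but bob never deleted before
    "alice POST /reports/new.pdf",          # harmless, yet new for alice (false alarm)
    "carol GET /index.html",                # user without any baseline
]

# Knowledge-based part: hypothetical signatures for two textbook patterns.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sql-tautology": re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE),
}


def parse(line: str) -> Tuple[str, str, str]:
    user, method, path = line.split(" ", 2)
    return user, method, path


def top_level(path: str) -> str:
    """First path component, so /reports/q1.pdf and /reports/q2.pdf count as one activity."""
    parts = path.split("/")
    return "/" + parts[1] if len(parts) > 2 else path


def signature_detect(line: str) -> List[str]:
    """Knowledge-based IDS: alarm only when a stored attack pattern matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(line)]


def build_baseline(lines: List[str]) -> Dict[str, Set[Tuple[str, str]]]:
    """Behavior-based IDS, learning phase: per user, the (method, area) pairs seen as normal."""
    profile: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for line in lines:
        user, method, path = parse(line)
        profile[user].add((method, top_level(path)))
    return profile


def anomaly_detect(line: str, profile: Dict[str, Set[Tuple[str, str]]]) -> List[str]:
    """Behavior-based IDS, detection phase: alarm on any deviation from the baseline."""
    user, method, path = parse(line)
    if user not in profile:
        return [f"no baseline for user {user}"]
    area = top_level(path)
    if (method, area) not in profile[user]:
        return [f"{user} never used {method} on {area} before"]
    return []


def run_ids(new_lines: List[str], baseline_lines: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Run both detectors over the new lines and report what each one raised."""
    profile = build_baseline(baseline_lines)
    return {
        line: {"signature": signature_detect(line), "anomaly": anomaly_detect(line, profile)}
        for line in new_lines
    }


if __name__ == "__main__":
    for line, verdict in run_ids(NEW_LOGS, BASELINE_LOGS).items():
        print(f"{line:40} signature={verdict['signature']} anomaly={verdict['anomaly']}")
```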
INTRUSION RESPONSE
Intrusion Response occurs after an event has been detected. It is often defined as
part of the responsibilities of a CIRT. The primary response of a CIRT is to define and
execute the company's response to an incident via a process known as Incident
Response Management. The CIRT response consists of the following:
- Coordinate how the notification and distribution of incidents should occur. There
  should be a defined escalation path.
- Mitigate the risk of an incident by minimizing disruptions and the costs involved
  in remediating the incident.
- Assemble teams of people to investigate and resolve potential incidents.
- Provide active input in the design and development of the company security policy.
- Manage and monitor logs.
- Manage the resolution of incidents, including post mortems of incidents.
NETWORK ADDRESS TRANSLATION
Typically NAT translates each internal address to a unique external address (one-to-one
mapping). PAT (Port Address Translation) performs one-to-many mapping by using
unique port numbers.
Inbound NAT is used to provide access to internal resources in conjunction with policy
routing. The administrator creates a table in which an entry maps the externally used
IP address to the internally used IP address (the system that provides a service).
Inbound NAT can also be used with PAT.
Because NAT can hide the internal IP addresses, it provides a (light) degree of security.
Effectively NAT provides a boundary between networks. It does not protect against
spoofing. Therefore NAT is nothing more than a component of a security solution.
Another drawback is the incompatibility with many types of encryption. NAT receives
a packet, builds a new packet and sends it to the host. A response from the host is
translated and sent to the original requestor. As many encryption methods do not allow
manipulation of the data, the packet is rejected, unless the NAT device is configured not
to manipulate it. Another alternative is to encapsulate the encrypted data in TCP or UDP
before sending it.
PUBLIC AND PRIVATE IP ADDRESSES
There are five blocks of IP addresses reserved by the IANA (Internet Assigned Numbers
Authority):

Class  Public IP ranges
A      1.0.0.0 to 9.255.255.255
       11.0.0.0 to 126.255.255.255
B      128.0.0.0 to 171.255.255.255
       173.0.0.0 to 191.255.255.255
C      192.0.0.0 to 195.255.255.255
       197.0.0.0 to 223.255.255.255
D      224.0.0.0 to 239.255.255.255   Multicast IP addresses
E      248.0.0.0 to 255.255.255.255   Experimental use

Three blocks of IP addresses are reserved for private network use:
- 10.0.0.0 to 10.255.255.255
- 172.16.0.0 to 172.31.255.255
- 192.168.0.0 to 192.168.255.255
Available IP addresses are:
- 127.0.0.0 to 127.255.255.255 (loopback IP addresses)
- 224.0.0.0 to 243.255.255.255
- 240.0.0.0 to 247.255.255.255
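The NAT behaviour described above (one-to-one mapping, PAT's one-to-many mapping through unique ports, and the administrator's inbound NAT table) together with the private blocks just listed, as an added example that is not part of the original text. Assumptions: the public address 203.0.113.1 and the port pool starting at 40000 are constructed; the private blocks are the three listed above and the other address categories come from Python's ipaddress module.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# The three private blocks listed above; hosts in them cannot be reached from the
# Internet directly and need NAT to get out.
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def address_kind(ip: str) -> str:
    """Categorize an IPv4 address: loopback, multicast, reserved, private or public."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_multicast:
        return "multicast"
    if addr.is_reserved:          # 240.0.0.0/4, the experimental block
        return "reserved"
    if any(addr in block for block in PRIVATE_BLOCKS):
        return "private"
    return "public"


class Pat:
    """One public address shared by many inside hosts (PAT), plus an inbound NAT table."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Tuple[str, int], int] = {}   # (inside ip, port) -> public port
        self.inbound: Dict[int, Tuple[str, int]] = {}    # public port -> (inside ip, port)
        self.static: Dict[int, Tuple[str, int]] = {}     # inbound NAT: public port -> server

    def publish(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Inbound NAT entry created by the administrator for an internal service."""
        self.static[public_port] = (inside_ip, inside_port)

    def translate_out(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite an outgoing packet's source; a new flow gets the next unused public port."""
        if address_kind(src_ip) != "private":
            raise ValueError(f"{src_ip} is not a private address; nothing to translate")
        key = (src_ip, src_port)
        if key not in self.outbound:
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
            self.inbound[port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a packet arriving on the public address back to an inside host, or drop it."""
        return self.inbound.get(dst_port) or self.static.get(dst_port)


if __name__ == "__main__":
    nat = Pat("203.0.113.1")
    nat.publish(443, "10.0.0.10", 443)
    print(nat.translate_out("10.0.0.5", 1234))   # ('203.0.113.1', 40000)
    print(nat.translate_out("10.0.0.6", 1234))   # same inside port, different public port
    print(nat.translate_in(40001), nat.translate_in(443), nat.translate_in(9999))
```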
TRANSPARENCY
Transparency is the ability of a device to not appear to exist. By not responding to
illegal requests, an attacker does not learn what kind of device exists at a given IP
address.
Another method of transparency is to configure a device to receive packets but not be
able to send (like IDSs).
HASH TOTALS
Hashing is the process of assigning a value to represent some original data string. The
value is the hash total. An example of the usage of hash totals is the Windows authen-
tication. The client generates a hash total based on the password and sends it to the
domain controller for validation against a database with hash totals.
EMAIL SECURITY
SMTP servers should not permit relaying of mail because spammers look for these
servers to send bulk mail. If you do permit relaying, you may be added to various black
lists of Internet servers. Other email servers will not accept mail from blacklisted servers.
FACSIMILE AND PRINTER SECURITY
One should think carefully about the use of printers and faxes. Often they are used by
several employees but maybe it would be better to place them in separate rooms with
restricted access. The best way to handle the disposing of documents is to burn them.
COMMON ATTACKS AND COUNTERMEASURES
There are six classifications of network abuse: Class A through Class F abuses.
Class A Abuses
A class A network abuse is the result of unauthorized network access through the
circumvention of security access controls. This is sometimes referred to as logon abuse.
Techniques for class A network abuses are:
- Social engineering
- Brute force
Class B Abuses
A class B network abuse is defined by non-business use of systems. Examples are
visiting unauthorized websites or using company resources for personal benefit. An
acceptable use policy (AUP) and an enforceable security policy are an effective way to
handle class B network abuses. Types of these kinds of abuses are:
- PBX fraud and abuse
- Email and Internet abuse
Class C Abuses
Class C network abuses are identified by the use of eavesdropping techniques. Examples
are:
- Network sniffing
- Dumpster diving (going through the trash)
- Keystroke recording
Class D Abuses
A class D network abuse is identified by denial of service: saturation of network devices
and resources. Examples are:
- SYN flooding
- Buffer overflows
- Teardrop attacks: the use of overlapping IP fragments
- LAND attacks: a packet with the same source and destination IP address
- SMURF attacks: using ICMP to spoof ICMP echo requests to a network broadcast
  address
- DDoS attacks: multiple hosts attacking one device and using all its bandwidth
Class E Abuses
A class E network abuse is defined by network intrusion and prevention. Examples are:
- Spoof attacks: an attacker appearing to be something other than he is. A common
  spoof attack is an ARP redirect in a switched environment.
- Trojans
- Viruses and worms
- Back doors: the only remedy is a format and complete rebuild
- TCP hijacking: inserting TCP packets by using the sequence numbers
- Piggy-backing: the process of using a legitimate user's connection to gain access
  to a system (e.g. by using open, not correctly closed connections)
Class F Abuses
A class F network abuse refers to probing attacks. First information is gathered about
the network. Examples are:
- Port scans
- Banner abuse: many services use banners that include information about the type
  of system the service is running on. Examples are HTTP, FTP and SMTP banners.
  This information can be used to determine the types of exploits to which a system
  might be vulnerable.
- Sniffing
2.10 Fault Tolerance and Data Restoration
Reliability of data can be handled through the use of a redundant array of inexpensive
disks (RAID). There are five levels of RAID:
- RAID 0: Creates one large disk by using several disks. Used to improve performance
  by simultaneous reads and writes through striping of data across multiple disks. It
  provides no fault tolerance.
- RAID 1: Mirroring: data on one disk is duplicated on another disk. Fairly expensive
  because it requires double the amount of storage.
- RAID 2: No longer in use. Used multiple disks and parity information. It consists of
  bit-interleaved data on multiple disks. Parity information is created using a Hamming
  code. There are 32 disks used for storage and 7 for parity.
- RAID 3: Similar to RAID 0 but now uses parity information. Performs byte-level
  striping. Parity information is stored on a specific parity drive.
- RAID 4: As RAID 3 but it performs block-level striping across multiple drives.
- RAID 5: Stripes data and parity at the block level across all drives using interleaved
  parity for data re-creation. Reads and writes can be performed simultaneously,
  offering very good performance.
- RAID 7: A variation of RAID 5 wherein the array functions as a single virtual disk
  in the hardware.
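RAID 5's block-level striping with interleaved (rotating) parity, and the data re-creation it allows, as an added example that is not part of the original text: the XOR parity of each stripe is placed on a different drive every stripe, and a single failed drive is rebuilt from the surviving blocks. The payload, the four-drive layout and the 4-byte block size are constructed for the demonstration.

```python
from typing import List, Optional

# RAID 5 in miniature (added example, not from the page): block-level striping with
# the parity block rotating across all drives, and recovery of one failed drive.


def xor_blocks(blocks: List[bytes]) -> bytes:
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, drives: int, block: int) -> List[List[bytes]]:
    """Return the contents of each drive as a list of blocks (one entry per stripe)."""
    if drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    per_stripe = drives - 1                      # data blocks per stripe; one block is parity
    chunks = [data[i:i + block].ljust(block, b"\0") for i in range(0, len(data), block)]
    while len(chunks) % per_stripe:
        chunks.append(b"\0" * block)             # pad the last stripe
    array: List[List[bytes]] = [[] for _ in range(drives)]
    for stripe_no, start in enumerate(range(0, len(chunks), per_stripe)):
        stripe = chunks[start:start + per_stripe]
        parity_drive = stripe_no % drives        # interleaved parity: rotates every stripe
        parity = xor_blocks(stripe)
        data_iter = iter(stripe)
        for d in range(drives):
            array[d].append(parity if d == parity_drive else next(data_iter))
    return array


def raid5_read(array: List[List[bytes]], failed: Optional[int], length: int) -> bytes:
    """Read the data back; if one drive index is marked failed, rebuild its blocks from the rest."""
    drives = len(array)
    out = bytearray()
    for stripe_no in range(len(array[0])):
        parity_drive = stripe_no % drives
        blocks: List[Optional[bytes]] = [array[d][stripe_no] for d in range(drives)]
        if failed is not None:
            blocks[failed] = None
            # XOR of every surviving block (data and parity) equals the missing block
            blocks[failed] = xor_blocks([b for b in blocks if b is not None])
        out.extend(b"".join(blocks[d] for d in range(drives) if d != parity_drive))
    return bytes(out[:length])


def usable_fraction(drives: int) -> float:
    """Capacity left for data after one block per stripe is spent on parity."""
    return (drives - 1) / drives


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"
    array = raid5_write(payload, drives=4, block=4)
    for lost in range(4):
        assert raid5_read(array, lost, len(payload)) == payload
    print("all four single-drive failures recovered; usable capacity", usable_fraction(4))
```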
Clustering technologies are used to prevent a server from failing entirely. There are two
types of clustering concepts:
- Data clustering: Two data servers are configured exactly the same; one is the
  mirror of the other. There is a fail-over link between the 2 servers.
- Network services clustering or server clustering: Load balancing. Used to improve
  system performance by distributing network requests among multiple servers that
  have the same functionality.
Of course you need data backups. Popular backup methodologies are:
- Full backup: All data is saved every time. Can cost a lot of time and tapes.
- Incremental backup: Backing up only the changed and added files.
- Differential backup: All files that have changed since the last full backup are
  backed up. You only need the full backup tape and the last differential backup tape.
Backup media:
- Digital audio tape (DAT): Cheap and compact; max. 40 Gb
- Quarter-inch cartridge (QIC): 50 Gb (most systems 8 Gb)
- 8mm tape: Older system; replaced by DLT
- Digital linear tape (DLT): 4 mm tape; up to 320 Gb; very fast
- CD/DVD: Widely used for desktop backup
- Zip: For desktop backup; up to 250 Mb
- Tape array: Cluster of 32-62 tape drives; RAID fashion
- Hierarchical storage management (HSM): Methodology for backing up and restoring
  data in an enterprise.
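The incremental versus differential trade-off from the backup methodologies above, as an added example that is not part of the original text: it works out what each tape holds under either scheme and which tapes are needed to restore a given day (the full tape plus the newest differential, or the full tape plus every incremental in order). The week of changes and the tape names are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass(frozen=True)
class Backup:
    day: date
    kind: str      # "full", "incremental" or "differential"
    tape: str


def tape_contents(all_files: Set[str], changes: Dict[date, Set[str]],
                  full_day: date, scheme: str) -> Dict[date, Set[str]]:
    """What lands on each tape when a full backup on full_day is followed by one
    `scheme` backup per later day; `changes` lists the files modified on each day."""
    contents = {full_day: set(all_files)}
    changed_since_full: Set[str] = set()
    for day in sorted(d for d in changes if d > full_day):
        changed_since_full |= changes[day]
        if scheme == "differential":
            contents[day] = set(changed_since_full)      # everything since the full: grows daily
        elif scheme == "incremental":
            contents[day] = set(changes[day])            # only what changed since the last backup
        else:
            raise ValueError(f"unknown scheme {scheme}")
    return contents


def restore_set(backups: List[Backup], target: date) -> List[str]:
    """Tapes needed, in the order they must be restored, to recover the state as of target."""
    history = sorted((b for b in backups if b.day <= target), key=lambda b: b.day)
    fulls = [b for b in history if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the target date")
    last_full = fulls[-1]
    later = [b for b in history if b.day > last_full.day]
    kinds = {b.kind for b in later}
    if len(kinds) > 1:
        raise ValueError("mixing incremental and differential backups after one full backup is ambiguous")
    if kinds == {"differential"}:
        return [last_full.tape, later[-1].tape]              # full + newest differential only
    return [last_full.tape] + [b.tape for b in later]        # full + every incremental, in order


def weekly_demo() -> Dict[str, object]:
    """Constructed week: full backup on Monday, then three days of changes."""
    mon, tue, wed, thu = (date(2024, 1, d) for d in (1, 2, 3, 4))
    files = {"a", "b", "c", "d"}
    changes = {tue: {"a"}, wed: {"b"}, thu: {"a", "c"}}
    diffs = [Backup(mon, "full", "T1")] + [Backup(d, "differential", f"D{i}") for i, d in enumerate((tue, wed, thu), 1)]
    incs = [Backup(mon, "full", "T1")] + [Backup(d, "incremental", f"I{i}") for i, d in enumerate((tue, wed, thu), 1)]
    return {
        "differential_tapes": [sorted(tape_contents(files, changes, mon, "differential")[d]) for d in (tue, wed, thu)],
        "incremental_tapes": [sorted(tape_contents(files, changes, mon, "incremental")[d]) for d in (tue, wed, thu)],
        "restore_differential": restore_set(diffs, thu),
        "restore_incremental": restore_set(incs, thu),
        "restore_wednesday": restore_set(incs, wed),
    }


if __name__ == "__main__":
    for name, value in weekly_demo().items():
        print(f"{name:22} {value}")
```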
Identity Management
Identity management is a general term that encompasses technologies including password
management (synchronization and self reset), user provisioning and access management.
It enables and maintains user access to network resources. This includes the creation of
the user entity (functionality typically found in human resource applications),
authorization and permissions (SSO and password management functionality), and a single
point of administration for provisioning and deprovisioning accounts.

2.11 Addendum
Data transmission methods:
- Asynchronous: Data transmission method using a start bit at the beginning of the
  data value and a stop bit at the end.
- Synchronous: A message-framed transmission method that uses clock pulses to match
  the speed of data transmission.
- Isochronous: Synchronous data transmission without a clocking source, with the bits
  sent continuously and no start or stop bits.
- Plesiochronous: A transmission method that uses more than one timing source,
  sometimes running at different speeds. It requires master and slave clock devices.
The enforced path refers to the limitations on network access for users. Individuals are
authorized access to resources on a network through specific paths. The user is not
authorized to access a resource through a different route. A VPN is an example of an
enforced path.
CISSP 3-1

3 Security Management and Practices
3.1 Defining Security Principles
CIA: INFORMATION SECURITY'S FUNDAMENTAL PRINCIPLES
The building blocks, or primitives, of any security program, based on the question "What
do we protect, why and how?", are:
- Confidentiality
- Integrity
- Availability
Confidentiality describes the secrecy of the information asset. It is about determining
the level of access in terms of how and where the data can be accessed. This can be
classified by a degree of confidentiality.
Protections, however, are only as good as the security program itself. Therefore you must
pay attention to the tools used, install safeguards (such as encryption) and be aware of
social engineering techniques (which require a high level of user awareness).
Integrity justifies the cost of collecting and maintaining the data. You should put
mechanisms in place to prevent attacks on the storage of data (contamination) and on its
transmission (interference). Protecting data involves both storage and network mechanisms.
There are malicious and non-malicious attacks on the integrity of data. The first kind
are viruses, back doors and logic bombs. Non-malicious attacks are caused by users
entering invalid or inaccurate data, not following the procedures, or using the wrong
programs to access data. You have to give users awareness training, and programs
should be tested before they are placed on the network. In network environments,
data can be encrypted to prevent its alteration.
Availability is the ability of users to access an information asset. The organizational
policies should specify various controls and procedures to help maintain availability.
PRIVACY
Privacy relates to all the elements of the CIA triad. It considers which information can
be shared with others (confidentiality), how that information can be accessed safely
(integrity), and how it can be accessed (availability).
Several laws and acts, such as the U.S. Federal Privacy Act (1974) and the Health
Insurance Portability and Accountability Act (HIPAA), pay attention to this issue.
However, laws and regulations have difficulty keeping up with the technology.
Therefore organizations should look at the privacy of their own information assets.
They should have a privacy statement which reflects how the data is handled and which
makes clear to users what information is being collected.
IDENTIFICATION AND AUTHENTICATION
Information security is the process of managing access to resources. If an entity
requires access to an information resource, you must identify it (identification) and
verify that the entity is who it claims to be (authentication). In most cases this is a
two-step process.
The first step is identification. Identifiers can be public or private and are tied directly
to the entity. Normally a username is used.
The second step is authentication. There are three types of authentication:
- What the entity knows: A PIN or password
- What the entity has: An access card, a smart card or token
- Who or what the entity is: Usually identified through biometrics
If two or more are used, it is called strong authentication.
Passwords and PINs are the most common forms of authentication. They are also
the weakest link because users tend to create easily guessed passwords. Password
management tries to create a balance between creating passwords that cannot be
guessed and passwords users don't need to write down.

Security Management and Practices
CISSP 3-2
Methods for password management are:

- Password generators: Usually third party products which create passwords out of
  random characters.
- Password checkers: Tools that check passwords for their probability of being guessed.
- Limiting login attempts: Setting a threshold for login failures after which an
  account is locked.
- Challenge-response: Cognitive passwords. Using randomly selected questions which the
  user has to answer; normally used by voice response systems.
- Token devices come in two versions: synchronous and asynchronous. Synchronous token
  devices are time-based and generate a value that is valid for a set period of time.
  An asynchronous token device uses a challenge-response mechanism to determine whether
  the user is valid. The server displays a challenge, the user enters that challenge
  into the token device, which generates a token value. This value is entered by the
  user, after which the server verifies the value with an authentication server.
- Cryptographic keys combine the concepts of something you have and something you
  know. The user has a private key that is used to sign a common hash value that is
  sent to the authentication server. To strengthen the authentication process, the
  user is asked to enter a PIN or passphrase that is also added to the hash.
NONREPUDIATION
Nonrepudiation is the ability to ensure the authenticity of a message by verifying it
using the message's digital signature. You can verify the signature with the public key
obtained from a trusted certification authority (CA).
ACCOUNTABILITY AND AUDITING
System events can be tracked by using audit records. Systems and security
administrators use these records to:
- Produce usage reports;
- Detect intrusions or attacks;
- Keep a record of system activity for performance tuning;
- Create evidence.
Accountability [4] is created by logging the system events with the information from the
authenticated users, including all necessary information such as date, time and network
addresses. If you set up auditing, you have to decide how much information you
want to gather by defining a threshold or clipping level.
The auditing of systems requires active monitoring (such as keystroke monitoring) and
passive monitoring (examining audit data).
It is important to protect the integrity of the audit data, not only for the analysis of
this data, but also for law enforcement. For use of this data in legal proceedings you
must prove that the integrity of the data has been maintained and there was no
possibility for it to be altered. This is called proving the chain of custody.
3.2 Security Management Planning
Before information security policies can be created, management should perform a risk
analysis of the information assets. A risk analysis identifies the assets, determines the
risks to them and assigns a value to their potential loss. Using this, management
can decide on policies that best protect those assets by minimizing or mitigating the
risks.
3.3 Risk Management and Analysis
Risk management is the process of assessing risk and applying mechanisms to reduce,
mitigate or manage risk to the information assets. Its purpose is not to create a totally
secure environment but to define where risks exist, the probability that they occur,
the damage that they cause and the costs of securing the environment.
It is not possible, or too expensive, to reduce all risks to zero. You must look at the
likelihood of each risk and either look for other mitigations or accept it as a potential
loss.
When assessing risks, you must consider the types of loss (risk category) and how the
risk may occur (risk factor).

[4] The principle that individuals, organizations and the community are responsible for
their actions and may be required to explain them to others.
The risk categories are:
- Damage: physical loss of an asset or the inability to access it
- Disclosure: disclosing critical information
- Losses: permanent or temporary loss of data.
The risk factors are:
- Physical damage
- Malfunctions
- Attacks
- Human errors
- Application errors
RISK ANALYSIS
Risk analysis identifies the risks, quantifies the impact and assesses a cost for
mitigating the risk. It also assesses the possibility that the risk will occur in order to
weigh the cost of mitigation. Risk analysis consists of three steps:
1. Asset identification and valuation
2. Risk assessment and analysis
3. Select and implement countermeasures
On completion of the risk analysis the risk manager performs a cost-benefit analysis
(CBA), comparing the costs of safeguards with the costs of not adding safeguards. Costs
are given as an annualized cost and are weighed against the likelihood of occurrence. As
a rule, safeguards are not employed when the costs outweigh the potential loss.
In fact you can do three things:
1. Do nothing and accept the risk
2. Reduce the risk by implementing countermeasures and accept the residual risk
3. Transfer the risk to an insurance company
IDENTIFYING THREATS AND VULNERABILITIES
The risk analysis should identify the threats and vulnerabilities that could occur. As
environments can be very complex, a vulnerability in one area of the business could
easily affect another area of the business. This is called a cascading error. These errors
may be caused by malicious attacks or by errors in processing (called illogical
processing).
Identifying the threats to assets is the process of identifying the threat agents. These
are what cause the threats by exploiting vulnerabilities and can be human, programmatic
or a natural disaster. After the threat agents, vulnerabilities and risks have been
identified, the risk analysis concentrates on the loss potential. This is what the loss
would be if the threat agent is successful in exploiting a vulnerability. This should
include the delayed loss: the amount of loss that can occur over time. Think of loss in
productivity, loss of clients and business, et cetera.
ASSET VALUATION
Assets and risk can be valued the quantitative way (money) and the qualitative way
(ranking threats and the effectiveness of countermeasures). The steps in a risk
assessment are:
1. Identify the assets
2. Assign values to the assets
3. Identify the risks and threats corresponding to each asset
4. Estimate the potential loss from that risk or threat
5. Estimate the possible frequency of the threat occurring
6. Calculate the cost of the risk
7. Recommend countermeasures or other remedial activities
Identify the assets
These are the systems, network components and information.
Assign values to the assets
To determine the value use the following questions:
- How much revenue does this data generate?
- How much does it cost to maintain?
- How much would it cost if the data were lost?
- How much would it cost to recover or re-create?
- How much would it be worth to the competition?
Identify the risks and threats corresponding to each asset
Use your common sense to determine all risks and threats to each asset.
Estimate the potential loss from that risk or threat
Think of replacement costs and loss of productivity. The estimated cost is used to
calculate the single-loss expectancy (SLE). This is the amount of the potential loss for a
specific threat.
Estimate the possible frequency of the threat occurring
The frequency of occurrence is used to estimate the percentage of loss on a particular
asset because of a threat. This is called the exposure factor (EF). If a fiber-optic cable
between two buildings is cut causing 20% of the infrastructure to become inoperable,
the EF is 20%.
Next the annualized rate of occurrence (ARO) is calculated. This is the estimated
probability that the threat will take place in a one year time frame, varying from 0.00
(never) to 1.00 (certain). If a threat takes place once every four years, the ARO is 0.25.
Calculate the cost of the risk
Based on the information gathered in the previous steps, the annualized loss expectancy
(ALE) can be calculated. The ALE tells the analyst the maximum amount that should be
spent on the countermeasure to prevent the threat from occurring.
SLE = asset value x EF
ALE = SLE x ARO

Asset        Threat         Value    EF    SLE      ARO   ALE
NOC          Fire           500.000  0.45  225.000  0.20  45.000
Web servers  Power failure  25.000   0.25  6.250    0.50  3.125
QUALITATIVE RISK ANALYSIS
To do a qualitative risk analysis you first identify the major threats and analyze the
scenarios for the possible sources of the threat. The scores show the likelihood of the
threat occurring, the potential for the severity and the degree of loss. Additionally,
potential countermeasures are analyzed by ranking them for their effectiveness.
Finally the scores for the threat are compared to the countermeasures. If the score for
the countermeasure is greater than that of the threat, it means that the countermeasure
will be more effective in protecting the asset.
COUNTERMEASURE SELECTION AND EVALUATION
Determining the most cost-effective countermeasure is called a cost/benefit analysis.
The calculation is as follows:
Value of countermeasure = ALE (without countermeasure) - Cost (safeguard) - ALE (with countermeasure)
Take the example of the Web servers. If a UPS is purchased (1.000) it reduces the EF
to 0.05. The chance that an outage lasts longer than the UPS can bridge occurs once in
five years (ARO = 0.20).
ALE (with UPS) = asset value x EF x ARO = 25.000 x 0.05 x 0.20 = 250
Value of countermeasure = 3.125 - 1.000 - 250 = 1.875.
The benefit of this countermeasure = 1.875 - 1.000 = 875 per year.
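The SLE/ALE table and the countermeasure formula above, carried through in code as an added example that is not part of the original text; it also applies the rule that a safeguard whose costs outweigh the potential loss is not employed. The UPS figures are the page's; the generator safeguard is a constructed (hypothetical) figure.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple

# Added example, not from the page: the quantitative formulas above (SLE, ALE and the
# value of a countermeasure) applied to the page's NOC and Web-server figures, plus a
# constructed second safeguard to show the "costs outweigh the loss" rule rejecting one.


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    asset_value: float
    ef: float           # exposure factor, 0.0 - 1.0
    aro: float          # annualized rate of occurrence, 0.0 - 1.0

    @property
    def sle(self) -> float:
        return self.asset_value * self.ef          # SLE = asset value x EF

    @property
    def ale(self) -> float:
        return self.sle * self.aro                 # ALE = SLE x ARO


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    ef_after: float     # exposure factor once the safeguard is in place
    aro_after: float    # occurrence rate once the safeguard is in place


def countermeasure_value(exposure: Exposure, safeguard: Safeguard) -> float:
    """Value = ALE(without) - cost of safeguard - ALE(with)."""
    with_it = replace(exposure, ef=safeguard.ef_after, aro=safeguard.aro_after)
    return exposure.ale - safeguard.annual_cost - with_it.ale


def choose_safeguards(exposure: Exposure, candidates: List[Safeguard]) -> List[Tuple[Safeguard, float]]:
    """Keep the safeguards whose value is positive, most valuable first; the rest cost more than they save."""
    scored = [(s, countermeasure_value(exposure, s)) for s in candidates]
    return sorted([(s, v) for s, v in scored if v > 0], key=lambda sv: -sv[1])


# The two rows of the table above.
NOC_FIRE = Exposure("NOC", "Fire", 500_000, 0.45, 0.20)
WEB_POWER = Exposure("Web servers", "Power failure", 25_000, 0.25, 0.50)

# The UPS from the text, and a constructed (hypothetical) generator that is too expensive.
UPS = Safeguard("UPS", annual_cost=1_000, ef_after=0.05, aro_after=0.20)
GENERATOR = Safeguard("Generator", annual_cost=5_000, ef_after=0.01, aro_after=0.10)


if __name__ == "__main__":
    for e in (NOC_FIRE, WEB_POWER):
        print(f"{e.asset:12} {e.threat:14} SLE={e.sle:>10,.0f} ALE={e.ale:>8,.0f}")
    for s, v in choose_safeguards(WEB_POWER, [UPS, GENERATOR]):
        print(f"worth buying: {s.name} (value {v:,.0f} per year)")
```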
3.4 Policies, Standards, Guidelines and Procedures
Information Security Policies are high-level plans that describe the goals of the
procedures. They describe security in general terms. Information Security Policies are the
blueprints, or specifications, for a security program.
The first step in writing policies is to determine the overall goal. Secondly you have to
determine for which systems and processes you want to write a policy. There is no
need for one document which describes all policies; it is better to write one policy for
each topic, such as user and physical policies, access control policies or external access
policies.
The third step is to identify what is to be protected. You need to have a complete
inventory of the information assets supporting the business processes, including any
material that has the organization's name or logo on it.
The fourth step is to identify from whom it is being protected. The focus should be on
who can access resources and under what conditions. Some considerations for data
access are:
- Authorized and unauthorized access to resources and information
- Unintended or unauthorized disclosure of information
- Enforcement procedures
- Bugs and user errors.
Baselines are used to create a minimum level of security necessary to meet policy
requirements. Baselines can be configurations, architectures or procedures.
Standards and baselines describe specific products, configurations or other mechanisms
to secure the systems. In cases in which security cannot be described as a standard or
set as a baseline, you need guidance: recommendations are created as guidelines, for
example for risk analyses. You do not describe in detail how to perform an audit; a
guideline can specify the methodology, leaving the team to fill in the details.
Procedures describe how to use the standards and guidelines to implement the
countermeasures that support the policy. The kinds of procedures differ per organization
but the following are quite common:
- Auditing: what to audit, how to maintain audit logs.
- Administrative: separation of duties.
- Access control: how to configure authentication and other access control features
- Configuration: firewalls, routers, switches and operating systems
- Incident response: how to respond to security incidents
- Physical and environment: air conditioning for server rooms, shielding of Ethernet
  cables.
Implementation of these procedures is the process of showing due diligence in
maintaining the principles of the policy. Due diligence is important because it
demonstrates commitment to the policies.
3.5 Roles and Responsibilities
The most important role belongs to management, who must set the tone for the
entire information security program. They have to become part of the process. This
involves showing leadership in the program. Furthermore management is responsible
for doing the risk analysis and conveying this to the technical people responsible
for implementing these policies.
One way to ensure that every employee knows that security is part of his job is to
make it part of each job description. After it has been made part of the job description,
it becomes something that can be considered in performance evaluations.
The same goes for outside contractors and vendors. They should include similar
language within their statements of work.
The IT staff is responsible for implementing and maintaining organization-wide
information security policies, standards, guidelines and procedures. They should provide
input into security awareness education programs and ensure that everyone knows his
role in maintaining security.
Information security must also integrate into the business environment. Jobs that
support security through the processes should be defined. One way of doing this is
separation of duties and assigning ownership to assets.
Furthermore you must consider how security is administered throughout the
organization. There should be a central information security management group which is
in charge of the monitoring and enforcement of the policy and procedures.
3.6 Understanding Protection Mechanisms
Protection mechanisms are used to enforce layers of trust between security levels of a
system. Trust levels are used to provide a structured way to compartmentalize data
access and create a hierarchical order. There are four protection mechanisms:
- Layering: Processes are placed in layers/zones and need to request access to a
  protected resource in another layer/zone. Bell-LaPadula is an application of this
  concept in military systems.
- Abstraction
- Data hiding
- Encryption: Encryption uses cryptography to convert data into an unintelligible form.
3.7 Classifying Data
Commercial classification of data consists of five levels:
- Sensitive: Most limited access; should not be disclosed.
- Confidential: Less restrictive within the company but might cause damage if disclosed
- Private: Compartmental data which must be kept private.
- Proprietary: Data that is disclosed outside the company in a limited or restricted
  manner
- Public: The least sensitive data which would cause the least harm if disclosed.
Government classification of data is based on laws, policies and executive directives
which sometimes conflict with each other. This classification consists of five levels:
- Top Secret: Disclosure would cause severe damage to national security.
- Secret: Disclosure would cause serious damage to national security.
- Confidential: Data that is exempt from disclosure under laws such as the Freedom of
  Information Act but is not classified as national security data.
- Sensitive But Unclassified (SBU): Data that is not considered vital to national
  security but its disclosure would do some harm (e.g. data from citizens).
- Unclassified: Data which has no classification or is not sensitive.
Criteria for setting a classification scheme are:
- Who should be able to access or maintain the data?
- Which laws, regulations, directives or liability might be required in protecting the
  data?
- For government organizations, what would the effect on national security be if the
  data were disclosed?
- For nongovernmental organizations, what would the level of damage be if the data
  was disclosed or corrupted?
- Where is the data to be stored?
- What is the value or usefulness of the data?
The steps for creating data classification procedures are:
1. Set the criteria for classifying the data.
2. Determine the security controls that will be associated with the classification.
3. Identify the data owner who will set the classification of the data.
4. Document any exceptions that might be required for the security of this data.
5. Determine how the custody of the data can be transferred.
6. Create criteria for declassifying information.
7. Add this information to the security awareness and training programs so users
can understand their responsibilities in handling data at various classifications.
3.8 Employment Policies and Practices
Employment policies can be used to protect information security assets by setting guidelines for:

- Background checks and security clearances
- Employment agreements, hiring and terminations
- Setting and monitoring of job descriptions
- Enforcement of job rotation

Employment agreements are made to protect the organization from the insider threat. By having the employee sign the agreements, the organization has the ability to enforce the policies behind them. You can use a UAP, which summarizes the overall information policy for the users, to make users aware of the security policies.
When a contract with an employee (or contractor) is terminated, all access rights should be revoked immediately. Also, the former employee or contractor should be escorted out of the building.
Job descriptions define the roles and responsibilities for each employee. Within these roles and responsibilities, procedures are used to set the various access controls.
3.9 Managing Change Control
Change control, configuration management and revision control help to determine the
security impact of changes.
4 Applications and System Development Security
4.1 Software Applications and Issues
CENTRALIZED, DECENTRALIZED AND DISTRIBUTED SYSTEMS
Even in the old days, when we had centralized systems, there was a security risk of disrupted data caused by:

- Incorrect data entered in error;
- Incorrect data entered on purpose;
- Someone entering code which extracted, modified, destroyed or disrupted data;
- Unauthorized access to data or seeing data on screens;
- Unauthorized use of unattended terminals with active sessions.

There is a difference between centralized, decentralized and distributed systems:

- Centralized: All computing takes place in one place.
- Centrally controlled computing: Computers are distributed physically but are maintained and controlled by a central authority.
- Decentralized: Computing facilities exist throughout the company; they may be linked with each other.
- Distributed: Computers are everywhere, and so is the processing. There is no centralized control. Examples are PDA applications, internet applications, file servers and email.

The internet is an example of a massively distributed system. These are systems that are ubiquitous across time and space and consist of a large number of connected systems.
MALICIOUS SOFTWARE (MALWARE)
Malicious software falls into one of the following categories:

- Viruses: Programs which run on a computer without the permission of its owner. There are polymorphic viruses, boot sector viruses, multipartite viruses and macro viruses.
- Trojans: Programs that masquerade as something else.
- Logic bombs: Programs designed to execute because of some event.
- Worms: Malware that replicates and spreads itself across a network. It might use its own communication code (SMTP) or use one of the existing services (FTP, email, telnet).
- ActiveX/Java: These controls are used by web-based applications but may contain harmful code. Nimda is an example of a harmful applet.
- Blended malware: Malware using the results of previous malware to attack a system.
- Agents / remote control programs: Programs that remotely control another computer.

The border between normal programs and malware may be thin. A program that reinstalls the operating system may be considered to be malware, but is also helpful as an administrator tool. The purpose behind the software defines whether it is malware or not.
The threat of malware can be managed by following the next steps:
1. Have a malware policy that specifies the use of antivirus products and pro-
vides for regular maintenance. Ensure its approval and support by top man-
agement.
2. Make virus protection software an absolute must for every device.
3. Make updating your virus protections products a priority on all systems.
4. Install and properly configure special mail server virus protection.
5. Configure mail server antivirus programs to block executable attachments.
6. Keep all systems patched.
7. Reduce attack vectors by scanning removable media.
8. Reduce attack vectors by disallowing ActiveX or JavaScript download where possible.
9. Keep up-to-date on trends and actual virus threats.
10. Use recommended steps to clean infected systems.
DATABASES
A DBMS provides access to the items in a database and maintains the information in the database. Objectives of most database management systems (DBMSs) are:

- Data independence
- Minimal data redundancy
- Data reuse
- Data consistency
- Persistence
- Data sharing
- Data recovery
- Security controls
- Data relationships defined by primary and foreign keys
- Data integrity, consisting of semantic and referential integrity
- Utilities or processes to ensure efficient processing over time

The following data models are commonly used:

- Relational (Oracle, DB2, SQL Server)
- Hierarchical (IMS)
- Network (IDMS/R)
- Object-oriented (ODBMSs)
- Distributed

Security issues regarding databases are:

- Default administrator passwords;
- Misuse of the production database as a test database;
- Lack of separation of data administration from application system development (programmers should only have special rights during the development phase);
- Distributed databases:
  - having multiple access points;
  - distributed database processing is much harder to get right; you need transaction control mechanisms;
- Aggregation of data can expose sensitive information; use views to give access to specific data only;
- Denial-of-service attacks by using improperly formatted queries;
- Improperly modifying data;
- Access to some data can provide the ability to deduce or infer data that is protected.

The DDL (Data Description Language) provides the means to define a database. A schema is a description of the database.
DATA WAREHOUSES
Data warehouses contain a lot of (historical) information, which makes them interesting for attackers. You must pay attention to developing proper access controls to ensure that the data is entered correctly and by authorized people.
STORAGE AND STORAGE SYSTEMS
There are a few kinds of storage:

- Primary storage (volatile storage): data in RAM;
- Secondary storage (nonvolatile storage): data on disk;
- Real memory: RAM provided in hardware;
- Virtual memory: swap files, disk pages;
- Sequential access: tapes;
- Random access: disks;
- Registers: high-speed memory locations in the CPU;
- Cache: CPU memory storage that is quicker than RAM;
- Static RAM: Level 2 cache memory;
- Dynamic RAM: FPM DRAM, EDO, SDRAM, RAMBUS DRAM, RIMM;
- BIOS: provides basic information on hardware devices.

A specific risk exists with virtual memory, because it uses the disk and creates temporary files which could be copied and then analyzed by an attacker.
Some storage devices are:

- Credit card memory: a proprietary DRAM memory;
- PCMCIA Card: a nonproprietary DRAM memory;
- Flash RAM;
- Real-time clock (RTC), which stores floppy and hard drive configuration information needed during boot;
- Video RAM: VRAM, used for video adapters and 3D accelerators.
Storage Area Networks (SANs) are centrally managed, network-accessible storage systems. They are accessible from all servers and other storage systems. The benefits of SANs are:

- Centralized control, including backup and management;
- Access from anywhere at any time;
- Can improve data protection;
- Additional storage can be added with little to no disruption;
- Better physical security;
- Improved availability;
- Business flexibility;
- Can improve disaster tolerance.

As SANs are moving to IP-based networks, they become vulnerable to attacks. SAN administrators apply the following security principles:

- Physical security: They are placed in secure data centers;
- Confidentiality: When using IP networks, IPSec can be used to encrypt data in transit;
- Authenticate users: SANs must have mechanisms to validate the identity of individuals;
- Authorization: Access controls should be applied in a granular way. File and folder controls are commonly available. Additionally, some SANs offer the ability to zone or segment; within a zone only some devices are accessible.
- Interoperability: Using SANs from different vendors can cause difficulties in communication between them, resulting in security problems due to the lack of security controls in another SAN.
KNOWLEDGE-BASED SYSTEMS
To develop an expert system you use an expert system shell, which consists of an inference engine and a user interface. The process of taking expert knowledge and coding it in a database is called knowledge engineering.
Rule-based expert systems use forward chaining or backward chaining for reasoning. Forward chaining starts with a question and a set of known facts and fires rules to evaluate. The process ends when no new facts are found or the result for the question is found. Backward chaining starts with a hypothesis that can determine the answer and then works backward through the rules, attempting to determine whether the answer is correct.
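As an added illustration of the two reasoning strategies just described (not code from the summary or its source books), here is a minimal forward- and backward-chaining engine over a constructed, security-flavoured rule base; all rule and fact names are made up for the example.

```python
"""Forward and backward chaining over a small rule base.

Added example for the expert-system section. The rules and facts are
constructed: they derive whether a login event should raise an alert."""

# A rule is (set of premises, conclusion): if all premises hold, the conclusion holds.
RULES = [
    ({"login_failed_x5", "same_source_ip"}, "password_guessing"),
    ({"password_guessing", "login_success"}, "account_compromised"),
    ({"account_compromised", "privileged_account"}, "raise_alert"),
    ({"login_from_new_country", "login_success"}, "suspicious_login"),
    ({"suspicious_login", "privileged_account"}, "raise_alert"),
]


def forward_chain(facts, rules):
    """Start from known facts, fire every rule whose premises are all known,
    add its conclusion, and repeat until a pass derives nothing new."""
    known = set(facts)
    fired = []  # conclusions in the order they were derived
    changed = True
    while changed:
        changed = False
        for premises, conclusion in rules:
            if conclusion not in known and premises <= known:
                known.add(conclusion)
                fired.append(conclusion)
                changed = True
    return known, fired


def backward_chain(goal, facts, rules, _seen=None):
    """Start from a hypothesis (goal) and work back through the rules: the goal
    holds if it is a known fact, or if some rule concludes it and all of that
    rule's premises can themselves be established."""
    if goal in facts:
        return True
    seen = _seen or set()
    if goal in seen:  # guard against circular rule bases
        return False
    seen = seen | {goal}
    for premises, conclusion in rules:
        if conclusion == goal and all(
            backward_chain(p, facts, rules, seen) for p in premises
        ):
            return True
    return False


if __name__ == "__main__":
    # Constructed observations from a hypothetical authentication log.
    observed = {"login_failed_x5", "same_source_ip", "login_success",
                "privileged_account"}
    derived, order = forward_chain(observed, RULES)
    print("forward chaining derived:", order)
    print("backward chaining, alert?", backward_chain("raise_alert", observed, RULES))
```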
WEB SERVICES AND OTHER EXAMPLES OF EDGE COMPUTING
Grid computing allows gathering the excess processing capability from the proliferation of computers in the organization. Clustering is the combining of multiple computers for the sharing of processing power and storage.
Web services dissect the program processing into its smallest chunks and spread these pieces across the Internet. These pieces can be recombined in many different ways. Web services are small reusable programs that can be accessed from otherwise unconnected sources. Web services work in many scenarios, such as:

- Client-to-client: sharing data between clients
- Client-to-server: the same in a master-slave setting
- Server-to-server: processing takes place across multiple servers
- Service-to-service: services working together
4.2 Attacking Software
See also the paragraph Common Attacks and Countermeasures (page 18) for more information. There are several kinds of attacks and countermeasures:

- Brute force and dictionary attacks: Add additional authentication factors such as smart cards or biometrics.
- DoS (smurf attack): Use modern TCP/IP stacks which prevent these problems.
- DDoS: Apply all current patches and service packs; make sure your programs cannot create a buffer overflow.
- Spoofing (such as the SMBRelay attack): SMB signing, a process that authenticates each packet in the file sharing session.
Miscellaneous attacks are:

- Hidden code: Code inserted in approved software. Examine application development teams and audit their work; scan code for the use of file streams and viruses.
- Logic bombs: Audit activities involving code maintenance, code production and access to servers.
- Trap door: Insist on code review and look for removal of break points and other programmer debugging techniques.
- TOC/TOU: Time of Check to Time of Use. Compromising a system between two steps (IBM 360).
- NAK attacks: Software interrupts. The normal response to an action is an ACK or a NAK (negative acknowledgement). A system must be able to handle these events.
- Pseudoflaw: A technique used on the Internet to get your userid and password by presenting a familiar login screen.

Some software seems to be legitimate administrative software but is in fact a hacker tool. Examples are Netbus, Back Orifice and Netcat. Common network software can also make your network vulnerable:

- In Windows you can access drives of other machines by clicking in your browser. You have to set the proper permissions.
- Network sniffers can be used to find passwords and valuable data. Encrypt information; send fake but plentiful messages at all times to all stations.
- Protocols may have vulnerabilities. TCP/IP has some flaws.
4.3 Understanding Malicious Code
Hackers originally tried to learn how things work; today the term has a negative connotation. Crackers are guys who intentionally break in, whether for profit or bragging rights. Phreakers are guys who used to hack phone systems (PBXes and telcos).
Malicious code, such as worms, tries to accomplish one of the following:

- Modifying computer programs
- Crashing programs or systems
- Stealing or modifying data
- Inserting or adding code for later damage.

Hoaxes are threats that do not exist but can cause a lot of harm, because a lot of unsolicited mail is sent by users across the organization. To prevent this you can:

- Check Internet hoax-busting sites
- Check well-known alert sites
- Report the warning to the security department

You can use antivirus software on your edge servers. These are servers that accept input from untrusted networks and make it available to the trusted network. An example of an edge server is a firewall. It checks incoming data for viruses and removes all untrusted attachments.
4.4 Implementing System Development Controls
There are two methods of system development: the waterfall and the spiral system development lifecycle.
The waterfall system development lifecycle consists of:

- Conceptual Definition / Feasibility Study
- System Analysis / Functional Requirements Determination
- Design / Specifications Development
- Design Review
- Construction
- Code Review / Walk-through
- System Test Review
- Certification / Accreditation
- Implementation
- Maintenance
- Disposal
The spiral system development lifecycle uses the following steps:
1. Develop a preliminary design
2. Develop a prototype from the design
3. Develop the next prototype
4. Evaluate
5. Define further requirements
6. Plan and design another prototype
7. Construct and test this prototype
8. Repeat steps 3-7 until the customer is satisfied
9. Construct the system
10. Thoroughly test the final system
Barry Boehm added the element of risk analysis to the model, in which four steps are repeated over and over again until the right design is created. These steps are:
1. Planning/review: Determine the objectives of the system.
2. Risk analysis, prototype: First identify all alternative solutions and perform a risk analysis. Resolve the risks and create the prototype.
3. Engineering: Develop and verify the product requirements. Validate the design. Do a detailed design and validate it. Code a test product.
4. Plan the next phase: Review for customer satisfaction. Perform requirements planning, development planning and integration planning, and create a test plan.
RAD seeks the 20/80 rule, meaning that 80 percent of the desired goals are established in 20% of the time. The RAD process includes the following time-boxed stages:

- High-level end users and designers convene a Joint Application Development meeting (a brainstorm session);
- Developers build a prototype;
- Designers review the prototype;
- Customers try out the prototype;
- A focus-group meeting takes place in which customers and developers refine the requirements;
- A new prototype is developed and the process begins again.
A security control architecture is the sum of the controls built into the system and might be enforced by the hardware or the software. The security architecture can include features such as:

- Process isolation
- Hardware segmentation
- Memory protection
- Least privilege
- Separation of duties by assigning privileges to special functions
- Layering of system functions
- Security kernel
- Modes of operation
- Accountability

The highest security level supported by a system is called system high; the lowest level system low. A system can be tested to ensure it conforms to the appropriate level for use. This is called accreditation if it is an official authorization and approval. As this is a management process, it cannot be done before a certification (technical evaluation) has been done.
The best practices of system development are:

- Partition development from production.
- Promote documentation of code and code changes.
- Back up development and production code.
- Continuously train the staff.
- Adopt coding standards.
4.5 Using Coding Practices That Reduce System Vulnerability
The following development methods are used today:

- Structured programming
- OO-programming
- CASE
- Prototyping
Software has security flaws for the following reasons:

- The time to market is short and software is feature rich, which means that there is little time to test;
- Software must run on multiple platforms, which requires drivers from other companies;
- Software must be backward compatible;
- The software is not complete; missing functionality is added via patches and upgrades;
- Consumers have accepted the flaws as normal;
- The complexity of software makes it difficult to eliminate errors and vulnerabilities in a short timeframe;
- More connectivity means more exposure to danger;
- A poor ethical attitude and the availability of prewritten attack code.

Techniques for writing safe software are:

- Eliminating buffer overflows. Buffer overflows can cause a program to crash or give an attacker the opportunity to execute further attack code.
- Preventing array indexing errors.
- Utilizing good access control.
- Principle of least privilege.
- Defense in depth.
- Hiding secrets (such as user passwords).
- Remember the weakest link.
5 Cryptography
5.1 Uses of Cryptography
Cryptography (crypto) has four main goals:

- Confidentiality: Preventing, detecting or deterring unauthorized access to information. Make sure no one else can read it. Note: not all encryption provides confidentiality!
- Integrity: Preventing, verifying and detecting the alteration of data you sent. Make sure that no one can modify your data.
- Authentication: Identifying an individual or finding out that he belongs to a certain group. Authentication is based on three attributes: something the person knows, has or is. All these authentication methods use encryption.
- Nonrepudiation: Critical when it comes to digital signatures. It deals with proving in a court of law that someone was the originator. It uses asymmetric encryption, which allows you to prove that someone actually sent a message.
5.2 Cryptographic Concepts, Methodologies and Practices
Plain text is a message in its original form. Ciphertext is a message after it has been encrypted. Encryption is the process of taking a plain text message and converting it into ciphertext; decryption is the process of taking ciphertext and converting it back to plain text.
SYMMETRIC ALGORITHMS
Symmetric encryption is also called single-key or secret-key encryption. It uses one key to encrypt and decrypt messages. Therefore the sender and receiver must both know the key. Because you only use encryption when you use an insecure channel, the problem arises of how to send the key to the receiver: you need a secure channel to do that. Another problem with symmetric encryption is nonrepudiation.
The most used symmetric key encryption schemes are DES (56-bit) and triple DES. DES is considered unsafe because a brute force attack nowadays takes only a little while to break the code. Triple DES is preferred.
AES (Advanced Encryption Standard) is now being developed by the NIST (National Institute of Standards and Technology) and uses the Rijndael algorithm. This will be the future standard for symmetric encryption. It uses a block size of 128 bits and the key can be 128, 192 or 256 bits.
ASYMMETRIC ALGORITHMS
Asymmetric encryption uses two keys: a private key and a public key. Only the owner Bob has the private key; everybody else can get the public key through a trusted (not necessarily secure) channel. The public key is used by people who want to send an encrypted message to Bob. This public key cannot decrypt, which makes it impossible to intercept and decrypt a message for Bob. Only Bob can decrypt the message with his private key.
Because of this, asymmetric encryption supports nonrepudiation. If you get a message from Bob, you know it is from Bob because he encrypted it using his private key.
Confidentiality and nonrepudiation are assured. If Alice sends a message to Bob, she uses her private key to encrypt the message and next, she uses Bob's public key to encrypt the output. Only Bob can decrypt the message using his private key, and then decrypt it again with Alice's public key.
Asymmetric encryption is powerful. The reason for still using symmetric encryption is that asymmetric encryption is very slow. The most widely used algorithm is RSA.
SAFETY MECHANISMS
There are some mechanisms you can use with encryption:
- Message authentication codes (MACs), which are used to make sure that the message has not changed in transit. You can use a simple parity check or more complex methods;
- Hash functions can be used and are very popular with digital signatures: you reduce the amount of information that has to be encrypted. A common implementation of hash functions is MD5.
- Digital signatures are used to ensure nonrepudiation. The message is processed by a hash function which produces a fixed-length output. Thus the length of the message is reduced, after which it can be encrypted with the private key of the sender.
- The key length determines the time before a code is broken. Long encryption keys ensure that a computer needs a lot of time to break the code with a brute force attack. However, computers become faster every year.
- One-time ciphers are considered to be unbreakable because with every message you create a new key. So, if the encryption of one message is broken, the key is of no use for other messages sent by you.
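The Alice-to-Bob exchange from the asymmetric section (encrypt with the sender's private key, then with the recipient's public key) combined with the hash-then-sign step from the digital-signature bullet, as an added example that is not code from the summary or its source books. It uses a deliberately tiny textbook RSA (small primes, no padding) so it runs with only the Python standard library; assumptions: SHA-256 stands in for "a hash function", and Bob's modulus is built larger than Alice's so her signature blocks fit under it.

```python
"""Sign-then-encrypt with textbook RSA, as described in the summary: Alice
'encrypts' a hash of her message with her private key (the signature), then
encrypts message and signature with Bob's public key; Bob reverses both steps.

Added example. The RSA here is a toy (about 2^40 moduli, no padding) for
illustration of the key roles only; it is not usable as real cryptography."""
import hashlib
import math

BLOCK = 4  # bytes per RSA block; 2^32 stays below both moduli built below


def is_prime(n):
    """Deterministic trial division; adequate for the ~2^20 primes used here."""
    if n < 2:
        return False
    return all(n % f for f in range(2, math.isqrt(n) + 1))


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def make_keypair(seed):
    """Return (public, private) = ((e, n), (d, n)) from two primes just above seed."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    e = 65537
    while math.gcd(e, (p - 1) * (q - 1)) != 1:  # e must be invertible mod phi
        q = next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def to_blocks(data):
    """Bytes -> list of ints; the first block records the byte length."""
    padded = data + b"\x00" * (-len(data) % BLOCK)
    return [len(data)] + [int.from_bytes(padded[i:i + BLOCK], "big")
                          for i in range(0, len(padded), BLOCK)]


def from_blocks(blocks):
    """Inverse of to_blocks; raises OverflowError if a block is not a 4-byte value."""
    body = b"".join(b.to_bytes(BLOCK, "big") for b in blocks[1:])
    return body[:blocks[0]]


def rsa_apply(blocks, key):
    """Encrypt or decrypt every block with key = (exponent, modulus)."""
    exp, n = key
    return [pow(b, exp, n) for b in blocks]


def sign(message, priv):
    """Hash first (fixed-length output), then 'encrypt' the hash with the private key."""
    return rsa_apply(to_blocks(hashlib.sha256(message).digest()), priv)


def verify(message, signature, pub):
    """'Decrypt' the signature with the public key and compare with a fresh hash."""
    return rsa_apply(signature, pub) == to_blocks(hashlib.sha256(message).digest())


def sign_then_encrypt(message, sender_priv, recipient_pub):
    """Alice's side: sign with her private key, then encrypt all with Bob's public key."""
    signature = sign(message, sender_priv)
    return (rsa_apply(to_blocks(message), recipient_pub),
            rsa_apply(signature, recipient_pub))


def decrypt_then_verify(envelope, recipient_priv, sender_pub):
    """Bob's side: decrypt with his private key, then check Alice's signature.
    Returns (ok, message); ok is False when the envelope was altered in transit."""
    enc_msg, enc_sig = envelope
    try:
        message = from_blocks(rsa_apply(enc_msg, recipient_priv))
    except OverflowError:  # a tampered block decrypts to a value that is not 4 bytes
        return False, None
    signature = rsa_apply(enc_sig, recipient_priv)
    return verify(message, signature, sender_pub), message


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(1 << 20)  # Alice's modulus ~2^40
    bob_pub, bob_priv = make_keypair(1 << 21)      # Bob's modulus ~2^42 > Alice's
    envelope = sign_then_encrypt(b"OVERLORD BEGINS", alice_priv, bob_pub)
    print(decrypt_then_verify(envelope, bob_priv, alice_pub))
```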
5.3 PKI and Key Management
With asymmetric encryption the public key is sent through a trusted channel. If you have a lot of friends (or employees) this becomes a hell of a job. You need a trusted third party who distributes your public key. This centralized authority that manages keys is the public key infrastructure server (PKI server).
You cannot simply offer your keys to a PKI server. You achieve trust with PKI through digital certificates. There are authorities (Verisign) who validate persons and companies. After approval, this authority will sign the certificate.
A digital certificate requires at least the following information: name, expiration date and the digital signature of the certifier.
5.4 Methods of Attack
Encryption schemes are considered to be insecure until they have been proven to be secure. People who test these schemes are called cryptanalysts. Only if a cryptanalyst has been unsuccessful for three to five years in an attempt to break a method is it considered to be safe.
With a safe algorithm, it doesn't matter if you know what it looks like. Therefore these methods are published freely.
There are four general attacks that can be performed against encrypted information:

- Ciphertext only attack (COA). You have an encrypted message that can be decrypted by using a brute force attack.
- Known plaintext attack (KPA). You have the encrypted message and its plaintext equivalent. You use these to find the key so you can use it to decrypt other messages. The longer the message is, the more accurately you can determine the key.
- Chosen plaintext attack. You have access to the encryption device and you can enter anything you want. In this way you can build up your knowledge about the encryption method.
- Chosen ciphertext attack. This is a theoretical attack. You feed a system with ciphertext and receive plaintext.

Specific attacks are:

- Brute force attack.
- Replay attack. Used to gain access to a system with an encrypted password. An attacker can replay the password. You can prevent this by adding a timestamp.
- Man-in-the-middle attacks. An evildoer (Eve) intercepts the exchange of public keys between Bob and Alice and sends fake keys to Bob and Alice. Eve can now control the keys and encrypt and decrypt messages.
- Meet-in-the-middle attacks. Given a message M1 which has to be encrypted with key K1, you get ciphertext C1: E(M1,K1)=C1. You can now encrypt this result with key K2 to get ciphertext C2. If you try to decrypt C2 to get C1 using brute force, with DES you have 2^56 possibilities. From C1 to M1 you also need 2^56 possibilities, thus in total needing 2^57 possible keys. This is why double DES never made it.
- Birthday. This refers to the chance that two people in a group have the same birthday. In reality this chance is greater than statistically expected. The same holds for two people having the same key, and so on.

A block cipher is a symmetric key algorithm that operates on a fixed-length block of plaintext and transforms it into a fixed-length block of ciphertext.
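To make the meet-in-the-middle argument above concrete, here is an added example (not code from the summary or its source books) on a constructed 16-bit toy block cipher with 12-bit keys: double encryption E(K2, E(K1, M)) costs about 2 * 2^12 cipher operations plus a lookup table to recover both keys, not 2^24, which is the effect the page describes for double DES (2^56 + 2^56 = 2^57). The cipher, the key values and the plaintext blocks are all constructed for the illustration.

```python
"""Meet-in-the-middle against double encryption with a constructed toy cipher.

Added example. The cipher (4 rounds of key XOR, 4-bit S-box, rotation) has
12-bit keys so that the full key space can be enumerated in a test; the
point is the work factor, not the cipher."""

KEY_BITS = 12
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # a 4-bit permutation
INV_SBOX = [SBOX.index(i) for i in range(16)]


def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & 0xFFFF


def sub_nibbles(x, box):
    return sum(box[(x >> s) & 0xF] << s for s in (0, 4, 8, 12))


def subkey(key, r):
    """Spread the 12-bit key over 16 bits and mix in a round constant."""
    return (((key << 4) | (key >> 8)) ^ (0x9E37 * (r + 1))) & 0xFFFF


def toy_encrypt(block, key):
    for r in range(4):
        block ^= subkey(key, r)
        block = sub_nibbles(block, SBOX)
        block = rotl16(block, 5)
    return block


def toy_decrypt(block, key):
    for r in reversed(range(4)):
        block = rotl16(block, 11)           # undo the left rotation by 5
        block = sub_nibbles(block, INV_SBOX)
        block ^= subkey(key, r)
    return block


def double_encrypt(block, k1, k2):
    """The 'double DES' construction from the text: C2 = E(K2, E(K1, M1))."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (M, C) pairs.

    Forward: tabulate E(K1, M0) for every K1 (2^12 encryptions).
    Backward: compute D(K2, C0) for every K2 (2^12 decryptions) and look it up.
    The extra pairs discard chance matches. Returns (candidates, work), where
    work counts cipher operations; brute force over both keys would be 2^24."""
    (m0, c0), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(m0, k1), []).append(k1)
    work = 1 << KEY_BITS
    candidates = []
    for k2 in range(1 << KEY_BITS):
        work += 1
        for k1 in table.get(toy_decrypt(c0, k2), ()):
            if all(double_encrypt(m, k1, k2) == c for m, c in rest):
                candidates.append((k1, k2))
    return candidates, work


if __name__ == "__main__":
    K1, K2 = 0x3A7, 0xB12                       # constructed secret keys
    blocks = [0x4F56, 0x4552, 0x4C4F]            # constructed 16-bit plaintexts
    known = [(m, double_encrypt(m, K1, K2)) for m in blocks]
    found, work = meet_in_the_middle(known)
    print("candidates:", [(hex(a), hex(b)) for a, b in found], "work:", work)
```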
Using a modulo 26 substitution cipher, where the letters A-Z of the alphabet are given the values 0-25, the message OVERLORD BEGINS is encrypted with the key K=NEW and D=3, where D is the number of repeating letters representing the key. The encrypted message is BZAEPKEH XRKEAW:

OVERLORD = 14 21 04 17 11 14 17 03
BEGINS   = 01 04 06 08 13 18
NEW      = 13 04 22

Text        =  O  V  E  R  L  O  R  D  B  E  G  I  N  S
Code        = 14 21 04 17 11 14 17 03 01 04 06 08 13 18
Key         = 13 04 22 13 04 22 13 04 22 13 04 22 13 04
Translation = 27 25 26 30 15 36 30 07 23 17 10 30 26 22
Modulo 26   = 01 25 00 04 15 10 04 07 23 17 10 04 00 22
            =  B  Z  A  E  P  K  E  H  X  R  K  E  A  W
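The worked computation above in code, as an added example (not from the summary or its source books): it reproduces the OVERLORD BEGINS / NEW result and then shows the known-plaintext weakness listed under Methods of Attack, namely that for this cipher one plaintext/ciphertext pair gives the key back as (ciphertext letter - plaintext letter) mod 26.

```python
"""The page's modulo-26 substitution cipher (a Vigenere cipher) and why a
known-plaintext pair defeats it. Added example; the key NEW, the period D=3
and the message OVERLORD BEGINS are the page's own values."""
import string

ALPHABET = string.ascii_uppercase


def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter (mod 26). Non-letters such
    as the space pass through unchanged and do not consume a key position,
    matching the page's table, where the key repeats across the word break."""
    out = []
    pos = 0
    for ch in text.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        shift = ALPHABET.index(key[pos % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        pos += 1
    return "".join(out)


def recover_key(plaintext, ciphertext, period):
    """Known-plaintext attack: key letter = (cipher - plain) mod 26.
    `period` is D, the key length; only the first D letter pairs are needed,
    so a message only slightly longer than the key already leaks all of it."""
    pairs = [(p, c) for p, c in zip(plaintext.upper(), ciphertext.upper())
             if p in ALPHABET]
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % 26]
                   for p, c in pairs[:period])


if __name__ == "__main__":
    ct = vigenere("OVERLORD BEGINS", "NEW")
    print(ct)                                         # BZAEPKEH XRKEAW
    print(vigenere(ct, "NEW", decrypt=True))          # OVERLORD BEGINS
    print(recover_key("OVERLORD BEGINS", ct, 3))      # NEW
```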
The National Computer Security Center (NCSC) is a branch of the National Security
Agency (NSA) that initiates research and develops and publishes standards and criteria
for trusted information systems.
6 Security Architecture and Models
6.1 Requirements for Security Architecture and Models
There are a few differences between government security issues and business security issues:

- Governmental security is centered on confidentiality, whereas business security is centered on integrity and consistency.
- Governmental information tends to be more confidential than business information.
- Few companies can afford such measures as the government takes to protect its information.

Because of the several classes of confidentiality, the increasing power of computers and the ease of using computers and even building viruses, there is a need for security models and architecture.
6.2 Security Models
Some better known security models are:

- Bell-LaPadula (see page 1-3)
- Biba (see page 1-3)
- Clark-Wilson
- Access control lists
CLARK-WILSON MODEL
The Clark-Wilson model is a government model and emphasizes data integrity for commercial activities. It uses software engineering concepts such as abstract data types, separation of privilege, allocation of least privilege and non-discretionary access control. The three integrity goals are:

- Prevent unauthorized users from making modifications;
- Prevent authorized users from making improper modifications;
- Maintain internal and external consistency.

ACCESS CONTROL LISTS
See also page 1-2, where ACLs are discussed together with rules. It is not a governmental model. In this model the objects (resources) are assigned lists of approved subjects (users and groups). Each entry consists of a user identification and the approved access level. These lists are used by network administrators in Unix and Windows systems.
6.3 Security System Architecture
A security architecture is the sum of the components used and the way they are put
together to build security functionality into a computer operating system or device.
Windows NT has the security subsystem SRM (Security Reference Monitor) which ex-
amines the credentials of the requestor for access to resources. Windows NT uses a
Security ID (SID) to identify subjects and Access Control Lists for objects.
SECURITY PRINCIPLES
Open systems provide a user with total system access. A closed or secure system is totally secure. Many open systems nowadays offer features that make them more secure. A good security system architecture, however, is designed to maximize the use of recognized security principles. Among these are:

- Trusted Computing Base: The sum of the security functions of the system.
- Execution Domain: The OS is run in a secured area which is protected from tampering. Application programs are run in the user area.
- Layering: Processes are layered, with each layer having a specific job.
- Abstraction: Acceptable operations are characterized but not spelled out in detail.
- Process isolation: Processes run without interfering with each other (own memory space).
- Least privilege: A process has only the rights and access it needs to run.
- Resource Access Control: Access to resources is limited.
- Security perimeter: The boundary of the TCB. A security kernel and other related functions run within this perimeter. A security kernel is the implementation of the reference monitor concept.
- Security policy enforcement: The policy set is operational and is always followed.
- Domain separation: The subject has access only to the objects it needs.
- Resource isolation: Subjects and objects are kept separate for control purposes.

Summary of the security models from 6.2:

Model                 Governmental model   Primary directive
Biba                  Yes                  Integrity
Bell-LaPadula         Yes                  Confidentiality
Clark-Wilson          Yes                  Integrity
Access Control Lists  No                   Confidentiality / Integrity
SECURITY MODES
A security subsystem can run in a particular mode. The modes are:

- Dedicated: There are no restrictions. Users have a valid need to know for all information.
- System high: Users have access approval and clearance for all information. They have a need to know and signed nondisclosure agreements.
- Compartmented: Users have valid clearance for the most restricted information, formal access and nondisclosure for that information on a need-to-know basis. Data is partitioned and each area of data has different requirements for access.
- Multilevel secure (MLS): Users have different levels of clearance (Bell-LaPadula). Some do not have valid personnel clearance for all information, but all have a valid need to know for the information they have access to.
- Controlled mode: Multilevel, in which a more limited amount of trust is placed in the hardware or software. This results in more restriction on classification levels and clearance levels.
- Limited access mode: Minimum user clearance is uncleared and maximum data sensitivity is not classified by sensitivity.

There is no clear answer whether labeling systems (Biba, Bell-LaPadula, Clark-Wilson) are better than ACLs or the reverse. Labels are more rigid; they cannot be changed and therefore it is more predictable what a user will be able to access. Labeling systems can in this way be more secure, but are very expensive to administer and difficult to use in a world with shifting requirements.
Covert channels are flaws, unexpected vulnerabilities in a secure system. There are covert storage channels and covert timing channels.
A covert storage channel allows writing by one process to a storage area that allows reading by another process which has less clearance than the first process. A covert timing channel exists when a signal of information is modified due to some other system function. The modified signal may allow other individuals to determine the system's function through observation of the other.
6.4 Information System Security Standards
Before a system is taken into production it must have a technical evaluation and it must be certified that it has the required security features. Secondly, management must decide to accept the risk of using the system and approve its operation and environment (accreditation) or reject it. If this must be done for every system, a backlog can be created. To resolve this issue, efforts resulted in the Trusted Computer System Evaluation Criteria (TCSEC). This standard is also known as the Orange Book and consists of a rating system against which systems can be formally evaluated. In Europe the ITSEC was created. Both standards were later merged with other standards into the Common Criteria.
THE ORANGE BOOK AND THE RAINBOW SERIES
The emphasis of TCSEC is confidentiality. It divides operating systems into four primary divisions around three different concepts:
- Ability to separate users and data
- Granularity of access control
- Trust or overall assurance of the system
The four primary divisions are:
- D Minimal protection
- C Discretionary protection
  - C1 Discretionary security protection
  - C2 Controlled access protection
- B Mandatory protection
  - B1 Labeled security protection
  - B2 Structured protection
  - B3 Security domains
- A Verified protection
  - A1 Verified design
TCSEC defines four broad classifications for system security: Division A through D.
- Division D: Minimal protection is available, or the system has failed to meet all other classifications.
- Division C: Need to know protection, accountability of subjects, accountability of actions, and audit. Through the use of auditing, discretionary protection and accountability of subjects and the actions they initiate are covered.
  - C1: Systems satisfy discretionary security by providing for the separation of users and data.
  - C2: Systems provide a more granular degree of access through the use of login procedures, auditing of security events and resource isolation.
- Division B: Mandatory access control rules are required.
  - B1: Like a C2 system, with the addition of an informal statement of the security policy model, data labeling and mandatory access control over named subjects and objects.
  - B2: B2 systems require a formal, structured security policy model that requires discretionary and mandatory access control to be extended to all subjects and objects in the system.
  - B3: B3 systems require the use of security domains to mediate all accesses of subjects to objects to ensure tamperproof function.
- Division A: These systems use formal security verification to assure that all of the security controls employed can effectively protect classified or other sensitive information via a stringent design verification.
  - A1: Like a B3 system, but formal design specification and verification techniques are also used, resulting in a high degree of security.
Criticisms of the Orange Book say:
- It primarily addresses confidentiality; you don't have to worry about the correctness of data;
- It emphasizes controlling users but doesn't say much about what they might do with the information they get;
- It doesn't fully address procedural, physical and personnel safeguards or how they might impact system security;
- It doesn't address networked computers.
The Orange Book is an older standard, however, and additional guides covered many of these criticisms. In total there are about 30 security guides.
INFORMATION TECHNOLOGY SECURITY EVALUATION CRITERIA
This European standard was founded in 1991 and embedded in the Common Criteria in 1998. Differences between TCSEC and ITSEC are:
- ITSEC addresses the CIA triad (confidentiality, integrity and availability);
- In the specifications the Target of Evaluation (TOE) is the product or system to be evaluated. The TOE's functionality and assurance (*) are evaluated separately;
- ITSEC does not require the security components of a system to be isolated into a TCB;
- ITSEC provides for the maintenance of TOE evaluation.
(*) The separation of functionality and assurance is accomplished by recognizing three objectives of evaluation:
- Security functions: What is done.
- Security mechanisms: How it is done.
- Certification: The TOE meets the security target on the claimed assurance level.
As with TCSEC there are ITSEC levels of certification. Certification is done by the CLEFs (Commercial Evaluation Facilities). The certification levels are:
E0 - Inadequate.
E1 - Definition of security target and informal architecture design exists, plus user/admin documentation on TOE security. The TOE is uniquely identified and documentation exists which includes delivery, configuration, start-up and operations. The evaluator tests the security functions. Secure distribution methods are utilized.
E2 - Informal detailed design and test documentation are produced. Separation of the TOE into security enforcing and other components. Audit trail of start-up and output required. Assessment includes configuration control, developer's security and penetration testing for errors.
E3 - Source code or hardware drawings must accompany the product and a correspondence between design and source code must be shown. Standard, recognized implementation languages are used. Retesting is required after correction of errors.
E4 - Formal security model. Semi-formal specification for security enforcing functions, architecture and detailed design. Sufficient testing. TOE and tools under configuration control. Changes are audited, compiler options documented. The TOE retains security after a restart from failure.
E5 - Relationships between security enforcing components are defined in the architectural design. Integration processes and runtime libraries are provided. Configuration control is possible independently of the developer. Configured, security enforcing or relevant items can be identified. There is support for variable relationships between them.
E6 - Formal description of architecture and security enforcing functions with correspondence between formal specification through source code and tests. All TOE configurations are defined in terms of the architecture design and all tools can be controlled.
COMMON CRITERIA
The Common Criteria has the following objectives:
- Ensure IT product evaluations are performed to high and consistent standards;
- Guarantee that evaluations contribute to the confidence in the security of the products;
- Increase the availability of evaluated, security-enhanced IT products;
- Eliminate duplicate evaluation;
- Continuously improve efficiency and cost-effectiveness of security evaluations and certification/validation process for IT products and protection profiles.
6.5 Common Criteria
A CC evaluation does not guarantee that a product is free from exploitable vulnerabilities. You need to ask yourself the following questions:
- Which version was certified?
- Is the environment in which it was evaluated the same as the one I have?
- Are the things this product was tested for important to my needs, and do they match all my criteria?
The founders of the CC (United States, Canada, France, Germany and the United Kingdom) have the objectives listed above.
A product which is tested in one of the partner countries does not have to be tested in the other countries. The CC is divided into three parts:
1. Introduction and general model
2. Security Functional Requirements
3. Security Assurance Requirements
INTRODUCTION AND GENERAL MODEL
This part provides definitions and guidance on how the CC can be used. Two important parts of any CC submission are the definition of a Security Target (ST) and the Protection Profile (PP).
The security requirements are described in the PP and indicate the security problem that the TOE will solve. Within the PP the functional and assurance requirements are stated along with the rationale for its components. An EAL (evaluation assurance level) may be part of the PP. A PP evaluation indicates that the PP can be used as a statement of requirements for an available TOE.
An ST is the basis against which the evaluation is done. It contains the TOE security threats, objectives, requirements and a summary specification of security functions, assurance functions and assurance measures. Consumers can also see in which environment the product meets its requirements.
SECURITY FUNCTIONAL REQUIREMENTS
The components of the CC are represented by eleven functional classes which are each divided into families.
FAU Audit - Security events are recognized, recorded and analyzed to produce audit records.
FCS Cryptographic Support - Consists of a family for operational use and a family for management of cryptographic keys.
FCO Communication - The way that the identity of parties is assured in data exchange. One family is concerned with non-repudiation.
FDP User Data Protection - These families show how user data is protected during import, export and storage. Security attributes of data are detailed.
FIA Identification and Authentication - Families determine and verify user identity, their authority to interact with the target and correct association of security attributes with users.
FMT Security Management - Specifies management of security attributes, data and functions. Management roles are defined.
FPR Privacy - Protection of the user, preventing discovery and misuse of identity by other users.
FPT Protection of the TSF - Protection of the TOE Security Functions data: integrity and management, CIA, trusted recovery, replay detection, domain separation, time stamps.
FRU Resource Utilization - Availability of resources. Details for fault tolerance, service priority, resource allocation.
FTA TOE Access - Controlling establishment of a user's session, limiting the number and scope of sessions, displaying access history, modification of access parameters.
FTP Trusted Path - Trusted communication paths between users, the TSF and in between.
SECURITY ASSURANCE REQUIREMENTS
Assurance is defined for PPs, STs and TOEs.
APE Protection Profile Evaluation - Demonstrates that the PP is complete, consistent and technically sound and states the requirements for an evaluable TOE.
ASE Security Target Evaluation - Demonstrates that the ST is complete, consistent and technically sound. It is suitable for TOE evaluation.
ACM Configuration Management - The integrity of the TOE is preserved; the TOE and documentation used for the evaluation are the ones that are distributed.
ADO Delivery and Operation - Security protection of the TOE is not compromised during delivery, installation and operational use.
ADV Development - A mapping from security requirements to a low-level representation.
AGD Guidance Documents - Secure operational use of the TOE by admins and users.
ALC Life Cycle Support - The lifecycle definition, tools, techniques, security of the development environment and the correction of flaws found by consumers.
ATE Tests - The TOE meets the functional requirements in the class.
AVA Vulnerability Assessment - Identification of exploitable vulnerabilities introduced by construction, operation, misuse or incorrect configuration. Uses covert channel analysis, analysis of configuration and strength of mechanisms of security functions, and identifies flaws.
AMA Maintenance of Assurance - Requirements the product should meet after certification as measured against the CC.
EVALUATION ASSURANCE PACKAGES OR LEVELS - EALS
EALs are combinations of assurance components. There are seven levels:
EAL1 Functionally tested - Confidence in correct operation is required but threats are not serious.
EAL2 Structurally tested - Delivery of design information and test results are consistent with good commercial practice. Low to moderate level of independently assured security.
EAL3 Methodically tested and checked - Security engineering at the design stage; requires minimal alteration of existing sound development practices to meet.
EAL4 Methodically designed, tested and reviewed - Use of positive security engineering, good commercial development practices; rigorous, but does not require substantial specialist knowledge, skills or testing.
EAL5 Semi-formally designed and tested - Using rigorous commercial development practices, application of specialized security engineering techniques. High level of independently assured security in planned development, rigorous developmental approach.
EAL6 Semi-formally verified, designed and tested - Specialized security engineering techniques in a rigorous development environment. Protection of high value assets against significant risks. Modular, layered approach to design, structured presentation of the implementation. Independent search for vulnerabilities ensures resistance to penetration, systematic search for covert channels, development environment and configuration management controls.
EAL7 Formally verified, designed and tested - Used for extremely high risk situations. White box testing is used.
AREAS NOT ADDRESSED BY THE COMMON CRITERIA
CC does not test secure usage. There is no evaluation of organizational, personnel, physical or procedural controls. Areas that are not covered are:
- Electromagnetic control
- Procedures for accreditation
- Criteria for assessment of cryptographic algorithms.
A COMPARISON OF THE ORANGE BOOK, ITSEC AND COMMON CRITERIA

Orange Book (TCSEC)                      ITSEC      Assurance level
D   Minimal protection                   E0         EAL0
                                                    EAL1
C1  Discretionary Security Protection    F1 + E1    EAL2
C2  Controlled Access                    F2 + E2    EAL3
B1  Labeled Security Protection          F3 + E3    EAL4
B2  Structured Protection                F4 + E4    EAL5
B3  Security Domains                     F5 + E5    EAL6
A   Verified Design                      F6 + E6    EAL7
6.6 IPSec
IPSec is an IETF standard that describes a secure communications protocol. It exists because TCP/IP was not designed with security in mind. IPSec was developed for IPv6 but works on IPv4 as well.
USES FOR IPSEC
The use of IPSec involves the implementation of a VPN, or the protection of communication between two computers or between a computer and a security device on the same LAN. It can also be used to block specific computers or communication protocols from entering or leaving a computer. An additional use can be authentication only.
When used for communication between computers, in either tunnel mode (VPN) or transport mode, IPSec provides the following:
- Access control - restricting access by identifying the IP address of the computers;
- Connectionless integrity - using a checksum and a hash across the payload, which is also encrypted;
- Mutual computer authentication - each computer must authenticate to the other. The standard allows multiple authentication techniques. Implemented products use certificates, shared keys and Kerberos;
- Confidentiality - during transit the information is protected;
- Data-origin authentication - each packet can be attributed to the sending computer;
- Protection against replay attacks - packets are provided with the following triple of information:
  - a Security Parameters Index (SPI) which identifies the appropriate Security Association (connection)
  - a sequence number
  - the authenticated computer's IP address
  IPSec checks this information and drops packets which repeat the same information, because this might be a replay attack.
IPSec can be configured in allow mode or block mode. In allow mode all data addressed to the computer is accepted by the network card and passed up the TCP/IP stack. IPSec configured in block mode blocks certain protocols such as FTP, HTTP and SMTP.
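The replay check described above, as an added example that is not from the study guide: the checker keeps its state per SPI and authenticated source address, and tracks sequence numbers in a sliding window (the approach described for AH/ESP in RFC 4303), so a duplicate or a packet older than the window is dropped. The window size, SPI values and addresses are constructed assumptions.

```python
"""Anti-replay check over the (SPI, sequence number, source address) triple.

Added example, not from the original study guide. The sliding-window
bookkeeping follows the approach described for AH/ESP in RFC 4303;
the window size, SPIs and addresses are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW_SIZE = 64  # assumption: a 64-packet window, a common implementation default

Packet = Tuple[int, int, str]  # (SPI, sequence number, source IP address)


@dataclass
class ReplayWindow:
    """Anti-replay state for one inbound Security Association."""
    highest: int = 0  # highest sequence number accepted so far
    bitmap: int = 0   # bit i set: sequence number (highest - i) was already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True if seq is new and inside the window, else False (drop)."""
        if seq == 0:
            return False  # sequence number 0 is never sent; treat it as invalid
        if seq > self.highest:
            # Window slides forward; everything older than the new edge falls off.
            shift = seq - self.highest
            if shift >= WINDOW_SIZE:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW_SIZE:
            return False  # too old: the window has already moved past it
        if self.bitmap & (1 << offset):
            return False  # same triple seen before: duplicate, possible replay
        self.bitmap |= 1 << offset
        return True


class ReplayChecker:
    """Keeps one window per (SPI, source address), i.e. per Security Association."""

    def __init__(self) -> None:
        self.windows: Dict[Tuple[int, str], ReplayWindow] = {}

    def accept(self, spi: int, seq: int, src: str) -> bool:
        window = self.windows.setdefault((spi, src), ReplayWindow())
        return window.check_and_update(seq)


def check_stream(packets: List[Packet]) -> List[bool]:
    """Run every packet through one checker; True = accepted, False = dropped."""
    checker = ReplayChecker()
    return [checker.accept(spi, seq, src) for spi, seq, src in packets]


# Constructed sample traffic: one SA from 10.0.0.2 and one from 10.0.0.9, both SPI 0x1001.
SAMPLE_PACKETS: List[Packet] = [
    (0x1001, 1, "10.0.0.2"),    # accepted
    (0x1001, 2, "10.0.0.2"),    # accepted
    (0x1001, 2, "10.0.0.2"),    # dropped: same triple seen before (replay)
    (0x1001, 3, "10.0.0.2"),    # accepted
    (0x1001, 3, "10.0.0.9"),    # accepted: different source, so a different SA
    (0x1001, 100, "10.0.0.2"),  # accepted: window jumps forward
    (0x1001, 30, "10.0.0.2"),   # dropped: older than the 64-packet window
    (0x1001, 50, "10.0.0.2"),   # accepted: late, but still inside the window
    (0x1001, 50, "10.0.0.2"),   # dropped: replay of the late packet
]

if __name__ == "__main__":
    for packet, ok in zip(SAMPLE_PACKETS, check_stream(SAMPLE_PACKETS)):
        print(packet, "accepted" if ok else "dropped")
```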
ARCHITECTURAL COMPONENTS OF IPSEC
IPSec uses Internet Key Exchange (IKE) for master key creation. This key is used to create session keys (used for encryption).
It is composed of two subprotocols:
- AH - IP Authentication Header
- ESP - Encapsulating Security Payload
Both subprotocols provide integrity, data origin authentication, mutual computer authentication and anti-replay. ESP can also provide confidentiality.
To set up IPSec sessions between two computers, two phases are used. In phase I, after machine authentication, a security association (SA) is created and used for the exchange of keying material, using IKE. This key is used in phase II and can be recalculated periodically.
In phase II session keys are created and two SAs are established: one for outgoing data and one for incoming data. Session keys can be set to be renewed at periodic intervals, thus reducing the risk of compromise.
7 Operations Security
7.1 Examining the Key Roles of Operations Security
Operations Security starts by identifying the resources to protect, privileges to be re-
stricted and controls necessary to do so.
The resources are many: computers, routers, switches, printers, databases, security
software and appliances, media, phones, wireless devices, modems, software, source
code, documentation and people.
For each asset you have to think about the way it is used and how it can be protected. Then, you have to define permission sets (read, write, execute and so on) for the different types of objects within the infrastructure. The privileges (access rights) for each object can differ. For example, the kernel or ring 0 of an OS can only be used by privileged instructions. Another example is data center operations, with a large number of privileges which have to be managed.
Controls are the means to prevent misuse or abuse of privileges while allowing authorized individuals or processes to do their jobs. There are three classification schemas.
Schema 1:
- Operational controls - Day to day procedures, change control management, hardware controls, I/O controls;
- Audit and variance detection controls - using audit logs and variance detection tools, such as IDSs;
- Application software maintenance tools - controls that monitor installation and updates to applications. They keep a record of changes;
- Technical controls - controls that audit and journal integrity validations such as checksums, authentication and file system permissions;
- Administrative or management controls - controls such as personnel screening, separation of duties, rotation of duties and least privilege.
Schema 2:
- Deterrent controls - Controls that reduce the likelihood of attack;
- Preventative controls - Controls that protect vulnerabilities and reduce the impact of attacks;
- Detective controls - Controls that detect an attack and may activate corrective controls or preventative controls;
- Corrective controls - Controls that reduce the impact of an attack.
Schema 3 (controls applicable to equipment or functions):
- Disk locks to prevent the use of portable media;
- Required passwords for access;
- Acceptable use policies and rules;
- Requiring virus checking on all disks before use;
- The use of antivirus software;
All these controls can be classified as technical, operational, management, preventative, corrective, detective, I/O and so on.
THE OPSEC PROCESS
The OPSEC (Operations Security) process is the process of understanding your day-to-day operations from a competitor's/hacker's viewpoint and then developing and applying countermeasures. OPSEC applies five principles for effective defenses:
1. Identify critical information
2. Analyze threats
3. Assess vulnerabilities
4. Assess risks
5. Apply countermeasures
Analyzing threats is a repeating step: just when you think your system is hardened, new vulnerabilities are found. This is why OPSEC focuses on indicators: information that can be heard or found on the Web, in documents and on tapes. Observing people entering and leaving the building, or the emblems they use, can provide attackers with valuable information.

Tip-off indicators provide focus for the attacker by telling him where to concentrate his efforts. This might be an increased number of visitors, the arrival of important staff and so on.
Countermeasures against giving away indicators are document shredding, not replying to unsolicited mail and so on.
7.2 The Roles of Auditing and Monitoring
Auditing is the process of checking current activity against policy. An audit of an information system implies that the security configuration is checked against the norm and that audit logs can be inspected for deviation. Audit logs can be used by programs, such as intrusion detection programs, which can be trained to detect anomalies that may indicate intrusion.
USING LOGS TO AUDIT ACTIVITY AND DETECT INTRUSION
Audit logs cannot be used in real time, but they can provide evidence of an attack. Audit logs provided by OSs record events such as malfunctions, changes in security policies, failures of application services, successful logons and so on.
INTRUSION DETECTION
Intrusion detection is a technique used to identify intrusion attempts at, and successful intrusions into, a network or host machine.
Packet analyzers, monitors and sniffers can be used for troubleshooting network problems and revealing attacks. This process is called intrusion detection. By using the raw captured data, trained individuals can deduce what is happening.
IDSs are either host-based or network-based. A host-based IDS is software loaded on a host machine. It listens to traffic coming to and going from this host machine and uses its logs. To be effective, the host IDS software should be loaded on every computer. It is considered to be more effective in detecting insider-based attacks.
A network-based IDS analyzes all traffic on the network. A central management station manages the information gathered by the host and network IDSs.
Both types of IDSs are based on attack signature recognition and must be tuned and updated. One tuning mechanism is setting the clipping level. This is the number of errors or unusual activities at which an alarm is raised.
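A minimal clipping-level check, added here as an illustration and not taken from the study guide or any IDS product: failed logons are counted per user and source address inside a time window, and an alarm is raised only once the count reaches the clipping level, so a legitimate user's occasional typo stays below the threshold. The log line format, the clipping level of 5 failures in 10 minutes and all user names, hosts and addresses are constructed assumptions.

```python
"""Clipping-level alerting over audit log lines.

Added example, not from the study guide or any IDS product. The log line
format, the threshold (5 failures within 10 minutes) and all users, hosts
and addresses are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

CLIPPING_LEVEL = 5              # failures at which an alarm is raised
WINDOW = timedelta(minutes=10)  # failures older than this no longer count

# Constructed format: "<ISO timestamp> <host> <Failed|Accepted> logon for <user> from <addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<result>Failed|Accepted) logon for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

Alert = Tuple[str, str, datetime]  # (user, source address, time the level was reached)


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def find_clipping_alerts(lines: Iterable[str], clipping_level: int = CLIPPING_LEVEL,
                         window: timedelta = WINDOW) -> List[Alert]:
    """Alarm once per (user, source) when failures inside the window reach the level."""
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerted: Set[Tuple[str, str]] = set()
    alerts: List[Alert] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unrelated log line, skip it
        key = (event["user"], event["src"])
        if event["result"] == "Accepted":
            # A successful logon ends the episode: reset the count for this key.
            failures[key].clear()
            alerted.discard(key)
            continue
        recent = failures[key]
        recent.append(event["ts"])
        while recent and event["ts"] - recent[0] > window:
            recent.popleft()  # drop failures that have aged out of the window
        if len(recent) >= clipping_level and key not in alerted:
            alerted.add(key)  # one alarm per episode, not one per extra failure
            alerts.append((event["user"], event["src"], event["ts"]))
    return alerts


# Constructed sample log: alice mistypes twice and then succeeds, bob's account
# sees six failures from one address within a minute, carol's failures are spread
# over more than the window and never reach the level.
SAMPLE_LOG = """
2024-05-01T10:00:01 srv1 Failed logon for alice from 198.51.100.7
2024-05-01T10:00:09 srv1 Failed logon for alice from 198.51.100.7
2024-05-01T10:00:20 srv1 Accepted logon for alice from 198.51.100.7
2024-05-01T10:01:00 srv1 Failed logon for bob from 203.0.113.5
2024-05-01T10:01:05 srv1 Failed logon for bob from 203.0.113.5
2024-05-01T10:01:11 srv1 Failed logon for bob from 203.0.113.5
2024-05-01T10:01:16 srv1 Failed logon for bob from 203.0.113.5
2024-05-01T10:01:22 srv1 Failed logon for bob from 203.0.113.5
2024-05-01T10:01:30 srv1 Failed logon for bob from 203.0.113.5
2024-05-01T10:05:00 srv1 Failed logon for carol from 192.0.2.44
2024-05-01T10:05:30 srv1 Failed logon for carol from 192.0.2.44
2024-05-01T10:06:00 srv1 Failed logon for carol from 192.0.2.44
2024-05-01T10:30:00 srv1 Failed logon for carol from 192.0.2.44
2024-05-01T10:30:30 srv1 Failed logon for carol from 192.0.2.44
2024-05-01T10:31:00 srv1 Failed logon for carol from 192.0.2.44
2024-05-01T10:31:05 srv1 kernel: link up on eth0
""".strip().splitlines()

if __name__ == "__main__":
    for user, src, when in find_clipping_alerts(SAMPLE_LOG):
        print(f"ALARM {when.isoformat()} user={user} src={src}")
```

Lowering the clipping level to 3 makes carol's first burst trip the alarm too, which is the tuning trade-off the text describes.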
PENETRATION TESTING TECHNIQUES
Penetration testing can be useful to detect vulnerabilities. This kind of ethical hacking is performed in seven steps:
1. Determine the target
Select the company to penetrate;
2. Footprint or profile
Use social engineering techniques or do desk research about any information published by or about the company;
3. Enumerate the network
This is about mapping out machine names, IP addresses and services by using tools such as Tracert. You can use WhoIs and the domain names registered with the company to find out further information such as the name of the website administrator and the registrars and the IP addresses of the DNS servers. These are important as they may lead to the IP addresses of other computers in the network.
4. Scan and enumerate services
Knowing the IP addresses from step 3, you can use tools to check the existence of hosts (PING) and TCP and UDP ports (NMAP). With a port scan, the service behind the port issues a banner (string of information).
5. OS enumeration
With the banner information and tools such as NETCAT you can determine the OS and exploit its vulnerabilities. The banner information can be used to identify and attack the services behind the ports.
6. Penetration test
Based on the knowledge gained, an attack against a particular machine is performed.

7.3 Developing Countermeasures to Threats
The way to eliminate or to mitigate risks is to develop and follow countermeasures for each identified threat. The problem is that threats change from day to day.
RISK ANALYSIS
Risk analysis determines which threats require development and implementation of countermeasures. You can use either quantitative or qualitative risk analysis (see page 3-3).
THREATS
The common information system threats are:
- Errors
- Omission
- Fraud
- Misuse of information
- Employee sabotage
- Ignoring policy
- Physical accidents
- Software malfunction
- Loss of resources
- Loss of infrastructure
- Hackers and crackers
- Espionage
- Malicious code
Within the mainframe world, several operations personnel were required and for each the job was carefully defined:
- Computer operator
- Operations analyst
- Job control analyst
- Production scheduler
- Production control analyst
- Tape librarian
John Kindervag developed a new taxonomy of threats for the modern world:
- Strategic attack - your company is picked as the target;
- Collateral attack - the attack is on another company but affects you as well;
- Nuke attack - you suffer because you're connected to the internet (worms, viruses);
- Random attack - automated tools scan huge numbers of IP addresses looking for vulnerabilities. You may be attacked;
- Jump-point attack - your computer is compromised and used to attack others.
COUNTERMEASURES
Countermeasures can include general system and hardware hardening steps. Many threats, however, can be classified as employee related. Some risk mitigating procedures you can apply are:
- Provide a clear definition of authority;
- Structure along functional lines;
- Ensure that any type of fraudulent behavior requires collaboration of two or more individuals;
- Separate job functions when combining them provides too much control;
- Rotate people within their own areas;
- Prevent family members from holding jobs in areas which you would not combine into one person's responsibilities;
- Provide clean, accurate, detailed job descriptions;
- Include as part of every employee performance review, evaluation and consideration for raise and promotion the employee's observance of security practice;
- Provide annual training for all employees;
- Encourage IT security to work with other security specialists, such as plant and physical security;
- Maintain a standards manual and enforce the standard;
- Require that vacations be taken and require that they be taken contiguously;
- Require sophisticated access controls at the entrances to sensitive areas and systems.
Countermeasures for hiring and firing:
- Require business and personal references;
- Make employment contingent upon receiving a reference from the candidate's current employer;
- Check public records including court records, marital records, education records, military records, law enforcement records, public documents and credit bureaus;
- Require drug testing;
- Consider insurance and bonding;
- Look for conflicts of interest.
Countermeasures for disgruntled employees:
- Respect employees and consider individual situations;
- Consider morale-building programs;
- Provide security training on an annual basis;
- Provide professional development opportunities;
- Provide rewards for good behavior, such as bonuses and other recognition of accomplishments;
- Increase communications through staff meetings, group meetings and discussions in which employees can air gripes and grievances.
Countermeasures for common internet-based threats. These are the same steps as in the penetration test, but now performed on your own network to detect and mitigate vulnerabilities:
- Footprinting / enumerating the network (the contact information in the domain registration is not an individual's name);
- Scanning / enumerating services;
- OS enumeration;
- Penetration test.
Countermeasures for physical threats: just think of one.
7.4 Concepts and Best Practices
PRIVILEGED OPERATIONS FUNCTIONS
Privileged operations are system commands and parameters and the configuration commands and activities for any device that handles information or controls the transmission of data on the network.
As this knowledge is widely spread, you must:
- Make sure that system commands and utilities are reserved for administrative use;
- Provide training and guidance for all administrators;
- Ensure that job interviews also stress these aspects.
UNDERSTANDING ANTIVIRAL CONTROLS
For proper use of antiviral products, five areas must be addressed:
- Antiviral products must be installed on servers and desktops;
- Automatic, regular updating of both engine and patterns is a must at the server and desktop levels;
- Server side products should be configured to use additional features;
- Attention should be paid to new viral/worm vectors;
- All users should be trained to not accept defaults, to be proactive and to resist social engineering techniques.
PROTECTING SENSITIVE INFORMATION AND MEDIA
Information has a life cycle, as all things do. It is created, handled, stored and destroyed.
- Creation. Newly created information should immediately be classified and labeled. The label must indicate when it was obtained, its source and an indication of its sensitivity level.
- Handling. All data within the data center must be properly handled to assure viability and confidentiality.
- Storage. Provide environmental controls such as the ideal temperature and humidity level.
- Cleaning. Wax and cleaning agents should not be used on computer room or storage area floors.
- Destruction. If it is no longer necessary to maintain data, it should be properly destroyed. Methods of destroying data on magnetic media are multiple overwrites of data, encryption, media destruction and degaussing.
CHANGE MANAGEMENT CONTROL
Computer operations should institute a change management control system for the IT infrastructure. Detailed information must be developed about:
- Network configuration
- Computer configuration
- System parameters and settings
- Application configuration
- Device configuration
- Locations for all the computers, devices, media storage and other parts of the infrastructure
- Job titles and descriptions of duties
- Test environment specifications
- Disaster and continuity plans
- Other aspects of computer operations
There must be a policy that requires that changes to these items be properly documented and approved. The policy should detail the change management process: request, review, approval, documentation, testing, implementation and reporting.
8 Business Continuity Planning and Disaster Recovery Planning
8.1 What Are the Disasters That Interrupt Business Operation?
Reasons for having a Business Continuity Plan (BCP) are:
- 50 percent of the companies that lose data in a disaster never reopen; 90% of them are out of business within two years;
- In the USA the Foreign Corrupt Practices Act (1977) and the IRS 91-59 respectively mandate protection of business records and make management responsible;
- Some types of businesses might be required to have a plan, such as financial institutions;
- Employees and shareholders suing companies for not having a plan;
- Insurance companies requiring such a plan;
- Business partners.
The first step is to list catastrophic events in the following categories:
- Natural events, including weather: earthquake, hurricane, flood;
- Terrorism, sabotage and acts of war: bombing, kidnapping;
- Accidents, including environmental spills: explosion, fire, broken pipes;
- Miscellaneous events: HW/SW failure, human error, riot.
Every possible disaster should be mentioned; there must be no filtering in advance. The next step is to determine the possible damage.
8.2 Quantifying the Difference Between DRP and BCP
Disaster recovery is the process of bringing back into production a critical business process that has been crippled or destroyed by some catastrophic event. Disaster recovery planning is the process of developing a plan to do so. Its focus is an immediate or short-term fix for affected business processes. Business continuity planning seeks to minimize the impact of catastrophic events on critical business processes, get the processes up and operational should some event occur and bring the company back to full recovery after the immediate crisis has passed. It represents the big picture. A DRP cannot exist without a BCP and vice versa.
8.3 Examining the BCP Process
The steps in developing a BCP are:
1. Define the scope
2. Perform a business impact analysis (BIA)
3. Develop operational plans for each business process
4. Test plans
5. Implement plans
6. Maintain plans
DEFINE THE SCOPE
If there isn't any BCP yet, focus on the recovery of some part of the organization from some type of event. Later you can create a master plan for the entire organization. Take into consideration that regulations or law may require continuity (such as HIPAA). These are probably the first processes to put into scope.
PERFORM A BUSINESS IMPACT ANALYSIS (BIA)
Keep in mind that resources are not unlimited. The goal of recovery is to get critical services up and running. You have to define the maximum tolerable downtime (MTD). Others call this the recovery time objective (RTO).
The steps in a BIA are:
- Identify the time-critical business processes
- Identify supporting resources for the critical processes
- Determine the MTDs
- Return to business units for validation
- Provide the final report to senior management
What may help is to define the cost of processes not being available. What will happen if a process isn't available for some weeks? What are the relations with other processes? A lot of interviews must be held to define the possible loss. Think of losses as revenue loss, sales loss, interest lost, penalties for late payments, contractual fines and cancelled orders. Besides financial loss, other kinds of losses should be taken into account.
Next, the business unit responsible for the process should validate the MTD derived from all this information. The correctness of the MTD is essential for further development of the plan. Finally the final report is created, including an assessment of all the threats and vulnerabilities to time-critical business functions and suggested recovery approaches.
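The BIA steps above leave one point implicit that planners get wrong in practice: a supporting resource shared by several processes must be recovered within the shortest MTD of any process that depends on it, and an outage of that resource costs the sum of the dependent processes' losses. The following is an added example (not from the study guide or its source books) that works this out; the process names, MTDs, loss rates and resource names are constructed sample data.

```python
"""BIA helper (added example, not from the study guide): derive the maximum
tolerable downtime (MTD) of each supporting resource from the MTDs of the
time-critical business processes that depend on it, estimate the loss an
outage of a given length would cause, and rank processes for recovery.
All processes, resources and figures below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    mtd_hours: float                         # MTD validated by the business unit
    loss_per_hour: float                     # estimated financial loss per hour down
    resources: list = field(default_factory=list)  # supporting resources


def resource_mtds(processes):
    """A shared resource inherits the shortest MTD of any process that needs it."""
    mtds = {}
    for p in processes:
        for r in p.resources:
            mtds[r] = min(mtds.get(r, float("inf")), p.mtd_hours)
    return mtds


def outage_loss(processes, resource, hours):
    """Loss if `resource` is unavailable for `hours`: the direct loss of every
    dependent process is summed, and processes whose MTD is exceeded are named."""
    total = 0.0
    breached = []
    for p in processes:
        if resource in p.resources:
            total += p.loss_per_hour * hours
            if hours > p.mtd_hours:
                breached.append(p.name)
    return total, breached


def recovery_order(processes):
    """Processes ranked by urgency: shortest MTD first, then highest loss rate."""
    ranked = sorted(processes, key=lambda p: (p.mtd_hours, -p.loss_per_hour))
    return [p.name for p in ranked]


# Constructed sample data (hypothetical processes and resources).
SAMPLE_PROCESSES = [
    Process("order entry", 4, 5000, ["ERP database", "LAN", "web front end"]),
    Process("payroll", 72, 800, ["ERP database", "LAN"]),
    Process("customer support", 24, 1200, ["LAN", "phone system"]),
]

if __name__ == "__main__":
    for resource, mtd in sorted(resource_mtds(SAMPLE_PROCESSES).items()):
        print(f"{resource:15s} must be back within {mtd:>3} h")
    loss, breached = outage_loss(SAMPLE_PROCESSES, "ERP database", 8)
    print(f"8 h ERP database outage: loss {loss:.0f}, MTD breached for {breached}")
    print("recovery order:", recovery_order(SAMPLE_PROCESSES))
```

Note how the ERP database and the LAN get a 4-hour MTD from order entry even though payroll could tolerate three days; the recovery plan for those resources must be sized for the most demanding dependent process, which is exactly what the validation step with the business units should confirm.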
DEVELOP OPERATIONAL PLANS FOR EACH BUSINESS PROCESS
The planning process is divided into four phases. Each phase must have its own plan:
- Preventative measures: take preventive actions before an emergency takes place, such as inspections, backups and reviews;
- Emergency response: actions to be taken immediately after an event has occurred, such as alerting authorities and notifying management;
- Recovery: putting critical operations back into operation;
- Return to normal operations: activities that return the business to normal operations, such as facility repair, establishment of new data and recall of employees.
The business owners are key players in the development of the plans. They define what is necessary. They must also be trained in the process of evaluating alternatives for recovery, documentation of the strategies and selection of personnel to carry out the plans.
There should be a plan for getting help, addressing:
- Telephone numbers of restoration companies;
- Phone numbers for insurance vendors;
- Instructions on proper notification.
The planning process should include a review of insurance coverage. Items that should be questioned are:
- The type of risk covered
- The type of property policy valuation
- The need for specific additional insurance.
Other considerations:
- Insurance policies can be based on named perils or all risks. Named perils specifies that the cause of the loss must be enumerated: if the cause is not listed, there is no coverage for the risk. If all risks is specified, all causes of loss that are not explicitly excluded are covered.
- The value of the lost properties can be calculated on the basis of actual cash value (ACV) or replacement cost.
- Some losses may not be covered, such as additional costs of business interruption. Special coverage may be required. Think of:
  - Business interruption insurance
  - Boiler and machinery
  - Valuable papers
  - Accounts receivable
Most insurance plans require businesses to take appropriate steps during and after a business interruption. Each company should review its insurance plans with the insurance company. Generic steps in obtaining insurance claims are:
- Notify the insurance company of the claim immediately
- Secure the area
- Restore fire protection
- Prevent further damage / take action to minimize loss
- Provide security
- Take pictures and video of the site and (un)damaged property
- Determine the cost of these and other temporary measures deemed necessary to resume operations and maintain security
- Obtain property replacement and repair costs from several sources
- Require all recovery personnel, including contractors, to log all activities
- Some steps are considered emergency response and simply must be done immediately
- Partial payment might allow you to proceed with certain efforts
- You might need to negotiate the final claim settlement
- After the claim settlement is received, implement planning, acquisition and installation of facilities and resources.
Quick action immediately after an event has taken place can help to reduce damage. Think of quickly putting out a fire, pumping out water and conserving disks and tapes.
IMPLEMENT PLANS
The implementation consists of two phases:
1. The acquisition of alternative equipment and locations, the acquisition of contractual arrangements with restoration specialists and the training of employees in their responsibilities and actions.
2. The actual operation of the plan when an event occurs.
TEST PLANS
Ways to test a plan are:
- Desk checking
- Reviewing the plan for currency
- Performing full parallel system tests
- Running through scenarios and mock emergencies
- Testing calls to contractors
- Remote operations testing
- Switching to the mirror system or site
- Reviewing insurance
- Testing by departments or business process groups.
A plan is considered valid and effective if it passes the following tests:
- Response is within the allowed time frame
- Operations at alternative systems and locations are adequate
- Backups can be successfully restored
- Emergency personnel, service personnel and contractors can be reached at any time of day or night
- Team members are aware of the specifics of the current plan
- Team members are able to perform associated duties
- The plan is up-to-date.
MAINTAIN PLANS
The BCP must be reviewed at least once a year or every time the business makes a change in its processes. Change Management should therefore include a review of the BCP as part of its checklist. The review should include:
- Is the insurance plan up-to-date?
- Have new processes and equipment been added and are they covered in the plan?
- Has team membership been adjusted to include or exclude changes in personnel?
- Is testing being done?
- Are there new types of events or changes in the likelihood of them occurring?
- Have mergers, acquisitions or divestitures occurred and has the plan been adjusted?
8.4 Defining DRP
Before going into defining a DRP, the following assumptions are made to prevent overlap:
- The scope of the BCP encompasses the DRP and a BIA has been made
- The testing and maintenance portion of the DRP can use the same instructions.
The planning process for disaster recovery includes seven things:
- The scope of the plan
- Procedures that help to prevent disasters
- A list of resources that need to be available
- The backup strategy
- A to-do list for the emergency response process
- Step-by-step instructions for implementing the plan
- Phone numbers of restoration and alternative sites
DETERMINING THE SCOPE OF THE RECOVERY PLAN
The plan must identify which processes and equipment will be covered. The BIA identifies critical data processing operations; the DRP determines which equipment, software, environment, facilities and personnel will be necessary. Special consideration should be given to distributed environments: who is responsible?
CREATING ANTIDISASTER PROCEDURES
An organization needs to implement standard procedures and directives, such as:
- Close safes (don't leave them open);
- Don't leave network equipment in open places;
- Limit access to data centers and other private spaces;
- Use fire-retardant materials in the construction of data centers;
- Provide fire-extinguishing equipment and sprinkler systems;
- Perform background screening of personnel;
- Use antivirus products and screening firewalls, routers and so on.
LISTING NECESSARY RESOURCES
For the relocation of critical business procedures and so on you must have a complete listing of necessary resources. There must also be plans for the movement of personnel and the required work space.
EMERGENCY RESPONSE PROCEDURES
During a crisis, people who are trained in handling emergency response procedures perform better than untrained people. There must be a list with instructions on how to act in case of an emergency, and people must be empowered to act. The goal is to prevent people from responding blindly. An example of such a list is:
- Shut down running programs;
- Remove critical data files;
- Shut down equipment in a proper sequence and shut off power;
- Establish damage control;
- Evacuate buildings;
- Reconvene at alternative sites.
8.5 Developing a Backup Strategy
A backup strategy includes the capability to move processing to alternative locations if necessary; it is not just about placing copies of data in safe places. The backup process needs to be validated, monitored, controlled and tested.
A backup plan should provide for:
- Data backup
- Alternative sites
- Data vaulting
- Co-location (hosting a backup site at an ISP)
- Hardware backup
- Hardware- or software-based RAID
- Fail-over clustering
BACKUP PROCEDURES AND POLICIES
Kinds of backups:
- Full backup: all data is copied
- Partial backup: only changed data is backed up
- Incremental backup: partial backup of files changed since the previous incremental backup (the backup flag is reset by the backup)
- Differential backup: partial backup of files changed since the last full backup (the backup flag is not reset)
At the point of a total restore you need the full backup and either a) all incremental backups since it or b) the latest differential backup.
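The restore rule above follows directly from what each backup kind does to the per-file backup (archive) flag. The following is an added example, not code from the study guide, that simulates the flag handling and derives the restore set; it also refuses a chain that mixes incremental and differential backups after one full backup, a combination the rule does not cover because an incremental in between resets the flags the differential relies on. File names and the change history are constructed sample data.

```python
"""Backup-kind simulation (added example, not code from the study guide).
It models the archive flag that full and incremental backups reset and that
differential backups leave untouched, and derives which backup sets a total
restore needs. File names and the change history are constructed sample data."""


class FileSystem:
    """Tracks each file's archive flag: True means 'changed since the last
    full or incremental backup'."""

    def __init__(self, files):
        self.flag = {name: True for name in files}  # new files start out flagged

    def modify(self, *names):
        for name in names:
            self.flag[name] = True


class BackupHistory:
    def __init__(self):
        self.sets = []  # (set id, kind, frozenset of captured files)

    def run(self, fs, kind):
        """Take a 'full', 'incremental' or 'differential' backup of fs and
        return the files it captured."""
        if kind == "full":
            captured = set(fs.flag)
        elif kind in ("incremental", "differential"):
            captured = {n for n, changed in fs.flag.items() if changed}
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        if kind != "differential":
            # full and incremental backups reset the flag; a differential does
            # not, so each differential grows until the next full backup
            for n in captured:
                fs.flag[n] = False
        self.sets.append((len(self.sets), kind, frozenset(captured)))
        return captured

    def restore_set(self):
        """Ids of the sets needed for a total restore: the last full backup plus
        either every incremental since it or only the latest differential."""
        fulls = [i for i, k, _ in self.sets if k == "full"]
        if not fulls:
            raise ValueError("no full backup: total restore impossible")
        after = [s for s in self.sets if s[0] > fulls[-1]]
        kinds = {k for _, k, _ in after}
        if kinds == {"incremental", "differential"}:
            # an incremental between the full and a differential resets the
            # flags, so the differential no longer covers everything since the full
            raise ValueError("mixed incremental/differential chain is ambiguous")
        if "differential" in kinds:
            return [fulls[-1], after[-1][0]]  # newest set is the latest differential
        return [fulls[-1]] + [i for i, _, _ in after]

    def restored_files(self):
        """Files recovered by applying the restore set in order."""
        files = set()
        for i in self.restore_set():
            files |= self.sets[i][2]
        return files


if __name__ == "__main__":
    fs, history = FileSystem(["a", "b", "c"]), BackupHistory()
    history.run(fs, "full")
    fs.modify("a")
    history.run(fs, "incremental")
    fs.modify("b")
    history.run(fs, "incremental")
    print("incremental chain needs sets", history.restore_set())  # [0, 1, 2]
```

Running the same change history with differential backups instead gives a restore set of just the full backup and the last differential, at the price of each differential containing every file changed since the full.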
VITAL RECORDS PROGRAM
In addition to the critical business processes and the supporting data systems, planners need to assure the integrity and availability of vital records (records that have critical importance to the organization). Vital records may be archived electronically or on microfiche, paper and so on.
HARDWARE BACKUPS
As with data, hardware may also need to be backed up. This can be at an alternative site or in the same building.
Alternative sites are classified as:
- Hot: completely configured with equipment. You only need to provide personnel, programs and data for recovery;
- Warm: partially configured; may need days to make it operational;
- Cold: only the basic environment (wiring, power, air conditioning) is available;
- Redundant: set up exactly as the primary site;
- Mobile: a site configured in a trailer or van;
- Hybrid: a combination of the sites above.
Special attention must be paid to keeping the alternative sites up-to-date. In addition to data, the following should also be backed up: operating system software, programming languages, utilities, database management software, input and output documents, transaction logs and system and audit logs. Of course all backups need to be stored near the alternative sites. Locations for backups include the following:
- A fire-resistant safe close to the computer room;
- A fire-resistant vault in another building within a half-mile radius (for daily and weekly backups);
- A fire-resistant vault at least five miles from the primary site;
- Underground fire-resistant and earthquake-resistant storage at least 50 miles away (for long-term storage).
Good backup plans include instructions and information on:
- Where backups are kept;
- Labeling schemes for backup tapes;
- Frequency of backup cycles and retention time;
- Instructions on restoration, which include making a copy before trying to use it in a restore;
- How to recover from a failure during any step in the cycle;
- Steps for special processing of special types of files, such as database agents;
- Documentation on backup files that form sets, such as transaction logs and database files;
- Locations of real-time or duplicate logs for transactions;
- Information on ensuring the integrity of backup media;
- The systems that require all files to be closed in order to be backed up, and those that have special agents available that can be used in online backup.
Backup recommendations include:
- Use a different tape for every day of the week;
- Create a weekly backup and use a separate tape for each week of the month;
- Verify each tape after creation;
- Check tapes for errors;
- If unattended backups are made, make sure errors are logged to a file;
- Clean the tapes;
- Use high-quality media;
- Change out tapes frequently, retire old tapes and use new media;
- Use a paper-based log to record when backups were made, what was backed up and the location of the tapes;
- Test backups by doing a restore;
- Log backup errors, exceptions and anomalies.
CISSP 9-1
9 Law, Investigation and Ethics
9.1 Fundamentals of Law
In the US there are federal laws and state laws; they can overlap. Criminals may therefore be prosecuted and convicted under both federal and state law.
Criminal law authorizes the government to punish wrongdoers. Criminal prosecution requires a higher standard of proof, proof beyond a reasonable doubt, that the suspect intentionally did something wrong.
Civil law, on the other hand, enables private parties to enforce their rights. To win relief under a civil lawsuit, a plaintiff must satisfy a lower standard of proof, proof by a preponderance of the evidence, that he is entitled to relief.
Administrative law allows governmental agencies to interpret the laws they administer through official statements or regulations and to enforce those laws through investigations, fines and other sanctions.
INTELLECTUAL PROPERTY LAW
These are: patents, copyrights and trade secrets. To obtain a patent an inventor must apply to the USPTO (US Patent and Trademark Office) and wait 2-3 years before a decision is made.
Copyrights must be registered at the US Copyright Office. A copyright covers only the expression of ideas, not the ideas themselves. The DMCA (Digital Millennium Copyright Act) makes it a crime to circumvent encryption or other copyright protection techniques.
Trade secrets are secrets which are kept to prevent others from using or exploiting them, such as customer lists or algorithms. Companies protect these secrets by applying security methods such as encryption.
A license allows the customer to use the software (including patents, copyrights and trade secrets) under restricted terms but does not allow remarketing of the product.
PRIVACY LAW
There is no federal law on privacy; US laws tend to apply on a sector-by-sector basis:
- The healthcare sector has HIPAA (Health Insurance Portability and Accountability Act), which deals with confidentiality of patient information.
- The financial sector has the Gramm-Leach-Bliley Financial Modernization Act, which requires financial institutions to give customers notice about how their private information will be protected or shared with third parties.
- Furthermore there is the Privacy Act, which limits the ability of federal government agencies to disclose information about individual citizens.
In the US employees have no right to privacy when they communicate through corporate information resources if the employees are informed in advance that they have no privacy.
The European Community has more comprehensive rules on privacy. It is forbidden to transfer individually identifiable information to countries outside of the European Union unless the receiving country grants individuals adequate privacy protection. The EU and the US have negotiated a safe harbour granting EU citizens the rights to the following:
- Notice about which data will be collected and how it will be used;
- Choice about whether the data will be collected;
- Access to collected data;
- Reasonable protections for accuracy, integrity and security of collected data;
- Rights to seek redress for abuse of data.
Some companies have privacy offices which monitor the use of private information and make recommendations to management.
GOVERNMENTAL REGULATIONS
The government has issued several laws that mandate information security controls for enterprises:
- The federal FCPA (Foreign Corrupt Practices Act) requires publicly owned companies to maintain adequate books and records and an adequate system of internal controls;
- The federal Gramm-Leach-Bliley Financial Modernization Act requires financial institutions to implement a security program to safeguard private customer information;
- The US Export Administration Regulations prohibit the transfer of military capabilities to undesirable countries; the US Commerce Department's Bureau of Export Administration (BXA) administers and enforces these export controls.
9.2 Criminal Law and Computer Crime
A person can only be convicted if he breaks a law. To be able to convict computer fraud, laws have been created such as the federal Computer Fraud and Abuse Act, which punishes people who intentionally cause harm by accessing computers without authority. This law is known as 18 US Code Section 1030 and prohibits the unauthorized use of computers involving:
- Classified or national security-related information;
- Records of a financial institution;
- Government records;
- Information on a computer involved in interstate commerce;
- Fraud;
- Damage;
- Trafficking in passwords;
- Extortion.
To help provide proof that a hacker intentionally committed a crime, you should provide your computer system with a banner that warns that unauthorized access to the network is forbidden. If he continues, he intentionally does something wrong and can therefore be prosecuted.
Other laws are:
- The federal Wiretap Act, 18 US Code Section 2511, punishes unauthorized interception of electronic communications in transit; it covers the interception of email while it is being transmitted;
- The federal Electronic Communications Privacy Act, 18 US Code Section 2701, forbids unauthorized people from accessing or damaging electronic messages in storage.
9.3 Computer Security Incidents
There are a lot of security incidents in different areas such as military and intelligence, business, financial, terrorist, grudge, consumer fraud and fun. But how does an enterprise respond to security breaches?
ADVANCE PLANNING
Establish an incident plan in advance. This plan contains the following steps:
- Centralize management of the attacks so all of the response can be coordinated;
- Designate a single person to receive and analyze reports of suspicious or abnormal activities;
- Make a list of whom to notify;
- Set procedures for identifying, analyzing and responding to the attack;
- Decide how and when to escalate the response to an attack if it grows worse;
- Designate who has responsibility for which tasks and who within the organization is to be kept informed and mobilized;
- Specify how to log records of the event and preserve evidence;
- Establish priorities if there is a tradeoff between preserving evidence and keeping systems in production;
- Become familiar with the relevant law enforcement authorities and information sharing organizations in advance and determine which ones to notify at which time;
- Recognize that a security incident could be more than a technical matter and might warrant coordination with public relations people, corporate attorneys, human resources and upper management;
- Reevaluate security, personnel and the incident response plan afterwards.
COMPUTER CRIME INVESTIGATION
The objective of a computer crime investigation is to minimize risk while gathering and securing reliable evidence that could be used in a criminal trial. The steps taken in such a process are:
1. Detect the intrusion (events, audit trail review, abnormal activity).
2. Try to avoid further damage.
3. Report the incident to management.
4. Start the preliminary investigation by assessing damage, identifying witnesses and determining what is needed to proceed.
5. Decide whether disclosure to media or government is necessary.
6. Decide on a course of action; what to do next.
7. Assign responsibility for the conduct of the investigation. Decide whether it will be done by internal staff or external experts.
8. Pinpoint potential suspects and witnesses; designate who should investigate witnesses.
9. Plan and prepare for seizure of target systems.
10. Designate a search and seizure team.
11. Evaluate the risk to the target system before seizing it.
12. Execute the seizure plan. Secure and search the location, preserve evidence, record each action, videotape the process, photograph the system configuration and monitor display and move the system to a secure location.
13. Prepare a detailed report documenting facts and conclusions.
9.4 Legal Evidence
An objective of incident response is to gather evidence. Evidence is anything that demonstrates a point to a court or persuades the court that a fact is true. Strong evidence is called direct evidence; weaker evidence is called circumstantial evidence.
Evidence must be proven to be what it claims to be in order to be considered authentic.
The hearsay rule concerns a statement made outside the court which is repeated for the purpose of showing the statement is true. The best evidence rule says that an original writing must be produced in court because the original is more reliable.
Controls are measures that reduce the chance that records are changed or corrupted. Examples of controls are audit trails and segregation of duties. Another form of control is a chain of evidence, also known as chain of custody. It is a series of records showing where the evidence came from, who was responsible for it, what happened to it, how it was protected, whether it was changed and so on.
THE FOURTH AMENDMENT
The Fourth Amendment to the US Constitution protects US citizens from unreasonable searches and seizures by the government. Government agents need a court-issued warrant except when evidence is in plain view.
9.5 Computer Forensics
Forensics is the use of science and technology to investigate and establish facts that can be used in court. Techniques for seizing and preserving electronic evidence are:
- Restrict physical and remote access to the computer.
- If the computer is off, do not turn it on.
- If the computer is on, photograph the screen and then unplug the computer.
- Do not touch the keyboard.
- Do all forensic analysis of the electronic evidence from a mirror copy of the disk.
- Don't trust the subject computer's OS; conduct analysis on a copy using the OS of a trusted computer.
Step-by-step examination of a PC:
1. Before starting the examination, get authority from corporate management.
2. Photograph the screen image, then turn the machine off by pulling its plug.
3. Before moving the computer, document the hardware configuration with photographs and tags on cables. Do the same with removable media.
4. Transport the computer to a safe area.
5. Boot the computer (but not from its hard disk) and examine it.
6. Use forensic software to make a bit-stream image of the hard disk, run a hash of the hard disk and of the image and confirm that both are the same.
The steps a computer forensic expert takes are:
1. Make a bit-level image of the disk.
2. Make a cryptographic hash or digest of the disk.
3. Perform analysis in a secure environment.
4. Use forensics software to find hidden, deleted or encrypted files.
5. Boot the suspect system with a trusted OS. Run a complete system analysis.
6. Reboot the system to discover any background or malicious programs and learn from system interrupts.
7. Examine backup media.
8. Investigate protected files.
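Steps 1 and 2 of the expert's procedure (image, then hash) and the chain of custody from section 9.4 fit together as one workflow: hash the source, image it, hash the image, compare, and re-hash the image every time it changes hands so that any alteration is detectable. The following is an added example, not code from the study guide or a forensic tool; a plain file copy of a constructed byte string stands in for the write-blocked bit-stream image a real imager would produce, and the examiner names are invented.

```python
"""Imaging, hash verification and custody logging (added example, not from the
study guide). A plain file copy of a constructed byte string stands in for the
write-blocked bit-stream image a forensic imager would produce; the point is
the verification discipline around it: hash before, hash after, re-hash on
every hand-over, and log who did what. Examiner names are invented."""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Streaming SHA-256 so disks larger than memory can be hashed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Chain of custody: who did what to the evidence, when, and its hash then."""

    def __init__(self):
        self.entries = []

    def record(self, who, action, digest):
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": who, "action": action, "sha256": digest,
        })


def image_disk(source, image, examiner, log):
    """Hash the source, copy it byte for byte, hash the copy; return whether
    the two digests match together with the image digest to keep on record."""
    src_digest = sha256_of(source)
    log.record(examiner, f"hash source {source.name}", src_digest)
    shutil.copyfile(source, image)           # stand-in for the bit-stream imager
    img_digest = sha256_of(image)
    log.record(examiner, f"image {source.name} -> {image.name}", img_digest)
    return src_digest == img_digest, img_digest


def verify_image(image, expected_digest, examiner, log):
    """Re-hash the image before every analysis session; a mismatch means the
    image was altered and its evidential value is in question."""
    digest = sha256_of(image)
    log.record(examiner, "verify image before analysis", digest)
    return digest == expected_digest


def demo(workdir=None):
    """Run the workflow on a constructed 'disk'; returns the outcomes."""
    workdir = Path(workdir or tempfile.mkdtemp())
    disk = workdir / "suspect_disk.bin"
    disk.write_bytes(bytes(range(256)) * 64 + b"deleted-file-remnant")  # constructed
    image = workdir / "suspect_disk.img"
    log = CustodyLog()
    matches, digest = image_disk(disk, image, "examiner A", log)
    intact = verify_image(image, digest, "examiner B", log)
    image.write_bytes(image.read_bytes() + b"\x00")  # simulate an accidental write
    still_intact = verify_image(image, digest, "examiner B", log)
    return {
        "image_matches_source": matches,
        "intact_before_analysis": intact,
        "intact_after_write": still_intact,
        "custody_entries": len(log.entries),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Every custody entry carries the digest current at that moment, so the log itself shows at which hand-over the image stopped matching; that is the record the court asks for when authenticity of the evidence is challenged.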
9.6 Computer Ethics
The Request for Comments (RFC) 1087, titled "Ethics and the Internet", declares activities unethical and unacceptable if they:
- Seek to gain unauthorized access to the resources of the Internet;
- Disrupt the intended use of the Internet;
- Waste resources through such actions;
- Destroy the integrity of computer-based information;
- Compromise the privacy of users.
The (ISC)² Code of Ethics requires CISSPs to follow these canons:
- Protect society, the commonwealth, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
See also https://www.isc2.org/cgi/content.cgi?page=31 for detailed information.
CISSP 10-1
10 Physical Security
Physical security refers to the provision of a safe environment for information processing activities and the use of the environment to control the behavior of personnel.
The (ISC)² groups physical security issues into the following categories:
1. Facility requirements
2. Technical controls
3. Environmental/life and safety
4. Physical security threats
5. Elements of physical security
10.1 Classifying Assets to Simplify Physical Security Discussions
The principles of physical security are the same as those of information security: identification, assessment of vulnerabilities and threats and selection of countermeasures. As with information assets, rings of protection are a good strategy.
There are four kinds of physical assets:
- Facility: buildings, rooms
- Support: air conditioning, communication, water, fuel supplies
- Physical components: hardware, printers, storage
- Supplies and materials: disks, removable media
10.2 Vulnerabilities
A common list of types of vulnerabilities is: destruction, disclosure, removal and interruption. These vulnerabilities can be held against the four asset classes. Of course not every vulnerability applies to each class. For example:
- Facility
  - Destruction
    - Accidental (fire, flood, earthquake, wind, snow, construction faults)
    - Deliberate (vandalism, sabotage, arson, terrorism)
Theft is probably the most likely physical security issue. It is controlled by the following:
- Authorizing or hiring trustworthy people
- Maintaining a corporate culture in which honesty is expected and normal
- Motivating people by a good work environment and competitive remuneration
- Minimizing opportunities that would allow the easy theft of assets.
10.3 Selecting, Designing, Constructing and Maintaining a Secure Site
The controls to mitigate the risks of sites are:
- Site location and construction
- Physical access controls
- Power issues and controls
- Environmental controls
- Water exposure problems and controls
SITE LOCATION AND CONSTRUCTION
In the selection of a site the following should be considered:
- Vulnerability to crime, riots and demonstrations
- Adjacent buildings and businesses
- Emergency support response
- Vulnerability to natural disasters
- General building construction (hurricanes, earthquakes)
- Computer room considerations (location within the building)
PHYSICAL ACCESS CONTROLS
This is usually a perimeter control. Areas such as computer rooms should have restricted access and need to be identified and marked. Think of doors, key card systems and mantraps. Both active and passive access controls should be considered.
Active physical access controls
Active physical access controls are people (guards, receptionists) and computer-controlled card-access systems in combination with badges and ID cards.
Guards and receptionists should maintain access logs. Everybody should log in and out. The use of closed circuit TV (CCTV) may detect unwanted persons.
Besides preventative controls, reactive controls must be included, such as procedures defining what receptionists should do if unauthorized persons are discovered.
Passive controls
Passive access controls include doors and locks. Doors must be fireproof and solid. In addition to locks, alarms can be added to indicate that doors are opened. Combination locks have the disadvantage of being more difficult to open than key locks, but they can more easily be changed (re-keyed). Another kind of lock is the remote-controlled magnetic lock in combination with (smart) cards or other tokens. Dumb cards have a magnetic stripe with 80 bytes of information; smart cards contain processors and kilobytes of information, enough for biometric information and authorizations. The processor is powerful enough to encrypt information.
Which kind of token to use depends on the cost and the required safety. Regarding safety you have to consider:
- Fail-open: if a power outage or a computer crash occurs, it defeats the lock system. You need a UPS (Uninterruptible Power Supply) to prevent this;
- Fail-closed: means that in case of a failure the lock remains closed.
The price of cards can vary from cheap ($2-7) for dumb cards to very expensive for smart cards. Systems involving biometrics have issues such as reliability and errors. False positives and false negatives vary in the range of 0.01%-1.0%. Face recognition is even worse: up to 5%.
POWER ISSUES AND CONTROLS
Most computers are sensitive to dirty power (significant voltage variations and interference). Other electrical equipment on the same power line can create such disruptions. The first rule of computer power is isolation: there should be no other equipment on the same power line. Surge protectors and filters can protect computers from most dirty power problems.
The most common power risks are:
- Brownouts or total power loss;
- Spikes and surges: spikes occur with lightning, surges when electric motors stop;
- Static, e.g. generated by people in cold climates. This risk can be reduced by controlling humidity and using antistatic mats.
A UPS supports the power system for the time needed to start up backup generators. Self-contained power supplies detect a power failure due to battery exhaustion and shut down the computer automatically in a soft way.
Computers must be approved by Underwriters Laboratories (US) or the Canadian Standards Association (CSA). UL or CSA approval relates to safety features.
ENVIRONMENTAL CONTROLS
This section is about air conditioning, humidity and temperature. Most large computers require special dedicated air conditioning. Air conditioners extract water from the air, and that water must be removed. Leakage of pipes can destroy the hardware. Also, the air conditioning needs its own power supply because it uses a lot of energy. A second cooling system can be considered in case the first one fails.
Automatic humidity and temperature monitoring devices should be installed in climate-controlled rooms; records should be examined regularly.
WATER EXPOSURE PROBLEMS AND CONTROLS
Examples of water exposure problems are:
- Flood
- Basements
- Roofs
- Snow load problems
- Hurricanes and other weather phenomena
- Sprinklers
- Air conditioning
FIRE PREVENTION AND PROTECTION
Fire protection refers to detecting fire and minimizing damage to people and equip-
ment. Prevention is avoiding the problem in the first place which is less costly en more
effective in minimizing danger.
Four elements of prevention are outlined in the following list:

Construction Materials in a computer room must be fireproof as possi-
ble. False ceilings and ventilation shafts can become chim-
neys. Rugs do not belong in a computer room.

Training Fire regulations should and known.

Testing Fire procedures should be tested periodically.

No smoking policy
Fire detection systems are inexpensive. There are ionization-type smoke detectors and
photoelectric detectors. The first rule after a fire is detected is to evacuate people. Fire
spreads quickly and fire produces smoke, heat and toxic gasses. After people are safe
you can start to attempt to put out the fire.
Combustibles are rated as follows, based on their material composition:
- Class A: Wood, cloth, paper, rubber, most plastics, ordinary combustibles
- Class B: Flammable liquids and gases, oils, greases, tars, oil-based paints and lacquers
- Class C: Energized electrical equipment
- Class D: Flammable chemicals such as magnesium and sodium.
Portable fire extinguishers should be available near any electrical equipment. They
must be examined periodically. For computers, type ABC extinguishers exist. Extinguishers
are labeled as follows:
- Class A extinguishers are for combustible solids
- Class B extinguishers are for combustible liquids
- Class C extinguishers are for electricity.
Fixed systems include carbon dioxide extinguishers. A problem with CO2 is that it
leaves a corrosive residue on electrical parts. Safer for people is the use of Halon 1301.
The problem is that Halon contains CFCs.
Sprinkler systems use a separate water supply to become independent from the
electricity network. A reservoir can be put on top of the building and filled with distilled
water; distilled water doesn't conduct electricity, polluted water does. Sprinkler
systems use wet pipes or dry pipes. Dry pipes are filled with air to prevent breakage due
to frozen pipes. When there is a fire, first the air flows out before the water comes.
10.4 Tape and Media Library Retention Policies
Media storage issues are:
- Access should be restricted;
- Access should be controlled;
- The room should be locked;
- The room should be protected from fire.
A basic rule is that any sensitive data should have at least two backups and at least
one should be stored in a different building separate from the others.
10.5 Document (hard-copy) Libraries
Physical storage for paper documents needs to be:
- Larger in volume than for magnetic disks;
- Protected from water damage more carefully;
- Treated as a fuel repository and kept separate from other sensitive media.
A checklist for paper storage is:
- Keep passages unobstructed;
- Do not store records on the floor;
- Do not leave original documents on desks overnight;
- Store cellulose-based nitrate films separately and treat them as flammable and
hazardous goods;
- Set material back slightly from shelf edges to lessen vertical fire propagation;
- Avoid basement storage;
- Check areas where condensation can be a problem;
- Install shelving at least 12 inches from outside walls and 2 inches from inside walls and
place bottom shelves at least 4 inches above the floor;
- Store more valuable material on upper shelves and upper floors;
- Avoid carpeting in storage areas.
10.6 Waste Disposal
Dumpster diving is going through a company's waste bins. It can reveal valuable
information. Therefore procedures for classified waste should be in place, and such waste should be:
- Stored in separate containers;
- Collected frequently by security-cleared personnel;
- Retained in a secure area;
- Destroyed by cleared personnel using an approved and effective method.
To keep in mind:
- Computers do not erase data; they just flag files as erased;
- Databases do not erase records until they are packed;
- Degaussing is a way to destroy magnetically stored data;
- Optical media must be shredded;
- Core dumps from computer memory can reveal valuable data;
- Some computer memories remain readable for a considerable period even after power
shutdown.
10.7 Physical Intrusion Detection
Physical intrusion detection can be implemented by:
- Motion detectors;
- Heat detectors;
- Vibration sensors;
- Capacitance detectors;
- Magnetic sensors;
- Sniffers;
- X-rays and other see-through devices;
- Cameras.
10.8 Addendum
The salami fraud is an automated fraud technique in which a programmer moves
small amounts of money into his own bank account (e.g. rounding up amounts).
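The control that catches a salami scheme is an independent recomputation of every posting rather than a grand-total check, since the shaved fractions are redirected, not destroyed. The following is an added example, not from the book: it reconciles a constructed interest batch (account ids, balances, rate and the skim account A-999 are all assumed) against independently recomputed values.

```python
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")
RATE = Decimal("0.0125")  # assumed interest rate for the period (1.25%)

# Constructed opening balances: account id -> balance at the start of the period.
BALANCES = {
    "A-100": Decimal("1234.56"),
    "A-101": Decimal("98765.43"),
    "A-102": Decimal("555.55"),
}

# Constructed output of a tampered interest batch job: (account, amount posted).
# A-101's exact interest is 1234.567875 and should round to 1234.57; the job
# truncated it to 1234.56 and credited the shaved cent to account A-999, which
# holds no balance. The batch still balances to the cent overall.
LEDGER = [
    ("A-100", Decimal("15.43")),
    ("A-101", Decimal("1234.56")),
    ("A-102", Decimal("6.94")),
    ("A-999", Decimal("0.01")),
]


def expected_interest(balance):
    """Independently recompute one account's interest with banker's rounding."""
    return (balance * RATE).quantize(CENT, rounding=ROUND_HALF_EVEN)


def reconcile(balances, ledger):
    """Return (control_total_ok, discrepancies).
    A grand-total check alone is fooled by a salami scheme, because the shaved
    fractions are redirected rather than lost. The per-account comparison is
    what exposes both the short-paid account and the unexplained credit.
    """
    posted = {}
    for acct, amt in ledger:
        posted[acct] = posted.get(acct, Decimal("0")) + amt
    expected = {acct: expected_interest(bal) for acct, bal in balances.items()}
    control_total_ok = sum(expected.values()) == sum(posted.values())
    discrepancies = []  # (account, expected, posted) for every mismatch
    for acct in sorted(set(expected) | set(posted)):
        exp, got = expected.get(acct, Decimal("0")), posted.get(acct, Decimal("0"))
        if exp != got:
            discrepancies.append((acct, exp, got))
    return control_total_ok, discrepancies
```

Running `reconcile(BALANCES, LEDGER)` reports that the control total balances while flagging A-101 as short-paid and A-999 as receiving an unexplained credit.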
CISSP I
Abbreviations
Abbr. Meaning
ACL Access Control List
ADSL Asymmetric Digital Subscriber Line
AES Advanced Encryption Standard
AH Authentication Header
ALE Annualized loss expectancy
ALG Application Level Gateway
ARO Annualized rate of occurrence
ARP Address Resolution Protocol
ATM Asynchronous Transfer Mode
AUI Attachment Unit Interface
AUP Acceptable User Policy
BCP Business Continuity Planning
BIA Business Impact Analysis
BMP Bitmap
BNC British Naval Connector
BootP Bootstrap Protocol
BRI Basic Rate Interface
CBA Cost-benefit Analysis
CC Common Criteria
CHAP Challenge Handshake Authentication Protocol
CIRT Computer Incident Response Team
COA Ciphertext Only Attack
CRC Cyclic Redundancy Check
DAC Discretionary Access Control
DCE Data Circuit-Terminating Equipment
DDoS Distributed Denial of Service
DES Data Encryption Standard
DIVX Digital Video Express
DLCI Data-Link Connection Identifier
DoD Department of Defense
DoS Denial of Service
DRP Disaster Recovery Planning
DSL Digital Subscriber Line
DTE Data Terminal Equipment
DWDM Dense Wave Division Multiplexing
EAL Evaluation
EF Exposure factor
EMI Electromagnetic Interference
ESP Encapsulated Security Payload
FTP File Transfer Protocol
GIF Graphic Interchange Format
GRE Generic Routing Encapsulation
HDLC High-Level Data-Link Control
HDSL High-rate Digital Subscriber Line
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
IEEE Institute of Electrical and Electronics Engineers
IKE Internet Key Exchange
IP Internet Protocol
IPSec IP Security
IPX Internet Packet Exchange
IRC Internet Relay Chat
IRL Inter-repeater Link
ISAKMP Internet Security Association & Key Management Protocol
ISDN Integrated Services Data Network
JPEG Joint Photographic Experts Group
KPA Known-Plaintext Attack
L2TP Layer 2 Tunneling Protocol
LAPB Link Access Procedure Balanced
LPD Line Printer Daemon
MAC Media Access Control
MAC Mandatory Access Control
MAC Message Authentication Code
MAU Multi-Access Unit
MIDI Musical Instrument Digital Interface
MLS Multi Level Secure
MP3 Moving Pictures Experts Group Layer-3 Audio
MPEG Moving Picture Experts Group
NAT Network Address Translation
NCP Netware Core Protocol
NFS Network File System
NIC Network Interface Card
NNTP Network News Transfer Protocol
OPSEC Operations Security
PAP Password Authentication Protocol
PAT Port Address Translation
PEM Privacy Enhanced Mail
PING Packet Inter-Network Groper
PKI Public Key Infrastructure
POP3 Post Office Protocol 3
PP Protection Profile
PPTP Point-to-Point Tunneling Protocol
PRI Primary Rate Interface
RAID Redundant Array of Inexpensive Disks
RARP Reverse ARP
RBAC Role Based Access Control
RPC Remote Procedure Call
RTC Real-time Clock
S/MIME Secure/Multipurpose Internet Mail Extensions
SA Security Association
SAA Service Application Architecture
SAN Storage Area Network
SDLC Synchronous Data-Link Control
SDSL Single-line Digital Subscriber Line
SET Secure Electronic Transmission
SKIP Simple Key Management for Internet Protocol
SLE Single-loss expectancy
SMB Server Message Block
SMDS Switched Multimegabit Data Service
SMTP Simple Mail Transfer Protocol
SNA System Network Architecture
SNMP Simple Network Management Protocol
SOHO Small office/home office
SPOF Single Point Of Failure
SQL Structured Query Language
SSL Secure Socket Layer
ST Security Target
TACACS Terminal Access Controller Access Control System
TCB Trusted Computing Base
TCP Transmission Control Protocol
TCP/IP TCP and IP
TCSEC Trusted Computer System Evaluation Criteria
TDR Time Domain Reflectometer
TFTP A subset of FTP
TIFF Tag Image File Format
TLS Transport Layer Security
TOE Target of Evaluation
TSF TOE Security Functions
UCE Unsolicited Commercial Email (SPAM)
UDP User Datagram Protocol
UPS Uninterruptible Power Supply
UTP Unshielded Twisted Pair
VDSL Very-high Digital Subscriber Line
VPN Virtual Private Network
WAV Windows Audio Volume
WMF Windows Media File