CISSP Guide to Security Essentials
Australia • Brazil • Japan • Korea • Mexico • Singapore • Spain • United Kingdom • United States
Peter Gregory
CISSP Guide to Security Essentials
CISSP Guide to Security Essentials,
Peter Gregory
Vice President, Career and Professional Editorial: Dave Garza
Executive Editor: Stephen Helba
Managing Editor: Marah Bellegarde
Senior Product Manager: Michelle Ruelos Cannistraci
Editorial Assistant: Sarah Pickering
Vice President, Career and Professional Marketing: Jennifer McAvey
Marketing Director: Deborah S. Yarnell
Senior Marketing Manager: Erin Coffin
Marketing Coordinator: Shanna Gibbs
Production Director: Carolyn Miller
Production Manager: Andrew Crouth
Content Project Manager: Andrea Majot
Art Director: Jack Pendleton
Cover photo: iStock.com
Production Technology Analyst: Tom Stover
Manufacturing Coordinator: Denise Powers
Compositor: PrePress PMG
© 2010 Course Technology, Cengage Learning
ALL RIGHTS RESERVED. No part of this work covered by the copyright
herein may be reproduced, transmitted, stored or used in any form or by
any means graphic, electronic, or mechanical, including but not limited to
photocopying, recording, scanning, digitizing, taping, Web distribution,
information networks, or information storage and retrieval systems, except
as permitted under Section 107 or 108 of the 1976 United States
Copyright Act, without the prior written permission of the publisher.
For product information and technology assistance, contact us at
Cengage Learning Customer & Sales Support, 1-800-354-9706
For permission to use material from this text or product,
submit all requests online at cengage.com/permissions
Further permissions questions can be emailed to
permissionrequest@cengage.com
Library of Congress Control Number: 2009925212
ISBN-13: 978-1-435-42819-5
ISBN-10: 1-435-42819-6
Course Technology
20 Channel Center Street
Boston, MA 02210
USA
Cengage Learning is a leading provider of customized learning solutions
with office locations around the globe, including Singapore, the United
Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at:
international.cengage.com/region
Cengage Learning products are represented in Canada by Nelson
Education, Ltd.
For your lifelong learning solutions, visit course.cengage.com
Visit our corporate website at www.cengage.com
Notice to the Reader
Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.
Microsoft and the Office logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Course Technology, a part of Cengage Learning, is an independent entity from the Microsoft Corporation, and not affiliated with Microsoft in any manner.
Any fictional data related to persons or companies or URLs used throughout this book is intended for instructional purposes only. At the time this book was printed, any such data was fictional and not belonging to any real persons or companies.
Course Technology, the Course Technology logo, and the Shelly Cashman Series® are registered trademarks used under license.
Adobe, the Adobe logos, Authorware, ColdFusion, Director, Dreamweaver, Fireworks, FreeHand, JRun, Flash, and Shockwave are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. All other names used herein are for identification purposes only and are trademarks of their respective owners.
Course Technology, a part of Cengage Learning, reserves the right to revise this publication and make changes from time to time in its content without notice.
The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational purposes. The author and the publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the programs.
Printed in the United States of America
1 2 3 4 5 6 7 12 11 10 09
Brief Table of Contents
INTRODUCTION . . . XXV
LAB REQUIREMENTS . . . XXXV
CHAPTER 1 Information Security and Risk Management . . . 1
CHAPTER 2 Access Controls . . . 35
CHAPTER 3 Application Security . . . 77
CHAPTER 4 Business Continuity and Disaster Recovery Planning . . . 125
CHAPTER 5 Cryptography . . . 157
CHAPTER 6 Legal, Regulations, Compliance and Investigations . . . 199
CHAPTER 7 Operations Security . . . 233
CHAPTER 8 Physical and Environmental Security . . . 269
CHAPTER 9 Security Architecture and Design . . . 305
CHAPTER 10 Telecommunications and Network Security . . . 343
APPENDIX A The Ten Domains of CISSP Security . . . 401
APPENDIX B The (ISC)2 Code of Ethics . . . 408
GLOSSARY . . . 411
INDEX . . . 428
Table of Contents
INTRODUCTION . . . XXV
LAB REQUIREMENTS . . . XXXV
CHAPTER 1 Information Security and Risk Management . . . 1
Organizational Mission, Objectives, and Goals . . . 3
Mission . . . 3
Objectives . . . 3
Goals . . . 4
Security Support of Mission, Objectives, and Goals . . . 4
Risk Management . . . 4
Risk Assessment . . . 5
Qualitative Risk Assessment . . . 5
Quantitative Risk Assessment . . . 5
Quantifying Countermeasures . . . 6
Geographic Considerations . . . 7
Specific Risk Assessment Methodologies . . . 7
Risk Treatment . . . 7
Risk Avoidance . . . 8
Risk Reduction . . . 8
Risk Acceptance . . . 8
Risk Transfer . . . 8
Residual Risk . . . 8
Security Management Concepts . . . 8
Security Controls . . . 9
The CIA Triad . . . 9
Confidentiality . . . 9
Integrity . . . 10
Availability . . . 10
Defense in Depth . . . 10
Single Points of Failure . . . 11
Fail Open, Fail Closed, Fail Soft . . . 11
Privacy . . . 12
Personally Identifiable Information . . . 12
Security Management . . . 12
Security Executive Oversight . . . 13
Security Governance . . . 13
Security Policy, Guidelines, Standards, and Procedures . . . 14
Policies . . . 14
Policy Standards . . . 14
Policy Effectiveness . . . 15
Requirements . . . 15
Guidelines . . . 15
Standards . . . 15
Procedures . . . 16
Security Roles and Responsibilities . . . 16
Service Level Agreements . . . 17
Secure Outsourcing . . . 17
Data Classification and Protection . . . 17
Sensitivity Levels . . . 18
Information Labeling . . . 18
Handling . . . 19
Destruction . . . 20
Certification and Accreditation . . . 20
Internal Audit . . . 20
Security Strategies . . . 20
Personnel Security . . . 21
Hiring Practices and Procedures . . . 21
Non-Disclosure Agreement . . . 21
Consent to Background Verification . . . 21
Background Verification . . . 22
Offer Letter . . . 22
Non-Compete . . . 22
Intellectual Property Agreement . . . 23
Employment Agreement . . . 23
Employee Handbook . . . 23
Formal Job Descriptions . . . 23
Termination . . . 23
Work Practices . . . 24
Separation of Duties . . . 24
Job Rotation . . . 24
Mandatory Vacations . . . 24
Security Education, Training, and Awareness . . . 25
Professional Ethics . . . 25
Chapter Summary . . . 26
Key Terms . . . 27
Review Questions . . . 30
Hands-On Projects . . . 32
Case Projects . . . 34
CHAPTER 2 Access Controls . . . 35
Controlling Access to Information and Functions . . . 36
Identification and Authentication . . . 37
Authentication Methods . . . 37
How Information Systems Authenticate Users . . . 38
How a User Should Treat Userids and Passwords . . . 39
How a System Stores Userids and Passwords . . . 39
Strong Authentication . . . 39
Two-Factor Authentication . . . 39
Biometric Authentication . . . 41
Authentication Issues . . . 42
Access Control Technologies and Methods . . . 43
LDAP . . . 43
Active Directory . . . 44
RADIUS . . . 44
Diameter . . . 44
TACACS . . . 44
Kerberos . . . 44
Single Sign-On . . . 45
Reduced Sign-On . . . 45
Access Control Attacks . . . 46
Buffer Overflow . . . 46
Script Injection . . . 47
Data Remanence . . . 47
Denial of Service . . . 48
Dumpster Diving . . . 48
Eavesdropping . . . 48
Emanations . . . 49
Spoofing and Masquerading . . . 49
Social Engineering . . . 50
Phishing . . . 50
Pharming . . . 52
Password Guessing . . . 52
Password Cracking . . . 52
Malicious Code . . . 53
Access Control Concepts . . . 53
Principles of Access Control . . . 53
Separation of Duties . . . 54
Least Privilege . . . 54
Least Privilege and Server Applications . . . 54
User Permissions on File Servers and Applications . . . 54
Least Privilege on Workstations . . . 55
Types of Controls . . . 55
Technical Controls . . . 55
Physical Controls . . . 55
Administrative Controls . . . 56
Categories of Controls . . . 56
Detective Controls . . . 56
Deterrent Controls . . . 57
Preventive Controls . . . 58
Corrective Controls . . . 58
Recovery Controls . . . 58
Compensating Controls . . . 59
Using a Defense in Depth Control Strategy . . . 59
Example 1: Protected Application . . . 60
Example 2: Protected Facility . . . 60
Testing Access Controls . . . 61
Penetration Testing . . . 61
Application Vulnerability Testing . . . 62
Audit Log Analysis . . . 62
Chapter Summary . . . 63
Key Terms . . . 64
Review Questions . . . 67
Hands-On Projects . . . 69
Case Projects . . . 75
CHAPTER 3 Application Security . . . 77
Types of Applications . . . 78
Agents . . . 78
Applets . . . 79
Client-server Applications . . . 79
Distributed Applications . . . 81
Web Applications . . . 82
Application Models and Technologies . . . 83
Control Flow Languages . . . 83
Structured Languages . . . 83
Object Oriented Systems . . . 83
Object Oriented Programming . . . 83
Class . . . 84
Object . . . 84
Method . . . 84
Encapsulation . . . 84
Inheritance . . . 84
Polymorphism . . . 84
Distributed Object Oriented Systems . . . 84
Knowledge-based Applications . . . 84
Neural Networks . . . 85
Expert Systems . . . 85
Threats in the Software Environment . . . 85
Buffer Overflow . . . 86
Types of Buffer Overflow Attacks . . . 86
Stack Buffer Overflow . . . 86
NOP Sled Attack . . . 86
Heap Overflow . . . 86
Jump-to-Register Attack . . . 87
Historic Buffer Overflow Attacks . . . 87
Buffer Overflow Countermeasures . . . 87
Malicious Software . . . 88
Types of Malicious Software . . . 89
Viruses . . . 89
Worms . . . 90
Trojan Horses . . . 90
Rootkits . . . 91
Bots . . . 92
Spam . . . 92
Pharming . . . 93
Spyware and Adware . . . 93
Malicious Software Countermeasures . . . 94
Anti-virus . . . 94
Anti-rootkit Software . . . 95
Anti-spyware Software . . . 95
Anti-spam Software . . . 95
Firewalls . . . 96
Decreased Privilege Levels . . . 96
Penetration Testing . . . 97
Hardening . . . 98
Input Attacks . . . 98
Types of Input Attacks . . . 99
Input Attack Countermeasures . . . 99
Object Reuse . . . 100
Object Reuse Countermeasures . . . 100
Mobile Code . . . 100
Mobile Code Countermeasures . . . 101
Social Engineering . . . 101
Social Engineering Countermeasures . . . 101
Back Door . . . 101
Back Door Countermeasures . . . 102
Logic Bomb . . . 102
Logic Bomb Countermeasures . . . 102
Security in the Software Development Life Cycle . . . 103
Security in the Conceptual Stage . . . 103
Security Application Requirements and Specifications . . . 104
Security in Application Design . . . 104
Threat Risk Modeling . . . 105
Security in Application Coding . . . 105
Common Vulnerabilities to Avoid . . . 105
Use Safe Libraries . . . 106
Security in Testing . . . 106
Protecting the SDLC Itself . . . 107
Application Environment and Security Controls . . . 108
Authentication . . . 108
Authorization . . . 108
Role-based Access Control . . . 108
Audit Log . . . 109
Audit Log Contents . . . 109
Audit Log Protection . . . 109
Databases and Data Warehouses . . . 109
Database Concepts and Design . . . 110
Database Architectures . . . 110
Hierarchical Databases . . . 110
Network Databases . . . 110
Relational Databases . . . 110
Object Oriented Databases . . . 111
Distributed Databases . . . 111
Database Transactions . . . 111
Database Security Controls . . . 112
Access Controls . . . 112
Views . . . 112
Chapter Summary . . . 112
Key Terms . . . 113
Review Questions . . . 116
Hands-On Projects . . . 119
Case Projects . . . 122
[...] instructor, CISSP Guide to Security Essentials has arrived just in time.

Intended Audience

This book is written for students and professionals who want to expand their knowledge of computer, network, and business security. It is not necessary that the reader specifically target CISSP certification; while this book is designed to support that objective, the student or professional who desires to learn more about security, but who does not aspire to earn the CISSP certification at this time, will benefit from this book as equally as a CISSP candidate. CISSP Guide to Security Essentials is also ideal for someone in a self-study program. The end of each chapter has not only study questions, but...

... slides are meant to be used as a teaching aid for classroom presentations, to be made available to students on the network for chapter review, or to be printed for classroom distribution. Instructors are also at liberty to add their own slides to cover additional topics.

How to Earn and Maintain a CISSP Certification

In order to become CISSP certified, you must:
1. Select a test location and date from the...

... Domains of CISSP Security," provides a background on the CISSP certification, and then describes the ten domains in the CISSP Common Body of Knowledge. Appendix B, "The (ISC)2 Code of Ethics," contains the full text of the (ISC)2 Code of Ethics, which every CISSP candidate is required to support and uphold. The Code of Ethics is a set of enduring principles to guide the behavior of every security professional...

... questions.

Information Security Community Site

The Information Security Community Site was created for students and instructors to find out about the latest in information security news and technology. Visit www.community.cengage.com/security to:
■ Learn what's new in information security through live news feeds, videos, and podcasts
■ Connect with your peers and security experts through...

... certification cycle. (ISC)2 recognizes that security practices and technologies constantly change, which is why staying current is a requirement for keeping your CISSP. You will also be required to pay an annual fee to maintain your certification. You are encouraged to volunteer your time and talent in the CISSP community. Opportunities include proctoring CISSP exams, writing CISSP exam questions, public speaking, ...

... and tactics that are required to protect an organization's assets. The CISSP (Certified Information Systems Security Professional) is easily the most recognized security certification in the business. CISSP is also one of the most difficult certifications to earn, because it requires knowledge in almost every nook and cranny of information technology and physical security. The CISSP is a jack-of-all-trades...

... going to the page for this book, and clicking the "Download Instructor Files & Teaching Tools" link. Electronic Instructor's Manual—The Instructor's Manual that accompanies this textbook provides additional instructional material to assist in class preparation, including suggestions for lecture topics, suggested lab activities, tips on setting up a lab for the hands-on assignments, and solutions to all...

... the Internet. The information security industry is barely able to keep up. Cybercriminals and hackers always seem to be one step ahead, and new threats and vulnerabilities crop up at a rate that often exceeds our ability to continue protecting our most vital information and systems. Like other sectors in IT, security planners, analysts, engineers, and operators are expected to do more with less. Cybercriminals...

... lists common information security and risk management terms that are found in this book.

Features

To aid you in fully understanding computer and business security, this book includes many features designed to enhance your learning experience.
• Maps to the CISSP Common Body of Knowledge (CBK). The material in this text covers all of the CISSP exam objectives. Aside from Information Security and Risk Management ...