CISSP Guide to Security Essentials pptx


Document information

CISSP Guide to Security Essentials
Peter Gregory

Australia • Brazil • Japan • Korea • Mexico • Singapore • Spain • United Kingdom • United States

CISSP Guide to Security Essentials, Peter Gregory

Vice President, Career and Professional Editorial: Dave Garza
Executive Editor: Stephen Helba
Managing Editor: Marah Bellegarde
Senior Product Manager: Michelle Ruelos Cannistraci
Editorial Assistant: Sarah Pickering
Vice President, Career and Professional Marketing: Jennifer McAvey
Marketing Director: Deborah S. Yarnell
Senior Marketing Manager: Erin Coffin
Marketing Coordinator: Shanna Gibbs
Production Director: Carolyn Miller
Production Manager: Andrew Crouth
Content Project Manager: Andrea Majot
Art Director: Jack Pendleton
Cover photo: iStock.com
Production Technology Analyst: Tom Stover
Manufacturing Coordinator: Denise Powers
Compositor: PrePress PMG

© 2010 Course Technology, Cengage Learning

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706. For permission to use material from this text or product, submit all requests online at cengage.com/permissions. Further permissions questions can be emailed to permissionrequest@cengage.com.

Library of Congress Control Number: 2009925212
ISBN-13: 978-1-435-42819-5
ISBN-10: 1-435-42819-6

Course Technology
20 Channel Center Street
Boston, MA 02210
USA

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region

Cengage Learning products are represented in Canada by Nelson Education, Ltd.

For your lifelong learning solutions, visit course.cengage.com
Visit our corporate website at www.cengage.com

Notice to the Reader

Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers. Microsoft and the Office logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Course Technology, a part of Cengage Learning, is an independent entity from the Microsoft Corporation, and not affiliated with Microsoft in any manner. Any fictional data related to persons or companies or URLs used throughout this book is intended for instructional purposes only. At the time this book was printed, any such data was fictional and not belonging to any real persons or companies. Course Technology, the Course Technology logo, and the Shelly Cashman Series® are registered trademarks used under license.

Adobe, the Adobe logos, Authorware, ColdFusion, Director, Dreamweaver, Fireworks, FreeHand, JRun, Flash, and Shockwave are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. All other names used herein are for identification purposes only and are trademarks of their respective owners.

Course Technology, a part of Cengage Learning, reserves the right to revise this publication and make changes from time to time in its content without notice.

The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational purposes. The author and the publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the programs.

Printed in the United States of America

Brief Table of Contents

Introduction xxv
Lab Requirements xxxv
Chapter 1 Information Security and Risk Management 1
Chapter 2 Access Controls 35
Chapter 3 Application Security 77
Chapter 4 Business Continuity and Disaster Recovery Planning 125
Chapter 5 Cryptography 157
Chapter 6 Legal, Regulations, Compliance and Investigations 199
Chapter 7 Operations Security 233
Chapter 8 Physical and Environmental Security 269
Chapter 9 Security Architecture and Design 305
Chapter 10 Telecommunications and Network Security 343
Appendix A The Ten Domains of CISSP Security 401
Appendix B The (ISC)2 Code of Ethics 408
Glossary 411
Index 428

Table of Contents (page numbers are those of the printed book; the preview ends after Chapter 3)

Introduction xxv
Lab Requirements xxxv

Chapter 1 Information Security and Risk Management 1
    Organizational Mission, Objectives, and Goals 3
    Mission 3
    Objectives 3
    Goals 4
    Security Support of Mission, Objectives, and Goals 4
    Risk Management 4
    Risk Assessment 5
    Qualitative Risk Assessment 5
    Quantitative Risk Assessment 5
    Quantifying Countermeasures 6
    Geographic Considerations 7
    Specific Risk Assessment Methodologies 7
    Risk Treatment 7
    Risk Avoidance 8
    Risk Reduction 8
    Risk Acceptance 8
    Risk Transfer 8
    Residual Risk 8
    Security Management Concepts 8
    Security Controls 9
    The CIA Triad 9
    Confidentiality 9
    Integrity 10
    Availability 10
    Defense in Depth 10
    Single Points of Failure 11
    Fail Open, Fail Closed, Fail Soft 11
    Privacy 12
    Personally Identifiable Information 12
    Security Management 12
    Security Executive Oversight 13
    Security Governance 13
    Security Policy, Guidelines, Standards, and Procedures 14
    Policies 14
    Policy Standards 14
    Policy Effectiveness 15
    Requirements 15
    Guidelines 15
    Standards 15
    Procedures 16
    Security Roles and Responsibilities 16
    Service Level Agreements 17
    Secure Outsourcing 17
    Data Classification and Protection 17
    Sensitivity Levels 18
    Information Labeling 18
    Handling 19
    Destruction 20
    Certification and Accreditation 20
    Internal Audit 20
    Security Strategies 20
    Personnel Security 21
    Hiring Practices and Procedures 21
    Non-Disclosure Agreement 21
    Consent to Background Verification 21
    Background Verification 22
    Offer Letter 22
    Non-Compete 22
    Intellectual Property Agreement 23
    Employment Agreement 23
    Employee Handbook 23
    Formal Job Descriptions 23
    Termination 23
    Work Practices 24
    Separation of Duties 24
    Job Rotation 24
    Mandatory Vacations 24
    Security Education, Training, and Awareness 25
    Professional Ethics 25
    Chapter Summary 26
    Key Terms 27
    Review Questions 30
    Hands-On Projects 32
    Case Projects 34

Chapter 2 Access Controls 35
    Controlling Access to Information and Functions 36
    Identification and Authentication 37
    Authentication Methods 37
    How Information Systems Authenticate Users 38
    How a User Should Treat Userids and Passwords 39
    How a System Stores Userids and Passwords 39
    Strong Authentication 39
    Two-Factor Authentication 39
    Biometric Authentication 41
    Authentication Issues 42
    Access Control Technologies and Methods 43
    LDAP 43
    Active Directory 44
    RADIUS 44
    Diameter 44
    TACACS 44
    Kerberos 44
    Single Sign-On 45
    Reduced Sign-On 45
    Access Control Attacks 46
    Buffer Overflow 46
    Script Injection 47
    Data Remanence 47
    Denial of Service 48
    Dumpster Diving 48
    Eavesdropping 48
    Emanations 49
    Spoofing and Masquerading 49
    Social Engineering 50
    Phishing 50
    Pharming 52
    Password Guessing 52
    Password Cracking 52
    Malicious Code 53
    Access Control Concepts 53
    Principles of Access Control 53
    Separation of Duties 54
    Least Privilege 54
    Least Privilege and Server Applications 54
    User Permissions on File Servers and Applications 54
    Least Privilege on Workstations 55
    Types of Controls 55
    Technical Controls 55
    Physical Controls 55
    Administrative Controls 56
    Categories of Controls 56
    Detective Controls 56
    Deterrent Controls 57
    Preventive Controls 58
    Corrective Controls 58
    Recovery Controls 58
    Compensating Controls 59
    Using a Defense in Depth Control Strategy 59
    Example 1: Protected Application 60
    Example 2: Protected Facility 60
    Testing Access Controls 61
    Penetration Testing 61
    Application Vulnerability Testing 62
    Audit Log Analysis 62
    Chapter Summary 63
    Key Terms 64
    Review Questions 67
    Hands-On Projects 69
    Case Projects 75

Chapter 3 Application Security 77
    Types of Applications 78
    Agents 78
    Applets 79
    Client-server Applications 79
    Distributed Applications 81
    Web Applications 82
    Application Models and Technologies 83
    Control Flow Languages 83
    Structured Languages 83
    Object Oriented Systems 83
    Object Oriented Programming 83
    Class 84
    Object 84
    Method 84
    Encapsulation 84
    Inheritance 84
    Polymorphism 84
    Distributed Object Oriented Systems 84
    Knowledge-based Applications 84
    Neural Networks 85
    Expert Systems 85
    Threats in the Software Environment 85
    Buffer Overflow 86
    Types of Buffer Overflow Attacks 86
    Stack Buffer Overflow 86
    NOP Sled Attack 86
    Heap Overflow 86
    Jump-to-Register Attack 87
    Historic Buffer Overflow Attacks 87
    Buffer Overflow Countermeasures 87
    Malicious Software 88
    Types of Malicious Software 89
    Viruses 89
    Worms 90
    Trojan Horses 90
    Rootkits 91
    Bots 92
    Spam 92
    Pharming 93
    Spyware and Adware 93
    Malicious Software Countermeasures 94
    Anti-virus 94
    Anti-rootkit Software 95
    Anti-spyware Software 95
    Anti-spam Software 95
    Firewalls 96
    Decreased Privilege Levels 96
    Penetration Testing 97
    Hardening 98
    Input Attacks 98
    Types of Input Attacks 99
    Input Attack Countermeasures 99
    Object Reuse 100
    Object Reuse Countermeasures 100
    Mobile Code 100
    Mobile Code Countermeasures 101
    Social Engineering 101
    Social Engineering Countermeasures 101
    Back Door 101
    Back Door Countermeasures 102
    Logic Bomb 102
    Logic Bomb Countermeasures 102
    Security in the Software Development Life Cycle 103
    Security in the Conceptual Stage 103
    Security Application Requirements and Specifications 104
    Security in Application Design 104
    Threat Risk Modeling 105
    Security in Application Coding 105
    Common Vulnerabilities to Avoid 105
    Use Safe Libraries 106
    Security in Testing 106
    Protecting the SDLC Itself 107
    Application Environment and Security Controls 108
    Authentication 108
    Authorization 108
    Role-based Access Control 108
    Audit Log 109
    Audit Log Contents 109
    Audit Log Protection 109
    Databases and Data Warehouses 109
    Database Concepts and Design 110
    Database Architectures 110
    Hierarchical Databases 110
    Network Databases 110
    Relational Databases 110
    Object Oriented Databases 111
    Distributed Databases 111
    Database Transactions 111
    Database Security Controls 112
    Access Controls 112
    Views 112
    Chapter Summary 112
    Key Terms 113
    Review Questions 116
    Hands-On Projects 119
    Case Projects 122

[...]

Preview fragments from the Introduction (each fragment is cut off at both ends in the preview):

... instructor, CISSP Guide to Security Essentials has arrived just in time.

Intended Audience

This book is written for students and professionals who want to expand their knowledge of computer, network, and business security. It is not necessary that the reader specifically target CISSP certification; while this book is designed to support that objective, the student or professional who desires to learn ...

... slides are meant to be used as a teaching aid for classroom presentations, to be made available to students on the network for chapter review, or to be printed for classroom distribution. Instructors are also at liberty to add their own slides to cover additional topics.

How to Earn and Maintain a CISSP Certification

In order to become CISSP certified, you must:
1. Select a test location and date from the ...

... Domains of CISSP Security,” provides a background on the CISSP certification, and then describes the ten domains in the CISSP Common Body of Knowledge. Appendix B, “The (ISC)2 Code of Ethics,” contains the full text of the (ISC)2 Code of Ethics, which every CISSP candidate is required to support and uphold. The Code of Ethics is a set of enduring principles to guide the behavior of every security professional ...

... questions.

Information Security Community Site

The Information Security Community Site was created for students and instructors to find out about the latest in information security news and technology. Visit www.community.cengage.com/security to:
■ Learn what’s new in information security through live news feeds, videos, and podcasts
■ Connect with your peers and security experts through ...

... certification; while this book is designed to support that objective, the student or professional who desires to learn more about security, but who does not aspire to earn the CISSP certification at this time, will benefit from this book as equally as a CISSP candidate. CISSP Guide to Security Essentials is also ideal for someone in a self-study program. The end of each chapter has not only study questions, but ...

... certification cycle. (ISC)2 recognizes that security practices and technologies constantly change, which is why staying current is a requirement for keeping your CISSP. You will also be required to pay an annual fee to maintain your certification. You are encouraged to volunteer your time and talent in the CISSP community. Opportunities include proctoring CISSP exams, writing CISSP exam questions, public speaking, ...

... and tactics that are required to protect an organization’s assets. The CISSP (Certified Information Systems Security Professional) is easily the most recognized security certification in the business. CISSP is also one of the most difficult certifications to earn, because it requires knowledge in almost every nook and cranny of information technology and physical security. The CISSP is a jack-of-all-trades ...

... going to the page for this book, and clicking the “Download Instructor Files & Teaching Tools” link.

Electronic Instructor’s Manual—The Instructor’s Manual that accompanies this textbook provides additional instructional material to assist in class preparation, including suggestions for lecture topics, suggested lab activities, tips on setting up a lab for the hands-on assignments, and solutions to all ...

... the Internet. The information security industry is barely able to keep up. Cybercriminals and hackers always seem to be one step ahead, and new threats and vulnerabilities crop up at a rate that often exceeds our ability to continue protecting our most vital information and systems. Like other sectors in IT, security planners, analysts, engineers, and operators are expected to do more with less. Cybercriminals ...

... lists common information security and risk management terms that are found in this book.

Features

To aid you in fully understanding computer and business security, this book includes many features designed to enhance your learning experience.
• Maps to the CISSP Common Body of Knowledge (CBK). The material in this text covers all of the CISSP exam objectives. Aside from Information Security and Risk Management ...

Posted: 09/03/2014, 07:20
