CISSP: Certified Information Systems Security Professional Study Guide 2nd Edition 4335cFM.fm Page i Wednesday, June 16, 2004 4:01 PM 4335cFM.fm Page ii Wednesday, June 16, 2004 4:01 PM San Francisco • London CISSP ® : Certified Information Systems Security Professional Study Guide 2nd Edition Ed Tittel James Michael Stewart Mike Chapple 4335cFM.fm Page iii Wednesday, June 16, 2004 4:01 PM Associate Publisher: Neil Edde Acquisitions and Developmental Editor: Heather O’Connor Production Editor: Lori Newman Technical Editor: Patrick Bass Copyeditor: Judy Flynn Compositor: Craig Woods, Happenstance Type-O-Rama Graphic Illustrator: Happenstance Type-O-Rama CD Coordinator: Dan Mummert CD Technician: Kevin Ly Proofreaders: Laurie O’Connell, Nancy Riddiough Indexer: Ted Laux Book Designer: Bill Gibson, Judy Fung Cover Designer: Archer Design Cover Photographer: Victor Arre, Photodisc Copyright © 2004 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written per- mission of the publisher. First edition copyright © 2003 SYBEX Inc. Library of Congress Card Number: 2003115091 ISBN: 0-7821-4335-0 SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries. Screen reproductions produced with FullShot 99. FullShot 99 © 1991–1999 Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated. The CD interface was created using Macromedia Director, COPYRIGHT 1994, 1997–1999 Macromedia Inc. For more information on Macromedia and Macromedia Director, visit http://www.macromedia.com. This study guide and/or material is not sponsored by, endorsed by or affiliated with International Information Systems Security Certification Consortium, Inc. (ISC) 2 ® and CISSP® are registered service and/or trademarks of the International Information Systems Security Certification Consortium, Inc. All other trademarks are the prop- erty of their respective owners. TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer. The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book. Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 4335cFM.fm Page iv Wednesday, June 16, 2004 4:01 PM To Our Valued Readers: Thank you for looking to Sybex for your CISSP exam prep needs. We at Sybex are proud of our reputation for providing certification candidates with the practical knowledge and skills needed to succeed in the highly competitive IT marketplace. Certification candidates have come to rely on Sybex for accurate and accessible instruction on today’s crucial technologies. For the second year in a row, readers such as you voted Sybex as winner of the “Best Study Guides” category in the 2003 CertCities Readers Choice Awards. The author and editors have worked hard to ensure that the new edition of the CISSP®: Cer- tified Information Systems Security Professional Study Guide you hold in your hands is com- prehensive, in-depth, and pedagogically sound. We’re confident that this book will exceed the demanding standards of the certification marketplace and help you, the CISSP certification candidate, succeed in your endeavors. As always, your feedback is important to us. If you believe you’ve identified an error in the book, please send a detailed e-mail to support@sybex.com. And if you have general com- ments or suggestions, feel free to drop me a line directly at nedde@sybex.com. At Sybex we’re continually striving to meet the needs of individuals preparing for certification exams. Good luck in pursuit of your CISSP certification! Neil Edde Associate Publisher—Certification Sybex, Inc. 4335cFM.fm Page v Wednesday, June 16, 2004 4:01 PM Software License Agreement: Terms and Conditions The media and/or any online materials accompanying this book that are available now or in the future contain programs and/or text files (the “Software”) to be used in connection with the book. SYBEX hereby grants to you a license to use the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Soft- ware will constitute your acceptance of such terms. The Software compilation is the property of SYBEX unless otherwise indicated and is protected by copyright to SYBEX or other copyright owner(s) as indicated in the media files (the “Owner(s)”). You are hereby granted a single-user license to use the Software for your personal, noncommercial use only. You may not repro- duce, sell, distribute, publish, circulate, or commercially exploit the Software, or any portion thereof, without the written consent of SYBEX and the specific copyright owner(s) of any component software included on this media. In the event that the Software or components include specific license requirements or end-user agreements, statements of condition, disclaimers, limitations or war- ranties (“End-User License”), those End-User Licenses supersede the terms and conditions herein as to that par- ticular Software component. Your purchase, accep- tance, or use of the Software will constitute your acceptance of such End-User Licenses. By purchase, use or acceptance of the Software you fur- ther agree to comply with all export laws and regula- tions of the United States as such laws and regulations may exist from time to time. Software Support Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material, but they are not sup- ported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate read.me files or listed elsewhere on the media. Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s). Warranty SYBEX warrants the enclosed media to be free of phys- ical defects for a period of ninety (90) days after pur- chase. The Software is not available from SYBEX in any other form or media than that enclosed herein or posted to www.sybex.com . If you discover a defect in the media during this warranty period, you may obtain a replace- ment of identical format at no charge by sending the defective media, postage prepaid, with proof of pur- chase to: SYBEX Inc. Product Support Department 1151 Marina Village Parkway Alameda, CA 94501 Web: http://www.sybex.com After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX. Disclaimer SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fit- ness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequen- tial, or other damages arising out of the use of or inabil- ity to use the Software or its contents even if advised of the possibility of such damage. In the event that the Soft- ware includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting. The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agree- ment of Terms and Conditions. Shareware Distribution This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a share- ware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files. Copy Protection The Software in whole or in part may or may not be copy-protected or encrypted. However, in all cases, reselling or redistributing these files without authoriza- tion is expressly forbidden except as specifically pro- vided for by the Owner(s) therein. 4335cFM.fm Page vi Wednesday, June 16, 2004 4:01 PM Acknowledgments Thanks to Neil Edde and Jordan Gold at Sybex for helping us hook up with this project; thanks also to Rodnay Zaks for numerous fine gastronomic experiences and for an even greater number of good ideas. But Neil wins the “great gastronomy prize” for taking me to Chez Panisse for lunch the last time I visited Sybex’s Alameda offices. Thanks to my mom and dad for providing me with the basic tools to become a writer and trainer: an inquiring mind, plus good verbal and debating skills. Thanks to Dina Kutueva, not just for marrying me and com- pleting my life, but also for her magnificent efforts and sacrifices in delivering our beautiful son, Gregory E. Tittel, in February 2004. You rule my world! And finally, thanks to the whole his- torical LANWrights gang—Dawn, Mary, Kim, Bill, Chelsea, Natanya, and Michael—for 10 great years of camaraderie, collaboration, and the occasional success. You guys are the greatest; I couldn’t have done it without you! I'm sorry we haven't all been able to stay together, but I'll always value our time together and our continuing friendships. —Ed Tittel Thanks to Ed Tittel and LANWrights, Inc. for allowing me to contribute to the revision of this book. Working with you guys is and always has been a pleasure. Thanks to my editor Dawn Rader for putting up with my bad grammar. Thanks to my third co-author, Mike Chapple, for helping make this book all it could be. To my parents, Dave and Sue, thanks for your love and consistent support. To my sister Sharon and nephew Wesley, it’s great having family like you to spend time with. To Mark, it’s time we bolth got a life. To HERbert and Quin, it’s great hav- ing two furry friends around the house. And finally, as always, to Elvis—where did you get that shiny gold suit? I want to wear it around town to blind anyone who gazes in my direction. —James Michael Stewart I’d like to thank Ed Tittel, Dawn Rader, and the team at LANWrights, Inc. for their assis- tance with this project. I also owe a debt of gratitude to the countless technical experts in gov- ernment and industry who’ve patiently answered my questions and fueled my passion for security over the years. Above all, I’d like to thank my wife Renee for her undying patience as I worked on this book. Without her support, this never would have been possible. —Mike Chapple 4335cFM.fm Page vii Wednesday, June 16, 2004 4:01 PM Contents at a Glance Introduction xxiii Assessment Test xxx Chapter 1 Accountability and Access Control 1 Chapter 2 Attacks and Monitoring 31 Chapter 3 ISO Model, Network Security, and Protocols 55 Chapter 4 Communications Security and Countermeasures 99 Chapter 5 Security Management Concepts and Principles 129 Chapter 6 Asset Value, Policies, and Roles 149 Chapter 7 Data and Application Security Issues 179 Chapter 8 Malicious Code and Application Attacks 219 Chapter 9 Cryptography and Private Key Algorithms 253 Chapter 10 PKI and Cryptographic Applications 287 Chapter 11 Principles of Computer Design 317 Chapter 12 Principles of Security Models 361 Chapter 13 Administrative Management 395 Chapter 14 Auditing and Monitoring 421 Chapter 15 Business Continuity Planning 449 Chapter 16 Disaster Recovery Planning 475 Chapter 17 Law and Investigations 507 Chapter 18 Incidents and Ethics 541 Chapter 19 Physical Security Requirements 563 Glossary 591 Index 649 4335cFM.fm Page viii Wednesday, June 16, 2004 4:01 PM 4335cFM.fm Page ix Wednesday, June 16, 2004 4:01 PM Contents Introduction xxiii Assessment Test xxx Chapter 1 Accountability and Access Control 1 Access Control Overview 2 Types of Access Control 2 Access Control in a Layered Environment 4 The Process of Accountability 5 Identification and Authentication Techniques 7 Passwords 7 Biometrics 10 Tokens 13 Tickets 14 Access Control Techniques 15 Access Control Methodologies and Implementation 17 Centralized and Decentralized Access Control 17 RADIUS and TACACS 18 Access Control Administration 19 Account Administration 19 Account, Log, and Journal Monitoring 20 Access Rights and Permissions 20 Summary 21 Exam Essentials 22 Review Questions 24 Answers to Review Questions 28 Chapter 2 Attacks and Monitoring 31 Monitoring 32 Intrusion Detection 33 Host-Based and Network-Based IDSs 33 Knowledge-Based and Behavior-Based Detection 35 IDS-Related Tools 36 Penetration Testing 37 Methods of Attacks 37 Brute Force and Dictionary Attacks 38 Denial of Service 40 Spoofing Attacks 43 Man-in-the-Middle Attacks 43 Sniffer Attacks 44 4335cFM.fm Page x Wednesday, June 16, 2004 4:01 PM [...]... The CISSP: Certified Information Systems Security Professional Study Guide, 2nd Edition offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam By purchasing this book, you’ve shown a willingness to learn and a desire to develop the skills you need to achieve this certification This introduction provides you with a basic overview of this book and the CISSP. .. follows: ISSAP (Information Systems Security Architecture Professional) ISSMP (Information Systems Security Management Professional) ISSEP (Information Systems Security Engineering Professional) For more details about these concentration exams and certifications, please see the (ISC)2 website at www.isc2.org Notes on This Book’s Organization This book is was designed to cover each of the 10 CISSP Common... domains covered by the CISSP exam If you are qualified to take the CISSP exam according to (ISC)2, then you are sufficiently prepared to use this book to study for the CISSP exam For more information on (ISC)2, see the next section (ISC)2 The CISSP exam is governed by the International Information Systems Security Certification Consortium, Inc (ISC)2 organization (ISC)2 is a global not-for-profit organization... Mechanisms Managing E-Mail Security E-Mail Security Goals Understanding E-Mail Security Issues E-Mail Security Solutions Securing Voice Communications Social Engineering Fraud and Abuse Phreaking Security Boundaries Network Attacks and Countermeasures Eavesdropping Second-Tier Attacks Address Resolution Protocol (ARP) Summary Exam Essentials Review Questions Answers to Review Questions Chapter 5 Security Management... certifications: CISSP, ISSAP, TICSA, CIW SA, Security+ , CTT+, MCT, CCNA, MCSE +Security Windows 2000, MCSE NT & W2K, MCP+I, and iNet+ Mike Chapple, CISSP, currently serves as chief information officer of the Brand Institute, a Miami-based marketing consultancy He formerly served as an information security researcher with the National Security Agency developing cutting-edge network intrusion detection systems. .. website at www.isc2.org CISSP and SSCP (ISC)2 supports and provides two primary certifications: CISSP and SSCP These certifications are designed to emphasize the knowledge and skills of an IT security professional across all industries CISSP is a certification for security professionals who have the task of designing a security infrastructure for an organization System Security Certified Practitioner... certification for security professionals who have the responsibility of implementing a security infrastructure in an organization The CISSP certification covers material from the 10 CBK domains: 1 Access Control Systems and Methodology 2 Telecommunications and Network Security xxiv Introduction 3 Security Management Practices 4 Applications and Systems Development Security 5 Cryptography 6 Security Architecture... who want to study for the CISSP certification exam If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you The purpose of this book is to adequately prepare you to pass the CISSP exam Before you dive into this book, you need to have accomplished a few tasks on your own You need to have a general understanding of IT and of security You... field of information systems security Provide certification for information systems security professionals and practitioners Conduct certification training and administer the certification exams Oversee the ongoing accreditation of qualified certification candidates through continued education The (ISC)2 is operated by a board of directors elected from the ranks of its certified practitioners More information. .. 188 189 190 190 xiv Contents Polyinstantiation Data Mining Data /Information Storage Types of Storage Storage Threats Knowledge-Based Systems Expert Systems Neural Networks Security Applications Systems Development Controls Software Development Systems Development Life Cycle Life Cycle Models Change Control and Configuration Management Security Control Architecture Service Level Agreements Summary Exam . CISSP: Certified Information Systems Security Professional Study Guide 2nd Edition 4335cFM.fm Page i Wednesday, June 16, 2004 4:01. Wednesday, June 16, 2004 4:01 PM San Francisco • London CISSP ® : Certified Information Systems Security Professional Study Guide 2nd Edition Ed Tittel James Michael Stewart Mike Chapple . 108 Miscellaneous Security Control Characteristics 108 Transparency 108 Verifying Integrity 109 Transmission Mechanisms 109 Managing E-Mail Security 109 E-Mail Security Goals 110 Understanding E-Mail Security