DOCUMENT INFORMATION
Basic information
Pages: 1,164
Size: 33.73 MB
Contents
All-in-1 / CISSP All-in-One Exam Guide, 5th Ed / Harris / 160217-8
FM.indd vi 12/16/2009 2:20:14 PM

CONTENTS AT A GLANCE
Chapter 1   Becoming a CISSP
Chapter 2   Security Trends   17
Chapter 3   Information Security and Risk Management   45
Chapter 4   Access Control   153
Chapter 5   Security Architecture and Design   281
Chapter 6   Physical and Environmental Security   401
Chapter 7   Telecommunications and Network Security   483
Chapter 8   Cryptography   665
Chapter 9   Business Continuity and Disaster Recovery   777
Chapter 10  Legal, Regulations, Compliance, and Investigations   845
Chapter 11  Application Security   921
Chapter 12  Operations Security   1049
Appendix A  Security Content Automation Protocol Overview   1133
Appendix B  About the CD-ROM   1141
Glossary   1145
Index   1161

CONTENTS
Forewords   xviii
Acknowledgments   xxi
Introduction   xxii

Chapter 1  Becoming a CISSP
    Why Become a CISSP?
    The CISSP Exam
    CISSP: A Brief History
    How Do You Become a CISSP?
    What Does This Book Cover?
    Tips for Taking the CISSP Exam
    How to Use This Book
    Questions
    Answers

Chapter 2  Security Trends   17
    How Security Became an Issue   17
    Areas of Security   20
    Benign to Scary   21
    Evidence of the Evolution of Hacking   22
    How Are Nations Affected?   25
    How Are Companies Affected?   27
    The U.S. Government's Actions   29
    Politics and Laws   33
    So What Does This Mean to Us?   35
    Hacking and Attacking   36
    Management   37
    A Layered Approach   39
    An Architectural View   40
    A Layer Missed   41
    Bringing the Layers Together   42
    Education   42
    Summary   43

Chapter 3  Information Security and Risk Management   45
    Security Management   45
    Security Management Responsibilities   46
    The Top-Down Approach to Security   47
    Security Administration and Supporting Controls   48
    Fundamental Principles of Security   51
    Availability   51
    Integrity   52
    Confidentiality   53
    Security Definitions   54
    Security Through Obscurity   56
    Organizational Security Model   57
    Security Program Components   59
    Information Risk Management   73
    Who Really Understands Risk Management?   73
    Information Risk Management Policy   74
    The Risk Management Team   75
    Risk Analysis   76
    The Risk Analysis Team   77
    The Value of Information and Assets   78
    Costs That Make Up the Value   79
    Identifying Threats   80
    Failure and Fault Analysis   83
    Quantitative Risk Analysis   86
    Qualitative Risk Analysis   91
    Quantitative vs. Qualitative   94
    Protection Mechanisms   95
    Putting It Together   99
    Total Risk vs. Residual Risk   100
    Handling Risk   101
    Policies, Standards, Baselines, Guidelines, and Procedures   102
    Security Policy   103
    Standards   106
    Baselines   107
    Guidelines   108
    Procedures   108
    Implementation   109
    Information Classification   111
    Private Business vs. Military Classifications   112
    Classification Controls   115
    Layers of Responsibility   117
    Who's Involved?   117
    The Data Owner   125
    The Data Custodian   125
    The System Owner   126
    The Security Administrator   126
    The Security Analyst   127
    The Application Owner   127
    The Supervisor   127
    The Change Control Analyst   127
    The Data Analyst   128
    The Process Owner   128
    The Solution Provider   128
    The User   128
    The Product Line Manager   129
    The Auditor   129
    Why So Many Roles?   129
    Personnel   130
    Structure   130
    Hiring Practices   131
    Employee Controls   133
    Termination   133
    Security-Awareness Training   134
    Different Types of Security-Awareness Training   135
    Evaluating the Program   136
    Specialized Security Training   137
    Summary   138
    Quick Tips   139
    Questions   142
    Answers   148

Chapter 4  Access Control   153
    Access Controls Overview   153
    Security Principles   154
    Availability   155
    Integrity   155
    Confidentiality   155
    Identification, Authentication, Authorization, and Accountability   156
    Identification and Authentication   158
    Password Management   169
    Authorization   194
    Access Control Models   210
    Discretionary Access Control   210
    Mandatory Access Control   211
    Role-Based Access Control   213
    Access Control Techniques and Technologies   216
    Rule-Based Access Control   216
    Constrained User Interfaces   218
    Access Control Matrix   218
    Content-Dependent Access Control   220
    Context-Dependent Access Control   220
    Access Control Administration   221
    Centralized Access Control Administration   222
    Decentralized Access Control Administration   229
    Access Control Methods   229
    Access Control Layers   230
    Administrative Controls   230
    Physical Controls   232
    Technical Controls   233
    Access Control Types   236
    Preventive: Administrative   238
    Preventive: Physical   238
    Preventive: Technical   239
    Accountability   242
    Review of Audit Information   244
    Keystroke Monitoring   244
    Protecting Audit Data and Log Information   245
    Access Control Practices   245
    Unauthorized Disclosure of Information   246
    Access Control Monitoring   248
    Intrusion Detection   249
    Intrusion Prevention Systems   258
    A Few Threats to Access Control   260
    Dictionary Attack   261
    Brute Force Attacks   262
    Spoofing at Logon   262
    Summary   266
    Quick Tips   266
    Questions   269
    Answers   276

Chapter 5  Security Architecture and Design   281
    Computer Architecture   283
    The Central Processing Unit   283
    Multiprocessing   288
    Operating System Architecture   289
    Process Activity   296
    Memory Management   297
    Memory Types   300
    Virtual Memory   308
    CPU Modes and Protection Rings   309
    Operating System Architecture   312
    Domains   313
    Layering and Data Hiding   314
    The Evolution of Terminology   316
    Virtual Machines   318
    Additional Storage Devices   320
    Input/Output Device Management   320
    System Architecture Defined   324
    Subsets of Subjects and Objects   325
    Trusted Computing Base   326
    Security Perimeter   329
    Reference Monitor and Security Kernel   330
    Security Policy   331
    Least Privilege   332
    Security Models   332
    State Machine Models   334
    The Bell-LaPadula Model   336
    The Biba Model   338
    The Clark-Wilson Model   341
    The Information Flow Model   344
    The Noninterference Model   347
    The Lattice Model   348
    The Brewer and Nash Model   350
    The Graham-Denning Model   351
    The Harrison-Ruzzo-Ullman Model   351
    Security Modes of Operation   353
    Dedicated Security Mode   353
    System High-Security Mode   353
    Compartmented Security Mode   354
    Multilevel Security Mode   354
    Trust and Assurance   356
    Systems Evaluation Methods   357
    Why Put a Product Through Evaluation?   357
    The Orange Book   358
    The Orange Book and the Rainbow Series   362
    The Red Book   363
    Information Technology Security Evaluation Criteria   364
    Common Criteria   367
    Certification vs. Accreditation   370
    Certification   371
    Accreditation   371
    Open vs. Closed Systems   372
    Open Systems   372
    Closed Systems   373
    Enterprise Architecture   373
    A Few Threats to Review   382
    Maintenance Hooks   382
    Time-of-Check/Time-of-Use Attacks   383
    Buffer Overflows   384
    Summary   388
    Quick Tips   389
    Questions   392
    Answers   397

Chapter 6  Physical and Environmental Security   401
    Introduction to Physical Security   401
    The Planning Process   404
    Crime Prevention Through Environmental Design   408
    Designing a Physical Security Program   413
    Protecting Assets   428
    Internal Support Systems   429
    Electric Power   430
    Environmental Issues   434
    Ventilation   437
    Fire Prevention, Detection, and Suppression   438
    Perimeter Security   446
    Facility Access Control   447
    Personnel Access Controls   454
    External Boundary Protection Mechanisms   455
    Intrusion Detection Systems   464
    Patrol Force and Guards   468
    Dogs   468
    Auditing Physical Access   469
    Testing and Drills   469
    Summary   470
    Quick Tips   471
    Questions   473
    Answers   478

Chapter 7  Telecommunications and Network Security   483
    Open Systems Interconnection Reference Model   485
    Protocol   485
    Application Layer   489
    Presentation Layer   489
    Session Layer   491
    Transport Layer   492
    Network Layer   493
    Data Link Layer   494
    Physical Layer   496
    Functions and Protocols in the OSI Model   496
    Tying the Layers Together   498
    TCP/IP   499
    TCP   500
    IP Addressing   506
    IPv6   508
    Types of Transmission   510
    Analog and Digital   510
    Asynchronous and Synchronous   511
    Broadband and Baseband   512
    LAN Networking   513
    Network Topology   513
    LAN Media Access Technologies   516
    Cabling   522
    Transmission Methods   528
    Media Access Technologies   529
    LAN Protocols   533
    Routing Protocols   538
    Networking Devices   541
    Repeaters   541
    Bridges   542
    Routers   544
    Switches   546
    Gateways   550
    PBXs   552
    Firewalls   553
    Honeypot   572
    Network Segregation and Isolation   572
    Networking Services and Protocols   573
    Domain Name Service   573
    Directory Services   578
    Lightweight Directory Access Protocol   580
    Network Address Translation   580
    Intranets and Extranets   582
    Metropolitan Area Networks   585
    Wide Area Networks   586
    Telecommunications Evolution   587
    Dedicated Links   589
    WAN Technologies   592
    Remote Access   610
    Dial-Up and RAS   610
    ISDN   611
    DSL   613
    Cable Modems   613
    VPN   615
    Authentication Protocols   621
    Remote Access Guidelines   623
    Wireless Technologies   624
    Wireless Communications   625
    WLAN Components   627
    Wireless Standards   630
    WAP   641
    i-Mode   642
    Mobile Phone Security   643
    War Driving for WLANs   644
    Satellites   646
    Rootkits   649
    Spyware and Adware   650
    Instant Messaging   651
    Summary   652
    Quick Tips   652
    Questions   656
    Answers   660

Chapter 8  Cryptography   665
    The History of Cryptography   666
    Cryptography Definitions and Concepts   671
    Kerckhoffs' Principle   672
    The Strength of the Cryptosystem   674
    Services of Cryptosystems   675
    One-Time Pad   677
    Running and Concealment Ciphers   679
    Steganography   680
    Types of Ciphers   683
    Substitution Ciphers   683
    Transposition Ciphers   684
    Methods of Encryption   686
    Symmetric vs. Asymmetric Algorithms   686
    Symmetric Cryptography   686
    Block and Stream Ciphers   691
    Hybrid Encryption Methods   696
    Types of Symmetric Systems   702
    Data Encryption Standard   703
    Triple-DES   710
    The Advanced Encryption Standard   711
    International Data Encryption Algorithm   711
    Blowfish   712
    RC4   712
    RC5   712
    RC6   712
    Types of Asymmetric Systems   713
    The Diffie-Hellman Algorithm   713
    RSA   716
    El Gamal   719
    Elliptic Curve Cryptosystems   719
    LUC   720
    Knapsack   720
    Zero Knowledge Proof   720
    Message Integrity   721
    The One-Way Hash   721
    Various Hashing Algorithms   726
    MD2   727
    MD4   727
    MD5   727
    Attacks Against One-Way Hash Functions   729
    Digital Signatures   730
    Digital Signature Standard   733
    Public Key Infrastructure   733
    Certificate Authorities   734
    Certificates   737
    The Registration Authority   737
    PKI Steps   738
    Key Management   740
    Key Management Principles   741
    Rules for Keys and Key Management   742
    Link Encryption vs. End-to-End Encryption   742
    E-mail Standards   745
    Multipurpose Internet Mail Extension   745
    Privacy-Enhanced Mail   746
    Message Security Protocol   747
    Pretty Good Privacy   747
    Quantum Cryptography   748
    Internet Security   750
    Start with the Basics   750
    Attacks   761
    Cipher-Only Attacks   761
    Known-Plaintext Attacks   761
    Chosen-Plaintext Attacks   761
    Chosen-Ciphertext Attacks   762
    Differential Cryptanalysis   762
    Linear Cryptanalysis   763
    Side-Channel Attacks   763
    Replay Attacks   764
    Algebraic Attacks   764
    Analytic Attacks   764
    Statistical Attacks   764
    Summary   765
    Quick Tips   765
    Questions   769
    Answers   773

Chapter 9  Business Continuity and Disaster Recovery   777
    Business Continuity and Disaster Recovery   778
    Business Continuity Steps   780
    Making BCP Part of the Security Policy and Program   781
    Project Initiation   783
    Business Continuity Planning Requirements   785
    Business Impact Analysis   786
    Preventive Measures   793
    Recovery Strategies   794
    Business Process Recovery   796
    Facility Recovery   797
    Supply and Technology Recovery   803
    The End-User Environment   808
    Data Backup Alternatives   809
    Electronic Backup Solutions   812
    Choosing a Software Backup Facility   814
    Insurance   816
    Recovery and Restoration   817
    Developing Goals for the Plans   821
    Implementing Strategies   823
    Testing and Revising the Plan   824
    Maintaining the Plan   829
    Summary   832
    Quick Tips   832
    Questions   834
    Answers   840

Chapter 10  Legal, Regulations, Compliance, and Investigations   845
    The Many Facets of Cyberlaw   846
    The Crux of Computer Crime Laws   847
    Complexities in Cybercrime   849
    Electronic Assets   851
    The Evolution of Attacks   851
    Different Countries   854
    Types of Laws   856
    Intellectual Property Laws   860
    Trade Secret   861
    Copyright   861
    Trademark   862
    Patent   862
    Internal Protection of Intellectual Property   863
    Software Piracy   863
    Privacy   865
    Laws, Directives, and Regulations   866
    ...

Preview excerpts from the body text:
... up the CISSP CBK ...
Domain: Cryptography. Description: This domain examines ...
... have this sponsor lined up prior to registering for the exam and providing payment ...

CHAPTER 1
Becoming a CISSP
This chapter presents the following:
• The definition of a CISSP
• Reasons to become a CISSP
• What the CISSP ...