CISSP - Certified Information System Security Professional

CISSP Training Guide - Robert Bragg

Also visit our website http://www.enacom.nl.

Based on the books:

CISSP Certification, Training Guide, Roberta Bragg
The CISSP Prep Guide, Ronald L. Krutz & Russel Dean Vines

Summary by Jos Engelhart MSc CISSP



Table of Contents

CISSP i

1 ACCESS CONTROL SYSTEMS AND METHODOLOGY ... 1
1.1 AUTHENTICATION AND ACCESS CONTROL ... 1
1.2 ACCOUNTABILITY ... 1
1.3 ACCESS CONTROL TECHNIQUES ... 1
    Discretionary Access Control - DAC ... 1
    Mandatory Access Control - MAC ... 1
    Lattice-Based Access Control ... 1
    Rule-Based Access Control ... 2
    Role-Based Access Control ... 2
    Access Control Lists ... 2
1.4 ACCESS CONTROL ADMINISTRATION ... 2
    Account Administration ... 2
1.5 ACCESS CONTROL MODELS / STRATEGIES ... 3
    Bell-LaPadula ... 3
    Biba ... 3
    Lipner's Lattice ... 4
    Non-interference Models ... 4
1.6 IDENTIFICATION AND AUTHENTICATION TECHNIQUES ... 4
    Passwords ... 4
    One-Time Passwords ... 4
    Challenge Response ... 4
    Biometrics ... 4
    Tickets ... 4
    Single Sign-On ... 5
1.7 ACCESS CONTROL METHODOLOGIES ... 5
    Centralized/Remote Authentication Access Controls ... 5
    Decentralized Access Control ... 5
1.8 METHODS OF ATTACK ... 5
    Brute Force ... 5
    Denial of Service ... 5
    Spoofing ... 6
    Sniffing ... 6
1.9 MONITORING ... 6
    Intrusion Detection ... 6
    Intrusion Prevention ... 6
    How Intrusion Detection Works ... 6
1.10 PENETRATION TESTING ... 7
    Penetration Testing versus Security Assessments ... 7
    Ethical Issues ... 7
    Performing a Penetration Test ... 7

2 TELECOMMUNICATIONS AND NETWORK SECURITY ... 1
2.1 THE OPEN SYSTEMS INTERCONNECTION MODEL ... 1
2.2 THE OSI LAYERS ... 1
    Layer 7 - Application Layer ... 1
    Layer 6 - Presentation Layer ... 2
    Layer 5 - Session Layer ... 2
    Layer 4 - Transport Layer ... 2
    Layer 3 - Network Layer ... 2
    Layer 2 - Data Link Layer ... 3
    Layer 1 - Physical Layer ... 3
2.3 NETWORK CHARACTERISTICS AND TOPOLOGIES ... 3
    Coax ... 3
    UTP ... 4
    Fiber Optic ... 4
    Multi-Mode Fiber ... 5
    Single-Mode Fiber ... 5
    Dense Wave Division Multiplexing ... 5
    Wireless ... 5
2.4 NETWORK TOPOLOGIES ... 5
    Linear Bus Topology ... 5
    Star Topology ... 6
    Ring Topology ... 6
    Tree Topology ... 6
    Mesh Topology ... 6
    LAN and WAN Technologies ... 6


    Ethernet ... 6
    Token-Ring and FDDI ... 6
    ARCnet - Attached Resource Computer Network ... 7
2.5 LAN DEVICES ... 7
    Hubs and Repeaters ... 7
    Switches and Bridges ... 7
    VLANs ... 7
    Routers ... 8
    Firewalls ... 8
    Gateways and Proxies ... 10
2.6 WAN TECHNOLOGIES ... 10
    WAN Connections ... 10
    WAN Services ... 10
    WAN Devices ... 12
2.7 PROVIDING REMOTE ACCESS CAPABILITIES ... 12
    Client-Based Dial-In Remote Access ... 12
    Using Tunneling as a Security Method ... 12
    Virtual Private Networks ... 12
    Remote Access Authentication ... 13
2.8 NETWORKING PROTOCOLS ... 13
    Application Layer Protocols ... 13
    Transport Layer Protocols ... 14
    Internet Layer Protocols ... 14
2.9 PROTECTING THE INTEGRITY, AVAILABILITY AND CONFIDENTIALITY OF NETWORK DATA ... 14
    The CIA Triad ... 14
    Security Boundaries and Translating Security Policy to Controls ... 15
    Trusted Network Interpretation ... 15
    Network Layer Security Protocols ... 15
    Transport Layer Security Protocols ... 16
    Application Layer Security Protocols ... 16
    Network Monitoring and Packet Sniffers ... 16
    Intrusion Detection ... 16
    Intrusion Response ... 17
    Network Address Translation ... 17
    Public and Private IP Addresses ... 18
    Transparency ... 18
    Hash Totals ... 18
    Email Security ... 18
    Facsimile and Printer Security ... 18
    Common Attacks and Countermeasures ... 18
2.10 FAULT TOLERANCE AND DATA RESTORATION ... 19
2.11 ADDENDUM ... 20

3 SECURITY MANAGEMENT AND PRACTICES ... 1
3.1 DEFINING SECURITY PRINCIPLES ... 1
    CIA: Information Security's Fundamental Principles ... 1
    Privacy ... 1
    Identification and Authentication ... 1
    Nonrepudiation ... 2
    Accountability and Auditing ... 2
3.2 SECURITY MANAGEMENT PLANNING ... 2
3.3 RISK MANAGEMENT AND ANALYSIS ... 2
    Risk Analysis ... 3
    Identifying Threats and Vulnerabilities ... 3
    Asset Valuation ... 3
    Qualitative Risk Analysis ... 4
    Countermeasure Selection and Evaluation ... 4
3.4 POLICIES, STANDARDS, GUIDELINES AND PROCEDURES ... 5
3.5 ROLES AND RESPONSIBILITIES ... 5
3.6 UNDERSTANDING PROTECTION MECHANISMS ... 6
3.7 CLASSIFYING DATA ... 6
3.8 EMPLOYMENT POLICIES AND PRACTICES ... 7
3.9 MANAGING CHANGE CONTROL ... 7
4 APPLICATIONS AND SYSTEM DEVELOPMENT SECURITY ... 1
4.1 SOFTWARE APPLICATIONS AND ISSUES ... 1
    Centralized, Decentralized and Distributed Systems ... 1


    Malicious Software (Malware) ... 1
    Databases ... 2
    Data Warehouses ... 2
    Storage and Storage Systems ... 2
    Knowledge-Based Systems ... 3
    Web Services and Other Examples of Edge Computing ... 3
4.2 ATTACKING SOFTWARE ... 3
4.3 UNDERSTANDING MALICIOUS CODE ... 4
4.4 IMPLEMENTING SYSTEM DEVELOPMENT CONTROLS ... 4
4.5 USING CODING PRACTICES THAT REDUCE SYSTEM VULNERABILITY ... 5
5 CRYPTOGRAPHY ... 1
5.1 USES OF CRYPTOGRAPHY ... 1
5.2 CRYPTOGRAPHIC CONCEPTS, METHODOLOGIES AND PRACTICES ... 1
    Symmetric Algorithms ... 1
    Asymmetric Algorithms ... 1
    Safety Mechanisms ... 1
5.3 PKI AND KEY MANAGEMENT ... 2
5.4 METHODS OF ATTACK ... 2
6 SECURITY ARCHITECTURE AND MODELS ... 2
6.1 REQUIREMENTS FOR SECURITY ARCHITECTURE AND MODELS ... 2
6.2 SECURITY MODELS ... 2
    Clark-Wilson Model ... 2
    Access Control Lists ... 2
6.3 SECURITY SYSTEM ARCHITECTURE ... 2
    Security Principles ... 2
    Security Modes ... 3
6.4 INFORMATION SYSTEM SECURITY STANDARDS ... 3
    TCSEC - The Orange Book and the Rainbow Series ... 4
    ITSEC - Information Technology Security Evaluation Criteria ... 4
    Common Criteria ... 5
6.5 COMMON CRITERIA ... 5
    Introduction and General Model ... 6
    Security Functional Requirements ... 6
    Security Assurance Requirements ... 6
    Evaluation Assurance Packages or Levels - EALs ... 7
    Areas not Addressed by the Common Criteria ... 7
    A Comparison of the Orange Book, ITSEC and Common Criteria ... 7
6.6 IPSEC ... 8
    Uses for IPSec ... 8
    Architectural Components of IPSec ... 8
7 OPERATIONS SECURITY ... 1
7.1 EXAMINING THE KEY ROLES OF OPERATIONS SECURITY ... 1
    The OPSEC Process ... 1
7.2 THE ROLES OF AUDITING AND MONITORING ... 2
    Using Logs to Audit Activity and Detect Intrusion ... 2
    Intrusion Detection ... 2
    Penetration Testing Techniques ... 2
7.3 DEVELOPING COUNTERMEASURES TO THREATS ... 3
    Risk Analysis ... 3
    Threats ... 3
    Countermeasures ... 3
7.4 CONCEPTS AND BEST PRACTICES ... 4
    Privileged Operations Functions ... 4
    Understanding Antiviral Controls ... 4
    Protecting Sensitive Information and Media ... 4
    Change Management Control ... 5
8 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING ... 1


8.1 WHAT ARE THE DISASTERS THAT INTERRUPT BUSINESS OPERATION? ... 1
8.2 QUANTIFYING THE DIFFERENCE BETWEEN DRP AND BCP ... 1
8.3 EXAMINING THE BCP PROCESS ... 1
    Define the Scope ... 1
    Perform a Business Impact Analysis (BIA) ... 1
    Develop Operational Plans for Each Business Process ... 2
    Implement Plans ... 3
    Test Plans ... 3
    Maintain Plans ... 3
8.4 DEFINING DRP ... 3
    Determining the Scope of the Recovery Plan ... 4
    Creating Antidisaster Procedures ... 4
    Listing Necessary Resources ... 4
    Emergency Response Procedures ... 4
8.5 DEVELOPING A BACKUP STRATEGY ... 4
    Backup Procedures and Policies ... 4
    Vital Records Program ... 4
    Hardware Backups ... 5
9 LAW, INVESTIGATION AND ETHICS ... 1
9.1 FUNDAMENTALS OF LAW ... 1
    Intellectual Property Law ... 1
    Privacy Law ... 1
    Governmental Regulations ... 1
9.2 CRIMINAL LAW AND COMPUTER CRIME ... 2
9.3 COMPUTER SECURITY INCIDENTS ... 2
    Advance Planning ... 2
    Computer Crime Investigation ... 3
9.4 LEGAL EVIDENCE ... 3
    The Fourth Amendment ... 3
9.5 COMPUTER FORENSICS ... 3
9.6 COMPUTER ETHICS ... 4
10 PHYSICAL SECURITY ... 1
10.1 CLASSIFYING ASSETS TO SIMPLIFY PHYSICAL SECURITY DISCUSSIONS ... 1
10.2 VULNERABILITIES ... 1
10.3 SELECTING, DESIGNING, CONSTRUCTING AND MAINTAINING A SECURE SITE ... 1
    Site Location and Construction ... 1
    Physical Access Controls ... 1
    Power Issues and Controls ... 2
    Environmental Controls ... 2
    Water Exposure Problems and Controls ... 2
    Fire Prevention and Protection ... 3
10.4 TAPE AND MEDIA LIBRARY RETENTION POLICIES ... 3
10.5 DOCUMENT (HARD-COPY) LIBRARIES ... 3
10.6 WASTE DISPOSAL ... 4
10.7 PHYSICAL INTRUSION DETECTION ... 4
10.8 ADDENDUM ... 4
ABBREVIATIONS ... I


CISSP 1-1

1 Access Control Systems and Methodology

Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system.

1.1 Authentication and access control

The key part of security is controlling access to critical information. We distinguish between authentication and access control. Authentication identifies a user and verifies that the user is who he says he is. Access control then determines what access he is given on the system. This is governed by the principle of least privilege: give a user the least amount of access he needs to do his job and nothing else.

1.2 Accountability

Accountability is the process of tracking the behavior of people with regard to their actions and the access controls they have been given. With that record you can hold people accountable for their actions and properly enforce access controls. The most commonly used mechanism is logging.

1.3 Access Control Techniques

Access control techniques are:

Discretionary Access Control

Mandatory Access Control

Lattice-based access control

Rule-based access control

Role-based access control

The use of access control lists

DISCRETIONARY ACCESS CONTROL - DAC

This type of control is essentially based on human decisions about whether someone or something should be allowed access to a particular resource. Most of the time guidelines or policies are applied rigidly. They are open to mistakes and can easily be overridden. The biggest problem is humans (managers) overriding access controls for individuals who complain that they have too few permissions.

DAC is a low level of access control and very subjective.

MANDATORY ACCESS CONTROL - MAC

MAC is based on classification levels enforced by the computer system. These systems are popular in government-type environments and financial institutions. Each user gets a classification level associated with their account, and each piece of data has a classification level.

Most of the time accounts include a hierarchy of access rights; we call this multilevel security. This is not always wanted. Another form of classification is compartmentalization, e.g. HR accounts and Finance accounts.

LATTICE-BASED ACCESS CONTROL

This type of control is based on a set of security classes that can be assigned to users or objects, for example: confidential, secret, top secret. Based on these classes a set of flow operations is defined showing how information can flow from one class to another. The requirements for a lattice are:

The set of security classes must be finite and must not change.

All the flow operations must form a partial order with the following properties:

Reflexive: an item can always flow back to the security class it came from (two-way direction), e.g. confidential -> confidential.

Anti-symmetric: an item cannot flow back to the security class it came from (one-way direction), e.g. confidential -> secret, but not secret -> confidential.

Transitive: information that flows into a certain security class by going through another security class can also flow directly into that class, e.g. confidential -> secret -> top secret includes the property confidential -> top secret.

It must have a lower bound (the null class).

It must have an upper bound which represents a combination of all the items in the security class.
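As an added example (not code from the summary or from Bragg's book), the Python below models a security class as a pair of sensitivity level and compartment set, defines the "dominates" partial order and the flow rule on top of it, and then checks the lattice requirements listed above (reflexive, anti-symmetric, transitive, lower bound, upper bound) over the entire finite set of classes. The level names, the compartments A and B, and all function names are this example's own assumptions.

```python
from itertools import combinations, product

# Constructed example: a totally ordered ladder of sensitivity levels (lowest first)
# and a set of compartments. A security class is the pair (level rank, compartments).
LEVELS = ["unclassified", "confidential", "secret", "top secret"]
COMPARTMENTS = ("A", "B")


def make_class(level, compartments=()):
    """Build a security class from a level name and an iterable of compartment names."""
    return (LEVELS.index(level), frozenset(compartments))


def dominates(hi, lo):
    """The partial order: hi >= lo when hi's level is at least lo's level
    and hi carries every compartment that lo carries."""
    return hi[0] >= lo[0] and hi[1] >= lo[1]


def can_flow(src, dst):
    """Information may flow from class src to class dst only if dst dominates src:
    flowing 'up' the lattice is allowed, flowing 'down' or sideways is not."""
    return dominates(dst, src)


def join(x, y):
    """Least upper bound: the lowest class that dominates both x and y."""
    return (max(x[0], y[0]), x[1] | y[1])


def meet(x, y):
    """Greatest lower bound: the highest class dominated by both x and y."""
    return (min(x[0], y[0]), x[1] & y[1])


def all_classes():
    """Every (level, compartment subset) combination: the finite set of security classes."""
    subsets = [frozenset(c) for r in range(len(COMPARTMENTS) + 1)
               for c in combinations(COMPARTMENTS, r)]
    return [(rank, s) for rank in range(len(LEVELS)) for s in subsets]


def check_lattice(classes):
    """Verify the requirements from the text over the whole finite set of classes:
    the flow relation is reflexive, anti-symmetric and transitive, and the set has a
    lower bound (the null class) and an upper bound (the class combining everything)."""
    reflexive = all(dominates(x, x) for x in classes)
    antisymmetric = all(x == y for x, y in product(classes, repeat=2)
                        if dominates(x, y) and dominates(y, x))
    transitive = all(dominates(x, z) for x, y, z in product(classes, repeat=3)
                     if dominates(x, y) and dominates(y, z))
    bottom = (0, frozenset())
    top = (len(LEVELS) - 1, frozenset(COMPARTMENTS))
    bounded = all(dominates(x, bottom) and dominates(top, x) for x in classes)
    return {"reflexive": reflexive, "antisymmetric": antisymmetric,
            "transitive": transitive, "bounded": bounded}


if __name__ == "__main__":
    print(check_lattice(all_classes()))
    conf_a = make_class("confidential", ("A",))
    secret_b = make_class("secret", ("B",))
    print(can_flow(conf_a, secret_b))                 # False: secret/{B} lacks compartment A
    print(can_flow(conf_a, join(conf_a, secret_b)))   # True: the join dominates both
```

The incomparable pair (confidential with compartment A, secret with compartment B) is the case worth noticing: a higher level alone does not permit the flow, which is exactly what compartmentalization is meant to enforce.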

RULE-BASED ACCESS CONTROL

This kind of control is based on rule sets for individuals. These are not needed in small companies, because everybody knows his role and is trusted to some extent. For larger organizations, however, they provide a fine level of granularity. Disadvantages are:

Time consuming - you have to figure out what everybody is allowed to do

Maintainability - it becomes a complex list

This is why some companies prefer role-based access control.

ROLE-BASED ACCESS CONTROL

Access is provided to roles or positions across a company. Permissions are then assigned to the role based on the job function of a position. This control is easy to maintain and manage. It is typically implemented by using groups to which permissions are given.

ACCESS CONTROL LISTS

These are similar to rule-based access controls but more formalized. ACLs contain a list of rules, usually based on IP addresses or some other piece of information that can easily be discerned in the packet that goes across the network. ACLs are often associated with routers.
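The following added Python example (not code from the summary or from the books it is based on) evaluates a small router-style ACL of the kind just described: each rule constrains source and destination address, protocol and destination port, the rules are walked top to bottom, the first match decides, and a packet that matches nothing falls through to the implicit deny at the end of the list. The rule syntax, the addresses and the packet fields are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network     # source network
    dst: ipaddress.IPv4Network     # destination network
    dport: Optional[int]           # destination port, None = any port


def parse_rule(line):
    """Parse one rule in a constructed, router-like syntax:
    '<permit|deny> <proto> <src-cidr> <dst-cidr> [dst-port]'."""
    parts = line.split()
    if len(parts) not in (4, 5) or parts[0] not in ("permit", "deny"):
        raise ValueError("malformed rule: " + line)
    dport = int(parts[4]) if len(parts) == 5 else None
    return Rule(parts[0], parts[1], ipaddress.ip_network(parts[2]),
                ipaddress.ip_network(parts[3]), dport)


def matches(rule, pkt):
    """A packet matches a rule when every field the rule constrains agrees with it."""
    return (ipaddress.ip_address(pkt["src"]) in rule.src
            and ipaddress.ip_address(pkt["dst"]) in rule.dst
            and rule.proto in ("any", pkt["proto"])
            and (rule.dport is None or rule.dport == pkt.get("dport")))


def evaluate(acl, pkt):
    """Walk the list top to bottom; the first matching rule decides and its index is
    returned for logging. A packet that matches nothing is dropped: the implicit
    'deny all' at the end of every ACL."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed ACL for an internal web server at 192.168.1.10: HTTPS from the whole
# 10/8 network, SSH only from the admin subnet, everything else to the server dropped
# explicitly, then general outbound traffic from 10/8.
ACL = [parse_rule(line) for line in [
    "permit tcp 10.0.0.0/8 192.168.1.10/32 443",
    "permit tcp 10.0.1.0/24 192.168.1.10/32 22",
    "deny any 0.0.0.0/0 192.168.1.10/32",
    "permit any 10.0.0.0/8 0.0.0.0/0",
]]

if __name__ == "__main__":
    for pkt in [{"src": "10.0.5.7", "dst": "192.168.1.10", "proto": "tcp", "dport": 443},
                {"src": "10.0.5.7", "dst": "192.168.1.10", "proto": "tcp", "dport": 22},
                {"src": "203.0.113.4", "dst": "10.0.0.1", "proto": "tcp", "dport": 80}]:
        print(pkt, "->", evaluate(ACL, pkt))
```

Rule order is the whole point of an ACL: moving the explicit deny above the HTTPS permit would silently cut off the web server, which is why the evaluator returns the index of the deciding rule so that a log line can show which entry fired.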

1.4 Access Control Administration

Setting up an administration is easy; the ongoing maintenance is the difficult part. It essentially involves a user ID and a password which have to be set up and maintained for every user of the system. User accounts should be disabled when an employee leaves the company, rather than deleted.

ACCOUNT ADMINISTRATION

With a new account:

Assign a unique, random, temporary initial password to the account.

Force the person to change it to another password known only to him.

Prevent multiple people from having access to the same password: you lose accountability.

Keep track of all access controls through logging (successes and failures).

Always give someone the least amount of access he needs to do his job and nothing else.

Maintain separation of duties for access to sensitive information. This means that multiple people must participate to gain access (e.g. firing a nuke).

Figure: the lattice of compartment sets {}, {A}, {B} and {A, B}, with {} as the lower bound (the null class) and {A, B} as the upper bound combining all items.
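As an added example (not from the summary or from the books it is based on), the Python below implements the account-administration checklist above in a small in-memory store: a random temporary password per account that must be changed at first login, an audit log of successful and failed events, disabling rather than deleting on departure, least-privilege permission lookups through roles (the group-based implementation of role-based access control), and a two-person check that enforces separation of duties for a sensitive action. The role table, user ids and permission names are constructed for this example, and passwords are stored salted and hashed with PBKDF2 rather than in clear.

```python
import hashlib
import os
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed role table: the permissions each role (group) carries.
ROLE_PERMISSIONS = {
    "teller": {"view_balance"},
    "approver": {"approve_transfer"},
    "auditor": {"read_audit_log"},
}


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """In-memory account administration (constructed example, not a real product)."""

    def __init__(self):
        self.accounts = {}
        self.audit_log = []

    def _log(self, event, user, success):
        # Record successes *and* failures so every action traces back to a user id.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, "user": user, "success": success})

    def _set_password(self, acct, password):
        acct["salt"] = os.urandom(16)
        acct["hash"] = hash_password(password, acct["salt"])

    def create_account(self, user, roles):
        """Each account gets its own random temporary password that must be replaced
        at first login, so nobody but the user ever knows the password he chooses."""
        if user in self.accounts:
            raise ValueError("duplicate user id")
        acct = {"enabled": True, "must_change": True, "roles": set(roles)}
        temporary = "".join(secrets.choice(ALPHABET) for _ in range(16))
        self._set_password(acct, temporary)
        self.accounts[user] = acct
        self._log("create", user, True)
        return temporary

    def login(self, user, password):
        acct = self.accounts.get(user)
        ok = bool(acct and acct["enabled"]
                  and secrets.compare_digest(hash_password(password, acct["salt"]), acct["hash"]))
        self._log("login", user, ok)
        if not ok:
            return "denied"
        return "change_password_required" if acct["must_change"] else "ok"

    def change_password(self, user, old, new):
        if self.login(user, old) == "denied":
            return False
        self._set_password(self.accounts[user], new)
        self.accounts[user]["must_change"] = False
        self._log("change_password", user, True)
        return True

    def disable(self, user):
        """On departure the account is disabled, not deleted: the audit log still
        resolves the user id and the id cannot be handed to someone else."""
        self.accounts[user]["enabled"] = False
        self._log("disable", user, True)

    def has_permission(self, user, permission):
        """Least privilege: a user has exactly the permissions his roles carry."""
        acct = self.accounts.get(user)
        if not acct or not acct["enabled"]:
            return False
        return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in acct["roles"])


def dual_control(store, action_permission, approvers):
    """Separation of duties: a sensitive action needs two *different* enabled
    accounts that each hold the required permission."""
    distinct = set(approvers)
    if len(distinct) < 2:
        return False
    return all(store.has_permission(u, action_permission) for u in distinct)
```

The `dual_control` check deliberately deduplicates the approver list first: the same person presenting twice is the classic way a two-person rule is defeated, and a disabled account must never count as one of the two.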


1.5 Access Control models / strategies

The models in this section serve as rules of the road when figuring out the general principles that should be followed when implementing access control. In the explanation two terms are used: objects, which refers to passive items such as hardware, software and processes that store information, and subjects, which are active processes that move information (such as persons or devices).

BELL-LAPADULA

Bell-LaPadula (1970s) is a governmental information-flow security model that focuses on confidentiality. Access to information is controlled by access lists, but the movement of information is controlled by this paradigm: it protects people from accessing information they should not have access to. It is a bottom-up model, which says that information can flow from the bottom to the top but not downwards. It is composed of two rules:

The simple security rule deals with reading information or files.

The star property rule deals with writing information or creating new files.

Simple Security Rule

A principal P can read an object O only if the security level of P is higher than or equal to the security level of O. This rule ensures that someone can only read information up to the level he is cleared for, but not higher.

Star Property Rule

A principal P can write to an object O only if the security label of O is higher than or equal to the security label of P. Information cannot be written to a lower classification level. This property prevents the leakage of information, for example by write-down Trojan horses that attempt to read secure information and write it into a generally accessible file so that an evildoer has access to it, or by copying classified data from a protected folder to a general folder.

Bell-LaPadula follows the Basic Security Theorem and has the following basic concepts:

Fundamental modes of access - access modes such as read, write, read only and so on are defined to permit access between subjects and objects.

Dominance relations - a relationship between the formal security levels of subjects and objects describes the access permitted between them.

Simple security condition - see above.

Discretionary security property - a specific subject is authorized for a particular mode of access that is required for a state transition. A matrix is used to specify discretionary access controls.

Star (*) property - see above.

Strong star property - reading/writing is permitted at a particular level of sensitivity, but not at higher or lower levels.

Trusted subject - access under this option is not constrained by the star property. Where the star property is too rigid, data can be moved using a trusted subject.

Untrusted subject - access under this option is constrained by the star property.

BIBA

Biba is, like BLP, an information-flow model, but it deals with integrity in computer systems: it is all about modification of data. It has the same two rules (simple security and star property) as BLP, but both rules are the opposite of those in the BLP model. Within Biba information can flow from the top down.

Simple Security Rule

A principal P can read an object O only if the security level of P is lower than or equal to the security level of O. Because Biba deals with integrity, you cannot read down. There is no need to read information that isn't relevant to a certain transaction; for example the withdrawal of money from your bank account.

Star Property Rule

A principal P can write to an object O only if the security label of O is lower than or equal to the security label of P. Because Biba deals with integrity, you cannot write up. To withdraw 100 from your account at the bank, it is not accepted that you tell the employee that there is enough money on your account (that would be a write-up); the employee checks the system to see whether you have enough money on your account.

In summary:

BLP (confidentiality): you cannot read up, you cannot write down.

Biba (integrity): you cannot read down, you cannot write up.
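The BLP and Biba rules above, as an added worked example (this is not code from the study guide or from the books it summarises): both models are checked over one constructed, ordered set of security levels, including the trusted-subject exemption from the * property, the strong * property, and the write-down Trojan scenario described under the star property rule. The level names are an assumption made for the example.

```python
# Added example (not from the original study guide): access decisions under
# Bell-LaPadula (confidentiality) and Biba (integrity) over one ordered set
# of security levels. The level names are constructed for the example.
from typing import Literal

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
Mode = Literal["read", "write"]


def rank(label: str) -> int:
    """Map a level name to its position in the lattice (higher dominates)."""
    if label not in LEVELS:
        raise ValueError(f"unknown security level: {label!r}")
    return LEVELS[label]


def blp_allowed(mode: Mode, subject: str, obj: str, trusted: bool = False) -> bool:
    """Bell-LaPadula: no read up (simple security), no write down (* property).

    A trusted subject is exempt from the * property so that data can be
    moved where the rule is too rigid; it stays bound by the simple
    security rule.
    """
    if mode == "read":
        return rank(subject) >= rank(obj)              # subject dominates object
    if mode == "write":
        return trusted or rank(obj) >= rank(subject)   # object dominates subject
    raise ValueError(f"unknown mode: {mode!r}")


def blp_strong_star_write(subject: str, obj: str) -> bool:
    """Strong * property: writing only at the subject's own level."""
    return rank(subject) == rank(obj)


def biba_allowed(mode: Mode, subject: str, obj: str) -> bool:
    """Biba: no read down, no write up (the BLP rules inverted)."""
    if mode == "read":
        return rank(subject) <= rank(obj)   # read only from equal or higher integrity
    if mode == "write":
        return rank(obj) <= rank(subject)   # write only to equal or lower integrity
    raise ValueError(f"unknown mode: {mode!r}")


def write_down_trojan_blocked() -> bool:
    """A process running at 'secret' reads a secret file, then tries to copy
    it into an 'unclassified' file. BLP allows the read but blocks the write."""
    read_ok = blp_allowed("read", "secret", "secret")
    write_ok = blp_allowed("write", "secret", "unclassified")
    return read_ok and not write_ok


if __name__ == "__main__":
    print("BLP read up blocked:", not blp_allowed("read", "confidential", "secret"))
    print("Write-down Trojan blocked:", write_down_trojan_blocked())
    print("Biba write up blocked:", not biba_allowed("write", "confidential", "secret"))
```

Note that the two models are checked independently here; a real system that wants both confidentiality and integrity has to apply both predicates, and a subject then ends up able to read and write only at its own level unless one of the exemptions applies.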

LIPNER'S LATTICE

Lipner applied the former models, which are aimed at government settings, to commercial settings. He changed terms such as confidential and secret to system programmer, production code and so on.

NON-INFERENCE MODELS

Non-inference models deal with examining the input and the output of a system to see whether an observer can infer any information he should not have access to. An example is two groups using one system. Group A uses commands X; group B uses commands Y. A does not know about the commands of B, and X does not interfere with Y.

1.6 Identification and Authentication Techniques

Authentication is the process of proving that you are who you claim to be. There are several techniques for this:

Passwords

One-time passwords

Challenge response

Biometrics

Tickets

Single sign-on

There are three kinds of things that can be used to authenticate yourself:

Something you know: passwords

Something you have: one-time password devices (tokens)

Something you are: biometrics

PASSWORDS

The problem is that users tend to choose easy-to-guess passwords, and tend to write down difficult ones. Either way it is easy for others to find out the password.

ONE-TIME PASSWORDS

These passwords solve the problems of normal passwords. These systems normally use hardware devices that generate passwords (e.g. a new one every minute), but there are also software tools. The server runs the same software, so the password can easily be checked. One problem is that users have to ensure that they have the device with them all the time. Another problem is that the clocks of the device and the server may get out of sync.

CHALLENGE RESPONSE

Challenge-response schemes are an alternative to one-time passwords. The user identifies himself to the server with his user ID. The server responds with a code (the challenge) which has to be entered on a device. The device responds with an output (the response) which has to be provided to the server.
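The one-time password and challenge-response schemes from the two sections above, as one added example (not code from the study guide or from any particular token product): both sides share a secret key; the token side derives a time-slot code and the server re-derives it, accepting one neighbouring slot so that a device clock that has drifted slightly out of sync still works; the challenge-response part shows the server issuing a fresh challenge and checking the device's answer. The key, time values, step size and digit counts are constructed assumptions for the example.

```python
# Added example (not from the original study guide): a time-based one-time
# password and an HMAC challenge-response exchange, both over a shared secret.
# Key, times and challenge bytes below are constructed for the example.
import hashlib
import hmac
import secrets
import struct


def otp_code(key: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Token side: derive a code from the current time slot (one per `step` s).
    Same truncation over HMAC-SHA1 as the HOTP/TOTP construction."""
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_otp(key: bytes, submitted: str, server_time: int,
               step: int = 60, drift_steps: int = 1) -> bool:
    """Server side: recompute the code, and also accept the neighbouring time
    slots so that a token clock slightly out of sync with the server still works."""
    for d in range(-drift_steps, drift_steps + 1):
        expected = otp_code(key, server_time + d * step, step)
        if hmac.compare_digest(expected, submitted):    # constant-time compare
            return True
    return False


def issue_challenge() -> bytes:
    """Server side: a fresh random challenge for every login attempt."""
    return secrets.token_bytes(16)


def device_response(key: bytes, challenge: bytes, digits: int = 8) -> str:
    """Device side: the user keys the challenge in; the device shows a short
    response the user then provides to the server."""
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    value = struct.unpack(">I", mac[:4])[0]
    return str(value % 10 ** digits).zfill(digits)


def verify_response(key: bytes, challenge: bytes, response: str) -> bool:
    """Server side: same secret, same challenge, so the same answer is expected."""
    return hmac.compare_digest(device_response(key, challenge), response)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    now = 1_700_000_000
    code = otp_code(key, now)
    print("OTP accepted with 59 s drift:", verify_otp(key, code, now + 59))
    print("OTP rejected two slots later:", not verify_otp(key, code, now + 120))
    ch = issue_challenge()
    print("challenge-response ok:", verify_response(key, ch, device_response(key, ch)))
```

The drift window is the trade-off the text hints at: every extra slot the server accepts makes a stolen code usable for a little longer, so the window is kept to one slot on each side, and a production server would additionally remember the last accepted slot so that the same code cannot be replayed within the window.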

BIOMETRICS

You don't have to carry devices around which can break or get lost. Biometric devices can be used to authenticate by fingerprints and hand, face and retinal scans.

TICKETS

These systems provide you with a ticket which has to be decrypted. Secret keys have to be exchanged prior to the authentication process. When you connect to the system, you give it your user ID. The server sends you an encrypted ticket. If you are who you claim to be, you can decrypt the ticket.

An example of a common program is Kerberos. The problem of these systems is that they do not scale very well.


SINGLE SIGN-ON

Single sign-on is used when you have a large number of applications that need to authenticate the same user. To prevent logging in many times, the user logs on once to a central server that authenticates the user to the other applications. The disadvantage is that an evildoer has access to all the systems once he knows the primary user ID and password.

1.7 Access Control Methodologies

There are two primary remote access controls:

RADIUS: Remote Authentication Dial-In User Service

TACACS: Terminal Access Controller Access Control System

TACACS+ is the same as TACACS but has more advanced features.

CENTRALIZED/REMOTE AUTHENTICATION ACCESS CONTROLS

RADIUS and TACACS+ are used when users are required to authenticate to different applications and you do not want to manage a separate list of user accounts for each application. All the applications point to the RADIUS or TACACS+ server to authenticate the users. This way you only have to administer and manage one set of accounts and credentials.

RADIUS and TACACS+ are also used with devices and applications that do not have built-in facilities for authentication, such as routers.

The disadvantage of centralized access control is that it is a SPOF (single point of failure). It works well for small companies but not for bigger ones: there you need backup and failover capabilities, or decentralized control.

DECENTRALIZED ACCESS CONTROL

With this kind of control each individual or department is responsible for its own access control (e.g. Windows for Workgroups). Most organizations tend to use hybrid systems and set up zones or domains, each with centralized access control for that domain.

A domain is a group of computers under the same administrative authority. From an access control standpoint, a domain is a group of systems that all authenticate to a central system or group of systems.

As each zone has its own controller, each controller pushes a copy of its database at regular intervals to the other controllers. The other controllers are only allowed to read these copies, unless a controller goes down; another controller then takes over the function of the failed controller.

If a user wants to get access to another domain, trust comes into play. This is done by setting up trust relationships between domains. You can have a full trust or a one-way trust. Full trust means that each of the two domains has access to the other's domain. One-way trust means that one domain has access to the other domain, but not the other way around.

1.8 Methods of Attack

Methods of attack are:

Brute force

Denial of service

Spoofing

Sniffing

BRUTE FORCE

Trying all possible combinations; most popular with cracking passwords. A subset of the brute-force attack is the dictionary attack (passwords based on dictionary words).

DENIAL OF SERVICE

Preventing others from gaining access to a server. Ways to launch a DoS attack against access control are:

locking all accounts by entering false passwords (often the account is locked the third time a wrong password is provided);

flooding the pipes (using up all available resources).
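Detection logic for the brute-force and account-lockout attacks described above, as an added example (not code from the study guide and not from any particular product): it runs over a few constructed authentication log lines and raises one alert when a single account collects the number of failures at which many systems lock the account, and another when one source fails against many different accounts inside the window, which is what a mass-lockout denial of service looks like. The log format, the thresholds and the addresses are assumptions made for the example.

```python
# Added example (not from the original study guide): detection logic for
# password brute force and for the "lock everyone out" denial of service,
# run over constructed authentication log lines. Log format, thresholds and
# addresses are assumptions made for the example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")

# Constructed sample log: one account hammered from one source, then one
# source trying a wrong password against five different accounts.
SAMPLE_LOG = """\
2024-03-01T09:00:00 auth FAIL user=alice src=10.0.0.5
2024-03-01T09:00:10 auth FAIL user=alice src=10.0.0.5
2024-03-01T09:00:20 auth FAIL user=alice src=10.0.0.5
2024-03-01T09:00:30 auth OK user=alice src=10.0.0.5
2024-03-01T09:01:00 auth FAIL user=bob src=10.0.0.9
2024-03-01T09:01:01 auth FAIL user=carol src=10.0.0.9
2024-03-01T09:01:02 auth FAIL user=dave src=10.0.0.9
2024-03-01T09:01:03 auth FAIL user=erin src=10.0.0.9
2024-03-01T09:01:04 auth FAIL user=frank src=10.0.0.9
2024-03-01T09:30:00 auth FAIL user=bob src=10.0.0.7
"""


def parse_events(lines):
    """Turn log lines into (time, result, user, src), oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # tolerate unrelated lines
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return sorted(events, key=lambda e: e[0])


def detect(lines, window=timedelta(minutes=5), per_user=3, per_src_accounts=5):
    """Return a list of alerts:
    ('brute_force', user, src): `per_user` failures on one account inside
        `window`; this is the point at which a lockout policy would trigger.
    ('lockout_dos', src, n): one source failing against `per_src_accounts`
        distinct accounts inside `window`, i.e. an attempt to lock many out.
    """
    alerts = []
    user_fails = defaultdict(list)      # user -> failure times still in window
    src_accounts = defaultdict(dict)    # src  -> {user: last failure time}
    for ts, result, user, src in parse_events(lines):
        if result != "FAIL":
            continue
        hist = user_fails[user]
        hist.append(ts)
        while ts - hist[0] > window:    # drop failures older than the window
            hist.pop(0)
        if len(hist) == per_user:
            alerts.append(("brute_force", user, src))
        accounts = src_accounts[src]
        accounts[user] = ts
        recent = [u for u, t in accounts.items() if ts - t <= window]
        if len(recent) == per_src_accounts:
            alerts.append(("lockout_dos", src, len(recent)))
    return alerts


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

The second alert is the one the lockout rule itself cannot give you: a policy that locks an account after three wrong passwords stops the first attacker but hands the second one a cheap denial of service, so the source-based view is what tells an operator to block the source rather than the accounts.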

SPOOFING

Spoofing is using somebody else's identity, pretending that you are that person. To prevent this, you should have multilevel access control, so that you need both something you know and something you have.

SNIFFING

Using a tool (sniffer) on a wire which reads unencrypted user IDs and passwords.

1.9 Monitoring

INTRUSION DETECTION

Intrusion detection is the field of study dealing with monitoring networks and hosts and looking for attacks. It is passive; the emphasis is on detection: you monitor a network or host looking for signs of an attack. An IDS does not prevent an attack; it alerts that a potential problem exists.

Types of intrusions are:

Host versus network

Passive versus active

Known versus unknown

Host versus network

Is the attacker trying to gain access to a single host or to the entire network? Entering a company's network through a single host requires physical access to that host, or a stolen computer which has access to that host.

Intrusion Detection Systems (IDS) are broken down into host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS). HIDSs are passive components (they analyze logs), sit on a single computer, are configured for a special purpose and do not scale very well. NIDSs are active components: they sit on a network like a sniffer, examine the network traffic in real time, scale very well and look out for general types of attacks.

Passive versus active

An active attack means that an intruder is actively doing something on the network once he has access to it. A passive attack means that once the intruder is in the network, he monitors traffic or keystrokes to find information. Active attacks are easier to detect because the intruder is actually doing something. Passive attacks are very difficult to detect because they are just listening.

Known versus unknown

A known attack is something the vendor has acknowledged to be a security hole in its software. Most times these holes are patched, but as long as the patches are not applied by the customer, the customer's network is still vulnerable.

Unknown attacks are known to a small group of people but are not public knowledge. Because the vendor doesn't know these vulnerabilities, he cannot release a patch.

INTRUSION PREVENTION

Until 2002, intrusion prevention was about preventing intrusions by strong identification and authentication (one-time passwords, biometrics, and so on).

From 2002 on, intrusion prevention describes a new class of systems: intrusion prevention systems (IPS). They look for possible attacks on the network (passive), but also act as an active device, like a firewall, through which traffic must pass. If an attack is sensed, the IPS stops the attack by blocking the traffic or by preventing malicious behavior through enforcing rules and policies.

HOW INTRUSION DETECTION WORKS

There are two typical types of IDS: signature matching and anomaly detection.

Signature matching

Signature or pattern matching uses a database of known attack signatures. When a signature is found, it sends an alert.


Positive aspects of signature matching:

Easy to update

You can create your own signatures

Negative aspects of signature matching:

They detect only known attacks

They are based on static signatures and thus tend to generate a high number of false alarms

Anomaly matching

The concept is to determine what is normal traffic and not. Positive aspects of anomaly matching are:

You don't have to worry about updates

Negative aspects of anomaly matching:

You have to determine what is normal and not

After an IDS determines that an attack has been detected, it sets off some type of alarm: for example a message to a pager, or an instruction to a firewall to update its rule sets (which can be tricky, because an intruder may deliberately provoke this).
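The two detection approaches above side by side, as an added example (not code from the study guide and not any product's engine): a small signature database matched against request paths, and an anomaly detector that first learns what is normal (requests per minute) from a training sample and then flags minutes that exceed the baseline by three standard deviations. The web-access log format, the signatures, the traffic and the threshold are assumptions constructed for the example; the detector only reports, it never touches firewall rules, for the reason given in the paragraph above.

```python
# Added example (not from the original study guide): signature matching and
# anomaly detection run over constructed web-access log lines. Log format,
# signatures, traffic and thresholds are assumptions made for the example.
import re
import statistics
from collections import Counter

# Signature database: patterns for known attacks. Easy to extend with your
# own entries, but it only ever finds what is listed here.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "null_byte": re.compile(r"%00"),
}

# Captures (minute, source, request path) from one access-log line.
LOG_RE = re.compile(r'^(\d{4}-\d\d-\d\dT\d\d:\d\d):\d\d (\S+) "(?:GET|POST) (\S+)"$')

# Constructed normal traffic used to learn the baseline: 2, 4, 2 and 4
# requests in four consecutive minutes.
TRAINING_LOG = """\
2024-03-01T09:00:05 10.0.0.4 "GET /index.html"
2024-03-01T09:00:40 10.0.0.6 "GET /news"
2024-03-01T09:01:02 10.0.0.4 "GET /about"
2024-03-01T09:01:10 10.0.0.5 "GET /index.html"
2024-03-01T09:01:33 10.0.0.6 "POST /search"
2024-03-01T09:01:50 10.0.0.4 "GET /contact"
2024-03-01T09:02:12 10.0.0.5 "GET /news"
2024-03-01T09:02:48 10.0.0.6 "GET /index.html"
2024-03-01T09:03:01 10.0.0.4 "GET /news"
2024-03-01T09:03:14 10.0.0.5 "GET /about"
2024-03-01T09:03:30 10.0.0.6 "GET /contact"
2024-03-01T09:03:55 10.0.0.4 "POST /search"
"""

# Constructed traffic under test: a burst of eight requests in one minute from
# one source, then a quiet minute containing one request with a known pattern.
TEST_LOG = """\
2024-03-01T10:00:01 10.0.0.9 "GET /index.html"
2024-03-01T10:00:02 10.0.0.9 "GET /news"
2024-03-01T10:00:03 10.0.0.9 "GET /about"
2024-03-01T10:00:04 10.0.0.9 "GET /contact"
2024-03-01T10:00:05 10.0.0.9 "GET /index.html"
2024-03-01T10:00:06 10.0.0.9 "GET /news"
2024-03-01T10:00:07 10.0.0.9 "GET /about"
2024-03-01T10:00:08 10.0.0.9 "GET /contact"
2024-03-01T10:05:10 10.0.0.5 "GET /news"
2024-03-01T10:05:20 10.0.0.7 "GET /download?file=../../secret.txt"
"""


def parse(lines):
    """Return (minute, src, path) for every line that matches the log format."""
    return [m.groups() for m in (LOG_RE.match(l.strip()) for l in lines) if m]


def signature_alerts(lines):
    """Signature matching: alert on every request matching a known pattern."""
    return [(name, src, path)
            for _minute, src, path in parse(lines)
            for name, rx in SIGNATURES.items() if rx.search(path)]


def learn_baseline(lines):
    """Anomaly detection, step 1: decide what is normal. Here normal is the
    requests-per-minute distribution of the training traffic."""
    values = list(Counter(minute for minute, _, _ in parse(lines)).values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_alerts(lines, baseline, k=3.0):
    """Anomaly detection, step 2: flag minutes whose request count exceeds
    mean + k standard deviations of the learned baseline."""
    mean, sd = baseline
    threshold = mean + k * sd
    per_minute = Counter(minute for minute, _, _ in parse(lines))
    return [(minute, n) for minute, n in sorted(per_minute.items()) if n > threshold]


if __name__ == "__main__":
    base = learn_baseline(TRAINING_LOG.splitlines())
    print("baseline (mean, sd):", base)
    print("signature alerts:", signature_alerts(TEST_LOG.splitlines()))
    print("anomaly alerts:", anomaly_alerts(TEST_LOG.splitlines(), base))
```

Each approach misses what the other catches: the burst contains nothing that matches a signature, and the single traversal request is far below the volume threshold, which is the usual argument for running both.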

1.10 Penetration testing

Penetration testing is also called ethical hacking. The idea is that you can find weaknesses in your access control system policy and fix them before a real attacker breaks in.

PENETRATION TESTING VERSUS SECURITY ASSESSMENTS

A penetration test tests the security from the Internet using a domain and an IP address; nothing else. The goal is to find out as much as possible about the company, including ways to break in. You are proving that you can get in.

Security assessments do include a pen test but are much more thorough. You get access to all the key systems within a company to evaluate the current level of security. You are trying to paint a picture of the current threats that exist and what can be done to protect against them.

ETHICAL ISSUES

First of all, get written permission before starting a pen test. Keep in mind that although you do not mean to do harm, the system doesn't belong to you. Therefore you need permission before you can do anything.

PERFORMING A PENETRATION TEST

The steps are:

1. Perform passive reconnaissance

2. Perform active reconnaissance (scanning)

3. Exploit the system by gaining access through one of the following:

Operating system attacks

Application-level attacks

Scripts and sample program attacks

Misconfiguration attacks

Elevation of privileges

Denial-of-service attacks

4. Upload programs

5. Download data

6. Maintain access by:

Back doors

Trojan horses

7. Cover your tracks

In most cases the pen test includes just steps 1 to 3.

Common tools for pen tests are Nessus and NMAP. Nessus scans for (known) vulnerabilities across various operating systems and reports back. NMAP scans which ports are open, performs OS fingerprinting and has other advanced features like spoofing.


2 Telecommunications and Network Security

2.1 The Open Systems Interconnection Model

The need for networked computers came with the desire to share resources like printers. The biggest hindrance was the lack of networking standards. Clients could only be connected to one kind of network, like Novell, Unix or Microsoft (the monolithic networking model), which didn't scale at all. The OSI model was a scalable open standard facilitating open communication between all systems. It is a framework of how networking functions.

2.2 The OSI Layers

The benefits of a layered reference model are:

It divides the complex network operation into smaller pieces or layers;

It facilitates the ability to change at one layer without having to change all the layers;

It defines a standard interface for multi-vendor integration.

Layer 7 - Application: responsible for interfacing with the user

Layer 6 - Presentation: responsible for translating the data from something the user expects to something the network expects

Layer 5 - Session: responsible for dialog control between systems and applications

Layer 4 - Transport: responsible for handling end-to-end data transport services (data unit: segment)

Layer 3 - Network: responsible for logical addressing (data unit: packet)

Layer 2 - Data Link: responsible for physical addressing (data unit: frame)

Layer 1 - Physical: responsible for physical delivery and specification (data unit: bits)

Note: A protocol may perform multiple functions across multiple layers.

LAYER 7 - APPLICATION LAYER

The Application layer is responsible for providing the user access to network resources via the use of network-aware applications. Note: not every program is network-aware, and those that are not are not defined in the Application layer. Examples of network-aware programs are:

Email gateways - POP3, SMTP, X.400. These programs deliver messages between applications;

Newsgroup and IRC programs using NNTP and IRC, providing for communication between hosts by allowing the posting of messages to a news server or the typing of a live conversation between chat clients;

Database applications providing data storage and warehousing capabilities in central data repositories that can be accessed, managed and updated;

WWW applications providing access to Web resources; these applications include client Web browsers and Web servers.


LAYER 6 - PRESENTATION LAYER

The Presentation layer is the translator of the network. It translates data which the user understands to data which the network understands. The following protocols reside at this layer:

Graphic formats such as JPEG, TIFF, GIF and BMP handle the presentation and display of graphic images;

Sound and movie formats such as QuickTime, MPEG, WMF provide for the translation and presentation of sound and video files;

Network redirectors handling the protocol conversions from the network based formats (Server Message Block and Netware Core Protocol) and the end user applications.

LAYER 5 - SESSION LAYER

Network hosts run multiple applications and can connect to several other hosts running multiple applications. The Session layer sets up the logical communication channels between network hosts and applications. Each time a connection is made, it is called a session. It provides a mechanism for setting up, maintaining and tearing down sessions, keeping data separate from other applications. Examples of Session layer protocols are:

Network File System (NFS): used with TCP/IP and Unix for remote access to resources;

Remote Procedure Call (RPC): a client/server redirection mechanism;

Structured Query Language (SQL): a mechanism to access and define a user's information requirements when connecting to a database.

LAYER 4 - TRANSPORT LAYER

The Transport layer is responsible for handling the end-to-end communication between host systems. It does this via a process known as segmentation and reassembly: data from the upper layer is broken up into segments with a certain maximum size and passed to the Network layer. Segments are labeled so that the receiving system knows how to reassemble them. The logical communication between hosts is referred to as virtual circuits.

Protocols that reside on this layer are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

LAYER 3 - NETWORK LAYER

The Network layer is responsible for the logical addressing of packets and the routing of data between networks. There are local and remote hosts. Local hosts can receive the physical signal that the source host transmits. Remote hosts are hosts in physically different locations and/or networks; they cannot receive the physical signal. Therefore the Network layer uses logical addresses to define hosts. The process of transmitting data regardless of physical location is known as routing.

Protocols that reside on this layer are IP (Internet Protocol) and IPX (Internet Packet Exchange). Routers and Layer-3 switches are considered Network layer devices because of their special capabilities. They know the difference between networks, so they can be used to separate broadcast domains; by default they will not forward broadcasts [1] from one network to another.

Broadcasts and collisions can greatly degrade the network performance. Forwarding broadcasts prevents the host from doing other tasks. You can improve performance by using routers to separate broadcast domains, thus reducing the number of systems that have to deal with broadcasts. Collisions occur when multiple devices share the same single segment of a cable. A cable can only carry one signal at a time. Collisions cause devices to retransmit data thus decreasing the performance of the network.

IP handles the logical addressing of hosts and the routing of data via a hierarchical addressing scheme. The benefits are scalability (it can handle more addresses than a flat scheme) and much easier routing: networks can be grouped together and treated as single entries in the routing table, making routing much more efficient. IP is defined in RFC 791.

[1] A broadcast is data addressed to all hosts, regardless of whether the destination can do anything with the data.
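The routing-table behaviour described under IP above, as an added example (not code from the study guide): a table of prefixes is consulted with longest-prefix match, so a more specific route wins over a covering one and the default route catches the rest, and route aggregation shows how the hierarchical scheme lets four adjacent networks that share a next hop collapse into one table entry. The prefixes and next-hop names are constructed for the example; the routing-table structure is the example's own, not a particular router's.

```python
# Added example (not from the original study guide): a routing table with
# longest-prefix match plus aggregation of adjacent prefixes per next hop.
# Prefixes and next hops are constructed for the example.
import ipaddress
from collections import defaultdict


def make_table(entries):
    """entries: (prefix_string, next_hop) pairs. Kept most-specific first so a
    linear scan implements longest-prefix match."""
    table = [(ipaddress.ip_network(prefix), hop) for prefix, hop in entries]
    return sorted(table, key=lambda route: route[0].prefixlen, reverse=True)


def lookup(table, address):
    """Return the next hop for `address`: the first (most specific) prefix that
    contains it, or None when not even a default route matches."""
    addr = ipaddress.ip_address(address)
    for prefix, hop in table:
        if addr in prefix:
            return hop
    return None


def aggregate(table):
    """Collapse adjacent prefixes that share a next hop into the fewest
    covering prefixes. Prefixes with different next hops are never merged,
    so every lookup still gives the same answer afterwards."""
    by_hop = defaultdict(list)
    for prefix, hop in table:
        by_hop[hop].append(prefix)
    merged = [(prefix, hop)
              for hop, prefixes in by_hop.items()
              for prefix in ipaddress.collapse_addresses(prefixes)]
    return sorted(merged, key=lambda route: route[0].prefixlen, reverse=True)


# Constructed table: four adjacent /24s behind R1, a /16 behind R2 with one
# more specific /24 carved out for R4, and a default route to R3.
ROUTES = make_table([
    ("10.1.0.0/24", "R1"), ("10.1.1.0/24", "R1"),
    ("10.1.2.0/24", "R1"), ("10.1.3.0/24", "R1"),
    ("10.2.0.0/16", "R2"), ("10.2.9.0/24", "R4"),
    ("0.0.0.0/0", "R3"),
])


def as_strings(table):
    """Printable form of a table, e.g. [('10.1.0.0/22', 'R1'), ...]."""
    return [(str(prefix), hop) for prefix, hop in table]


if __name__ == "__main__":
    print("10.1.2.7 via", lookup(ROUTES, "10.1.2.7"))
    print("10.2.9.1 via", lookup(ROUTES, "10.2.9.1"))
    print("before:", len(ROUTES), "entries; after:", as_strings(aggregate(ROUTES)))
```

The seven-entry table shrinks to four, and the carved-out 10.2.9.0/24 still wins over 10.2.0.0/16 because the scan is ordered by prefix length, which is the property that keeps aggregation from changing any forwarding decision.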


IPX is used primarily on Novell-based networks and provides for the logical addressing of hosts via network and host addresses.

LAYER 2 - DATA LINK LAYER

This layer is responsible for the physical addressing of frames and the translation of packets from the Network layer into bits for the Physical layer to transmit. Packets from the Network layer are encapsulated with Data Link header and footer information to become frames. A CRC (Cyclic Redundancy Check) is used to ensure error-free delivery. The Data Link layer uses the hardware address to identify the source and destination devices. The layer is divided into two sublayers:

The LLC sublayer (IEEE 802.2): it defines the interface between the Network layer and the underlying network architecture.

The MAC sublayer (IEEE 802.3 for Ethernet): it defines how the packets are transmitted on the medium.
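The encapsulation the Transport, Network and Data Link sections describe, as an added worked example (not code from the study guide): a payload is wrapped in a UDP header (segment), an IP header with its checksum (packet) and an Ethernet MAC header with a CRC-32 frame check sequence (frame), then parsed back up the layers with the FCS and the IP header checksum verified on the way, so a frame damaged in transit is rejected at the Data Link layer exactly as the text says. The addresses, ports and payload are constructed for the example, the UDP checksum is left at zero (which IPv4 permits), and no LLC header is used since this is an Ethernet II frame.

```python
# Added example (not from the original study guide): encapsulating a payload
# down through Layers 4, 3 and 2 and peeling it back, checking the CRC-based
# FCS and the IP header checksum on the way up. Addresses, ports and payload
# are constructed for the example; the UDP checksum is left at zero.
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum; it evaluates to 0 over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_frame(payload: bytes, src_ip: str, dst_ip: str, src_port: int,
                dst_port: int, src_mac: str, dst_mac: str) -> bytes:
    # Layer 4: UDP header + data = segment (UDP checksum 0 = not computed)
    segment = struct.pack(">HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # Layer 3: IP header + segment = packet (logical addressing)
    ip_hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0,
                         64, PROTO_UDP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack(">H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    packet = ip_hdr + segment
    # Layer 2: MAC header + packet + FCS = frame (physical addressing)
    body = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack(">H", ETHERTYPE_IPV4) + packet
    fcs = struct.pack("<I", zlib.crc32(body))   # CRC-32 as used by 802.3
    return body + fcs


def frame_is_intact(frame: bytes) -> bool:
    """Data Link check: recompute the FCS over everything that precedes it."""
    return len(frame) > 4 and struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]


def corrupt_byte(frame: bytes, index: int) -> bytes:
    """Simulate a transmission error: flip one bit of one byte."""
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    return bytes(damaged)


def parse_frame(frame: bytes) -> dict:
    """Walk back up the layers, validating at each one."""
    if not frame_is_intact(frame):
        raise ValueError("FCS mismatch: frame corrupted in transit")
    body = frame[:-4]
    dst_mac, src_mac = body[:6], body[6:12]
    (ethertype,) = struct.unpack(">H", body[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4             # header length in bytes
    ip_hdr = packet[:ihl]
    if ip_checksum(ip_hdr) != 0:
        raise ValueError("IP header checksum mismatch")
    if ip_hdr[9] != PROTO_UDP:
        raise ValueError("not a UDP packet")
    segment = packet[ihl:]
    src_port, dst_port, udp_len, _ = struct.unpack(">HHHH", segment[:8])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, ip_hdr[12:16])),
        "dst_ip": ".".join(map(str, ip_hdr[16:20])),
        "src_port": src_port, "dst_port": dst_port,
        "payload": segment[8:udp_len],
    }


if __name__ == "__main__":
    frame = build_frame(b"hello", "10.0.0.1", "10.0.0.2", 40000, 53,
                        "02:00:00:00:00:01", "02:00:00:00:00:02")
    print(len(frame), "bytes on the wire:", parse_frame(frame))
    print("damaged frame intact?", frame_is_intact(corrupt_byte(frame, 30)))
```

The FCS is an integrity check against noise, not against an adversary: anyone who can alter the frame can recompute the CRC, which is why the text places confidentiality and authentication in higher layers rather than here.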

LAYER 1 - PHYSICAL LAYER

This layer is responsible for sending and receiving data. It also handles the specifications for the electrical, mechanical and procedural components of the communications media. It also identifies the DTE (Data Terminal Equipment) and DCE (Data Circuit-Terminating Equipment) used in physical signaling and in transmitting and receiving data. Hubs and repeaters are considered Physical layer devices because they simply receive, re-amplify and forward the signal without actually looking at the data that is being transmitted.

2.3 Network Characteristics and Topologies

Types of networks and connection types:

Ethernet: coax, UTP, fiber optic, wireless transmission

Thin coax / 10BASE-2: RG58/U

10BASE-T: Category 3, 4, 5, 5E or better cabling

Fiber: 62.5/125 micron multimode fiber (short haul) or 9 micron single mode (long haul)

Wireless: radio or microwave transmission methods

COAX

Thin coax networks (thin-net or 10BASE-2) use coaxial cabling with T-connectors to connect to NICs. Thick-net or 10BASE-5 uses coaxial cabling with vampire taps and AUI transceivers to connect to the NICs. Existing cable specifications for coax cable are RG-58/U, RG-58 A/U, RG-58 C/U, RG-59, RG-6, RG-62 and RG-8.

[Figure: encapsulation down the layers]

Session layer: upper layer data

Transport layer: TCP/UDP header + data = segment

Network layer: IP header + data = packet

Data Link layer: LLC header + MAC header + data + FCS = frame

Physical layer: bits (01001101010101)

Coax is a bus network. There is a 50 ohm resistor (terminator) at the end of a bus system to stop the signal from bouncing back along the wire (the resistance of the network is 50 ohm at three feet or more). Because coax has a single point of failure for the entire segment, which is difficult to troubleshoot, these networks are less commonly used. A TDR (Time Domain Reflectometer) can be used to give an approximate distance to the break in a wire.

10BASE-2 stands for 10 Mbps over a maximum length of 200 meters (actually 185). It adheres to the 5-4-3 rule, meaning that you can have a maximum of 5 segments via 4 repeaters, but only 3 segments can have hosts on them. The other 2 segments are called IRLs (Inter-Repeater Links). The maximum number of nodes per segment is 30.

10BASE-2 uses BNC (British Naval Connector) type connections: a BNC cable connector at the end of each cable and a BNC barrel connector or BNC T connector to establish connections between cables.

10BASE-5 uses a vampire tap and a transceiver to connect to devices. 10BASE-5 supports a maximum of 100 taps. The transceiver provides the connectivity to devices via AUI (Attachment Unit Interface) connections. Per segment 10BASE-5 supports a maximum of 1024 hosts, and the maximum length of a segment is 500 m.

10BASE-5 adheres to the 5-4-3 rule and uses barrels and terminators. It also uses N-Type connections: plugs, jacks, barrels and terminators.

UTP

UTP comes in 10BASE-T and 100BASE-TX media types (10 Mbps / 100 Mbps). The category indicates the quality of the signal carrying, the number of wires used and the number of twists in the wires. These factors contribute to the potential speed.

Category and speed rating:

Category 3: voice and data up to 10 Mbps / 16 MHz

Category 4: voice and data up to 16 Mbps / 20 MHz

Category 5: voice and data up to 100 Mbps / 100 MHz

Category 5e: voice and data up to 1000 Mbps / 100 MHz

Category 6: voice and data up to 1000 Mbps / 250 MHz

Category 7: voice and data up to 10000 Mbps / 600 MHz

CAT5 and CAT5e are mostly used. These categories use RJ-45 connectors, modular jacks, punch-down blocks or switches.

The four pairs of conductors twist around each other inside the cable jacket. UTP has no shielding and is very susceptible to EMI (electromagnetic interference); it should not be placed near EMI sources. It is also very easy to capture the data being transmitted without placing a tap into the cable.

UTP has a maximum length of 100 meters and a maximum of 4 repeaters between end stations (hubs act as repeaters). There can be a maximum of 1024 stations per network.

UTP supports only two devices on a cable: a computer and a hub. Therefore, failures are easy to pinpoint. Generally, if you have a link light with UTP, the problem is elsewhere.

FIBER OPTIC

Fiber-optic cable is used for backbone and device interconnectivity. Because of its costs and fragility it is not used for end-user connectivity. It has now replaced 10BASE-5 for the backbone device interconnectivity method due to speed and distance.

A fiber consists of a core (silica glass or plastic, 8-1000 microns) and a cladding which reflects the light that tries to escape the core. The cladding is surrounded by a coating (buffer). In a loose buffer construction, there is a layer of gel between the buffer and the fiber, in a tight buffer construction there is not.

Fibers are typically bundled in (multiple) pairs (strands) because fiber can only send a signal in a single direction. The strands are reinforced by a plastic coating and then wrapped in Kevlar to provide both strength and flexibility.


One pair cables are used in patch cord implementations. These are called simplex or zipcord. Multiple fiber cable that is double buffered is referred to as distribution cable. To terminate such a cable, one needs a breakout box. A breakout cable is made of several simplex/zipcord cables.

MULTI-MODE FIBER

Multi-mode fiber is mainly used for short or medium distances and for low-bandwidth applications. It is called multi-mode because it is designed to carry multiple light rays (modes), each using a slightly different reflection angle within the core. For 100 Mbps Ethernet the maximum distance is 2 km; for 1 Gbps Ethernet the maximum distance is 550 m.

SINGLE-MODE FIBER

Because single-mode fiber carries only a single ray, it can be used for longer distances and a smaller core can be used. For 100 Mbps Ethernet the maximum distance is 20 km; for 1 Gbps Ethernet the maximum distance is about 3 km up to 100 km.

The mostly used connectors are the Stick and Turn (ST), Stick and Click (SC) and SC Duplex connectors. Fibers are connected via splicing (fusion or mechanical). Fusion uses welding while mechanical uses an alignment fixture to mate the fibers.

DENSE WAVE DIVISION MULTIPLEXING

Dense Wave Division Multiplexing (DWDM) is one of the newest forms of fiber-optic transmission. It works on the principle that light of different colors resides at different frequencies, and light at one frequency does not interfere with light at a different frequency. The advantage is that you have multiple channels of data (4 to 32, and even more as time goes by). OC-48 transmits at 2.5 Gbps per channel. The more channels, the more bandwidth you have.

WIRELESS

A big push for wireless has come from small office/home office (SOHO) users, because houses are not designed for network cabling. Another deployment has been with PoS (Point of Sale) systems.

Drawbacks are:

The lack of standardization. Think of 802.11 Wi-Fi to 802.11a to 802.11b to 802.11g to 802.15 Bluetooth. The signal can easily be picked up from the air.

Security. One can easily connect to such a system using the appropriate equipment.

Interference. Interference can severely limit distances that wireless networks cover.

2.4 Network Topologies

LINEAR BUS TOPOLOGY

Within a linear bus all systems are connected in a row to a single cable. All computers share the same single piece of wire. This piece of cable is known as a segment.

Linear bus uses three core concepts:

How the signal is transmitted

Signal bounce

Signal termination

Transmission: the signal is sent to all devices connected to the linear bus segment (this is not a broadcast!). All devices connected to the segment get the signal, but not all of them process it.

Signal bounce: only one signal can exist on the segment at a time. This means that only one device can transmit at a time; the more devices you have, the worse the performance gets (contention). It is also a passive technology, because the devices do not move the data from one device to another: the signal is generated at the source and all devices passively receive it.

A signal bouncing back from the end of the cable may keep other systems from communicating. To prevent this, a linear bus uses terminators at the ends of the bus to absorb the signal.


Signal termination: if any part of the bus is not properly terminated, the entire bus will cease to function properly. Someone can take out all of the devices on the bus by removing the termination (by cutting the cable). A linear bus is very susceptible to cable faults.

STAR TOPOLOGY

All devices are connected to an active hub or switch. The benefit is that in case of a cable fault only one device is affected. Logically this network operates as a bus due to the hub/switch.

Star topologies are used to implement a collapsed backbone. The backbone exists between hubs/switches and requires less cabling. If an individual cable fault occurs, the hub/switch shorts the port on which the fault occurs and allows the other devices to continue functioning. However, the hub/switch is a SPOF.

RING TOPOLOGY

A loop of cable is used to interconnect devices. The signal is transmitted in a single direction, with each device retransmitting the signal. Therefore, it is an active topology.

A drawback is that if any system stops passing the signal or starts generating bad signals, it can take the entire ring out.

TREE TOPOLOGY

The tree topology is based on the bus and star topology. There are multiple nodes supported on each potential branch.

MESH TOPOLOGY

In a mesh topology each node is connected to every other node. These networks are typically deployed to create backbone and WAN networks.

LAN AND WAN TECHNOLOGIES

Data is transmitted on LANs using one of three transmission techniques:

Unicast: to one specific destination host (physically and logically)

Broadcast: to all hosts within a subnet or network. A directed broadcast is a broadcast on Layer 2 but the destination address is a unicast address on Layer 3.

Multicast: to multiple hosts via the use of group membership addresses.

ETHERNET

Ethernet is the most popular topology because it can be implemented to be very toler-ant of network failures. Ethernet is specified in the 802.3-spedifications al a CSMA/CD methodology and is mostly used as a star topology (but functioning like a linear bus). This means that multiple devices share the same bandwidth. CSMA/CD is also known as collision management:

Carrier Sense The host checks whether it can start a transmission.

Multiple Access Multiple devices access the same network. After sending the data, the host checks whether other hosts are trying to send data. If so, it sends a warning signal and tries to resend the data after a while.

Collision Detection Detects whether collisions take place; the host is informed so it can retransmit the data.

Ethernet can function in half-duplex (like a walkie-talkie) or full-duplex mode. Full-duplex mode needs two pairs of wires.

TOKEN-RING AND FDDI

Within a ring topology the most predominant method of transmitting data is token passing. In a token-ring architecture the data is appended to a packet, the token. The sending host must get the token first before it can append the data to it and transmit the token. The token is sent through the ring until it reaches its destination or passes the active monitor twice (in which case it is deleted).

Token ring uses a logical ring but is mostly cabled as a star. It is an active technology which uses the following ports:

Station ports These exist on token ring NICs and connect to the network.

Lobe ports These exist on the token ring hub or MAU and connect to station ports.

Ring in / Ring out ports Connect one ring to another ring.

The first system brought alive in a network is assigned as the active monitor. The active monitor is responsible for generating the token, removing bad tokens, providing clocking, maintaining ring delay, handling orphaned frames and purging the ring. Malicious users can try to take over the role of active monitor and create a DoS.

Token-ring can be designed to be very fault tolerant, but it is very costly. FDDI uses a redundant ring to ensure fault tolerance.

ARCNET

ATTACHED RESOURCE COMPUTER NETWORK

This is a dead network topology because it is a bus technology. ARCnet uses CSMA/CA (Collision Avoidance), using a token to transmit data.

2.5 LAN Devices

LAN technologies tend to focus on connecting a large number of systems that are in close proximity to each other to a very fast network.

HUBS AND REPEATERS

Hubs and repeaters do the same thing. As hubs have more ports than repeaters, they are also called multi-port repeaters. Hubs just amplify the signal and repeat it out of all ports. Therefore they are layer-1 devices.

SWITCHES AND BRIDGES

Switches and bridges are in general the same. Differences are:

Switches are hardware based and use ASICs to make decisions; bridges use software and are therefore slower;

Switches have more ports (they are also called multi-port bridges);

Switches can run multiple instances of spanning tree; bridges can run only one.

Spanning tree is a protocol used to determine redundant paths in a network and block any paths that would create loops (which can result in broadcast storms). Switches are layer-2 devices because they are Data Link layer aware (they know how physical addressing occurs and use this to optimize network communications). Switches use segmentation: each port is considered by the switch as a segment. If a signal is received, it tries to determine to which port the destination host of the signal is connected and forwards the message to that specific port (destination port). If it cannot, it falls back to basic Ethernet and forwards the signal to all ports. A switch can provide some security via VLANs and port-based security.

Layer-3 switches are hybrid devices that combine layer-2 and layer-3 functionality allowing the switch to forward frames when possible and route packets when needed. Layer-3 switches are particularly suited for VLAN environments.

VLANS

The goal of VLANs (Virtual Local Area Network) is the separation of broadcast domains and the creation of subnets. They are logically segmented networks within a single switch or within a single switch fabric (group of physically connected switches). A router is needed to communicate between subnets. By restricting the traffic at the router and separating hosts between VLANs you gain a degree of security.

A drawback on security is that it is possible for data to transfer from one VLAN to another even though it normally shouldn't, due to exploits such as buffer overruns.


ROUTERS

Routers are network aware: they can differentiate between different networks. They use this information to build routing tables containing:

the networks the router knows about,

the remote router to use to connect to those networks,

the paths (routes) to the networks,

the costs (metrics) of sending data over the paths.

Routers are used to segment networks as well as to reduce broadcasts on a network. They provide better traffic management and security capabilities than switches and hubs can. They are able to examine logical addresses and layer-3 header information to determine what application ports are being used. This information is used for traffic filtering and blocking purposes.

FIREWALLS

Firewalls prevent traffic that is not authorized from entering or leaving the network. They are deployed as a perimeter security mechanism. There are six main types (generations) of firewalls:

1. Packet filtering Traffic is checked against a rule set that defines what traffic is allowed and what is not, using IP addresses and/or port numbers. If there is a match, it can pass; otherwise the packet is discarded. They operate very fast because they only need to read the layer-3/4 information to make a decision. A packet filtering firewall is also called a screening router. These firewalls reside on the network/transport layer and use ACLs.

2. Application proxy These kinds of firewalls read the entire packet into the application layer before making a decision. This allows an application proxy firewall to recognize CodeRed data. They are slower than packet filtering firewalls. Another drawback is that the provided services are limited; if you need another service, you need an additional proxy. An application proxy firewall is sometimes called an ALG (Application Level Gateway). These firewalls reside on the application layer.

3. Circuit proxy A bit of a hybrid between application proxies and packet filtering firewalls. A circuit is created between the source and destination without actually reading and processing the application data. The functionality is close to a packet filter. Circuit proxy firewalls are easier to maintain than an application proxy.

4. Stateful inspection After a host has sent a packet to a destination, the destination host processes the data and sends a response. This network connection state is tracked by the firewall and then used in determining what traffic should be allowed to pass back through the firewall. Because these firewalls can examine the state of the conversation, they can monitor and track protocols as well, even UDP, which is connectionless. Many stateful packet inspection firewalls perform packet reassembly and check for harmful data; if found, the data is dropped. These firewalls reside on the network layer.

5. Dynamic packet filtering A dynamic packet filtering firewall is used for providing limited support of connectionless protocols (UDP). It queues all the UDP packets that crossed the network perimeter and based on that will allow responses to pass back through the firewall.

6. Kernel proxy These firewalls are highly customized and specialized to function in kernel mode of the operating system. This provides for modular, kernel-based, multi-layer session evaluation using customized TCP/IP stacks and kernel level proxies.
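The difference between a screening router (type 1) and stateful inspection (type 4) is easiest to see in code. The following is an added example, not code from Bragg's guide or from this summary; the rule set, the host addresses (documentation ranges) and the packet model are constructed for illustration. The stateless filter only ever looks at the rule set, so a reply coming back from the web server to a high client port is dropped unless a rule opens that port; the stateful firewall remembers flows the rule set admitted and lets their replies through, for UDP as well as TCP, while still dropping unsolicited packets from the same server.

```python
"""Stateless packet filter beside a stateful tracker (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    sport: int    # source port
    dport: int    # destination port


# Constructed rule set: (action, src network, dst network, proto, dst port).
# "any" is a wildcard; addresses come from the documentation ranges.
RULES = [
    ("permit", "any", "203.0.113.10/32", "tcp", 80),
    ("permit", "any", "203.0.113.10/32", "tcp", 443),
    ("permit", "any", "203.0.113.53/32", "udp", 53),
    ("deny", "any", "any", "any", "any"),   # the implicit default deny, spelled out
]


def _addr_match(addr, pattern):
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def _match(value, pattern):
    return pattern == "any" or value == pattern


def stateless_filter(pkt, rules=RULES):
    """Screening-router logic: first matching rule wins, nothing else is remembered."""
    for action, src, dst, proto, dport in rules:
        if (_addr_match(pkt.src, src) and _addr_match(pkt.dst, dst)
                and _match(pkt.proto, proto) and _match(pkt.dport, dport)):
            return action == "permit"
    return False


class StatefulFirewall:
    """Stateful inspection: remember admitted flows and let their replies back in."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.flows = set()   # (proto, src, sport, dst, dport) of admitted flows

    def allow(self, pkt):
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return True                     # part of a tracked conversation (TCP or UDP)
        if stateless_filter(pkt, self.rules):
            self.flows.add(forward)         # new flow admitted by the rule set
            return True
        return False
```

A real screening router would need a permissive rule such as "permit tcp any gt 1023" to let replies through, which is exactly the kind of hole stateful tracking avoids.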

There are four general types of firewall architectures:

Packet-filtering routers A packet-filtering router sits along the boundary of two networks and is therefore called a boundary or perimeter router. Security is maintained by ACLs (Access Control Lists) that define allowed IP addresses, protocols and port numbers.


Pros:

Excellent first security boundary as a bulk filtering device

Cons:

Maintaining the ACL can be very complex and time-consuming.

Lack of authentication and weak auditing capabilities

Screened-host firewall These firewalls employ both a packet-filtering firewall and a bastion host (a system that is directly exposed to external threats; it is the only host on the internal network that is accessible to external hosts). An intruder has to pass the external router (packet filtering) and the bastion host (proxy) to get access to internal resources.

When the bastion host is compromised, nothing stops the intruder from having full run of the internal network. Therefore it should never be used for high-risk access such as public web server access.

Screened-subnet firewall (with demilitarized zone, DMZ) A screened-subnet firewall system provides additional network security by introducing a perimeter network (DMZ) that the bastion host resides on. This requires an intruder to bypass two packet-filtering routers before he gains access to the internal network. This design is one of the most secure methods of providing external access to resources, but it is costly and complex.

Dual-homed host firewall The bastion host has two interfaces (one connected to the external network and one connected to the internal network), but IP forwarding is disabled. This means that there is no straight connection between hosts on the external and internal network.

Cons:

If the bastion host is compromised, the intruder has potentially free access to the internal network;

If you allow the bastion host to route, it doesn't perform well because it isn't designed that way;

Internal routing may accidentally become enabled.

GATEWAYS AND PROXIES

The term gateway has many meanings, such as a router, a device providing proxy functionality, or a device providing access to a network or service. Proxies are used as an intermediary device between a client and a server, providing transparent access to resources on the server. All traffic goes through the proxy. This allows administrators to restrict access, e.g. outbound Internet access. Proxies have caching functionality, so they can provide better network performance.

2.6 WAN Technologies

WAN technologies tend to focus on interconnecting LANs and making connections to remote sites and resources.

There are three main categories of WAN networks:

Internet

Intranet

Extranet

WAN CONNECTIONS

Dedicated Connections

Dedicated connections exist between two point-to-point sites and are available all the time. The connection is exclusive and tends to be a synchronous serial connection (using precision clocking and control bits). Examples are T1, T3 and E1, E3 (Europe). OC-x is for optical carriers. DS-0 through DS-3 define the framing specifications for transmitting data over T-x and E-x lines.

Circuit-Switched Connections

Circuit-switched connections dynamically bring up circuits (connections) between two devices. These circuits are maintained for the duration of the call. They tend to use asynchronous serial connections, dial-up modems and ISDN, and are thus used for low bandwidth or backup purposes. Because authentication is required with every connection, it is considered a fairly secure connection.

Packet-Switched Connections

Packet-switched connections use synchronous serial connections (like dedicated connections) but share the network with multiple systems. They are less secure but cheaper. The company simply purchases a guaranteed amount of bandwidth. The classic packet-switched networks are Frame Relay and X.25.

Cell-Switched Connections

These connections are similar to packet-switched connections but are ATM (Asynchronous Transfer Mode) networks. This is a standard that uses fixed-length cells, thus reducing transit delays. ATM is used on high speed media (SONET, T3, E3). It is considered to be a fairly secure technology.

WAN SERVICES

Point-to-Point and Serial Line Internet Protocol (PPP and SLIP) These protocols are used for providing data link connectivity over asynchronous (dial-up) and synchronous (ISDN, dedicated serial line) connections. PPP is the successor of SLIP. Both provide a means to authenticate the connection.

PPP primarily exists to transport Network layer protocols across a point-to-point connection. When a connection attempt is made, three phases of communication occur:

Link Establishment Phase LCP packets are exchanged to configure and test the link;

Authentication Phase CHAP, PAP or manual authentication of the connecting devices occurs;

Network Layer Protocol Phase NCP is used to determine what Network layer protocols need to be encapsulated and are transmitted accordingly.

CHAP and PAP are authentication protocols. PAP (Password Authentication Protocol) is the less secure of the two because passwords are sent in clear text. CHAP (Challenge Handshake Authentication Protocol) performs authentication during the initial handshake phase and periodically revalidates the password for the duration of the connection.
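The contrast between the two protocols becomes concrete when both sides of the exchange are written out. The block below is an added example, not code from the guide or this summary; it follows the MD5 variant of CHAP (response = MD5(Identifier || secret || challenge)), and the peer names, secrets and the `Authenticator`/`Peer` classes are constructed for illustration. The shared secret is never transmitted, a captured response is useless against the next challenge, and the same round can be repeated at any time on a live link, which is the periodic revalidation the text mentions; PAP, by comparison, puts the password itself on the wire.

```python
"""PAP versus CHAP on a PPP link (added example, MD5-based CHAP)."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP/MD5 response: MD5(Identifier || secret || challenge). The secret stays on the host."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges (e.g. the access server). Constructed for this example."""

    def __init__(self, secrets):
        self.secrets = secrets        # peer name -> shared secret
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF   # fresh Identifier per challenge
        self.challenge = os.urandom(16)                  # fresh, unpredictable challenge value
        return self.identifier, self.challenge

    def verify(self, name, identifier, response):
        secret = self.secrets.get(name)
        if secret is None or identifier != self.identifier:
            return False                                 # unknown peer or stale/replayed round
        expected = chap_response(identifier, secret, self.challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Peer:
    """The side being authenticated (e.g. the dial-in client). Constructed for this example."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def chap_round(auth, peer):
    """One challenge/response round; the same round is repeated periodically on a live link."""
    identifier, challenge = auth.new_challenge()
    name, response = peer.respond(identifier, challenge)
    return auth.verify(name, identifier, response)


def pap_on_the_wire(name: str, password: str) -> bytes:
    """What PAP transmits: the password itself, readable by anyone on the path."""
    return name.encode() + b":" + password.encode()
```

MD5 is what the classic CHAP specification uses; the property being demonstrated (no secret on the wire, no replay across challenges) does not depend on the hash, but MS-CHAPv2 or EAP-based methods are what a current deployment would pick.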

High-Level Data-Link Control HDLC is an ISO-based standard for delivering data over synchronous lines. This protocol is bit-oriented and uses frame characters and checksums as part of the data encapsulation, but uses no authentication. It also doesn't provide for specifying the network-layer protocol that was encapsulated. Because each vendor developed its own method for doing this, it cannot be used between devices from different vendors.

X.25 X.25 operates on the Physical and Data Link layers. It uses virtual circuits for establishing the communication channel between hosts. It has now been replaced by the faster Frame Relay.

Link Access Procedure Balanced LAPB is a bit-oriented protocol like HDLC and was originally created for use on X.25 networks. It functions by assuring that frames are correctly ordered and error free.

Frame Relay Reliable and supports multiple protocols. It is based on X.25 (uses virtual circuits, operates on the Physical and Data Link layers) but is much faster because error checking is left to the higher layers. It provides the communication interface between the DTE (Data Terminating Equipment) and the DCE (Data Circuit-Terminating Equipment). Frame Relay uses DLCIs (Data-Link Connection Identifiers) to identify the end points of a circuit. It does not use authentication; use something like PPP if authentication is needed. Frame Relay is one of the most fault tolerant network topologies because network traffic can be diverted to another network segment.

Synchronous Data-Link Control SDLC was designed by IBM for use in mainframe connectivity but is also used for point-to-point WAN connections. It is incorporated into SNA and SAA but is now largely replaced by HDLC.

Integrated Services Digital Network ISDN was developed to transmit digital signals over a standard telephone wire. The BRI is 128 Kbps; the PRI up to 1.544 Mbps. BRI is intended for small office and home usage and uses one 16 Kbps D (Delta) channel and two 64 Kbps B (Bearer) channels. PRI is intended for greater usage and uses one 64 Kbps D channel and 23 B channels of 64 Kbps each. In conjunction with PPP, ISDN allows 128 Kbps by bonding together the two B channels.

Digital Subscriber Line xDSL allows broadband transmission of data up to 53 Mbps over the existing telephone network. There are four primary types of DSL:

Asymmetric Digital Subscriber Line ADSL delivers 1.5-9 Mbps download speed and 16-640 Kbps upload speed up to 18,000 feet from the central office using a single line;

Single-line Digital Subscriber Line SDSL delivers download and upload speeds up to 1.544 Mbps up to 10,000 feet from the central office using a single line;

High-rate Digital Subscriber Line HDSL delivers download and upload speeds up to 1.544 Mbps using two lines, thus allowing full duplex mode up to 12,000 feet from the central office. HDSL allows T1 functionality;

Very-high Digital Subscriber Line VDSL delivers 13-52 Mbps download speed and 1.5-2.3 Mbps upload speed up to 1,000-4,500 feet from the central office using a single line.

Switched Multimegabit Data Service SMDS is a high-speed packet-switching technology for use over public networks. It is for companies that need to send and receive large amounts of data on a bursty basis.

High Speed Serial Interface HSSI provides an extremely fast (53 Mbps) point-to-point connection between devices up to 50 feet apart. It can be used to connect devices at T3 or OC-1 speeds. It is often used for interconnecting LAN equipment for backup and fault tolerant network uses.


WAN DEVICES

WAN devices are:

Routers

WAN switches to connect private data over public circuits

Multiplexors MUXes enable more than one signal to be transmitted simultaneously over a single circuit;

Access Servers Equipment used for dial-in and dial-out access to the network;

Modems To convert between digital and analog signals;

CSU/DSU Channel Service Unit / Data Service Unit: digital devices used to terminate the physical connection of a DTE device to the DCE.

2.7 Providing Remote Access Capabilities

Remote access techniques and technologies are used for telecommuting (a user is called a telecommuter).

CLIENT-BASED DIAL-IN REMOTE ACCESS

Also called dial-in access, this connectivity needs a modem to dial in to the corporate network. Secure connections can be made via the ISP, using POTS (plain old telephone system) and creating a VPN tunnel to a VPN server on the corporate network.

USING TUNNELING AS A SECURITY METHOD

Tunneling is the process of transmitting one protocol encapsulated within another protocol. This can be used to transmit data that might not be supported on the network or to create a secure channel. Tunnels designate two endpoints of communication and then encapsulate the data within some other packet format.

Tunneling techniques include PPTP (Point-to-Point Tunneling Protocol), which provides encryption capabilities. Cisco uses GRE (Generic Routing Encapsulation). IPSec is often used in conjunction with GRE.

VIRTUAL PRIVATE NETWORKS

A VPN is the use of a tunnel or secure channel across the Internet or another public network. The data within the tunnel is encrypted. VPNs are client-based or site-to-site.

Client-based VPNs These VPNs provide remote access to users across the Internet. Users have VPN client software on their PC, which allows them to connect to the network as if they were a (virtual) node on that network.

Site-to-site VPNs This is a (semi-)permanent connection across the Internet between two devices, typically routers or firewalls. Clients do not need to have special software; the secure connection is established by special VPN hardware devices, such as routers. This is known as split tunneling.

VPN devices are either IPSec-compatible or not. IPSec-compatible devices are installed on a network's perimeter using tunnel mode or transport mode. Non-IPSec-compatible devices include SOCKS-based proxy servers, PPTP-compatible devices and devices using SSH.

There are three protocols that provide remote access VPN capabilities:

PPTP A Microsoft-developed technology that provides remote access by encapsulating PPP inside a PPTP packet. It uses the PPP authentication mechanisms of PAP, CHAP or MS-CHAP and encryption (40 or 128 bit session keys). PPTP supports multi-protocol tunneling. PPTP resides on the Data Link layer.

L2TP Layer 2 Tunneling Protocol. Similar to PPTP but supports RADIUS and TACACS for authentication and IPSec and IKE for encryption and key exchange. L2TP supports multi-protocol tunneling. L2TP resides on the Data Link layer.

IPSec This is a network-layer encryption and security mechanism that can be used as a standalone VPN solution or as a component of an L2TP VPN solution. It supports DES (hacked) and 3DES (recommended) as well as 128/160 bit encryption. IPSec further supports the use of AH (Authentication Header) security and ESP (Encapsulation Security Payload). AH secures the IP header; ESP secures the entire packet. IPSec resides on the Network layer.


REMOTE ACCESS AUTHENTICATION

There are three technologies for authentication:

RADIUS A UDP based industry standard for authentication via a client/server model. The user is asked for a name and password which is checked against a database. RADIUS simply allows or denies access.

TACACS an older and end-of-life authentication technology.

TACACS+ Like RADIUS it separates the authentication and authorization capabilities, but it uses TCP for connectivity. Therefore it is regarded to be more reliable than RADIUS.

2.8 Networking Protocols

TCP/IP is a suite of protocols developed by the Department of Defense. It was designed following a four layer architectural model:

OSI model           TCP/IP model
------------------  ------------------------
Application         Application
Presentation
Session
Transport           Transport / Host to host
Network             Internet
Data Link           Network
Physical

Application layer It provides for the application, services and processes that run on a network.

Transport layer The host-to-host layer. It is responsible for handling the end-to-end data delivery on a network.

Internet layer Provides logical addressing and routing of IP datagrams on the network.

Network layer Responsible for the physical delivery of data on the network.

APPLICATION LAYER PROTOCOLS

These protocols are services. Some of the common protocols are:

Bootstrap Protocol BootP provides automatic configuration of diskless workstations by looking up the MAC address in the BootP file. If found, it sends the necessary information to complete the system boot process.

File Transfer Protocol FTP is used to send and receive files between two systems. It provides authentication using clear-text passwords. It doesn't provide for remote execution of programs.

Line Printer Daemon LPD is used in conjunction with LPR (Line Printer Remote) for connecting to network-attached print devices.

Network File System NFS is a file-sharing protocol used in UNIX environments.

Post Office Protocol 3 POP3 provides for the connecting to and receipt of email from a mail server to the email client.

Simple Mail Transfer Protocol SMTP provides for the delivery of email across servers. POP3 is responsible for the receipt of email; SMTP for sending it.

Simple Network Management Protocol SNMP supports the transmission and collection of management information and statistics for network devices. It sends traps whenever a network event occurs. It also allows administrators to make changes on remote systems via set operations. The information that a device can report on is maintained via MIBs (files containing Management Information Bases).

Telnet A command line functionality (terminal-emulation program) used to execute commands and run applications. Not suitable for file transfers.

Trivial File Transfer Protocol TFTP is a subset of FTP for file transfer. It doesn't support authentication or directory browsing and is used for updating the configuration files of routers and switches.

X Windows A protocol that allows remote display of a GUI.

TRANSPORT LAYER PROTOCOLS

The most significant Transport layer protocols are TCP and UDP. Compared with communication between two people, TCP can be seen as using a telephone and UDP as sending a letter. TCP and UDP use port numbers as endpoints of communication.

TCP TCP is responsible for creating connection-oriented, reliable end-to-end communications between host systems. It does this via a series of synchronizations (SYNs) and acknowledgements (ACKs) prior to data transfer. This is called the TCP three-way handshake. It also uses windowing to determine how much data can be sent before an ACK must be received. TCP also uses sequence numbers for the segments it sends.

UDP UDP is responsible for connectionless (doesn't check if a destination is up, just sends), unreliable end-to-end communications between systems. It is used when the receipt of data is not important (streaming audio/video) or when the overhead of ensuring reliable delivery is too high.

TCP                          UDP
---------------------------  ----------------------------
Acknowledged data transfer   Unacknowledged data transfer
Uses sequencing              Does not use sequencing
Connection-oriented          Connectionless
Reliable                     Unreliable
Higher overhead              Lower overhead

TCP/IP protocols are:

Host-to-host Transport Layer Protocols such as TCP and UDP.

Internet Layer Protocols such as IP, ARP/RARP and ICMP.

TCP/IP provides simplex, half-duplex and full-duplex connections.

INTERNET LAYER PROTOCOLS

The Internet layer is TCP/IP. Some common Internet-layer protocols are:

IP Responsible for handling the logical addressing of hosts. IP is considered to be unreliable which is fine because TCP can provide reliability if needed.

Internet Control Message Protocol ICMP is a management and control protocol for IP and is responsible for delivering messages between hosts regarding the health of a network. It is used by IP diagnostic tools such as PING and Traceroute.

ARP The Address Resolution Protocol maps IP addresses to their respective MAC addresses. It issues an ARP broadcast with an IP address, and the host that owns the IP address responds with its MAC address.

Reverse ARP RARP is used to discover the IP address if the MAC address is known. It is used by diskless workstations to get their IP configuration information from a RARP server.
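The ARP and RARP exchanges just described use the same 28-byte packet format, differing only in the operation code. The following is an added example, not code from the guide or this summary: it packs and parses that format with `struct`, then simulates a segment of constructed hosts (documentation addresses, made-up MACs) on which one host resolves another's MAC by broadcast, and a constructed `RarpServer` answers a diskless workstation that knows only its own MAC. A host answers only requests for its own address, and the requester caches only a reply whose sender protocol address matches the address it asked for.

```python
"""ARP and RARP request/reply frames, built and parsed with struct (added example)."""
import struct

# 28-byte ARP body for Ethernet/IPv4: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY, RARP_REQUEST, RARP_REPLY = 1, 2, 3, 4
ZERO_MAC, ZERO_IP = "00:00:00:00:00:00", "0.0.0.0"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(oper, sha, spa, tha, tpa):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(data):
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class Host:
    """A host on one segment with an IP, a MAC and an ARP cache (constructed)."""

    def __init__(self, ip, mac):
        self.ip, self.mac, self.arp_cache = ip, mac, {}

    def handle(self, frame):
        """Answer an ARP request only if it asks for our own IP address."""
        arp = parse_arp(frame)
        if arp["oper"] == ARP_REQUEST and arp["tpa"] == self.ip:
            return build_arp(ARP_REPLY, self.mac, self.ip, arp["sha"], arp["spa"])
        return None

    def resolve(self, target_ip, segment):
        """Broadcast a request to every host on the segment; cache the matching reply."""
        if target_ip in self.arp_cache:
            return self.arp_cache[target_ip]
        request = build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)
        for host in segment:                       # a broadcast reaches every host
            reply = host.handle(request)
            if reply is not None:
                arp = parse_arp(reply)
                if arp["oper"] == ARP_REPLY and arp["spa"] == target_ip:
                    self.arp_cache[target_ip] = arp["sha"]
                    return arp["sha"]
        return None


class RarpServer:
    """RARP server holding a MAC -> IP table for diskless workstations (constructed)."""

    def __init__(self, ip, mac, table):
        self.ip, self.mac, self.table = ip, mac, table

    def handle(self, frame):
        arp = parse_arp(frame)
        if arp["oper"] != RARP_REQUEST:
            return None
        ip = self.table.get(arp["tha"])
        if ip is None:
            return None
        return build_arp(RARP_REPLY, self.mac, self.ip, arp["tha"], ip)


def rarp_lookup(mac, server):
    """A booting workstation knows only its MAC and asks the RARP server for its IP."""
    reply = server.handle(build_arp(RARP_REQUEST, mac, ZERO_IP, mac, ZERO_IP))
    return parse_arp(reply)["tpa"] if reply is not None else None
```

Nothing in the protocol authenticates the reply, which is why the cache check on `spa` is the only validation a plain ARP implementation has; that is the background for the ARP-related attacks covered elsewhere in the guide.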

2.9 Protecting the Integrity, Availability and Confidentiality of Network Data

THE CIA TRIAD

Confidentiality is ensuring that transmitted data can only be read by the intended recipient. Confidentiality can be protected by network security protocols, network authentication services or data encryption services.


Integrity is the assurance that the data that was received is the data that was transmitted. Techniques are nonrepudiation (3), firewall systems, communication security and intrusion detection systems.

Availability is a concept that can be applied to create reliability and stability of network systems and applications. It ensures that data is available when required. Techniques are fault tolerance of disks, systems and backups, acceptable log-in and process performance, and reliable and functional security processes and mechanisms.

SECURITY BOUNDARIES AND TRANSLATING SECURITY POLICY TO CONTROLS

There are three major groupings of networks:

External subnets Containing those resources that the administrator has no control over (Internet). Systems connected to the boundary must be hardened (run the bare minimum of services and applications).

Internal subnets Containing those resources that the administrator has control over. The key to securing internal subnets is the separation of resources, auditing of transactions and the definition of an enforceable security policy.

Screened subnets Also referred to as DMZ, these are used to provide limited access to external users. An example is allowing external access to a server on port 80 but preventing other external access by packet filtering.

Type enforcement is about grouping processes into domains and types based on least privilege. You group resources based on how they can be used and by whom. Access is only granted to users who need the data. These groups of resources can further be separated onto different servers and subnets to provide for granular audit and access control.

TRUSTED NETWORK INTERPRETATION

The DoD developed a series of books, the Rainbow Series, of which the Orange Book is well known. The Orange Book defines the TCSEC (Trusted Computer Security Evaluation Criteria). The other books expound upon the concepts described in this book. See paragraph TCSEC: The Orange Book and the Rainbow Series on page 6-4 for a detailed description.

A security policy should:

Clearly define what is and is not permitted by both users and administrators;

Serve as the guideline for defining the types of resources and access that users require to those resources;

Define the procedures that should be followed in the event of a compromise.

NETWORK LAYER SECURITY PROTOCOLS

Though encryption occurs at the Presentation layer, protocols have been designed to provide this functionality at the Network layer:

IPSec IPSec offers two choices of security: AH and ESP. AH (Authentication Header) authenticates the sender, but the payload is not encrypted. ESP (Encapsulating Security Payload) also authenticates the sender but also encrypts the payload. Key management is handled by the ISAKMP/Oakley protocol. IPSec functions in tunnel and transport mode. Tunnel mode is used to encapsulate the entire original IP datagram in situations where the datagrams are sourced from or destined to systems that do not use IPSec (e.g. in the case of a VPN). Transport mode encapsulates the upper layer (Transport layer and above) data of the original packet and is used in cases where the end points of communication both support IPSec.

A drawback of IPSec is that it is largely incompatible with NAT because IPSec requires that data integrity not be compromised and NAT translates data mid-stream between hosts. Because source addresses are changed, the data is dropped. A workaround is encapsulating IPSec traffic in TCP or UDP.
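Why NAT breaks AH but not ESP, and why UDP encapsulation is a workaround, follows directly from what each header's integrity check covers. The block below is an added example, not code from the guide or this summary; it models only the integrity check (HMAC-SHA256 standing in for the SA's integrity algorithm, ESP's encryption left out) and uses a constructed key and constructed packets as dictionaries. AH covers the IP header minus mutable fields such as TTL plus the whole payload, so a router hop is fine but a NAT rewrite of the source address fails verification; ESP's ICV covers SPI, sequence number and payload only, so it survives NAT; and wrapping an AH packet in an outer IP/UDP packet leaves the inner header untouched for NAT to rewrite the outer one.

```python
"""AH versus ESP integrity coverage, and why NAT breaks AH (added example)."""
import hashlib
import hmac

SA_KEY = b"constructed-sa-integrity-key"   # integrity key of the security association (constructed)


def _icv(key, data):
    """Integrity Check Value: HMAC-SHA256 stands in for the SA's integrity algorithm."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ah_covered_bytes(pkt):
    """AH authenticates the IP header (mutable fields such as TTL zeroed) plus the whole payload."""
    return f"{pkt['src']}|{pkt['dst']}|ttl=0|".encode() + pkt["payload"]


def esp_covered_bytes(pkt):
    """ESP's ICV covers SPI, sequence number and payload; the outer IP header is not covered."""
    return (b"spi=" + pkt["spi"].to_bytes(4, "big") + b"|seq=" + pkt["seq"].to_bytes(4, "big")
            + b"|" + pkt["payload"])


def protect_ah(pkt, key=SA_KEY):
    return dict(pkt, icv=_icv(key, ah_covered_bytes(pkt)))


def protect_esp(pkt, key=SA_KEY):
    # ESP would also encrypt the payload; only the integrity part is modelled here.
    return dict(pkt, icv=_icv(key, esp_covered_bytes(pkt)))


def verify_ah(pkt, key=SA_KEY):
    return hmac.compare_digest(pkt["icv"], _icv(key, ah_covered_bytes(pkt)))


def verify_esp(pkt, key=SA_KEY):
    return hmac.compare_digest(pkt["icv"], _icv(key, esp_covered_bytes(pkt)))


def router_hop(pkt):
    """A plain router only decrements TTL, a mutable field AH deliberately excludes."""
    return dict(pkt, ttl=pkt["ttl"] - 1)


def nat_rewrite(pkt, public_src):
    """A NAT device rewrites the source address of whatever IP header it sees (and decrements TTL)."""
    return dict(pkt, src=public_src, ttl=pkt["ttl"] - 1)


def udp_encapsulate(pkt, outer_src, outer_dst):
    """The workaround from the text: carry the IPSec packet inside an outer IP/UDP packet.
    UDP port 4500 is the port registered for IPsec NAT traversal."""
    return {"src": outer_src, "dst": outer_dst, "ttl": 64, "udp_dport": 4500, "inner": pkt}
```

The same model also shows what AH buys over ESP: a change to the destination address is caught by AH and not by ESP, which is the header-protection trade-off the two choices represent.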

SWIPE SWIPE is the predecessor of IPSec and provides encryption at the Network layer by encapsulating the packet within a SWIPE packet. It does not have policy or key management functionality.

Simple Key Management for Internet Protocol SKIP is a stateless Network layer encryption mechanism, primarily for SUN Solaris environments.

(3) Nonrepudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. See also Nonrepudiation on page 3-2.


(1) According to the DoD these protocols reside within the Application layer.

TRANSPORT LAYER SECURITY PROTOCOLS

A well known security protocol is SSL (Secure Socket Layer) which is supported by firewalls and tunneling. It provides data encryption, server authentication, data integrity and optional client authentication via TCP/IP. It is primarily used for HTTP-traffic and securing the communications between Web browsers and Web servers. SSL uses digital certificates for server authentication, encryption for transmission privacy and end-to-end connections to ensure data integrity.

TLS (Transport Layer Security) is the successor to SSL. Though built on SSL 3.0, it does not support SSL directly.

APPLICATION LAYER SECURITY PROTOCOLS

For securing email the following protocols are widely used:

S/MIME Secure / Multipurpose Internet Mail Extensions. Based on MIME and RSA encryption to secure email transmissions, it provides for cryptographic security through MIME encapsulation of digitally signed and encrypted objects. It ensures that authentication, nonrepudiation, message integrity and confidentiality occur.

PEM Privacy Enhanced Mail. PEM provides for message encryption and authentication by using symmetric (secret-key) and asymmetric (public-key) encryption methods for the encryption of data encryption keys. It is rarely used.

For securing financial transactions the SET protocol can be used.

SET Secure Electronic Transmission is a framework for protection against credit card fraud. It uses a PKI (Public Key Infrastructure) to provide for the confidentiality and integrity of the cardholder data, while at the same time providing for the authentication of the card.

NETWORK MONITORING AND PACKET SNIFFERS

Packet sniffing is the capturing of data on a network segment. A packet sniffer can be used to observe the traffic patterns that software uses, and that information can then be used to configure perimeter security devices (pattern-based application recognition).

INTRUSION DETECTION

Intrusion detection is the process of monitoring systems for evidence of an intrusion or misuse. Intrusion Detection Systems (IDSs) are responsible for performing the following tasks:

Monitoring and analyzing user, system and network access

Auditing system configurations and vulnerabilities

Assessing the integrity of system and data files

Recognizing activity patterns that would seem to indicate an incident

Analyzing abnormal use patterns


Operating system auditing

Automatic patching of vulnerable systems through recovery actions and scripting (*)

Installing and monitoring decoy servers to gather information (*)

(*) Only with advanced IDSs.

IDSs are classified along two axes: network-based versus host-based (server-based), and knowledge-based versus behavior-based.

Network-based IDSs

These IDSs analyze packets in real time against a database of known attack patterns and are typically deployed to monitor traffic on a network segment.

Host-based IDSs

These IDSs are often system-centric in their design. Most host-based IDSs are designed to monitor logins and processes, typically by auditing system logs. They are designed to identify inappropriate activity on the host system only and are agent-based (an agent is required to be running on the monitored system). As a result, host-based IDSs can be difficult to deploy and manage.

Knowledge-based IDSs

These IDSs are network- or host-based. They maintain a database of known attacks and vulnerabilities and detect whether attempts to exploit these vulnerabilities are occurring. Knowledge-based IDSs are sometimes referred to as signature-based.

Benefits of knowledge-based IDSs are:
- Low degree of false positives;
- Alarms are easy to understand.

Drawbacks are:
- Resource intensive because the signature database must be constantly updated;
- New attacks can go unnoticed because of outdated signature files.

Behavior-based IDSs

These IDSs are more complex than knowledge-based IDSs because they are capable of learning. They are sometimes referred to as anomaly-based IDSs.

Benefits of behavior-based IDSs are:
- Systems can dynamically respond to new, original or unique exploits and attacks;
- Not dependent on specific operating systems.

Drawbacks are:
- High rates of false alarms are very common;
- In environments where the usage patterns of users and network resources frequently change, the IDS is unable to establish a baseline of normal behavior against which to measure deviations.

Active IDSs check for attacks in real time; passive IDSs analyze logs after the fact.
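The two detection approaches described above, as an added example that is not part of the original guide: a small knowledge-based (signature) detector and a behavior-based (anomaly) detector run over constructed web server log lines. The log format, the signature database, the addresses and the request volumes are all constructed for this illustration.

```python
# Added example, not from the CISSP guide: a knowledge-based (signature)
# detector and a behavior-based (anomaly) detector run over constructed web
# server access log lines, to show what each one catches and misses.
import re
import statistics
from collections import Counter

# Constructed log format: "<timestamp> <source ip> <method> <path> <status>"
def parse_line(line: str) -> dict:
    ts, src, method, path, status = line.split()
    return {"ts": ts, "src": src, "method": method, "path": path, "status": int(status)}

# Knowledge-based IDS: a small signature database of known attack patterns.
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)union\s+select"),
}

def signature_alerts(lines):
    """Return (source, signature name) for every line that matches a signature."""
    alerts = []
    for rec in map(parse_line, lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name))
    return alerts

# Behavior-based IDS: learn a baseline of requests per source from a quiet
# period, then flag sources whose volume deviates by more than k std. devs.
def learn_baseline(lines):
    counts = Counter(parse_line(line)["src"] for line in lines)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)

def anomaly_alerts(lines, baseline, k: float = 3.0):
    mean, stdev = baseline
    counts = Counter(parse_line(line)["src"] for line in lines)
    return sorted(src for src, n in counts.items() if n > mean + k * stdev)

def make_lines(src: str, n: int, path: str = "/index.html"):
    """Constructed ordinary-looking requests from one source."""
    return [f"2024-01-10T10:00:{i % 60:02d} {src} GET {path} 200" for i in range(n)]

# Constructed training window: five ordinary sources, 3 to 5 requests each.
TRAIN_LINES = [line for i, n in enumerate([3, 4, 3, 5, 4])
               for line in make_lines(f"192.0.2.{i + 1}", n)]

# Constructed detection window.
DETECT_LINES = (
    make_lines("192.0.2.1", 4)                                   # normal user
    + ["2024-01-10T10:05:00 198.51.100.5 GET /static/../../private/config.txt 404"]  # known pattern, one request
    + make_lines("203.0.113.9", 40, path="/search?q=report")     # matches no signature, abnormal volume
)
```

The signature detector catches the known pattern from a single request, which the anomaly detector never sees as unusual; the anomaly detector flags the high-volume source that matches no signature, and would equally flag a legitimately busy client, which is the false-alarm drawback noted above.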

INTRUSION RESPONSE

Intrusion Response occurs after an event has been detected. It is often defined as part of the responsibilities of a CIRT. The primary task of a CIRT is to define and execute the company's response to an incident via a process known as Incident Response Management. The CIRT response consists of the following:

Coordinate how the notification and distribution of incidents should occur. There should be a defined escalation path.

Mitigate the risk of an incident by minimizing disruptions and the costs involved in remediating the incident.

Assemble teams of people to investigate and resolve potential incidents.

Provide active input in the design and development of the company security policy.

Manage and monitor logs.

Manage the resolution of incidents, including post mortems of incidents.

NETWORK ADDRESS TRANSLATION

Typically NAT translates each internal address to a unique external address (one to one mapping). PAT (Port Address Translation) performs one to many mapping by using unique port numbers.

Inbound NAT is used to provide access to internal resources, in conjunction with policy routing. The administrator creates a table in which an entry maps the externally used IP address to the internally used IP address (the system that provides a service). Inbound NAT can also be used with PAT.


Because NAT can hide the internal IP addresses, it provides a (light) degree of security. Effectively NAT provides a boundary between networks. It does not protect against spoofing. Therefore NAT is nothing more than one component of a security solution.

Another drawback is the incompatibility with many types of encryption. NAT receives a packet, builds a new packet and sends it to the host. A response from the host is translated and sent to the original requestor. Because many encryption methods do not allow manipulation of the data, the packet is rejected, unless the NAT device is configured not to translate it. Another alternative is to encapsulate the encrypted data in TCP or UDP before sending it.

PUBLIC AND PRIVATE IP ADDRESSES

There are five blocks of IP addresses reserved by the IANA (Internet Assigned Numbers Authority):

Class  Public IP ranges
A      1.0.0.0 to 9.255.255.255 and 11.0.0.0 to 126.255.255.255
B      128.0.0.0 to 171.255.255.255 and 173.0.0.0 to 191.255.255.255
C      192.0.0.0 to 195.255.255.255 and 197.0.0.0 to 223.255.255.255
D      224.0.0.0 to 239.255.255.255 (multicast IP addresses)
E      248.0.0.0 to 255.255.255.255 (experimental use)

Three blocks of IP addresses are reserved for private network use:

10.0.0.0 to 10.255.255.255

172.16.0.0 to 172.31.255.255

192.168.0.0 to 192.168.255.255

Available IP addresses are:

127.0.0.0 to 127.255.255.255 (loopback IP-addresses)

224.0.0.0 to 243.255.255.255

240.0.0.0 to 247.255.255.255
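The NAT, PAT and private-address material above, as an added example that is not from the guide: a model of an outbound PAT table (one public address, unique port per internal flow), a static inbound NAT entry for a published service, and a classifier for the private, loopback and multicast blocks listed above. The gateway class, the packet record and all addresses (taken from the documentation ranges) are constructed for the illustration, not the behaviour of any particular product.

```python
# Added example, not from the CISSP guide: a minimal outbound PAT table and a
# static inbound NAT entry, plus a classifier for the private, loopback and
# multicast blocks listed above. All addresses are constructed sample values
# (documentation ranges), and the gateway is a model, not a real NAT device.
import ipaddress
from dataclasses import dataclass

PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")   # 224.0.0.0 to 239.255.255.255

def address_kind(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if any(addr in block for block in PRIVATE_BLOCKS):
        return "private"
    if addr in LOOPBACK:
        return "loopback"
    if addr in MULTICAST:
        return "multicast"
    return "public"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class PatGateway:
    """One public address shared by many internal hosts (one-to-many mapping)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (internal ip, port) -> translated public port
        self.inbound = {}    # translated public port -> (internal ip, port)
        self.static = {}     # public port -> (internal ip, port): inbound NAT table

    def publish(self, public_port: int, internal_ip: str, internal_port: int):
        """Administrator-created inbound NAT entry for a published service."""
        self.static[public_port] = (internal_ip, internal_port)

    def translate_out(self, pkt: Packet) -> Packet:
        if address_kind(pkt.src) != "private":
            raise ValueError(f"{pkt.src} is not a private address")
        key = (pkt.src, pkt.sport)
        if key not in self.outbound:          # new flow: allocate a unique port
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst, pkt.dport)

    def translate_in(self, pkt: Packet):
        """Map a packet arriving on the public side back to an internal host,
        or return None (dropped) when no dynamic or static entry matches."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.dport in self.inbound:
            ip, port = self.inbound[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port)
        if pkt.dport in self.static:
            ip, port = self.static[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port)
        return None
```

Unsolicited inbound packets that match neither a flow the gateway created nor a static entry are dropped, which is the "light" boundary the text refers to; nothing here checks that the outer source address is genuine, which is why NAT does not protect against spoofing.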

TRANSPARENCY

Transparency is the ability of a device to not appear to exist. By not responding to illegal requests, an attacker doesn't know what kind of device exists at a given IP address.

Another method of transparency is to configure a device to receive packets but not to be able to send them (as with IDSs).

HASH TOTALS

Hashing is the process of assigning a value to represent an original data string. That value is the hash total. An example of the use of hash totals is Windows authentication: the client generates a hash total based on the password and sends it to the domain controller for validation against a database of hash totals.
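A hash total put to both of its common uses, as an added example that is not from the guide: checking that a data string is unaltered, and validating a password against a stored hash without keeping the password itself. The password side uses salted PBKDF2 on the server, a stronger arrangement than the bare password hash sent over the network in the Windows scheme described above; the sample data is constructed.

```python
# Added example, not from the CISSP guide: a hash total used two ways, to
# check that a data string is unaltered and to validate a password against a
# stored hash. Password hashing is salted PBKDF2 on the server side, rather
# than a bare password hash sent over the network. Sample data is constructed.
import hashlib
import hmac
import os

def hash_total(data: bytes) -> str:
    """The hash total: a fixed-size value that represents the original data."""
    return hashlib.sha256(data).hexdigest()

def integrity_ok(data: bytes, expected_total: str) -> bool:
    """Recompute the hash total and compare in constant time."""
    return hmac.compare_digest(hash_total(data), expected_total)

ITERATIONS = 200_000   # work factor; slows down offline guessing of the stored hash

def store_password(password: str, salt: bytes = b"") -> dict:
    """What the authentication database keeps: a per-user salt and the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def check_password(password: str, record: dict) -> bool:
    """Validate a presented password against the stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])
```

Because the salt is random per user, two users with the same password get different stored hashes, and a stolen table cannot be attacked with one precomputed list; the constant-time comparison avoids leaking how many leading bytes matched.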

EMAIL SECURITY

SMTP servers should not permit relaying of mail, because spammers look for such servers to send bulk mail. If relaying is permitted, your server may be added to various blacklists of Internet servers, and other email servers will not accept mail from blacklisted servers.

FACSIMILE AND PRINTER SECURITY

One should think carefully about the use of printers and fax machines. Often they are shared by several employees, but it may be better to place them in separate rooms with restricted access. The best way to handle the disposal of documents is to burn them.

COMMON ATTACKS AND COUNTERMEASURES

There are six classifications of network abuse: Class A through Class F abuses.


Class A Abuses A class A network abuse is the result of unauthorized network access through the circumvention of security access controls. This is sometimes referred to as logon abuse. Techniques for class A network abuses are:

Social Engineering

Brute force

Class B Abuses A class B network abuse is defined by non-business use of systems. Examples are visiting unauthorized websites or using company resources for personal benefit. An acceptable use policy (AUP) and an enforceable security policy are an effective way to handle class B network abuses. Types of this kind of abuse are:

PBX fraud and abuse

Email and Internet abuse

Class C Abuses Class C network abuses are identified by the use of eavesdropping techniques. Examples are:

Network sniffing

Dumpster diving (going through the trash)

Keystroke recording

Class D Abuses A class D network abuse is identified by denial of service saturation of network devices and resources. Examples are:

SYN flooding

Buffer overflows

Teardrop attacks The use of overlapping IP fragments

LAND attacks A packet with the same source and destination IP address

SMURF attacks Sending spoofed ICMP echo requests to a network broadcast address

DDoS attacks Multiple hosts attacking one device and using all its bandwidth

Class E Abuses A class E network abuse is defined by network intrusion and prevention. Examples are:

Spoof attacks An attacker appearing to be something other than he is. A common spoof attack is an ARP redirect in a switched environment.

Trojans

Viruses and worms

Back doors The only remedy is a format and complete rebuilding

TCP hijacking Inserting TCP packets by using the sequence numbers.

Piggy-backing The process of using a legitimate user's connection to gain access to a system (e.g. by using connections that were left open or not correctly closed)

Class F Abuses A class F network abuse refers to probing attacks. First information is gathered about the network. Examples are:

Port scans

Banner abuse Many services use banners that include information about the type of system the service is running on, for example HTTP, FTP and SMTP banners. This information can be used to determine the types of exploits to which a system might be vulnerable.

Sniffing

2.10 Fault Tolerance and Data Restoration

Reliability of data can be handled through the use of redundant array of inexpensive disks (RAID). There are five levels of RAID:

RAID 0

Creates one large disk by using several disks. Used to improve performance by simultaneous reads and writes through striping of data across multiple disks. It provides no fault tolerance.

RAID 1

Mirroring: data on one disk is duplicated on another disk. Fairly expensive because it requires double the amount of storage.

RAID 2

No longer in use. Used multiple disks and parity information. It consists of bit-interleaved data on multiple disks. Parity information is created using a Hamming code. There are 32 disks used for storage and 7 for parity.


RAID 3

Similar to RAID 0 but now uses parity information. Performs byte-level striping. Parity information is stored on a specific parity drive.

RAID 4

As RAID 3 but it performs block level striping across multiple drives.

RAID 5

Stripes data and parity at the block level across all drives, using interleaved parity for data re-creation. Reads and writes can be performed simultaneously, offering very good performance.

RAID 7 A variation of RAID 5 wherein the array functions as a single virtual disk in the hardware.
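The parity mechanism that RAID 3, 4 and 5 rely on for data re-creation, as an added example that is not from the guide: data is striped in blocks across the drives, one XOR parity block is written per stripe, and a failed drive is rebuilt from the survivors. Parity rotates across the drives as in RAID 5 (RAID 3 and 4 keep it on one dedicated drive); the data, drive count and block size are constructed.

```python
# Added example, not from the CISSP guide: block-level striping with XOR
# parity, the mechanism RAID 3, 4 and 5 rely on for data re-creation. Parity
# here rotates across the drives as in RAID 5 (RAID 3/4 keep it on one
# dedicated drive). The data and drive layout are constructed.

def xor_blocks(blocks):
    """XOR equal-sized blocks together; this is the parity calculation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)

def stripe(data: bytes, n_drives: int, block_size: int):
    """Distribute data over n_drives, with one parity block per stripe."""
    n_data = n_drives - 1
    stripe_bytes = block_size * n_data
    data += b"\0" * ((-len(data)) % stripe_bytes)     # pad the last stripe
    drives = [[] for _ in range(n_drives)]
    for s in range(len(data) // stripe_bytes):
        chunk = data[s * stripe_bytes:(s + 1) * stripe_bytes]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(n_data)]
        parity_drive = s % n_drives                   # RAID 5: rotate the parity drive
        blocks_iter = iter(blocks)
        for d in range(n_drives):
            drives[d].append(xor_blocks(blocks) if d == parity_drive else next(blocks_iter))
    return drives

def rebuild_drive(drives, lost: int):
    """Re-create every block of a failed drive from the surviving drives.
    XOR of all blocks in a stripe is zero, so XOR of the survivors is the
    missing block, whether it held data or parity."""
    survivors = [d for i, d in enumerate(drives) if i != lost]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]

def read_data(drives, length: int) -> bytes:
    """Read the logical data back, skipping the parity block of each stripe."""
    n_drives = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        for d in range(n_drives):
            if d != s % n_drives:
                out += drives[d][s]
    return bytes(out[:length])
```

One lost drive of any kind is recoverable; losing two drives in the same stripe set is not, because a single parity block only encodes one unknown, which is the limit of this scheme.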

Clustering technologies are used to prevent a server from failing entirely. There are two types of clustering concepts:

Data clustering

Two data servers are configured exactly the same; one is the mirror of the other. There is a fail-over link between the 2 servers.

Network services clustering or Server clustering

Load balancing. Used to improve system performance by distributing network requests among multiple servers that have the same functionality.

Of course you need data backups. Popular backup methodologies are:

Full backup

All data is saved every time. Can cost a lot of time and tapes.

Incremental backup Backing up only the changed and added files.

Differential backup

All files that have changed since the last full backup are backed up. You only need the full backup tape and the last differential backup tape.
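The three backup methodologies side by side, as an added example that is not from the guide: a simulator that records which files each full, incremental or differential run copies and which tapes a restore then needs. Change detection uses file modification times (real tools use an archive bit or mtime); the file history is constructed.

```python
# Added example, not from the CISSP guide: which files a full, incremental or
# differential run copies, and which tapes a restore needs afterwards.
# Change detection uses modification times; the file history is constructed.

class BackupSchedule:
    def __init__(self, strategy: str):
        if strategy not in ("full", "incremental", "differential"):
            raise ValueError(strategy)
        self.strategy = strategy
        self.mtime = {}        # file name -> time of last modification (acts as version)
        self.last_full = None  # time of the last full backup
        self.last_run = None   # time of the last backup of any kind
        self.runs = []         # tapes: (time, kind, {file: version})

    def modify(self, t: int, *names: str):
        for name in names:
            self.mtime[name] = t

    def backup(self, t: int) -> set:
        """Run one backup at time t; the first run is always a full backup."""
        kind = "full" if self.last_full is None else self.strategy
        if kind == "full":
            copied = dict(self.mtime)
        elif kind == "incremental":   # changed since the previous run of any kind
            copied = {n: m for n, m in self.mtime.items() if m > self.last_run}
        else:                          # changed since the last full backup
            copied = {n: m for n, m in self.mtime.items() if m > self.last_full}
        self.runs.append((t, kind, copied))
        if kind == "full":
            self.last_full = t
        self.last_run = t
        return set(copied)

    def tapes_for_restore(self):
        """Indexes of the tapes needed to restore the most recent state."""
        last_full = max(i for i, r in enumerate(self.runs) if r[1] == "full")
        last = len(self.runs) - 1
        if self.strategy == "incremental":        # full plus every incremental since
            return list(range(last_full, last + 1))
        if self.strategy == "differential":       # full plus the last differential only
            return [last_full] + ([last] if last > last_full else [])
        return [last_full]

    def restore(self) -> dict:
        state = {}
        for i in self.tapes_for_restore():
            state.update(self.runs[i][2])         # later tapes overwrite earlier versions
        return state

def simulate(strategy: str):
    """One full backup followed by three days of changes and backups."""
    sched = BackupSchedule(strategy)
    sched.modify(0, "a", "b", "c")
    sched.backup(0)
    copied = []
    for day, changed in ((1, ("a",)), (2, ("b",)), (3, ("a",))):
        sched.modify(day, *changed)
        copied.append(sched.backup(day))
    return sched, copied
```

The trade-off the text describes shows up directly: incremental runs copy the least each day but a restore needs every tape since the full backup, while differential runs grow each day and a restore needs only two tapes.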

Backup-media:

Digital audio tape (DAT) Cheap and compact; max. 40 GB

Quarter-inch cartridge (QIC) 50 GB (most systems 8 GB)

8mm tape Older system; replaced by DLT

Digital linear tape (DLT) 4 mm tape; up to 320 GB; very fast

CD/DVD Widely used for desktop backup

Zip For desktop backup; up to 250 MB

Tape array Cluster of 32-62 tape drives; RAID fashion

Hierarchical storage management (HSM) Methodology for backing up and restoring data in an enterprise.

Identity Management Identity management is a general term that encompasses technologies including password management (synchronization and self-reset), user provisioning and access management. It enables and maintains user access to network resources. This includes the creation of the user entity (functionality typically found in human resource applications), authorization and permissions (SSO and password management functionality), and a single point of administration for provisioning and deprovisioning accounts.

2.11 Addendum

Data transmission methods:

Asynchronous Data transmission method using a start bit at the beginning of the data value and a stop bit at the end.

Synchronous A message-framed transmission method that uses clock pulses to match the speed of data transmission.

Isochronous Synchronous data transmission without a clocking source, with the bits sent continuously and no start or stop bits.

Plesiochronous A transmission method that uses more than one timing source, sometimes running at different speeds. It requires master and slave clock devices.

The enforced path refers to the limitations for network access to users. Individuals are authorized access to resources on a network through specific paths. The user is not authorized to access a resource through a different route. VPN is an example of an enforced path.


3 Security Management and Practices

3.1 Defining Security Principles

CIA: INFORMATION SECURITY'S FUNDAMENTAL PRINCIPLES

The building blocks, or primitives, of any security program, based on the questions "What do we protect, why, and how?", are:

Confidentiality

Integrity

Availability

Confidentiality describes the secrecy of the information asset. It is about determining the level of access in terms of how and where the data can be accessed. This can be classified by a degree of confidentiality.

Protections however are as good as the security program itself. Therefore you must pay attention to the tools used, install safeguards (such as encryption) and be aware of social engineering techniques (which require a high level of user awareness).

Integrity justifies the cost of collecting and maintaining the data. You should put mechanisms in place to prevent attacks on the storage of data (contamination) and on its transmission (interference). Protecting data involves both storage and network mechanisms.

There are malicious and non-malicious attacks on the integrity of data. The first kind are viruses, back doors and logic bombs. Non-malicious attacks are caused by users entering invalid or inaccurate data, not following the procedures, or using the wrong programs to access data. You have to give users awareness training, and programs should be tested before they are placed on the network. In network environments, data can be encrypted to prevent its alteration.

Availability is the ability of users to access an information asset. The organizational policies should specify various controls and procedures to help maintain availability.

PRIVACY

Privacy relates to all the elements of the CIA-triad. It considers which information can be shared with others (confidentiality), how that information can be accessed safely (integrity), and how it can be accessed (availability).

Several laws and acts, such as the U.S. Federal Privacy Act (1974) and the Health Insurance Portability and Accountability Act (HIPAA), pay attention to this issue. However, laws and regulations have difficulty keeping up with the technology.

Therefore organizations should look at the privacy of their own information assets. They should have a privacy statement that reflects how the data is handled and that makes available to users which information is being collected.

IDENTIFICATION AND AUTHENTICATION

Information security is the process of managing the access to resources. If an entity requires access to an information resource, you must identify it (identification) and verify that the entity is who it claims to be (authentication). In most cases this is a two-step process.

The first step is identification. Identifiers can be public or private and are tied directly to the entity. Normally a username is used.

The second step is authentication. There are three types of authentication:

What the entity knows A PIN or password

What the entity has An access card, a smart card or token

Who or what the entity is Usually identified through biometrics

If two or more are used, it is called strong authentication.

Passwords and PINs are the most common forms of authentication. They are also the weakest link, because users tend to create easily guessed passwords. Password management tries to strike a balance between creating passwords that cannot be guessed and passwords that users don't need to write down. Methods for password management are:

Password generators Usually third party products which create passwords out of random characters.

Password checkers Tools that check passwords for their probability of being guessed.

Limiting login attempts Setting a threshold for login failures after which an account is locked.

Challenge-Response Cognitive passwords. Uses randomly selected questions which the user has to answer; normally used by voice response systems.

Token devices come in two versions: synchronous and asynchronous. Synchronous token devices are time-based and generate a value that is valid for a set period of time. An asynchronous token device uses a challenge-response mechanism to determine whether the user is valid. The server displays a challenge, the user enters that challenge into the token device, which generates a token value. This value is entered by the user, after which the server verifies the value with an authentication server.

Cryptographic keys combine the concepts of something you have and something you know. The user has a private key that is used to sign a common hash value that is sent to the authentication server. To strengthen the authentication process, the user is asked to enter a PIN or passphrase that is also added to the hash.
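The two token-device styles described above, as an added example that is not from the guide: both sides of the exchange are modelled with an HMAC over a secret shared between the token and the authentication server. The synchronous token hashes the current time step, so its value is valid for one set period; the asynchronous token hashes a challenge the server issued, and the server accepts each challenge only once. The secret, the time values, the step length and the truncation to six digits are constructed simplifications, not a standards-conformant OTP implementation.

```python
# Added example, not from the CISSP guide: a synchronous (time-based) token
# and an asynchronous (challenge-response) token, both derived from an HMAC
# over a shared secret. Secret and time values are constructed; the scheme is
# a simplified illustration, not a standards-conformant OTP implementation.
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # validity period of one synchronous token value
DIGITS = 6

def _truncate(digest: bytes) -> str:
    """Reduce a MAC to a short decimal code that a user can type."""
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)

def _code_for_counter(secret: bytes, counter: int) -> str:
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest())

# Synchronous token: token and server both derive the code from the clock.
def sync_code(secret: bytes, now: int) -> str:
    return _code_for_counter(secret, now // STEP_SECONDS)

def sync_verify(secret: bytes, code: str, now: int, drift_steps: int = 1) -> bool:
    """Server side: accept the current step plus a small clock-drift window."""
    counter = now // STEP_SECONDS
    return any(hmac.compare_digest(code, _code_for_counter(secret, c))
               for c in range(counter - drift_steps, counter + drift_steps + 1))

# Asynchronous token: the user types the server's challenge into the token.
def token_response(secret: bytes, challenge: str) -> str:
    return _truncate(hmac.new(secret, challenge.encode(), hashlib.sha256).digest())

class ChallengeServer:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = set()   # challenges issued but not yet answered

    def issue(self) -> str:
        challenge = secrets.token_hex(8)
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self.pending:
            return False              # unknown or already used: a replay is rejected
        self.pending.discard(challenge)
        return hmac.compare_digest(token_response(self.secret, challenge), response)
```

The drift window is the synchronous design's weak spot: widening it makes a captured code usable for longer, which is why the asynchronous variant, with its single-use challenge, is preferred where a captured value must not be replayable.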

NONREPUDIATION

Nonrepudiation is the ability to ensure the authenticity of a message by verifying it using the message's digital signature. You can verify the signature with the public key obtained from a trusted certification authority (CA).

ACCOUNTABILITY AND AUDITING

System events can be tracked by using audit records. Systems and security administrators use these records to:

Produce usage reports;

Detect intrusions or attacks;

Keep a record of system activity for performance tuning;

Create evidence.

Accountability (4) is created by logging the system events together with the information from the authenticated users, including all necessary information such as date, time and network addresses. If you set up auditing, you have to decide how much information you want to gather by defining a threshold or clipping level.

The auditing of systems requires active monitoring (such as keystroke monitoring) and passive monitoring (examining audit data).

It is important to protect the integrity of the audit data. Not only for the analysis of this data, but also for law enforcement. For use of this data in legal proceedings you must prove that the integrity of the data has been maintained and there was no possibility for it to be altered. This is called proving the chain of custody.

3.2 Security Management Planning

Before information security policies can be created, management should plan a risk analysis of the information assets. A risk analysis identifies the assets, determines the risks to them and assigns a value to their potential loss. Using this, management can make decisions on the policies that best protect those assets by minimizing or mitigating the risks.

3.3 Risk Management and Analysis

Risk management is the process of assessing risk and applying mechanisms to reduce, mitigate or manage risk to the information assets. Its purpose is not to create a totally secure environment but to define where risks exist, the probability that they occur, the damage that they cause and the costs of securing the environment.

(4) The principle that individuals, organizations and the community are responsible for their actions and may be required to explain them to others.

It is not possible, or too expensive, to reduce all risks to zero. You must look at the likelihood of each risk and either look for other mitigations or accept it as a potential loss.

When assessing risks, you must consider the types of loss (risk category) and how the risk may occur (risk factor).

The risk categories are:

Damage A physical loss of an asset or the inability to access it

Disclosure Disclosing critical information

Losses Permanent or temporary loss of data.

The risk factors are:

Physical damage

Malfunctions

Attacks

Human errors

Application errors

RISK ANALYSIS

Risk analysis identifies the risks, quantifies the impact and assesses a cost for mitigating the risk. It also assesses the possibility that the risk will occur in order to weigh the cost of mitigation. Risk analysis consists of three steps:

1. Asset identification and valuation
2. Risk assessment and analysis
3. Select and implement countermeasures

On completion of the risk analysis the risk manager performs a cost-benefit analysis (CBA) comparing safeguards or the costs of not adding safeguards. Costs are given as an annualized cost and are weighed against the likelihood of occurrence. As a rule, safeguards are not employed when the costs outweigh the potential loss.

In fact you can do three things:

1. Do nothing and accept the risk
2. Reduce the risk by implementing countermeasures and accept the residual risk
3. Transfer the risk to an insurance company

IDENTIFYING THREATS AND VULNERABILITIES

The risk analysis should identify the threats and vulnerabilities that could occur. As environments can be very complex, a vulnerability in one area of the business could easily affect another area of the business. This is called a cascading error. These errors may be caused by malicious attacks or by errors in processing (called illogical processing).

Identifying the threats to assets is the process of identifying the threat agents. These are what cause the threats by exploiting vulnerabilities, and they can be human, programmatic or a natural disaster. After the threat agents, vulnerabilities and risks have been identified, the risk analysis concentrates on the loss potential: what the loss would be if the threat agent is successful in exploiting a vulnerability. This should include the delayed loss, the amount of loss that can occur over time. Think of loss in productivity, loss of clients and business, et cetera.

ASSET VALUATION

Assets and risk can be valued the quantitative way (money) and the qualitative way (ranking threats and the effectiveness of countermeasures). The steps in a risk assessment are:

1. Identify the assets
2. Assign values to the assets
3. Identify the risks and threats corresponding to each asset
4. Estimate the potential loss from that risk or threat
5. Estimate the possible frequency of the threat occurring
6. Calculate the cost of the risk
7. Recommend countermeasures or other remedial activities


Identify the assets These are the systems, network components and information.

Assign values to the assets To determine the value use the following questions:

How much revenue does this data generate?

How much does it cost to maintain?

How much would it cost if the data were lost?

How much would it cost to recover or re-create?

How much would it be worth to the competition?

Identify the risks and threats corresponding to each asset Use your common sense to determine all risks and threats to each asset.

Estimate the potential loss from that risk or threat Think of replacement costs and loss of productivity. The estimated cost is used to calculate the single-loss expectancy (SLE). This is the amount of the potential loss for a specific threat.

Estimate the possible frequency of the threat occurring The frequency of occurrence is used to estimate the percentage of loss on a particular asset because of a threat. This is called the exposure factor (EF). If a fiber-optic cable between two buildings is cut causing 20% of the infrastructure to become inoperable, the EF is 20%.

Next the annualized rate of occurrence (ARO) is calculated. This is the ratio of the estimated possibility that the threat will take place in a one year time frame varying from 0.00 (never) to 1.00 (certain). If a threat takes place once every four years, the ARO is 0.25.

Calculate the cost of the risk Based on the information gathered in the previous steps, the annualized loss expectancy (ALE) can be calculated. The ALE tells the analyst the maximum amount that should be spent on the countermeasure to prevent the threat from occurring.

SLE = asset value x EF
ALE = SLE x ARO

Asset        Threat         Value    EF    SLE      ARO   ALE
NOC          Fire           500.000  0.45  225.000  0.20  45.000
Web servers  Power failure   25.000  0.25    6.250  0.50   3.125

QUALITATIVE RISK ANALYSIS

To do a qualitative risk analysis you first identify the major threats and analyze the scenarios for the possible sources of the threat. The scores show the likelihood of the threat occurring, the potential severity and the degree of loss. Additionally, potential countermeasures are analyzed by ranking them for their effectiveness.

Finally the scores for the threat are compared to those of the countermeasures. If the score for the countermeasure is greater than that of the threat, it means that the countermeasure will be effective in protecting the asset.

COUNTERMEASURE SELECTION AND EVALUATION

Determining the most cost-effective countermeasure is called a cost/benefit analysis. The calculation is as follows:

Value of countermeasure = ALE (without countermeasure) - Cost (safeguard) - ALE (with countermeasure)

In the example of the Web servers: if a UPS is purchased (1.000), it reduces the EF to 0.05. The chance that an outage lasts longer than the UPS can bridge is once in five years (ARO = 0.20).

ALE (with UPS) = asset value x EF x ARO = 25.000 x 0.05 x 0.20 = 250

Value of countermeasure = 3.125 - 1.000 - 250 = 1.875

The benefit of this countermeasure = 1.875 - 1.000 = 875 per year.
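The SLE, ALE and countermeasure calculations above carried out in code, as an added example that is not from the guide, on the guide's own figures (the NOC fire, the Web server power failure and the UPS safeguard). Amounts keep the guide's magnitudes (500.000 is written here as 500_000); the helper names and the adoption rule are assumptions for the illustration.

```python
# Added example, not from the CISSP guide: the SLE, ALE and countermeasure
# value calculations above, on the guide's own figures. 500.000 in the guide
# is written here as 500_000. Helper names are assumptions for this example.

def sle(asset_value: float, ef: float) -> float:
    """Single-loss expectancy: the loss from one occurrence of the threat."""
    return asset_value * ef

def ale(asset_value: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: SLE weighted by the yearly rate of occurrence."""
    return sle(asset_value, ef) * aro

def countermeasure_value(ale_without: float, safeguard_cost: float, ale_with: float) -> float:
    """The guide's cost/benefit formula for a single safeguard."""
    return ale_without - safeguard_cost - ale_with

# Rows of the guide's table: (asset, threat, value, EF, ARO)
RISK_TABLE = [
    ("NOC", "Fire", 500_000, 0.45, 0.20),
    ("Web servers", "Power failure", 25_000, 0.25, 0.50),
]

def risk_report():
    """Per asset: (asset, threat, SLE, ALE), rounded to whole units."""
    return [(asset, threat, round(sle(v, ef)), round(ale(v, ef, aro)))
            for asset, threat, v, ef, aro in RISK_TABLE]

def ups_case():
    """The guide's UPS example: EF drops to 0.05 and a longer outage has ARO 0.20.
    'benefit' follows the guide's own arithmetic (value minus safeguard cost)."""
    ale_without = ale(25_000, 0.25, 0.50)
    ale_with = ale(25_000, 0.05, 0.20)
    value = countermeasure_value(ale_without, 1_000, ale_with)
    return {
        "ale_without": round(ale_without),
        "ale_with": round(ale_with),
        "value": round(value),
        "benefit": round(value - 1_000),
        # adoption rule stated above: skip safeguards whose cost outweighs the loss avoided
        "adopt": value > 0,
    }
```

The "adopt" flag is the rule from the cost-benefit paragraph above made explicit: a safeguard is worth employing only while the ALE it removes exceeds what it costs.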


3.4 Policies, Standards, Guidelines and Procedures

Information Security Policies are high-level plans that describe the goals of the procedures. They describe security in general terms. Information Security Policies are the blueprints, or specifications, for a security program.

The first step in writing policies is to determine the overall goal. Secondly you have to determine for which systems and processes you want to write a policy. There is no need for one document which describes all policies; it is better to write one policy for each topic, such as user and physical policies, access control policies or external access policies.

The third step is to identify what is to be protected. You need to have a complete inventory of the information assets supporting the business processes, including any material that has the organization's name or logo on it.

The fourth step is to identify from whom it is being protected. The focus should be on who can access resources and under what conditions. Some considerations for data access are:

Authorized and unauthorized access to resources and information

Unintended or unauthorized disclosure of information

Enforcement procedures

Bugs and user errors.

Baselines are used to create a minimum level of security necessary to meet policy requirements. Baselines can be configurations, architectures or procedures.

Standards and baselines describe specific products, configurations or other mechanisms to secure the systems. In cases in which security cannot be described as a standard or set as a baseline, you need guidance: recommendations are created as guidelines, e.g. for risk analyses. You do not describe in detail how to perform an audit; a guideline can specify the methodology, leaving the team to fill in the details.

Procedures describe how to use the standards and guidelines to implement the countermeasures that support the policy. The kinds of procedures differ per organization, but the following are quite common:

Auditing What to audit, how to maintain audit logs.

Administrative Separation of duties.

Access control How to configure authentication and other access control features.

Configuration Firewalls, routers, switches and operating systems.

Incident response How to respond to security incidents.

Physical and environment Air conditioning for server rooms, shielding of Ethernet cables.

Implementation of these procedures is the process of showing due diligence in maintaining the principles of the policy. Due diligence is important because it demonstrates commitment to the policies.

3.5 Roles and Responsibilities

The most important role belongs to management, who must set the tone for the entire information security program. They have to become part of the process, which involves showing leadership in the program. Furthermore, management is responsible for doing the risk analysis and conveying it to the technical people responsible for implementing the policies.


One way to ensure that every employee knows that security is part of his job is to make it part of each job description. Once it is part of the job description, it becomes something that can be considered in performance evaluations. The same goes for outside contractors and vendors: they should include similar language within their statements of work.

The IT staff is responsible for implementing and maintaining organization-wide information security policies, standards, guidelines and procedures. They should provide input into security awareness education programs and ensure that everyone knows his role in maintaining security.

Information security must also be integrated into the business environment. Jobs that support security through the processes should be defined. One way of doing this is separation of duties and assigning ownership of assets.

Furthermore, you must consider how security is administered throughout the organization. There should be a central information security management group that is in charge of the monitoring and enforcement of the policy and procedures.

3.6 Understanding Protection Mechanisms

Protection mechanisms are used to enforce layers of trust between security levels of a system. Trust levels are used to provide a structured way to compartmentalize data access and create a hierarchical order. There are four protection mechanisms:

Layering Processes are placed in layers/zones and need to request access to a protected resource in another layer/zone. Bell-LaPadula is an application of this concept in military systems.

Abstraction

Data Hiding

Encryption Encryption uses cryptography to convert data into an unintelligible form.

3.7 Classifying Data

Commercial classification of data consists of five levels:

Sensitive Most limited access; should not be disclosed.

Confidential Less restrictive within the company but might cause damage if disclosed.

Private Compartmental data which must be kept private.

Proprietary Data that is disclosed outside the company in a limited or restricted manner.

Public The least sensitive data which would cause the least harm if disclosed.

Government classification of data is based on laws, policies and executive directives which sometimes conflict with each other. This classification consists of five levels:

Top Secret Disclosure would cause severe damage to national security.

Secret Disclosure would cause serious damage to national security.

Confidential Data that is exempt from disclosure under laws such as the Freedom of Information Act but is not classified as national security data.

Sensitive But Unclassified (SBU) Data that is not considered vital to national security but whose disclosure would do some harm (e.g. data about citizens).

Unclassified Data that has no classification or is not sensitive.

Criteria for setting a classification scheme are:

Who should be able to access or maintain the data?

Which laws, regulations, directives or liability might be required in protecting the data?

For government organizations, what would the effect on national security be if the data were disclosed?

For nongovernmental organizations, what would the level of damage be if the data was disclosed or corrupted?

Where is the data to be stored?

What is the value or usefulness of the data?

The steps for creating data classification procedures are:

1. Set the criteria for classifying the data.

2. Determine the security controls that will be associated with the classification.

3. Identify the data owner who will set the classification of the data.

4. Document any exceptions that might be required for the security of this data.

5. Determine how the custody of the data can be transferred.

6. Create criteria for declassifying information.

7. Add this information to the security awareness and training programs so users can understand their responsibilities in handling data at various classifications.

3.8 Employment Policies and Practices

Employment policies can be used to protect information security assets by setting guidelines for:

Background checks and security clearances

Employment agreements, hiring and terminations

Setting and monitoring of job descriptions

Enforcement of job rotation

Employment agreements are made to protect the organization from the insider threat. By having the employee sign the agreements, the organization has the ability to enforce the policies behind them. You can use a UAP, which summarizes the overall information policy for the users, to make them aware of the security policies.

When a contract with an employee (or contractor) is terminated, all access rights should be revoked immediately. Also, the former employee or contractor should be escorted out of the building.

Job descriptions define the roles and responsibilities for each employee. Within these roles and responsibilities, procedures are used to set the various access controls.

3.9 Managing Change Control

Change control, configuration management and revision control help to determine the security impact of changes.


4 Applications and System Development Security

4.1 Software Applications and Issues

CENTRALIZED, DECENTRALIZED AND DISTRIBUTED SYSTEMS

Even in the old days, when we had centralized systems, there was a security risk of disrupted data caused by:

Incorrect data entered in error;

Incorrect data entered on purpose;

Someone entering code which extracted, modified, destroyed or disrupted data;

Unauthorized access to data or seeing data on screens;

Unauthorized use of unattended terminals with active sessions.

There is a difference between decentralized and distributed systems:

Centralized All computing takes place in one place.

Centrally controlled computing Computers are distributed physically but maintained and controlled by a central authority.

Decentralized Computing facilities exist throughout the company; they may be linked with each other.

Distributed Computers are everywhere, and so is the processing. There is no centralized control. Examples are PDA applications, internet applications, file servers and email.

The internet is an example of a massively distributed system. These are systems that are ubiquitous across time and space and consist of a lot of connected systems.

MALICIOUS SOFTWARE (MALWARE)

Malicious software falls into one of the following categories:

Viruses Programs which run on a computer without the permission of its owner. There are polymorphic viruses, boot sector viruses, multipartite viruses and macro viruses.

Trojans Programs that masquerade as something else.

Logic bombs Programs designed to execute because of some event.

Worms Malware that replicates and spreads itself across a network. It might use its own communication code (SMTP) or use one of the existing services (FTP, email, telnet).

ActiveX/Java These controls are used by web-based applications but may contain harmful code. Nimda is an example of a harmful applet.

Blended malware Malware using the results of previous malware to attack a system.

Agents / remote control programs Programs that remotely control another computer.

The border between normal programs and malware may be thin. A program that reinstalls the operating system may be considered to be malware but is also helpful as an administrator tool. The purpose behind the software defines whether it is malware or not.

The threat of malware can be managed by following the next steps:

1. Have a malware policy that specifies the use of antivirus products and provides for regular maintenance. Ensure its approval and support by top management.

2. Make virus protection software an absolute must for every device.

3. Make updating your virus protection products a priority on all systems.

4. Install and properly configure special mail server virus protection.

5. Configure mail server antivirus programs to block executable attachments.

6. Keep all systems patched.

7. Reduce attack vectors by scanning removable media.

8. Reduce attack vectors by disallowing ActiveX or JavaScript download where possible.

9. Keep up-to-date on trends and actual virus threats.

10. Use recommended steps to clean infected systems.

DATABASES

A DBMS provides access to the items in a database and maintains the information in the database. Objectives of most database management systems (DBMSs) are:

Data independence

Minimal data redundancy

Data reuse

Data consistency

Persistence

Data sharing

Data recovery

Security controls

Data relationships defined by primary and foreign keys

Data integrity consisting of semantic and referential integrity

Utilities or processes to ensure efficient processing over time

The following data models are commonly used:

Relational (Oracle, DB2, SQL Server)

Hierarchical (IMS)

Network (IDMS/R)

Object-oriented (ODBMSs)

Distributed

Security issues regarding databases are:

Default administrator passwords;

Misuse of the production database as a test database;

Lack of separation of data administration from application system development (programmers should only have special rights during the development phase);

Distributed databases:

Having multiple access points;

Database processing is much harder to get right; you need transaction control mechanisms;

Aggregation of data can expose sensitive information; use views to access specific data;

Denial-of-service attacks by using improperly formatted queries;

Improperly modifying data;

Access to some data can provide the ability to deduce or infer data that is protected.

The DDL (Data Description Language) provides the means to define a database. A schema is a description of the database.

DATA WAREHOUSES

Data warehouses contain a lot of (historical) information, which makes them interesting for attackers. You must pay attention to developing proper access controls to ensure that the data is entered correctly and by authorized people.

STORAGE AND STORAGE SYSTEMS

There are a few kinds of storage:

Primary storage (volatile storage) data in RAM;

Secondary storage (nonvolatile storage) data on disk;

Real memory RAM provided in hardware;

Virtual memory swap files, disk pages;

Sequential access tapes;

Random access disks;

Registers high-speed memory locations in the CPU;

Cache CPU memory storage that is quicker than RAM;

Static RAM Level 2 cache memory;

Dynamic RAM FPM DRAM, EDO, SDRAM, RAMBUS DRAM, RIMM;

BIOS provides basic information on hardware devices.

A specific risk exists with virtual memory because it uses the disk and creates temporary files which could be copied and then analyzed by an attacker.

Some storage devices are:

Credit card memory a proprietary DRAM memory;

PCMCIA Card a nonproprietary DRAM memory;

Flash RAM

Real-time clock (RTC) which stores floppy and hard drive configuration information needed during boot;

Video RAM VRAM, used for video adapters and 3D accelerators.

Storage Area Networks (SANs) are centrally managed, network-accessible storage systems. They are accessible from all servers and other storage systems. The benefits of SANs are:

Centralized control, including backup and management;

Access from anywhere at anytime;

Can improve data protection;

Additional storage can be added with little to no disruption;

Better physical security;

Improved availability;

Business flexibility;

Can improve disaster tolerance.

As SANs are moving to IP-based networks, they become vulnerable to attacks. SAN administrators apply the following security principles:

Physical security They are placed in secure data centers;

Confidentiality Using IP-networks IPSec can be used to encrypt data in transit;

Authenticate users SANs must have mechanisms to validate the identity of individuals;

Authorization Access controls should have granular application. File and folder controls are commonly available. Additionally, some SANs offer the ability to zone or segment. Within a zone only some devices are accessible.

Interoperability Using SANs from different vendors can cause difficulties in communication between them, resulting in security problems due to the lack of security controls in another SAN.

KNOWLEDGE-BASED SYSTEMS

To develop an expert system you use an expert system shell which consists of an inference engine and a user interface. The process of taking expert knowledge and coding it in a database is called knowledge engineering.

Rule-based expert systems use forward chaining or backward chaining for reasoning. Forward chaining starts with a question and a set of known facts and fires rules to evaluate. The process ends when no new facts are found or the result for the question is found. Backward chaining starts with a hypothesis that can determine the answer and then works backward through the rules attempting to determine whether the answer is correct.

WEB SERVICES AND OTHER EXAMPLES OF EDGE COMPUTING

Grid computing allows gathering the excess processing capability from the proliferation of computers in the organization. Clustering is the combining of multiple computers for the sharing of processing power and storage.

Web services dissect the program processing into its smallest chunks and spread these pieces across the Internet. These pieces can be recombined in many different ways. Web services are small reusable programs that can be accessed from otherwise unconnected sources. Web services work in many scenarios, such as:

Client-to-client sharing data between clients

Client-to-server the same in a master-slave setting

Server-to-server Processing takes place across multiple servers

Service-to-service Services working together

4.2 Attacking Software

See also paragraph Common Attacks and Countermeasures (page 18) for more information. There are several kinds of attacks and countermeasures:

Brute force and dictionary attacks Add additional authentication factors such as smart cards or biometrics

DoS (smurf attack) Use modern TCP/IP stacks which prevent these problems

DDoS Apply all current patches and service packs; make sure your programs cannot create a buffer overflow;

Spoofing (such as SMBRelay attack) SMB signing, a process that authenticates each packet in the file sharing session.

Miscellaneous attacks are:

Hidden code Code inserted in approved software. Examine application development teams and audit their work, scan code for the use of file streams and viruses;

Logic bombs Audit activities involving code maintenance, code production and access to servers.

Trap door Insist on code review and look for removal of break points and other programmer-debugging techniques.

TOC/TOU Time of Check to Time of Use. Compromising a system between two steps (IBM 360).

NAK attacks Software interrupts. The normal response to an action is the ACK or a NAK (negative acknowledgement). A system must be able to handle these events.

Pseudoflaw A technique used on the Internet to get your userid and password by presenting a familiar login-screen.

Some software seems to be legitimate administrative software but is in fact a hacker tool. Examples are Netbus, Back Orifice and Netcat. Also common network software can make your network vulnerable:

In Windows you can access drives of other machines by clicking in your browser. You have to set the proper permissions.

You can use network sniffers to find passwords and valuable data. Encrypt information; send fake but plentiful messages at all times to all stations.

Protocols may have vulnerabilities. TCP/IP has some flaws.

4.3 Understanding Malicious Code

Hackers originally tried to learn how things work; today the term has a negative connotation. Crackers are guys who intentionally break in, whether for profit or bragging rights. Phreakers are guys who used to hack phone systems (PBXes and Telcos).

Malicious code, such as worms, tries to accomplish one of the following:

Modifying computer programs

Crashing programs or systems

Stealing of or modifying data

Inserting or adding code for later damage.

Hoaxes are threats that do not exist but can cause a lot of harm because a lot of unsolicited mail is sent by users across the organization. To prevent this you can:

Check Internet hoax-busting sites

Check well-known alert sites

Report the warning to the security department

You can use antivirus software on your edge servers. These are servers that accept input from untrusted networks and make it available to the trusted network. An example of an edge server is a firewall. It checks incoming data for viruses and removes all untrusted attachments.

4.4 Implementing System Development Controls

There are two methods of system development: the waterfall and the spiral system development lifecycle.

The waterfall system development lifecycle consists of:

Conceptual Definition / Feasibility Study

System Analysis / Functional Requirements Determination

Design / Specifications Development

Design Review

Construction

Code Review / Walk-through

System Test Review

Certification / Accreditation

Implementation

Maintenance

Disposal

The spiral system development lifecycle uses the following steps:

1. Develop a preliminary design

2. Develop a prototype from the design

3. Develop the next prototype

4. Evaluate

5. Define further requirements

6. Plan and design another prototype

7. Construct and test this prototype

8. Repeat steps 3-7 until the customer is satisfied

9. Construct the system

10. Thoroughly test the final system

Barry Boehm added the element of risk analysis to the model, in which four steps are repeated over and over again until the right design is created. These steps are:

1. Planning/review Determine the objectives of the system.

2. Risk analysis, prototype First identify all alternative solutions and perform a risk analysis. Resolve the risks and create the prototype.

3. Engineering Develop and verify the product requirements. Validate the design. Do a detailed design and validate it. Code and test the product.

4. Plan the next phase Review for customer satisfaction. Perform requirements planning, development planning and integration planning and create a test plan.

RAD seeks the 20/80 rule meaning that 80 percent of the desired goals are established in 20% of the time. The RAD process includes the following time-boxed stages:

High-level end users and designers convene a Joint Application Development meeting (a brainstorm session);

Developers build a prototype;

Designers review the prototype;

Customers try out the prototype;

A focus-group meeting takes place in which customers and developers refine its requirements;

A new prototype is developed and the process begins again.

A security control architecture is the sum of the controls built into the system and might be enforced by the hardware or the software. The security architecture can include features such as:

Process isolation

Hardware segmentation

Memory protection

Least privilege

Separation of duties by assigning privileges to special functions

Layering of system functions

Security kernel

Modes of operation

Accountability

The highest security level supported by a system is called system high; the lowest level system low. A system can be tested to ensure it conforms to the appropriate level for use. This is called accreditation if it is an official authorization and approval. As this is a management process, it cannot be done before a certification (technical evaluation) has been done.

The best practices of system development are:

Partition development from production.

Promote documentation of code and code changes.

Backup development and production code.

Continuously train the staff.

Adopt coding standards.

4.5 Using Coding Practices That Reduce System Vulnerability

The following development methods are used today:

Structured programming

OO-programming

CASE

Prototyping


Software has security flaws because of the following reasons:

The time to market is short and software is feature rich which means that there is little time to test;

Software must run on multiple platforms which require drivers from other companies;

Software must be backward compatible;

The software is not complete; missing functionality is added via patches and upgrades;

Consumers have accepted the flaws as normal;

The complexity of software makes it difficult to eliminate errors and vulnerabilities in a short timeframe;

More connectivity means more exposure to danger;

A poor ethical attitude and the availability of prewritten attack code.

Techniques for writing safe software are:

Eliminating buffer overflows. Buffer overflows can cause a program to crash or give an attacker the opportunity to execute further attack code.

Prevent array indexing errors.

Utilizing good access control.

Principle of least privilege.

Defense in depth.

Hiding secrets (such as user passwords).

Remember the weakest link.


5 Cryptography

5.1 Uses of Cryptography

Cryptography (crypto) has four main goals:

Confidentiality Preventing, detecting or deterring unauthorized access to information. Make sure no one else can read it. Note: not all encryption provides confidentiality!

Integrity Preventing, verifying and detecting the alteration of data you sent. Make sure that no one can modify your data.

Authentication Identifying an individual or finding out that he belongs to a certain group. Authentication is based on three attributes: something the person knows, has or is. All these authentication methods use encryption.

Nonrepudiation Critical when it comes to digital signatures. It deals with proving in a court of law that someone was the originator. Asymmetric encryption allows you to prove that someone actually sent a message.

5.2 Cryptographic Concepts, Methodologies and Practices

Plain text is a message in its original form. Ciphertext is a message after it has been encrypted. Encryption is the process of taking a plain text message and converting it into ciphertext; decryption is the process of taking ciphertext and converting it back to plain text.

SYMMETRIC ALGORITHMS

Symmetric encryption is also called single-key or secret-key encryption. It uses one key to encrypt and decrypt messages. Therefore the sender and receiver must both know the key. Because you only use encryption when you use an insecure channel, the problem arises of how to send the key to the receiver: you need a secure channel to do that. Another problem with symmetric encryption is nonrepudiation.

The most used symmetric key encryption schemes are DES (56-bit) and triple DES. DES is considered unsafe because a brute force attack nowadays takes only a little while to break the code. Triple DES is preferred. AES (Advanced Encryption Standard) is now being developed by the NIST (National Institute of Standards and Technology) and uses the Rijndael algorithm. This will be the future standard for symmetric encryption. It uses a block size of 128 bits and the key can be 128, 192 or 256 bits.

ASYMMETRIC ALGORITHMS

Asymmetric encryption uses two keys: a private key and a public key. Only the owner Bob has the private key; everybody else can get the public key through a trusted (not necessarily secure) channel. The public key is used by people who want to send an encrypted message to Bob. The public key cannot decrypt, which makes it impossible for someone who intercepts a message for Bob to decrypt it. Only Bob can decrypt the message with his private key.

Because of this, asymmetric encryption supports nonrepudiation. If you get a message from Bob, you know it is from Bob because he encrypted it using his private key.

Confidentiality and nonrepudiation are assured. If Alice sends a message to Bob, she uses her private key to encrypt the message and next, she uses Bob's public key to encrypt the output. Only Bob can decrypt the message using his private key and then decrypt it again with Alice's public key.

Asymmetric encryption is powerful. The reason for still using symmetric encryption is that asymmetric encryption is very slow. The algorithm widely used is RSA.

SAFETY MECHANISMS

There are some mechanisms you can use for encryption:

Message authentication codes (MACs) which are used to make sure that the message has not changed in transit. You can use a simple parity check or more complex methods;

Hash functions can be used and are very popular with digital signatures: you reduce the amount of information that has to be encrypted. A common implementation of hash functions is MD5.

Digital signatures are used to ensure nonrepudiation. The message is processed by a hash function which produces a fixed-length output. Thus the length of the message is reduced, after which it can be encrypted with the private key of the sender.

The key length determines the time before a code is broken. Long encryption keys ensure that a computer needs a lot of time to break the code with a brute force attack. However, computers become faster every year.

One-time ciphers are considered to be unbreakable because with every message you create a new key. So, if the encryption of one message is broken, the key is of no use for other messages sent by you.
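As an added illustration (not code from the guide), the MAC idea above, applied the way a receiver would use it: the tag covers a timestamp as well as the payload, so a modified message fails the MAC check and an old but valid message is rejected as stale or as a replay. The key, the freshness window and the messages are constructed for the demo; HMAC-SHA256 is the assumed MAC.

```python
# Added example (not from the CISSP guide): a message authentication code
# (HMAC-SHA256) that also binds a timestamp, so a receiver can detect both
# modification in transit and replay of an old, validly authenticated message.
import hmac
import hashlib
import struct

# Constructed demo key; a real deployment derives one per session or peer.
DEMO_KEY = b"constructed-shared-secret-do-not-reuse"
FRESHNESS_WINDOW = 30  # seconds a message is accepted after it was tagged


def tag_message(key, timestamp, payload):
    """Return timestamp || payload || HMAC(key, timestamp || payload)."""
    header = struct.pack(">Q", timestamp)      # 8-byte big-endian seconds
    mac = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + mac


class Receiver:
    """Verifies MACs and rejects stale or already-seen messages."""

    def __init__(self, key):
        self.key = key
        self.seen = set()   # MACs accepted so far (replay cache)

    def verify(self, blob, now):
        if len(blob) < 8 + 32:
            return False, "too short"
        header, payload, mac = blob[:8], blob[8:-32], blob[-32:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # compare_digest avoids a timing side channel on the MAC comparison
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac"
        (ts,) = struct.unpack(">Q", header)
        if ts > now or now - ts > FRESHNESS_WINDOW:
            return False, "stale"
        if mac in self.seen:
            return False, "replay"
        self.seen.add(mac)
        return True, "ok"


def demo():
    """Deliver one constructed message four ways and collect the verdicts."""
    rx = Receiver(DEMO_KEY)
    msg = tag_message(DEMO_KEY, 1_000_000, b"transfer 100 to acct 42")
    results = [
        rx.verify(msg, 1_000_010)[1],    # first delivery, inside window: ok
        rx.verify(msg, 1_000_020)[1],    # identical bytes again: replay
        rx.verify(msg, 1_000_100)[1],    # delivered far too late: stale
    ]
    # Same header and MAC, but the payload was altered in transit.
    tampered = msg[:8] + b"transfer 900 to acct 42" + msg[-32:]
    results.append(rx.verify(tampered, 1_000_010)[1])   # bad mac
    return results
```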

5.3 PKI and Key Management

With asymmetric encryption the public key is sent through a trusted channel. If you have a lot of friends (or employees) this becomes a hell of a job. You need a trusted third party who distributes your public key. This centralized authority that manages keys is the public key infrastructure server (PKI server).

You cannot offer your keys that simply to a PKI server. You achieve trust with PKI through digital certificates. There are authorities (Verisign) who validate persons and companies. After approval, this authority will sign the certificate.

A digital certificate requires at least the following information: name, expiration date and the digital signature of the certifier.

5.4 Methods of Attack

Encryption schemes are considered insecure until they have been proven to be secure. People who test these schemes are called cryptanalysts. Only if cryptanalysts have been unsuccessful for three to five years in attempting to break a method is it considered to be safe.

With a safe algorithm, it doesn't matter if you know what it looks like. Therefore these methods are published freely.

There are four general attacks that can be performed against encrypted information:

Ciphertext only attack (COA). You have an encrypted message that can be decrypted by using brute force attack.

Known plaintext attack (KPA). You have the encrypted message and its plaintext equivalent. You use these to find the key so you can use it to decrypt other messages. The longer the message is, the more accurately you can determine the key.

Chosen plaintext attack. You have access to the encryption device and you can enter anything you want. In this way you can build up your knowledge about the encryption method.

Chosen ciphertext attack. This is a theoretical attack. You feed a system with ciphertext and receive plaintext.

Specific attacks are:

Brute force attack.

Replay attack. Used to gain access to a system with an encrypted password. An attacker can replay the password. You can prevent this by adding a time-stamp.

Man-in-the-middle attacks. An evildoer (Eve) intercepts the exchange of public keys between Bob and Alice and sends fake keys to Bob and Alice. Eve can now control the keys and encrypt and decrypt messages.

Meet-in-the-middle attacks. Given a message M1 which has to be encrypted with key K1, you get ciphertext C1: E(M1,K1)=C1. You can now encrypt this result with key K2 to get ciphertext C2. If you try to decrypt C2 to get C1 using brute force, with DES you have 2^56 possibilities. From C1 to M1 you also need 2^56 possibilities, thus in total 2^57 possible keys. This is why double DES never made it.

Birthday. This refers to the chance that two people in a group have the same birthday. In reality this chance is greater than one would expect. The same holds for two people having the same key, and so on.
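Added example, not from the guide, of the meet-in-the-middle cost argument above: the attack run against a constructed 16-bit toy cipher (not DES) applied twice with two independent keys. Both keys are recovered with about 2 * 2^16 cipher operations, where naive brute force would need 2^32, which is the same ratio that makes double DES barely stronger than single DES. The toy cipher, keys and plaintexts are all constructed for the demo.

```python
# Added example (not from the CISSP guide): meet-in-the-middle against a
# constructed 16-bit toy cipher applied twice. The point is the work count:
# double encryption with two n-bit keys costs roughly 2 * 2^n operations to
# break, not 2^(2n), which is why double DES gains almost nothing.
BITS = 16
MASK = (1 << BITS) - 1


def _rotl(x, r):
    r %= BITS
    return ((x << r) | (x >> (BITS - r))) & MASK


def _rotr(x, r):
    r %= BITS
    return ((x >> r) | (x << (BITS - r))) & MASK


def toy_encrypt(m, k):
    """Constructed toy block cipher; only invertibility matters here."""
    return _rotl(m ^ k, k & 15) ^ ((k * 0x9E37) & MASK)


def toy_decrypt(c, k):
    return _rotr(c ^ ((k * 0x9E37) & MASK), k & 15) ^ k


def double_encrypt(m, k1, k2):
    """C2 = E(E(M, K1), K2), the construction the text calls double DES."""
    return toy_encrypt(toy_encrypt(m, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (K1, K2) from known (plaintext, double-ciphertext) pairs.

    Returns the key pairs consistent with all pairs and the number of
    toy-cipher operations spent (encryptions plus decryptions)."""
    m1, c1 = pairs[0]
    ops = 0
    # Forward half: encrypt M1 under every K1 and index the middle values.
    middle = {}
    for k1 in range(1 << BITS):
        middle.setdefault(toy_encrypt(m1, k1), []).append(k1)
        ops += 1
    # Backward half: decrypt C2 under every K2 and look for a meeting value.
    candidates = []
    for k2 in range(1 << BITS):
        x = toy_decrypt(c1, k2)
        ops += 1
        for k1 in middle.get(x, ()):
            candidates.append((k1, k2))
    # Extra known pairs weed out accidental collisions of the toy cipher.
    survivors = [(k1, k2) for (k1, k2) in candidates
                 if all(double_encrypt(m, k1, k2) == c for m, c in pairs[1:])]
    return survivors, ops


def demo():
    """Constructed secret keys and plaintexts; the attacker sees only pairs."""
    k1, k2 = 0x1234, 0xBEEF
    plaintexts = [0x4F56, 0x4552, 0x4C4F]   # "OV", "ER", "LO" as 16-bit words
    pairs = [(m, double_encrypt(m, k1, k2)) for m in plaintexts]
    keys, ops = meet_in_the_middle(pairs)
    return keys, ops
```

With n = 16 the table and the backward scan together cost 2 * 65536 operations, against 2^32 for trying every (K1, K2) pair directly.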

A block cipher is a symmetric key algorithm that operates on a fixed-length block of plaintext and transforms it into a fixed-length block of ciphertext.

Using a modulo-26 substitution cipher where the letters A-Z of the alphabet are given the values 0-25, the message OVERLORD BEGINS is encrypted with key K=NEW and D=3, where D is the number of letters in the repeating key. The encrypted message is BZAEPKEH XRKEAW:

OVERLORD = 14 21 04 17 11 14 17 03
BEGINS   = 01 04 06 08 13 18
NEW      = 13 04 22

Text        =  O  V  E  R  L  O  R  D  B  E  G  I  N  S
Code        = 14 21 04 17 11 14 17 03 01 04 06 08 13 18
Key         = 13 04 22 13 04 22 13 04 22 13 04 22 13 04
Translation = 27 25 26 30 15 36 30 07 23 17 10 30 26 22
Modulo 26   = 01 25 00 04 15 10 04 07 23 17 10 04 00 22
            =  B  Z  A  E  P  K  E  H  X  R  K  E  A  W
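The same modulo-26 cipher as an added example (not code from the guide), written for any key length D, together with the known plaintext attack from the list in 5.4: given a plaintext/ciphertext pair and the period D, every key letter is simply (ciphertext - plaintext) mod 26 at that position, and a wrong guess for D shows up as a contradiction. The function names are mine; the only input is the guide's OVERLORD BEGINS / NEW example.

```python
# Added example (not from the CISSP guide): the modulo-26 repeating-key
# substitution from the worked OVERLORD example, plus key recovery from a
# known plaintext/ciphertext pair, which is why such a short key is weak.
import string

ALPHABET = string.ascii_uppercase


def _to_numbers(text):
    """Letters A-Z -> 0-25; anything else (spaces, punctuation) is dropped."""
    return [ALPHABET.index(ch) for ch in text.upper() if ch in ALPHABET]


def _to_letters(nums):
    return "".join(ALPHABET[n % 26] for n in nums)


def encrypt(plaintext, key):
    k = _to_numbers(key)
    if not k:
        raise ValueError("key needs at least one letter")
    nums = _to_numbers(plaintext)
    # Key letter i is added to plaintext letter i, repeating every D = len(key).
    return _to_letters(p + k[i % len(k)] for i, p in enumerate(nums))


def decrypt(ciphertext, key):
    k = _to_numbers(key)
    nums = _to_numbers(ciphertext)
    return _to_letters(c - k[i % len(k)] for i, c in enumerate(nums))


def recover_key(plaintext, ciphertext, period):
    """Known-plaintext attack: with matching plaintext and ciphertext and the
    key period D, each key letter is the difference at that position.

    Returns None if the pair is inconsistent with a key of that period, which
    is also how a wrong guess for D is detected. A multiple of the true
    period (e.g. 6 for NEW) is accepted and yields the key repeated."""
    p, c = _to_numbers(plaintext), _to_numbers(ciphertext)
    if len(p) != len(c) or len(p) < period:
        return None
    key = [None] * period
    for i, (pi, ci) in enumerate(zip(p, c)):
        d = (ci - pi) % 26
        slot = i % period
        if key[slot] is None:
            key[slot] = d
        elif key[slot] != d:
            return None          # contradiction: not this period
    return _to_letters(key)


def demo():
    """Walk the guide's example: encrypt, decrypt, then recover NEW from the pair."""
    ct = encrypt("OVERLORD BEGINS", "NEW")
    return ct, decrypt(ct, "NEW"), recover_key("OVERLORD BEGINS", ct, 3)
```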

The National Computer Security Center (NCSC) is a branch of the National Security Agency (NSA) that initiates research and develops and publishes standards and criteria for trusted information systems.


6 Security Architecture and Models

6.1 Requirements for Security Architecture and Models

There are a few differences between government security issues and business security issues:

Governmental security is centered on confidentiality, whereas business security is centered on integrity and consistency.

Governmental information tends to be more confidential than business information.

Few companies can afford such measures as the government takes to protect its information.

Because of the several classes of confidentiality, the increasing power of computers and the ease of using computers and even building viruses, there is a need for security models and architecture.

6.2 Security Models

Some better known security models are:

Bell-LaPadula (see page 1-3)

Biba (see page 1-3)

Clark-Wilson

Access control lists

CLARK-WILSON MODEL

The Clark-Wilson model is a government model and emphasizes data integrity for commercial activities and uses software engineering concepts such as abstract data types, separation of privilege, allocation of least privilege and non-discretionary access control. The three integrity goals are:

Prevent unauthorized users from making modifications;

Prevent authorized users from making improper modifications;

Maintain internal and external consistency.

ACCESS CONTROL LISTS

See also page 1-2 where ACLs are discussed with rules. It is not a governmental model. In this model the objects (resources) are assigned lists of approved subjects (users and groups). Each entry consists of a user identification and the approved access level. These lists are used by network administrators in Unix and Windows systems.

Model                 Governmental model   Primary directive
Biba                  Yes                  Integrity
Bell-LaPadula         Yes                  Confidentiality
Clark-Wilson          Yes                  Integrity
Access Control Lists  No                   Confidentiality / Integrity

6.3 Security System Architecture

A security architecture is the sum of the components used and the way they are put together to build security functionality into a computer operating system or device.

Windows NT has the security subsystem SRM (Security Reference Monitor) which examines the credentials of the requestor for access to resources. Windows NT uses a Security ID (SID) to identify subjects and Access Control Lists for objects.

SECURITY PRINCIPLES

Open systems provide a user with total systems access. A closed or secure system is totally secure. Many open systems nowadays offer features that make them more secure. A good security system architecture however is designed to maximize the use of recognized security principles. Among these are:

Trusted Computing Base The sum of the security functions of the system

Execution Domain The OS is run in a secured area which is protected from tampering. Application programs are run in the user area.

Layering Processes are layered with each layer having a specific job.

Abstraction Acceptable operations are characterized but not spelled out in detail.

Process isolation Processes run without interfering with each other (own memory space).

Least privilege A process has only the rights and access it needs to run.

Resource Access Control Access to resources is limited.

Security perimeter The boundary of the TCB. A security kernel and other related functions are running within this perimeter. A security kernel is the im-plementation of the reference monitor con-cept.

Security policy enforcement The policy set is operational and is always followed.

Domain separation The subject has only access to the objects it needs.

Resource isolation Subjects and objects are kept separate for control purposes.

SECURITY MODES

A security subsystem can run in a particular mode. The modes are:

Dedicated There are no restrictions. Users have a valid need to know for all information.

System high Users have access approval and clearance for all information. They have a need to know and signed nondisclosure agreements.

Compartmented Users have valid clearance for most restricted information, formal access and non disclosure for that information on a need to know basis. Data is partitioned and each area of data has different requirements for access.

Multilevel secure (MLS) Users have different levels of clearance (Bell-LaPadula). Some do not have valid personnel clearance for all information but all have a valid need to know for the information they have access to.

Controlled mode Multilevel mode in which a more limited amount of trust is placed in the hardware or software. This results in more restriction on classification levels and clearance levels.

Limited access mode Minimum user clearance is not cleared and maximum data sensitivity is not classified by sensitivity.

There is no clear answer whether labeling systems (Biba, Bell-LaPadula, Clark-Wilson) are better than ACLs or the reverse. Labels are more rigid; they cannot be changed and therefore it is more predictable what a user will be able to access. Labeling systems can in this way be more secure, but are very expensive to administer and difficult to use in a world with shifting requirements.

Covert channels are flaws, unexpected vulnerabilities in a secure system. There are covert storage channels and covert timing channels.

A covert storage channel allows writing by one process to a storage area that allows reading by another process which has less clearance than the first process. A covert timing channel exists when a signal of information is modified due to some other system function. The modified signal may allow other individuals to determine the system's function through observation of the other.

6.4 Information System Security Standards

Before a system is taken into production it must have a technical evaluation and it must be certified that it has the required security features. Secondly, the management must decide to accept the risk of using the system and approve its operation and environment (accreditation) or reject it. If this must be done for every system, a backlog can be created. To resolve this issue, efforts resulted in the Trusted Computer System Evaluation Criteria (TCSEC). This standard is also known as the Orange Book and consists of a rating system against which systems can be formally evaluated. In Europe the ITSEC was created. Both standards were later merged with other standards into the Common Criteria.

TCSEC

THE ORANGE BOOK AND THE RAINBOW SERIES

The emphasis of TCSEC is confidentiality. It divides operating systems into four primary divisions around three different concepts:

Ability to separate users and data

Granularity of access control

Trust or overall assurance of the system

The four primary divisions are:

D Minimal protection

C Discretionary protection

C1 Discretionary security protection

C2 Controlled access protection

B Mandatory protection

B1 Labeled Security Protection

B2 Structured protection

B3 Security domains

A Verified protection

A1 Verified design

TCSEC defines four broad classifications for system security: Division A through D.

Division D Minimal protection is available or the system has failed to meet all other classifications.

Division C Need to know protection, accountability of subjects, accountability of actions, and audit. Through the use of auditing, discretionary protection and accountability of subjects and the actions they initiate are covered.

C1 Systems satisfy discretionary security by providing for the separation of users and data.

C2 Systems provide a more granular degree of access through the use of login procedures, auditing of security events and resource isolation.

Division B Mandatory access control rules are required.

B1 Like a C2 system, with the addition of an informal statement of the security policy model, data labeling and mandatory access control over named subjects and objects.

B2 B2 systems require a formal, structured security policy model that requires the discretionary and mandatory access control to be extended to all subjects and objects in the system.

B3 B3 systems require the use of security domains to mediate all accesses of subjects to objects to ensure tamperproof function.

Division A These systems use formal security verification to assure that all of the security controls employed can effectively protect classified or other sensitive information via a stringent design verification.

A1 Like a B3 system, but also formal design specification and verification techniques are used, resulting in a high degree of security.

Criticisms of the Orange Book say:

It primarily addresses confidentiality; you don't have to worry about the correctness of data;

It emphasizes controlling users but doesn't say much about what they might do with the information they get;

It doesn't fully address procedural, physical and personnel safeguards or how they might impact system security;

It doesn't address networked computers.

The Orange Book is an older standard, however, and additional guides covered many of these criticisms. In total there are about 30 security guides.

ITSEC

INFORMATION TECHNOLOGY SECURITY EVALUATION CRITERIA

This European standard was founded in 1991 and embedded in the Common Criteria in 1998. Differences between TCSEC and ITSEC are:

ITSEC addresses the CIA

In the specifications the Target of Evaluation (TOE) is the product or system to be evaluated. The TOE's functionality and assurance* are evaluated separately.

ITSEC does not require the security components of a system to be isolated into a TCB;

ITSEC provides for the maintenance of TOE evaluation.

(*) The separation of functionality and assurance is accomplished by recognizing three objectives of evaluation:

Security functions What is done.

Security mechanisms How it is done.

Certification The TOE meets the security target on the claimed assurance level.

As with TCSEC there are ITSEC-levels of certification. Certification is done by the CLEFs (Commercial Evaluation Facilities). The certification levels are:

E0 Inadequate

E1 Definition of security target and informal architecture design exists, User/Admin documentation on TOE security. TOE is uniquely identified and documentation exists which includes delivery, configuration, start-up and operations. The evaluator tests the security functions. Secure distribution methods are utilized.

E2 Informal detailed design and test documentation are produced. Separation of TOE into security enforcing and other components. Audit trail of start up and output required. Assessment includes configuration control, developer's security and penetration testing for errors.

E3 Source code or hardware drawings must accompany the product and a correspondence between design and source code must be shown. Standard, recognized implementation languages are used. Retesting is required after correction of errors.

E4 Formal security model. Semi-formal specification for security enforcing functions, architecture and detailed design. Sufficient testing. TOE and tools under configuration control. Changes are audited, compiler options documented. TOE retains security after a restart from failure.

E5 Relationships between security enforcing components are defined in the architectural design. Integration processes and runtime libraries are provided. Configuration control is possible independently of the developer. Configured, security enforcing or relevant items can be identified. There is support for variable relationships between them.

E6 Formal description of architecture and security enforcing functions with correspondence between formal specification through source code and tests. All TOE configurations defined in terms of the architecture design and all tools can be controlled.

COMMON CRITERIA

The Common Criteria has the following objectives:

Ensure IT product evaluations are performed to high and consistent standards;

Guarantee that evaluations contribute to the confidence in the security of the products;

Increase the availability of evaluated, security-enhanced IT products;

Eliminate duplicate evaluation;

Continuously improve efficiency and cost-effectiveness of security evaluations and certification/validation process for IT products and protection profiles.

6.5 Common Criteria

A CC evaluated product is not guaranteed to be free from exploitable vulnerabilities. You need to ask yourself the following questions:

Which version was certified?

Is the environment in which it was evaluated the same as the one I have?

Are the things this product was tested for important to my needs? And do they match all my criteria?

The founders of the CC (United States, Canada, France, Germany and the United Kingdom) have the objectives listed above under COMMON CRITERIA. Products which are tested in one of the partner countries do not have to be tested in the other countries. The CC is divided into three parts:

1. Introduction and general model
2. Security Functional Requirements
3. Security Assurance Requirements

INTRODUCTION AND GENERAL MODEL

This part provides definitions and thoughts on how the CC can be used. Two important parts of any CC submission are the definition of a Security Target (ST) and the Protection Profile (PP).

The security requirements are described in the PP and indicate the security problem that the TOE will solve. Within the PP the functional and assurance requirements are stated along with the rationale for its components. An EAL (evaluation assurance level) may be part of the PP. A PP evaluation indicates that the PP can be used as a statement of requirements for an available TOE.

An ST is the basis against which the evaluation is done. It contains the TOE security threats, objectives, requirements and a summary specification of security functions, assurance functions and assurance measures. Consumers can also see whether the product meets its requirements, and in which environment.

SECURITY FUNCTIONAL REQUIREMENTS

The components of the CC are represented by eleven functional classes which are each divided into families.

FAU Audit. Security events are recognized, recorded and analyzed to produce audit records.

FCS Cryptographic Support. Consists of a family for operational use and a family for management of cryptographic keys.

FCO Communication. The way that the identity of parties is assured in data exchange. One family is concerned with non-repudiation.

FDP User Data Protection. These families show how user data is protected during import, export and storage. Security attributes of data are detailed.

FIA Identification and Authentication. Families determine and verify user identity, their authority to interact with the target and the correct association of security attributes with users.

FMT Security Management. Specifies management of security attributes, data and functions. Management roles are defined.

FPR Privacy. Protection of the user, preventing discovery and misuse of identity by other users.

FPT Protection of the TSF. Protection of the TOE Security Functions data: integrity and management, CIA, trusted recovery, replay detection, domain separation, time stamps.

FRU Resource Utilization. Availability of resources. Details for fault tolerance, service priority, resource allocation.

FTA TOE Access. Controlling establishment of a user's session, limiting the number and scope of sessions, displaying access history, modification of access parameters.

FTP Trusted Path. Trusted communication paths between users and the TSF, and in between.

SECURITY ASSURANCE REQUIREMENTS

Assurance is defined for PPs, STs and TOEs.

APE Protection Profile Evaluation. Demonstrates that the PP is complete, consistent and technically sound and states the requirements for an evaluable TOE.

ASE Security Target Evaluation. Demonstrates that the ST is complete, consistent and technically sound. It is suitable for TOE evaluation.

ACM Configuration Management. Integrity of the TOE is preserved, for the TOE and documentation used for the evaluation that is distributed.

ADO Delivery and Operation. Security protection of the TOE is not compromised during delivery, installation and operational use.

ADV Development. A mapping from security requirements to a low-level representation.

AGD Guidance Documents. Secure operational use of the TOE by admins and users.

ALC Life Cycle Support. The lifecycle definition, tools, techniques, security of the development environment and the correction of flaws found by consumers.

ATE Tests. The TOE meets the functional requirements in the class.

AVA Vulnerability Assessment. Identification of exploitable vulnerabilities introduced by construction, operation, misuse or incorrect configuration. Uses covert channel analysis, analysis of configuration, strength of mechanisms of security functions, identifies flaws.

AMA Maintenance of Assurance. Requirements the product should meet after certification as measured against the CC.

EVALUATION ASSURANCE PACKAGES OR LEVELS - EALS

EALs are combinations of assurance components. There are seven levels:

EAL1 Functionally tested. Confidence in correct operation is required but threats are not serious.

EAL2 Structurally tested. Delivery of design information and test results is consistent with good commercial practice. Low to moderate level of independently assured security.

EAL3 Methodically tested and checked. Security engineering at the design stage; requires minimal alteration of existing sound development practices.

EAL4 Methodically designed, tested and reviewed. Use of positive security engineering and good commercial development practices; rigorous, but does not require substantial specialist knowledge, skills or testing.

EAL5 Semi-formally designed and tested. Using rigorous commercial development practices and application of specialized security engineering techniques. High level of independently assured security in a planned development, rigorous developmental approach.

EAL6 Semi-formally verified, designed and tested. Specialized security engineering techniques in a rigorous development environment. Protection of high value assets against significant risks. Modular, layered approach to design, structured presentation of the implementation. Independent search for vulnerabilities ensures resistance to penetration; systematic search for covert channels; development environment and configuration management controls.

EAL7 Formally verified, designed and tested. Used for extremely high risk situations. White box testing is used.

AREAS NOT ADDRESSED BY THE COMMON CRITERIA

CC does not test secure usage. There is no evaluation of organizational, personnel, physical or procedural controls. Areas that are not covered are:

Electromagnetic control

Procedures for accreditation

Criteria for assessment of cryptographic algorithms.

A COMPARISON OF THE ORANGE BOOK, ITSEC AND COMMON CRITERIA

Orange book (TCSEC)                      ITSEC     Assurance level (CC)
D  Minimal protection                    E0        EAL0 / EAL1
C1 Discretionary Security Protection     F1 + E1   EAL2
C2 Controlled Access                     F2 + E2   EAL3
B1 Labeled Security Protection           F3 + E3   EAL4
B2 Structured Protection                 F4 + E4   EAL5
B3 Security Domains                      F5 + E5   EAL6
A  Verified Design                       F6 + E6   EAL7

6.6 IPSec

IPSec is an IETF standard that describes a communications protocol, created because TCP/IP was not designed with security in mind. IPSec was developed for IPv6 but works on IPv4 as well.

USES FOR IPSEC

The use of IPSec involves the implementation of a VPN, the protection of communication between two computers or between a computer and a security device on the same LAN. It can also be used to block specific computers or communication protocols from entering or leaving a computer. An additional use can be authentication only.

When used for communication between computers, in either tunnel mode (VPN) or transport mode, IPSec provides the following:

Access Control: restricting access by identifying the IP address of the computers;

Connectionless integrity: using a checksum and a hash across the payload, which is also encrypted;

Mutual computer authentication: each computer must authenticate to the other. The standard allows multiple authentication techniques. Implemented products use certificates, shared keys and Kerberos;

Confidentiality: during transit the information is protected;

Data-origin authentication: each packet can be attributed to the sending computer;

Protection against replay attacks: packets are provided with the following triple of information: a Security Parameters Index (SPI) which identifies the appropriate Security Association (connection), a sequence number, and the authenticated computer's IP address. IPSec checks this information and drops packets which have the same information, because this might be an attack.
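As an added example, not from the summary, of the replay check just described: a Python sliding-window check kept per Security Association (SPI plus peer address) on the sequence number, so a duplicated packet is dropped while a late but unseen one still passes. The window size, SPIs and addresses are constructed for the demo.

```python
"""Added example (not from the summary): an anti-replay check keyed on the
(SPI, sequence number, source IP) triple the summary describes.

A simplified sliding-window check modelled on the IPSec anti-replay service.
One window is kept per Security Association (SPI + peer address); the window
size and the sample packets are constructed for the demo.
"""

WINDOW = 8  # real implementations use 64 or larger; small here to show sliding


class ReplayWindow:
    """Tracks the highest sequence number accepted on one SA and a bitmap of
    the most recent WINDOW sequence numbers."""

    def __init__(self, size: int = WINDOW):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set <=> (highest - i) was already accepted

    def check(self, seq: int) -> bool:
        """Return True and record seq if the packet is new; False if it is a
        replay or too old to be judged (both are dropped)."""
        if seq == 0:
            return False                       # sequence numbers start at 1
        if seq > self.highest:
            shift = seq - self.highest         # slide the window forward
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1                   # mark the new highest as seen
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                       # older than the window: drop
        if self.bitmap & (1 << diff):
            return False                       # already seen: replay
        self.bitmap |= 1 << diff               # late but new: accept
        return True


def filter_packets(packets):
    """packets: iterable of (spi, seq, src_ip). Returns the accepted packets;
    replayed or stale ones are dropped, as the summary describes."""
    windows = {}
    accepted = []
    for spi, seq, src in packets:
        win = windows.setdefault((spi, src), ReplayWindow())
        if win.check(seq):
            accepted.append((spi, seq, src))
    return accepted


# Constructed sample traffic: one SA with a duplicate and a late packet,
# plus one packet on a second SA.
SAMPLE = [
    (0x1001, 1, "198.51.100.7"),
    (0x1001, 2, "198.51.100.7"),
    (0x1001, 2, "198.51.100.7"),   # replay of seq 2: dropped
    (0x1001, 5, "198.51.100.7"),
    (0x1001, 3, "198.51.100.7"),   # late but unseen: accepted
    (0x1001, 20, "198.51.100.7"),
    (0x1001, 4, "198.51.100.7"),   # now older than the window: dropped
    (0x2002, 2, "203.0.113.9"),    # different SA, its own window: accepted
]
```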

IPSec can be configured in allow mode or block mode. In allow mode all data addressed to the computer is accepted by the network card and passed up the TCP/IP stack.

IPSec configured in block mode blocks certain protocols such as FTP, HTTP and SMTP.

ARCHITECTURAL COMPONENTS OF IPSEC

IPSec uses Internet Key Exchange (IKE) for master key creation. This key is used to create session keys (used for encryption).

It is composed of two subprotocols:

AH IP Authentication Header

ESP Encapsulation Security Payload

Both subprotocols provide integrity, data origination authentication, mutual computer authentication and anti-replay. ESP can also provide confidentiality.

To set up IPSec sessions between two computers, two phases are used. In phase I, after machine authentication, a security association (SA) is created and used for the exchange of keying material, using IKE. This key is used in phase II and can be recalculated periodically.

In phase II session keys are created and two SAs are established: one for outgoing data and one for incoming data. Session keys can be set to be renewed at periodic intervals, thus reducing the risk of compromise.


7 Operations Security

7.1 Examining the Key Roles of Operations Security

Operations Security starts by identifying the resources to protect, the privileges to be restricted and the controls necessary to do so.

The resources are many: computers, routers, switches, printers, databases, security software and appliances, media, phones, wireless devices, modems, software, source code, documentation and people.

For each asset you have to think about the way it is used and how it can be protected. Then, you have to define permission sets (read, write, execute, ...) for the different types of objects within the infrastructure. The privileges (access rights) for each object can differ. For example, the kernel or ring 0 of an OS can only be used by privileged instructions. Another example is data center operations, with a load of privileges which have to be managed.

Controls are the means to prevent misuse or abuse of privileges while allowing authorized individuals or processes to do their jobs. There are three classification schemas.

Schema 1:

Operational controls Day to day procedures, change control management, hardware controls, I/O controls;

Audit and variance detection controls Using audit logs and variance detection tools, such as IDSs;

Application software maintenance controls Tools that monitor installation and updates to applications. They keep a record of changes;

Technical controls Controls that audit and journal integrity validations such as checksums, authentication and file system permissions;

Administrative or management controls Controls such as personnel screening, separation of duties, rotation of duties and least privilege.

Schema 2:

Deterrent controls Controls that reduce the likelihood of attack;

Preventative controls Controls that protect vulnerabilities and reduce the impact of attacks;

Detective controls Controls that detect an attack and may activate corrective controls or preventative controls;

Corrective controls Controls that reduce the impact of an attack.

Schema 3 (controls applicable to equipment or functions):

Disk locks to prevent the use of portable media;

Required passwords for access;

Acceptable user policies and rules;

Requiring virus checking on all disks before use;

The use of antivirus software;

All these controls can be classified as technical, operational, management, preventative, corrective, detective, I/O and so on.

THE OPSEC PROCESS

The OPSEC (Operations Security) process is the process of understanding your day-to-day operations from a competitor's/hacker's viewpoint and then developing and applying countermeasures. OPSEC applies five principles for effective defenses:

1. Identify critical information
2. Analyze threats
3. Assess vulnerabilities
4. Assess risks
5. Apply countermeasures

Analyzing threats is a repeating step: even if you think your system is hardened, new vulnerabilities are found. This is why OPSEC focuses on indicators: information that can be heard or found on the Web, in documents and on tapes. For example, observing people entering and leaving the building, or the emblems used, can provide attackers with valuable information.

Tip-off indicators provide focus for the attacker by telling him where to concentrate his efforts. This might be an increased number of visitors, arrival of important staff and so on.

Countermeasures against indicators are document shredding, not replying to unsolicited mail and so on.

7.2 The Roles of Auditing and Monitoring

Auditing is the process of checking current activity against policy. An audit of an information system implies that the security configuration is checked against the norm and that audit logs can be inspected for deviation. Audit logs can be used by programs, such as intrusion detection programs, which can be trained to detect anomalies that may indicate intrusion.

USING LOGS TO AUDIT ACTIVITY AND DETECT INTRUSION

Audit logs cannot be used in real time, but they can provide evidence of attack. Audit logs can be provided by OSs and record events such as malfunctioning, changes in security policies, failures of application services, successful logons and so on.

INTRUSION DETECTION

Intrusion detection is a technique used to identify intrusion attempts at, and successful intrusions into, a network or host machine.

Packet analyzers, monitors and sniffers can be used for troubleshooting network problems and revealing attacks. This process is called intrusion detection. By using the raw captured data, trained individuals can deduce what is happening.

IDSs are either host-based or network-based. A host-based IDS is software loaded on a host machine. It listens to traffic coming to and going from this host machine and uses its logs. To be effective, the host IDS software should be loaded on every computer. It is considered to be more effective in detecting insider-based attacks.

Network-based IDSs analyze all traffic on the network. A central management station manages the information gathered by the host and network IDSs.

Both types of IDSs are based on attack signature recognition and must be tuned and updated. One tuning mechanism is setting the clipping level. This is the number of errors or unusual activity causing an alarm.
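As an added example, not from the summary: applying a clipping level to audit log records in Python, the way a host-based IDS reading the OS logs would, alarming only when the number of failed logons for one user and source within a time window exceeds the level. The log format, user names and addresses are constructed for the demo.

```python
"""Added example (not from the summary): a clipping level over audit records.

Failed logons below the clipping level are treated as ordinary user error;
once the count within the window exceeds the level, one alarm is raised.
The line format and the log lines below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: timestamp, event, user, source address.
AUDIT_LOG = """\
2024-03-01T09:00:01 LOGON_FAILURE user=jdoe src=10.0.0.5
2024-03-01T09:00:04 LOGON_FAILURE user=jdoe src=10.0.0.5
2024-03-01T09:00:07 LOGON_FAILURE user=jdoe src=10.0.0.5
2024-03-01T09:00:09 LOGON_FAILURE user=jdoe src=10.0.0.5
2024-03-01T09:00:12 LOGON_FAILURE user=jdoe src=10.0.0.5
2024-03-01T09:00:15 LOGON_SUCCESS user=jdoe src=10.0.0.5
2024-03-01T09:05:00 LOGON_FAILURE user=asmith src=10.0.0.9
2024-03-01T09:45:00 LOGON_FAILURE user=asmith src=10.0.0.9
2024-03-01T09:46:00 POLICY_CHANGE user=root src=console
"""


def parse_line(line: str):
    """Split one constructed audit line into (timestamp, event, fields)."""
    ts, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), event, fields


def failures_over_clipping_level(log_text: str, clipping_level: int = 3,
                                 window: timedelta = timedelta(minutes=10)):
    """Return one alarm per (user, src) whose LOGON_FAILURE count within a
    sliding window exceeds the clipping level."""
    recent = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alarms = []
    alerted = set()
    for line in log_text.splitlines():
        ts, event, f = parse_line(line)
        if event != "LOGON_FAILURE":
            continue                              # only failures count here
        key = (f["user"], f["src"])
        times = recent[key]
        times.append(ts)
        # Drop failures that fell out of the window before counting.
        recent[key] = times = [t for t in times if ts - t <= window]
        if len(times) > clipping_level and key not in alerted:
            alerted.add(key)   # one alarm per key, not one per further failure
            alarms.append({"user": f["user"], "src": f["src"],
                           "count": len(times), "at": ts.isoformat()})
    return alarms
```

With the default level of 3, jdoe's burst of five failures raises a single alarm at the fourth failure, while asmith's two failures forty minutes apart never exceed the level.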

PENETRATION TESTING TECHNIQUES

Penetration testing can be useful to detect vulnerabilities. This kind of ethical hacking is performed in seven steps:

1. Determine the target Select the company to penetrate;

2. Footprint or profile Use social engineering techniques or do desk research about any information published by or about the company;

3. Enumerate the network This is about mapping out machine names, IP addresses and services by using tools such as Tracert. You can use WhoIs and the domain names registered with the company to find out further information such as the name of the website administrator, the registrars and the IP address of the DNS servers. These are important as they may lead to the IP addresses of other computers in the network.

4. Scan and enumerate services Knowing the IP addresses from step 3, you can use tools to check the existence (PING) and the TCP and UDP ports (NMAP). With a port scan, the service behind the port issues a banner (string of information).

5. OS enumeration With the banner information and tools such as NETCAT you can determine the OS and exploit its vulnerabilities. The banner information can be used to identify and attack the services behind the ports.

6. Penetration test Based on the knowledge gained, an attack against a particular machine is performed.

7.3 Developing Countermeasures to Threats

The way to eliminate or to mitigate risks is to develop and follow countermeasures for each identified threat. The problem is that threats change by day.

RISK ANALYSIS

Risk analysis determines which threats require development and implementation of countermeasures. You can use either quantitative or qualitative risk analysis (see page 3-3).

THREATS

The common information system threats are:

Errors

Omission

Fraud

Misuse of information

Employee sabotage

Ignoring policy

Physical accidents

Software malfunction

Loss of resources

Loss of infrastructure

Hackers and crackers

Espionage

Malicious code

Within the mainframe world, several operations personnel were required and for each the job was carefully defined:

Computer operator

Operations analyst

Job control analyst

Production scheduler

Production control analyst

Tape librarian

John Kindervag developed a new taxonomy of threats for the modern world:

Strategic attack your company is picked as the target;

Collateral attack The attack is on another company but affects you as well

Nuke attack You suffer because you're connected to the internet (worms, viruses);

Random attack Automated tools scan huge numbers of IP addresses looking for vulnerabilities. You may be attacked;

Jump-point attack Your computer is compromised and used to attack others.

COUNTERMEASURES

Countermeasures can include general system and hardware hardening steps. Many threats, however, can be classified as employee related. Some risk mitigating procedures you can apply are:

Provide clear definition of authority

Structure along functional lines

Ensure that any type of fraudulent behavior requires collaboration of two or more individuals;

Separate job functions when combining them provides too much control;

Rotate people within their own areas;

Prevent family members from holding jobs in areas which you would not combine into one person's responsibilities;

Provide clean, accurate, detailed job descriptions;

Include as part of every employee performance review, evaluation and consideration for raise and promotion the employee's observance of security practice;

Provide annual training for all employees

Encourage IT security to work with other security specialists, such as plant and physical security;

Maintain a standards manual and enforce the standard;

Require vacations be taken and require that they be taken contiguously;


Require sophisticated access controls at the entrances to sensitive areas and systems.

Countermeasures for hiring and firing:

Require business and personal references;

Make employment contingent upon receiving a reference from the candidate's current employer;

Check public records including court records, marital record, education record, military record, law enforcement records, public documents and credit bureaus;

Require drug testing;

Consider insurance and bonding;

Look for conflict of interest.

Countermeasures for disgruntled employees:

Respect employees and consider individual situations;

Consider morale-building programs;

Provide security training on an annual basis;

Provide professional development opportunities;

Provide rewards for good behavior, such as bonuses and other recognition of accomplishments;

Increase communications through staff meetings, group meetings and discussions in which employees can air gripes and grievances.

Countermeasures for common internet-based threats. These are the same steps as in the penetration test, but now performed on your own network to detect and mitigate vulnerabilities:

Footprinting / enumerating the network (contact information in the domain registration is not an individual's name);

Scanning / enumerating services;

OS enumeration;

Penetration test.

Countermeasures for physical threats. Just think of one.

7.4 Concepts and Best Practices

PRIVILEGED OPERATIONS FUNCTIONS

Privileged operations are system commands and parameters and the configuration commands and activities for any device that handles information or controls the transmission of data on the network.

As this knowledge is widely spread, you must:

Make sure that system commands and utilities are reserved for administrative use;

Provide training and guidance for all administrators

Ensure that job interviews also stress these aspects.

UNDERSTANDING ANTIVIRAL CONTROLS

With a proper use of antiviral products five areas must be addressed:

Antiviral products must be installed on servers and desktops;

Automatic, regular updating of both engine and patterns is a must at the server and desktop levels;

Server side products should be configured to use additional features;

Attention should be paid to new viral/worm vectors;

All users should be trained to not accept defaults, to be proactive and to resist social engineering techniques.

PROTECTING SENSITIVE INFORMATION AND MEDIA

Information has a life cycle, as all things do. It is created, handled, stored and destroyed.

Creation. Newly created information should immediately be classified and labeled. The label must indicate when it was obtained, its source and an indication of its sensitivity level.

Handling. All data within the data center must be properly handled to assure viability and confidentiality.

Storage. Provide environmental controls such as the ideal temperature and humidity level.

Cleaning. Wax and cleaning agents should not be used on computer room or storage area floors.

Destruction. If it is no longer necessary to maintain data, it should be properly destroyed. Methods of destroying data on magnetic media are multiple overwrite of data, encryption, media destruction and degaussing.

CHANGE MANAGEMENT CONTROL

Computer operations should institute a change management control system for the IT infrastructure. Detailed information must be developed about:

Network configuration

Computer configuration

System parameters and settings

Application configuration

Device configuration

Locations for all the computers, devices, media storage and other parts of the infrastructure

Job titles and description of duties

Test environment specifications

Disaster and continuity plans

Other aspects of computer operations

There must be a policy requiring that changes to these items are properly documented and approved. The policy should detail the change management process: request, review, approval, documentation, testing, implementation and reporting.

8 Business Continuity Planning and Disaster Recovery Planning

8.1 What Are the Disasters That Interrupt Business Operation?

Reasons for having a Business Continuity Plan (BCP) are:

50% of the companies that lose data in a disaster never reopen; 90% of them are out of business within two years;

In the USA the Foreign Corrupt Practices Act (1977) and IRS 91-59 respectively mandate protection of business records and make management responsible;

Some types of businesses, such as financial institutions, might be required to have a plan;

Employees and shareholders suing companies for not having a plan;

Insurance companies requiring such a plan;

Business partners.

The first step is to list catastrophic events in the following categories:

Natural events, including weather: earthquake, hurricane, flood

Terrorism, sabotage and acts of war: bombing, kidnapping

Accidents, including environmental spills: explosion, fire, broken pipes

Miscellaneous events: HW/SW failure, human error, riot

Every possible disaster should be mentioned; there must be no filtering in advance. The next step is to determine the possible damage.

8.2 Quantifying the Difference Between DRP and BCP

Disaster recovery is the process of bringing back into production a critical business process that has been crippled or destroyed by some catastrophic event.

Disaster recovery planning is the process of developing a plan to do so. Its focus is an immediate or short-term fix for affected business processes. Business continuity planning seeks to minimize the impact of catastrophic events on critical business processes, get the processes up and operational should some event occur and bring the company back to full recovery after the immediate crisis has passed. It represents the big picture. A DRP cannot exist without a BCP and vice versa.

8.3 Examining the BCP Process

The steps in developing a BCP are:

1. Define the scope

2. Perform a business impact analysis (BIA)

3. Develop operational plans for each business process

4. Test plans

5. Implement plans

6. Maintain plans

DEFINE THE SCOPE

Focus on the recovery of some part of the organization from some type of event if there isn't any BRP. Later you can create a master plan for the entire organization. Take into consideration that regulations or law may require continuity (such as HIPAA). These are probably the first processes to put into scope.

PERFORM A BUSINESS IMPACT ANALYSIS (BIA)

Keep in mind that resources are not unlimited. The goal of recovery is to get critical services up and running. You have to define the maximum tolerable downtime (MTD). Others call this the recovery time objective (RTO).

The steps in a BIA are:

Identify the time-critical business processes

Identify supporting resources for the critical processes

Determine the MTDs

Return to business units for validation

Provide the final report to senior management

What may help is to define the cost of processes not being available. What will happen if a process isn't available for some weeks? What are its relations with other processes? A lot of interviews must be held to define the possible loss. Think of losses such as revenue loss, sales loss, interest lost, penalties for late payments, contractual fines and cancelled orders. Besides financial loss, other kinds of losses should be taken into account.

Next the business unit responsible for the process should validate the MTD derived from all this information. The correctness of the MTD is essential for further development of the plan. Finally the final report is created, including an assessment of all the threats and vulnerabilities to time-critical business functions and suggested recovery approaches.

DEVELOP OPERATIONAL PLANS FOR EACH BUSINESS PROCESS

The planning process is divided into four phases. Each phase must have its own plan:

Preventative measures: Take preventive actions before an emergency takes place, such as inspections, backups and reviews;

Emergency response: Actions to be taken immediately after an event has occurred, such as alerting authorities and notifying management;

Recovery: Putting critical operations back into operation;

Return to normal operations: Activities that return the business to normal operations, such as facility repair, establishment of new data and recall of employees.

The business owners are key players in the development of the plans. They define what is necessary. They must also be trained in the process of evaluating alternatives for recovery, documentation of the strategies and selection of personnel to carry out the plans.

There should be a plan for getting help addressing:

Telephone numbers of restoration companies;

Phone numbers for insurance vendors;

Instructions on proper notification.

The planning process should include a review of insurance coverage. Items that should be questioned are:

The type of risk covered

The type of property policy valuation

The need for specific additional insurance.

Other considerations:

Insurance policies can be based on named perils or all risks. Named perils means that the cause of the loss must be enumerated; if the cause is not listed, there is no coverage for the risk. If all risks is specified, then all causes of loss that are not explicitly excluded are covered.

The value of the lost properties can be calculated on basis of actual cash value (ACV) or replacement cost.

Some losses may not be covered, such as additional costs of business interruption. Special coverage may be required. Think of:

- Business interruption insurance

- Boiler and machinery

- Valuable papers

- Accounts receivable

Most insurance plans require businesses to take appropriate steps during and after a business interruption. Each company should review its insurance plans with the insurance company. Generic steps in obtaining insurance claims are:

Notify insurance company of claim immediately

Secure the area

Restore fire protection

Prevent further damage / take action to minimize loss

Provide security

Take pictures and video of the site and (un)damaged property

Determine the cost of these and other temporary measures deemed necessary to resume operations and maintain security

Obtain property replacement and repair costs from several sources

Require all recovery personnel, including contractors, to log all activities

Some steps are considered emergency response and simply must be done immediately

Partial payment might allow you to proceed with certain efforts

You might need to negotiate the final claim settlement

After the claim settlement is received, implement planning, acquisition and installation of facility and resources.

Quick action immediately after an event has taken place can help to reduce damage. Think of quickly putting out a fire, pumping out water, conserving disks and tapes.

IMPLEMENT PLANS

The implementation consists of two phases:

1. The acquisition of alternative equipment and locations, the acquisition of contractual arrangements with restoration specialists, and training of employees in their responsibilities and actions.

2. The actual operation of the plan when an event occurs.

TEST PLANS

Ways to test a plan are:

Desk checking

Reviewing the plan for currency

Performing full parallel system tests

Running through scenarios and mock emergencies

Testing calls to contractors

Remote operations testing

Switching to the mirror system or site

Reviewing insurance

Testing by departments or business process groups.

A plan is considered valid and effective if it passes the following tests:

Response is within the allowed time frame

Operations at alternative systems and locations are adequate

Backups can be successfully restored

Emergency personnel, service personnel and contractors can be reached any time of day or night

Team members are aware of specifics of the current plan

Team members are able to perform associated duties

The plan is up-to-date.

MAINTAIN PLANS

The BCP must be reviewed at least once a year or every time the business makes a change in its processes. Change Management should therefore include a review of the BCP as part of its checklist. The review should include:

Is the insurance plan up-to-date?

Have new processes and equipment been added and are they covered in the plan?

Has team membership been adjusted to include or exclude changes in personnel?

Is testing being done?

Are there new types of events or changes in the likelihood of them occurring?

Have mergers, acquisitions or divestitures occurred and has the plan been adjusted?

8.4 Defining DRP

Before going into defining a DRP the following assumptions are made to prevent overlap:

The scope of BCP encompasses DRP and a BIA has been made;

The testing and maintenance portion of the DRP can use the same instructions.

The planning process for disaster recovery includes seven things:

The scope of the plan

Procedures that help to prevent disasters

A list of resources that need to be available

The backup strategy

A to-do list for the emergency response process

Step-by-step instructions for implementing the plan

Phone numbers of restoration and alternative sites
DETERMINING THE SCOPE OF THE RECOVERY PLAN

The plan must identify which processes and equipment will be covered. The BIA identifies critical data processing operations; DRP determines which equipment, software, environment, facilities and personnel will be necessary. Special consideration should be given to distributed environments: who is responsible?

CREATING ANTIDISASTER PROCEDURES

An organization needs to implement standard procedures and directives, such as:

Close safes (don't leave them open);

Don't leave network equipment in open places;

Limit access to data centers and other private spaces;

Use fire-retardant materials in the construction of data centers;

Provide fire-extinguishing equipment and sprinkler systems;

Perform background screening of personnel;

Use antivirus products and screening firewalls, routers and so on.

LISTING NECESSARY RESOURCES

For the relocation of critical business procedures and so on you must have a complete listing of necessary resources. Also there must be plans for the movement of personnel and the required work space.

EMERGENCY RESPONSE PROCEDURES

During a crisis, people who are trained in handling emergency response procedures perform better than untrained people. There must be a list with instructions on how to act in case of an emergency, and people must be empowered to act. The goal is to prevent people from responding blindly. An example of such a list is:

Shut down running programs;

Remove critical data files;

Shut down equipment in a proper sequence and shut off power;

Establish damage control;

Evacuate buildings;

Reconvene at alternative sites.

8.5 Developing a Backup Strategy

A backup strategy includes the capability to move processing to alternative locations if necessary; it is not just about placing copies of data in safe places. The backup process needs to be validated, monitored, controlled and tested.

A backup plan should provide for:

Data backup

Alternative sites

Data vaulting

Co-location (hosting a backup site at an ISP)

Hardware backup

Hardware- or software-based RAID

Fail-over clustering

BACKUP PROCEDURES AND POLICIES

Kinds of backups:

Full backup: all data is copied;

Partial backup: changed data is backed up;

Incremental backup: partial backup of files changed since the previous incremental backup (the backup flag is reset);

Differential backup: partial backup of files changed since the last full backup (the backup flag is not reset).

At the point of a total restore you need the full backup and either a) all incremental backups or b) the latest differential backup.
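The flag semantics and the two restore chains described above, as an added example that is not part of the original summary. It models a tiny file system whose files carry a per-file backup flag: a full backup copies everything and resets all flags, an incremental copies flagged files and resets their flags, and a differential copies flagged files but leaves the flags alone, so a restore needs either full + every incremental or full + the latest differential. All file names and contents are constructed sample data; deletions are not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Backup:
    kind: str              # "full", "incremental" or "differential"
    files: Dict[str, str]  # file name -> content captured in this set


@dataclass
class FileSystem:
    files: Dict[str, str] = field(default_factory=dict)    # name -> content
    archive: Dict[str, bool] = field(default_factory=dict)  # name -> backup flag
    history: List[Backup] = field(default_factory=list)

    def write(self, name: str, content: str) -> None:
        self.files[name] = content
        self.archive[name] = True  # every change raises the backup flag

    def full_backup(self) -> Backup:
        # Copy everything and reset every flag.
        b = Backup("full", dict(self.files))
        for n in self.archive:
            self.archive[n] = False
        self.history.append(b)
        return b

    def incremental_backup(self) -> Backup:
        # Copy files flagged since the previous backup and reset their flags.
        changed = {n: self.files[n] for n, flagged in self.archive.items() if flagged}
        for n in changed:
            self.archive[n] = False
        b = Backup("incremental", changed)
        self.history.append(b)
        return b

    def differential_backup(self) -> Backup:
        # Copy files flagged since the last full backup; flags stay set, so each
        # differential grows until the next full backup resets them.
        changed = {n: self.files[n] for n, flagged in self.archive.items() if flagged}
        b = Backup("differential", changed)
        self.history.append(b)
        return b


def restore_chain(history: List[Backup]) -> List[Backup]:
    """The sets a total restore needs, oldest first (one strategy per cycle)."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    after = history[last_full + 1:]
    diffs = [b for b in after if b.kind == "differential"]
    if diffs:
        # b) full + latest differential; earlier differentials are superseded
        return [history[last_full], diffs[-1]]
    # a) full + every incremental, in order
    return [history[last_full]] + [b for b in after if b.kind == "incremental"]


def restore(history: List[Backup]) -> Dict[str, str]:
    """Replay the restore chain to rebuild the file contents."""
    state: Dict[str, str] = {}
    for b in restore_chain(history):
        state.update(b.files)
    return state


def weekly_scenario(strategy: str) -> dict:
    """Full backup on day 0, then three days of changes with partial backups.
    Returns how many sets a restore needs, their sizes, and whether it is exact."""
    fs = FileSystem()
    fs.write("payroll.db", "v1")   # constructed sample files
    fs.write("notes.txt", "v1")
    fs.full_backup()
    partial = fs.incremental_backup if strategy == "incremental" else fs.differential_backup
    fs.write("payroll.db", "v2")   # day 1
    partial()
    fs.write("notes.txt", "v2")    # day 2
    partial()
    fs.write("payroll.db", "v3")   # day 3
    partial()
    chain = restore_chain(fs.history)
    return {
        "sets_needed": len(chain),
        "files_per_set": [len(b.files) for b in chain],
        "restored_ok": restore(fs.history) == fs.files,
    }


if __name__ == "__main__":
    for s in ("incremental", "differential"):
        print(s, weekly_scenario(s))
```

The incremental chain needs four sets (full plus three small incrementals), the differential chain two (full plus the latest, larger differential); both restore the same final state.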

VITAL RECORDS PROGRAM

In addition to the critical business processes and the supporting data systems, planners need to assure the integrity and availability of vital records (records that have critical importance to the organization). Vital records may be archived electronically or on microfiche, paper and so on.

HARDWARE BACKUPS

As with data, hardware may also need to be backed up. This can be at an alternative site or in the same building.

Alternative sites are classified as:

Hot: completely configured with equipment. You only need to provide personnel, programs and data for recovery;

Warm: partially configured; may need days to make it operational;

Cold: only the basic environment (wiring, power, air conditioning) is available;

Redundant: set up exactly as the primary site;

Mobile: a site configured in a trailer or van;

Hybrid: a combination of the sites above.

Special attention must be paid to keeping the alternative sites up-to-date. In addition to data, the following should also be backed up: operating system software, programming languages, utilities, database management software, input and output documents, transaction logs and system and audit logs. Of course all backups need to be stored near the alternative sites. Locations for backups include the following:

A fire-resistant safe close to the computer room;

A fire-resistant vault in another building within half a mile radius (for daily and weekly backups);

A fire-resistant vault at least five miles from the primary site;

Underground fire-resistant and earthquake-resistant storage at least 50 miles away (for long-term storage).

Good backup plans include instruction and information on:

Where backups are kept;

Labeling schematics for backup tapes;

Frequency of backup cycles and retention time;

Instructions on restoration, including making a copy of the backup before trying to use it in a restore;

How to recover from a failure during any step in the cycle;

Steps for special processing of special types of files such as database agents;

Documentation on backup files that form sets, such as transaction logs and database files;

Locations of real-time or duplicate logs for transactions;

Information on ensuring the integrity of backup media;

The systems that require all files to be closed in order to be backed up and those that have available special agents that can be used in online backup.

Backup recommendations include:

Use a different tape for every day of the week;

Create a weekly backup and use a separate tape for each week of the month;

Verify each tape after creation;

Check tapes for errors;

If unattended backups are made, make sure errors are logged to a file;

Clean the tapes;

Use high-quality media;

Change out tapes frequently, retire old tapes and use new media;

Use a paper-based log to record when backups were made, what was backed up and the location of the tapes;

Test backups by doing a restore;

Log backup errors, exceptions and anomalies.

9 Law, Investigation and Ethics

9.1 Fundamentals of Law

In the US there are federal laws and state laws; they can overlap. Criminals may therefore be prosecuted and convicted by both federal and state law.

Criminal law authorizes the government to punish wrongdoers. Criminal prosecution requires a higher standard of proof, beyond a reasonable doubt, that the suspect intentionally did something wrong.

Civil law, on the other hand, enables private parties to enforce their rights. To win relief under a civil lawsuit, a plaintiff must satisfy a lower standard of proof, proof by a preponderance of the evidence, that he is entitled to relief.

Administrative law allows governmental agencies to interpret the laws they administer through official statements or regulations and to enforce those laws through investigations, fines and other sanctions.

INTELLECTUAL PROPERTY LAW

These are: patents, copyrights and trade secrets. To obtain a patent an inventor must apply to the USPTO (US Patent and Trademark Office) and wait 2-3 years before a decision is made.

Copyrights must be registered at the US Copyright Office. A copyright covers only the expressions of ideas, not the ideas themselves. The DMCA (Digital Millennium Copyright Act) makes it a crime to circumvent encryption or other copyright protecting techniques.

Trade secrets are secrets which are kept to prevent others using or exploiting them, such as customer lists or algorithms. Companies protect these secrets by applying security methods such as encryption.

A license allows the customer to use the software (including patents, copyrights and trade secrets) under restricted terms but does not allow remarketing of the product.

PRIVACY LAW

There is no single federal law on privacy; US laws tend to apply on a sector-by-sector basis:

The healthcare sector has HIPAA (Health Insurance Portability and Accountability Act), which deals with confidentiality of patient information.

The financial sector has the Gramm-Leach-Bliley Financial Modernization Act, which requires financial institutions to give customers notice about how their private information will be protected or shared with third parties.

Furthermore there is the Privacy Act, which limits the ability of federal government agencies to disclose information about individual citizens.

In the US employees have no right to privacy when they communicate through corporate information resources if the employees are informed in advance that they have no privacy.

The European Community has more comprehensive rules on privacy. It is forbidden to transfer individually identifiable information to countries outside of the European Union unless the receiving country grants individuals adequate privacy protection. The EU and the US have negotiated a safe harbor granting EU citizens the rights to the following:

Notice about which data will be collected and how it will be used;

Choice about whether the data will be collected;

Access to collected data;

Reasonable protections for accuracy, integrity and security of collected data;

Rights to seek redress for abuse of data.

Some companies have privacy officers who monitor the use of private information and make recommendations to management.

GOVERNMENTAL REGULATIONS

The government has issued several laws mandating information security controls for enterprises.

The federal FCPA (Foreign Corrupt Practices Act) requires publicly owned companies to maintain adequate books and records and an adequate system of internal controls;

The federal Gramm-Leach-Bliley Financial Modernization Act requires financial institutions to implement a security program to safeguard private customer information;

The US Export Administration Regulations prohibit the transfer of military capabilities to undesirable countries; the US Commerce Department's Bureau of Export Administration (BXA) administers and enforces these export controls.

9.2 Criminal Law and Computer Crime

A person can only be convicted if he breaks a law. To convict computer criminals, laws have been created such as the federal Computer Fraud and Abuse Act, which punishes people who intentionally cause harm by accessing computers without authority. This law is known as 18 US Code Section 1030 and prohibits unauthorized use of computers that involves:

Classified or national security-related information;

Records of a financial institution;

Government records;

Information on a computer involved in interstate commerce;

Fraud;

Damage;

Trafficking in passwords;

Extortion.

To help provide proof that a hacker intentionally committed a crime, you should provide your computer system with a banner that warns that unauthorized access to the network is forbidden. If he continues, he intentionally does something wrong and can therefore be prosecuted.

Other laws are:

The federal Wiretap Act, 18 US Code Section 2511. Punishes unauthorized interception of electronic communications in transit;

The Wiretap Act. Covers the interception of email while being transmitted;

The federal Electronic Communications Privacy Act, 19 US Code Section 2701. Forbids unauthorized people from accessing or damaging electronic messages in storage.

9.3 Computer Security Incidents

There are a lot of security incidents in different areas such as military and intelligence, business, financial, terrorist, grudge, consumer fraud and fun. But how does an enterprise respond to security breaches?

ADVANCE PLANNING

Establish an incident plan in advance. This plan contains the following steps:

Centralize management of the attacks so all of the response can be coordinated;

Designate a single person to receive and analyze reports of suspicious or abnormal activities;

Make a list of whom to notify;

Set procedures for identifying, analyzing and responding to the attack;

Decide how and when to escalate the response to an attack if it grows worse;

Designate who has responsibility for which tasks and who within the organization is to be kept informed and mobilized;

Specify how to log records of the event and preserve evidence;

Establish priorities if there is a tradeoff between preserving evidence and keeping systems in production;

Become familiar with the relevant law enforcement authorities and information sharing organizations in advance and determine which ones to notify at which time;

Recognize that a security incident could be more than a technical matter and might warrant coordination with public relations people, corporate attorneys, human resources and upper management;

Reevaluate security, personnel and the incident response plan afterwards.

COMPUTER CRIME INVESTIGATION

The objective of computer crime investigation is to minimize risk while gathering and securing reliable evidence that could be used in a criminal trial. The steps taken in such a process are:

1. Detect the intrusion (events, audit trail review, abnormal activity).

2. Try to avoid further damage.

3. Report the incident to the management.

4. Start the preliminary investigation by assessing damage and witnesses, and determine what is needed to proceed.

5. Decide whether disclosure to media or government is necessary.

6. Decide on a course of action; what to do next.

7. Assign responsibility for conduct of the investigation. Decide whether it will be done by internal staff or external experts.

8. Pinpoint potential suspects and witnesses; designate who should investigate witnesses.

9. Plan and prepare for seizure of target systems.

10. Designate a search and seizure team.

11. Evaluate the risk to the target system before seizing it.

12. Execute the seizure plan. Secure and search the location, preserve evidence, record each action, videotape the process, photograph the system configuration and monitor display, and move the system to a secure location.

13. Prepare a detailed report documenting facts and conclusions.

9.4 Legal Evidence

An objective of incident response is to gather evidence. Evidence is anything that demonstrates a point to a court or persuades the court that a fact is true. Strong evidence is called direct evidence, weaker evidence is called circumstantial evidence. Evidence must be proven to be what it purports to be in order to be considered authentic.

The hearsay rule concerns statements made outside the court that are repeated in court for the purpose of showing that the statement is true. The best evidence rule says that an original writing must be produced in court because the original is more reliable.

Controls are measures that reduce the chance that records are changed or corrupted. Examples of controls are audit trails and segregation of duties. Another form of control is a chain of evidence, also known as chain of custody. It is a series of records showing where the evidence came from, who was responsible for it, what happened to it, how it was protected, whether it was changed and so on.

THE FOURTH AMENDMENT

The Fourth Amendment to the US Constitution protects US citizens from unreasonable searches and seizures by the government. Government agents need a court-issued warrant except when evidence is in plain view.

9.5 Computer Forensics

Forensics is the use of science and technology to investigate and establish facts that can be used in court. Techniques for seizing and preserving electronic evidence are:

Restrict physical and remote access to the computer.

If the computer is off, do not turn it on.

If the computer is on, photograph the screen and then unplug the computer.

Do not touch the keyboard.

Do all forensic analysis of the electronic evidence from a mirror copy of the disk.

Don't trust the subject computer's OS; conduct analysis on a copy using the OS of a trusted computer.

Step-by-step examination of a PC:

1. Before starting the examination, get authority from corporate management.

2. Turn the machine off by pulling its plug, but first photograph the screen image.

3. Before moving the computer, document the hardware configuration with photographs and tags on cables. Do the same with removable media.

4. Transport the computer to a safe area.

5. Boot the computer (but not from the hard disk). Examine the computer.

6. Use forensic software to make a bit-stream image of the hard disk, run a hash of the hard disk and the image and confirm that both are the same.

The steps a computer forensic expert takes are:

1. Make a bit-level image of the disk.

2. Make a cryptographic hash or digest of the disk.

3. Perform analysis in a secure environment.

4. Use forensics software to find hidden, deleted or encrypted files.

5. Boot the suspect system with a trusted OS. Run a complete system analysis.

6. Reboot the system to discover any background or malicious programs and learn from system interrupts.

7. Examine backup media.

8. Investigate protected files.
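The imaging-and-hash steps of sections 9.5 and the chain-of-custody records of section 9.4, as one added example that is not part of the original summary. It images an in-memory "disk" block by block (reading only, never writing back), hashes both original and image with SHA-256, refuses to proceed if they differ, logs each action with the digest that proves the item's state, and re-verifies the image before analysis so a later alteration is detected. The disk contents, examiner name and case id are constructed sample values.

```python
import hashlib
import io
from datetime import datetime, timezone
from typing import List, Tuple

BLOCK = 512  # sector size used for the block-by-block copy


def sha256_of(device: io.BytesIO) -> str:
    """Hash an entire device or image from offset 0, block by block."""
    device.seek(0)
    h = hashlib.sha256()
    while chunk := device.read(BLOCK):
        h.update(chunk)
    return h.hexdigest()


def bit_stream_image(source: io.BytesIO) -> io.BytesIO:
    """Copy every byte, including unallocated and slack space, into a new image.
    The source is only read; the analysis later runs on the image, never the original."""
    source.seek(0)
    image = io.BytesIO()
    while chunk := source.read(BLOCK):
        image.write(chunk)
    return image


class CustodyLog:
    """Chain of custody: who did what to the evidence, when, and its hash at that moment."""

    def __init__(self, case_id: str) -> None:
        self.case_id = case_id
        self.entries: List[Tuple[str, str, str, str]] = []

    def record(self, actor: str, action: str, digest: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.entries.append((stamp, actor, action, digest))


def acquire(source: io.BytesIO, examiner: str, case_id: str) -> Tuple[io.BytesIO, str, CustodyLog]:
    """Image the source, confirm the image hash equals the original's, log every step."""
    log = CustodyLog(case_id)
    source_hash = sha256_of(source)
    log.record(examiner, "hashed original device", source_hash)
    image = bit_stream_image(source)
    image_hash = sha256_of(image)
    log.record(examiner, "created bit-stream image", image_hash)
    if image_hash != source_hash:
        raise RuntimeError("image does not match the original; acquisition failed")
    log.record(examiner, "verified image hash == original hash", image_hash)
    return image, image_hash, log


def verify_before_analysis(image: io.BytesIO, recorded_hash: str) -> bool:
    """Re-hash the image and compare with the digest recorded at acquisition."""
    return sha256_of(image) == recorded_hash


def demo(tamper: bool = False) -> dict:
    """Constructed three-sector disk: boot area, a live file, and a deleted fragment in slack."""
    disk_bytes = (b"BOOT".ljust(BLOCK, b"\x00")
                  + b"payroll.xls data".ljust(BLOCK, b"\x00")
                  + b"DELETED: wire transfer memo".ljust(BLOCK, b"\xff"))
    disk = io.BytesIO(disk_bytes)
    image, digest, log = acquire(disk, "examiner A", "CASE-0001 (constructed)")
    if tamper:
        image.seek(2 * BLOCK)
        image.write(b"X")  # the image is altered after acquisition
    return {
        "image_size": len(image.getvalue()),
        "slack_recovered": b"wire transfer memo" in image.getvalue(),
        "intact": verify_before_analysis(image, digest),
        "log_entries": len(log.entries),
        "original_untouched": disk.getvalue() == disk_bytes,
    }


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```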

9.6 Computer Ethics

The Request for Comments (RFC) 1087, titled Ethics and the Internet, declares activities unethical and unacceptable if they:

Seek to gain unauthorized access to the resources of the Internet.

Disrupt the intended use of the internet.

Waste resources through such actions.

Destroy the integrity of computer-based information.

Compromise the privacy of users.

The (ISC)2 Code of Ethics Canons require CISSPs to:

Protect society, the commonwealth, and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally.

Provide diligent and competent service to principals.

Advance and protect the profession.

See also https://www.isc2.org/cgi/content.cgi?page=31 for detailed information.
10 Physical Security

Physical security refers to the provision of a safe environment for information processing activities and the use of the environment to control the behavior of personnel.

(ISC)2 groups physical security issues into the following categories:

1. Facility requirements

2. Technical controls

3. Environmental/life and safety

4. Physical security threats

5. Elements of physical security

10.1 Classifying Assets to Simplify Physical Security Discussions

The principles of physical security are the same as those of information security: identification, assessment of vulnerabilities and threats, and selection of countermeasures. As with information assets, rings of protection are a good strategy.

There are four kinds of physical assets:

Facility: buildings, rooms

Support: air conditioning, communication, water, fuel supplies

Physical components: hardware, printers, storage

Supplies and materials: disks, removable media

10.2 Vulnerabilities

A common list of types of vulnerabilities is: destruction, disclosure, removal and interruption. These vulnerabilities can be mapped against the four asset classes. Of course not every vulnerability applies to each class. For example:

Facility

Destruction

Accidental (fire, flood, earthquake, wind, snow, construction faults)

Deliberate (vandalism, sabotage, arson, terrorism)

Theft is probably the most likely physical security issue. It is controlled by the following:

Authorizing or hiring trustworthy people

Maintaining a corporate culture in which honesty is expected and normal

Motivating people by good work environment and competitive remuneration

Minimizing opportunities that would allow the easy theft of assets.

10.3 Selecting, Designing, Constructing and Maintaining a Secure Site

The controls to mitigate site risks are:

Site location and construction

Physical access controls

Power issues and controls

Environmental controls

Water exposure problems and controls

SITE LOCATION AND CONSTRUCTION

With the selection of a site the following should be considered:

Vulnerability to crime, riots and demonstrations

Adjacent buildings and businesses

Emergency support response

Vulnerability to natural disasters

General building construction (hurricanes, earthquakes)

Computer room considerations (location within the building)

PHYSICAL ACCESS CONTROLS

This is usually a perimeter control. Areas such as computer rooms should have restricted access and need to be identified and marked. Think of doors, key card systems and mantraps. Both active and passive access controls should be considered.
Active physical access controls

Active physical access controls are people (guards, receptionists) and computer-controlled card-access systems in combination with badges and ID cards. Guards and receptionists should maintain access logs. Everybody should log in and out. The use of closed circuit TV (CCTV) may detect unwanted intruders.

Besides preventative controls, reactive controls must be included, such as procedures defining what receptionists should do if unauthorized persons are discovered.

Passive controls

Passive measures of access controls include doors and locks. Doors must be fireproof and solid. In addition to locks, alarms can be added to indicate that doors are opened.

Combination locks have the disadvantage of being more difficult to open than key locks, but they can more easily be changed (re-keyed). Another kind of lock is the remote-controlled magnetic lock in combination with (smart) cards or other tokens. Dumb cards have a magnetic stripe with 80 bytes of information; smart cards contain processors and kilobytes of information, enough for biometric information and authorizations. The processor is powerful enough to encrypt information.

Which kind of token to use depends on the cost and required safety. Regarding safety you have to consider:

Fail-open: if a power outage or a computer crash occurs, it defeats the lock system. You need a UPS (Uninterruptible Power Supply) to prevent this;

Fail-closed: means that in case of a failure the lock remains closed.

Prices of cards can vary from cheap ($2-7) for dumb cards to very expensive for smart cards. Systems involving biometrics have issues such as reliability and errors. False positives and false negatives vary in the range from 0.01% to 1.0%. Face recognition is even worse: up to 5%.

POWER ISSUES AND CONTROLS

Most computers are sensitive to dirty power (significant voltage variations and interference). Other electrical equipment on the same power line can create such disruptions. The first rule of computer power is isolation: there should be no other equipment on the same power line. Surge protectors and filters can protect computers from most dirty-power problems.

The most common power risks are:

Brownouts or total power loss

Spikes and surges - spikes occur with lightning; surges when electric motors stop;

Static, e.g. generated by people in cold climates. This risk can be reduced by controlling humidity and using antistatic mats.

A UPS supports the power system for the time needed to start up backup generators. Self-contained power supplies detect when the battery is about to be exhausted after a power failure and shut down the computer automatically in an orderly way.

Computers must be approved by Underwriters Laboratories (UL, US) or the Canadian Standards Association (CSA). UL and CSA approval relate to safety features.

ENVIRONMENTAL CONTROLS

This section is about air conditioning, humidity and temperature. Most large computers require special dedicated air conditioning. Air conditioners extract water from the air, and this water must be drained away: leakage from pipes can destroy the hardware. The air conditioning also needs its own power supply because it uses a lot of energy. A second cooling system can be considered in case the first one fails.

Automatic humidity and temperature monitoring devices should be installed in climate controlled rooms; records should be examined regularly.

WATER EXPOSURE PROBLEMS AND CONTROLS

Examples of water exposure problems are:

Flood

Basements

Roofs

Snow load problems


Hurricane and other weather phenomena

Sprinklers

Air conditioning

FIRE PREVENTION AND PROTECTION

Fire protection refers to detecting fire and minimizing damage to people and equipment. Prevention is avoiding the problem in the first place, which is less costly and more effective in minimizing danger.

Four elements of prevention are outlined in the following list:

Construction: materials in a computer room must be as fireproof as possible. False ceilings and ventilation shafts can become chimneys. Rugs do not belong in a computer room.

Training: fire regulations should be known.

Testing: fire procedures should be tested periodically.

No smoking policy.

Fire detection systems are inexpensive. There are ionization-type smoke detectors and photoelectric detectors. The first rule after a fire is detected is to evacuate people. Fire spreads quickly and produces smoke, heat and toxic gases. After people are safe, you can attempt to put out the fire.

Combustibles are rated as follows, based on their material composition:

Class A: wood, cloth, paper, rubber, most plastics, ordinary combustibles

Class B: flammable liquids and gases, oils, greases, tars, oil-based paints and lacquers

Class C: energized electrical equipment

Class D: flammable chemicals such as magnesium and sodium

Portable fire extinguishers should be available near any electrical equipment. They must be examined periodically. For computers, type ABC extinguishers exist. Extinguishers are labeled as follows:

Class A extinguishers are for combustible solids;

Class B extinguishers are for combustible liquids;

Class C extinguishers are for electrical fires.

Fixed systems include carbon dioxide (CO2) extinguishers. A problem with CO2 is that it leaves a corrosive residue on electrical parts. Safer for people is the use of Halon 1301. The problem is that Halon contains CFCs.

Sprinkler systems use a separate water supply so that they are independent of the electricity network. A reservoir can be put on top of the building and filled with distilled water; distilled water doesn't conduct electricity, polluted water does. Sprinkler systems use wet pipes or dry pipes. Dry pipes are filled with air to prevent breakage due to frozen pipes. When there is a fire, the air flows out first, before the water comes.

10.4 Tape and Media Library Retention Policies

Media storage issues are:

Access should be restricted;

Access should be controlled;

The room should be locked;

The room should be protected from fire.

A basic rule is that any sensitive data should have at least two backups and at least one should be stored in a different building separate from the others.

10.5 Document (hard-copy) Libraries

Physical storage for paper documents needs to be:

Larger in volume than for magnetic disks;

Protected from water damage more carefully;

Treated as a fuel repository and kept separate from other sensitive media.

A checklist for paper storage is:

Keep passages unobstructed;

Do not store records on the floor;

Do not leave original documents on desks overnight;


Store cellulose-based nitrate films separately and treat them as flammable and hazardous goods;

Set material back slightly from shelf edges to lessen vertical fire propagation;

Avoid basement storage;

Check areas where condensation can be a problem;

Install shelving at least 12" from outside walls and 2" from inside walls, and place bottom shelves at least 4" above the floor;

Store more valuable material on upper shelves and upper floors;

Avoid carpeting in storage areas.

10.6 Waste Disposal

Dumpster diving is going through a company's waste bins. It can reveal valuable information. Therefore a procedure for classified waste should be in place, under which such waste is:

Stored in separate containers;

Collected frequently by security-cleared personnel;

Retained in a secure area;

Destroyed by cleared personnel using an approved and effective method.

To keep in mind:

Computers do not erase data; they just flag files as erased;

Databases do not erase records until they are packed;

Degaussing is a way to destroy magnetically stored data;

Optical media must be shredded;

Core dumps from computer memory can reveal valuable data;

Some computer memories retain their contents for a considerable period even after power shutdown.

10.7 Physical Intrusion Detection

Physical intrusion detection can be implemented by:

Motion detectors;

Heat detectors;

Vibration sensors;

Capacitance detectors;

Magnetic sensors;

Sniffers;

X-rays and other see-through devices;

Cameras.

10.8 Addendum

The salami fraud is an automated fraud technique in which a programmer moves small amounts of money into his own bank account (e.g. rounding up amounts).


Abbreviations

Abbr.    Meaning
ACL      Access Control List
ADSL     Asymmetric Digital Subscriber Line
AES      Advanced Encryption Standard
AH       Authentication Header
ALE      Annualized loss expectancy
ALG      Application Level Gateway
ARO      Annualized rate of occurrence
ARP      Address Resolution Protocol
ATM      Asynchronous Transfer Mode
AUI      Attachment Unit Interface
AUP      Acceptable User Policy
BCP      Business Continuity Planning
BIA      Business Impact Analysis
BMP      Bitmap
BNC      British Naval Connector
BootP    Bootstrap Protocol
BRI      Basic Rate Interface
CBA      Cost-benefit Analysis
CC       Common Criteria
CHAP     Challenge Handshake Authentication Protocol
CIRT     Computer Incident Response Team
COA      Ciphertext Only Attack
CRC      Cyclic Redundancy Check
DAC      Discretionary Access Control
DCE      Data Circuit-Terminating Equipment
DDoS     Distributed Denial of Service
DES      Data Encryption Standard
DIVX     Digital Video Express
DLCI     Data-Link Connection Identifier
DoD      Department of Defense
DoS      Denial of Service
DRP      Disaster Recovery Planning
DSL      Digital Subscriber Line
DTE      Data Terminal Equipment
DWDM     Dense Wave Division Multiplexing
EAL      Evaluation
EF       Exposure factor
EMI      Electromagnetic Interference
ESP      Encapsulated Security Payload
FTP      File Transfer Protocol
GIF      Graphic Interchange Format
GRE      Generic Routing Encapsulation
HDLC     High-Level Data-Link Control
HDSL     High-rate Digital Subscriber Line
ICMP     Internet Control Message Protocol
IDS      Intrusion Detection System
IEEE     Institute of Electrical and Electronics Engineers
IKE      Internet Key Exchange
IP       Internet Protocol
IPSec    IP Security
IPX      Internet Packet Exchange
IRC      Internet Relay Chat
IRL      Inter-repeater Link
ISAKMP   Internet Security Association & Key Management Protocol
ISDN     Integrated Services Data Network
JPEG     Joint Photographic Experts Group
KPA      Known-Plaintext Attack
L2TP     Layer 2 Tunneling Protocol
LAPB     Link Access Procedure Balanced
LPD      Line Printer Daemon
MAC      Media Access Control
MAC      Mandatory Access Control
MAC      Message Authentication Code
MAU      Multi-Access Unit
MIDI     Musical Instrument Digital Interface
MLS      Multi Level Secure
MP3      Moving Pictures Experts Group Layer-3 Audio
MPEG     Moving Picture Experts Group
NAT      Network Address Translation
NCP      Netware Core Protocol
NFS      Network File System
NIC      Network Interface Card
NNTP     Network News Transfer Protocol
OPSEC    Operations Security
PAP      Password Authentication Protocol
PAT      Port Address Translation
PEM      Privacy Enhanced Mail
PING     Packet Inter-Network Groper
PKI      Public Key Infrastructure
POP3     Post Office Protocol 3
PP       Protection Profile
PPTP     Point-to-Point Tunneling Protocol
PRI      Primary Rate Interface
RAID     Redundant Array of Inexpensive Disks
RARP     Reverse ARP
RBAC     Role Based Access Control
RPC      Remote Procedure Call
RTC      Real-time Clock
S/MIME   Secure/Multipurpose Internet Mail Extensions
SA       Security Association
SAA      Service Application Architecture
SAN      Storage Area Network
SDLC     Synchronous Data-Link Control
SDSL     Single-line Digital Subscriber Line
SET      Secure Electronic Transmission
SKIP     Simple Key Management for Internet Protocol
SLE      Single-loss expectancy
SMB      Server Message Block
SMDS     Switched Multimegabit Data Service
SMTP     Simple Mail Transfer Protocol
SNA      System Network Architecture
SNMP     Simple Network Management Protocol
SOHO     Small office/home office
SPOF     Single Point Of Failure
SQL      Structured Query Language
SSL      Secure Socket Layer
ST       Security Target
TACACS   Terminal Access Controller Access Control System
TCB      Trusted Computing Base
TCP      Transmission Control Protocol
TCP/IP   TCP and IP
TCSEC    Trusted Computer Security Evaluation Criteria
TCSEC    Trusted Computer System Evaluation Criteria
TDR      Time Domain Reflectometer
TFTP     A subset of FTP
TIFF     Tag Image File Format
TLS      Transport Layer Security
TOE      Target of Evaluation
TSF      TOE Security Functions
UCE      Unsolicited Commercial Email (SPAM)
UDP      User Datagram Protocol
UPS      Uninterruptible Power Supply
UTP      Unshielded Twisted Pair
VDSL     Very-high Digital Subscriber Line
VPN      Virtual Private Network
WAV      Windows Audio Volume
WMF      Windows Media File