CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)

Contents (pages xi to xx)
    Spamming Attacks  44
    Crackers  45
    Access Control Compensations  45
    Summary  45
    Exam Essentials  46
    Review Questions  49
    Answers to Review Questions  53

Chapter 3  ISO Model, Network Security, and Protocols  55
    OSI Model  56
    History of the OSI Model  56
    OSI Functionality  57
    Encapsulation/Deencapsulation  58
    OSI Layers  59
    TCP/IP Model  63
    Communications and Network Security  64
    Network Cabling  65
    LAN Technologies  68
    Network Topologies  71
    TCP/IP Overview  73
    Internet/Intranet/Extranet Components  78
    Firewalls  78
    Other Network Devices  81
    Remote Access Security Management  82
    Network and Protocol Security Mechanisms  83
    VPN Protocols  83
    Secure Communications Protocols  84
    E-Mail Security Solutions  84
    Dial-Up Protocols  85
    Authentication Protocols  85
    Centralized Remote Authentication Services  85
    Network and Protocol Services  86
    Frame Relay  87
    Other WAN Technologies  87
    Avoiding Single Points of Failure  88
    Redundant Servers  88
    Failover Solutions  89
    RAID  89
    Summary  91
    Exam Essentials  91
    Review Questions  93
    Answers to Review Questions  97

Chapter 4  Communications Security and Countermeasures  99
    Virtual Private Network (VPN)  100
    Tunneling  100
    How VPNs Work  101
    Implementing VPNs  102
    Network Address Translation  103
    Private IP Addresses  103
    Stateful NAT  103
    Switching Technologies  104
    Circuit Switching  104
    Packet Switching  104
    Virtual Circuits  105
    WAN Technologies  105
    WAN Connection Technologies  106
    Encapsulation Protocols  108
    Miscellaneous Security Control Characteristics  108
    Transparency  108
    Verifying Integrity  109
    Transmission Mechanisms  109
    Managing E-Mail Security  109
    E-Mail Security Goals  110
    Understanding E-Mail Security Issues  111
    E-Mail Security Solutions  111
    Securing Voice Communications  113
    Social Engineering  113
    Fraud and Abuse  114
    Phreaking  115
    Security Boundaries  115
    Network Attacks and Countermeasures  116
    Eavesdropping  116
    Second-Tier Attacks  117
    Address Resolution Protocol (ARP)  117
    Summary  118
    Exam Essentials  120
    Review Questions  122
    Answers to Review Questions  126

Chapter 5  Security Management Concepts and Principles  129
    Security Management Concepts and Principles  130
    Confidentiality  130
    Integrity  131
    Availability  132
    Other Security Concepts  133
    Protection Mechanisms  135
    Layering  136
    Abstraction  136
    Data Hiding  136
    Encryption  137
    Change Control/Management  137
    Data Classification  138
    Summary  140
    Exam Essentials  141
    Review Questions  143
    Answers to Review Questions  147

Chapter 6  Asset Value, Policies, and Roles  149
    Employment Policies and Practices  150
    Security Management for Employees  150
    Security Roles  153
    Policies, Standards, Baselines, Guidelines, and Procedures  154
    Security Policies  155
    Security Standards, Baselines, and Guidelines  155
    Security Procedures  156
    Risk Management  157
    Risk Terminology  157
    Risk Assessment Methodologies  159
    Quantitative Risk Analysis  161
    Qualitative Risk Analysis  163
    Handling Risk  165
    Security Awareness Training  166
    Security Management Planning  167
    Summary  167
    Exam Essentials  169
    Review Questions  172
    Answers to Review Questions  176

Chapter 7  Data and Application Security Issues  179
    Application Issues  180
    Local/Nondistributed Environment  180
    Distributed Environment  182
    Databases and Data Warehousing  186
    Database Management System (DBMS) Architecture  186
    Database Transactions  188
    Multilevel Security  189
    Aggregation  190
    Inference  190
    Polyinstantiation  191
    Data Mining  191
    Data/Information Storage  192
    Types of Storage  192
    Storage Threats  193
    Knowledge-Based Systems  193
    Expert Systems  194
    Neural Networks  195
    Security Applications  195
    Systems Development Controls  195
    Software Development  196
    Systems Development Life Cycle  198
    Life Cycle Models  201
    Change Control and Configuration Management  205
    Security Control Architecture  206
    Service Level Agreements  208
    Summary  209
    Exam Essentials  210
    Written Lab  211
    Review Questions  212
    Answers to Review Questions  216
    Answers to Written Lab  218

Chapter 8  Malicious Code and Application Attacks  219
    Malicious Code  220
    Sources  220
    Viruses  221
    Logic Bombs  226
    Trojan Horses  226
    Worms  227
    Active Content  228
    Countermeasures  229
    Password Attacks  230
    Password Guessing  230
    Dictionary Attacks  231
    Social Engineering  231
    Countermeasures  232
    Denial of Service Attacks  232
    SYN Flood  232
    Distributed DoS Toolkits  234
    Smurf  234
    Teardrop  236
    Land  237
    DNS Poisoning  237
    Ping of Death  238
    Application Attacks  238
    Buffer Overflows  238
    Time-of-Check-to-Time-of-Use  239
    Trap Doors  239
    Rootkits  239
    Reconnaissance Attacks  240
    IP Probes  240
    Port Scans  240
    Vulnerability Scans  240
    Dumpster Diving  241
    Masquerading Attacks  241
    IP Spoofing  241
    Session Hijacking  242
    Decoy Techniques  242
    Honey Pots  242
    Pseudo-Flaws  243
    Summary  243
    Exam Essentials  244
    Written Lab  245
    Review Questions  246
    Answers to Review Questions  250
    Answers to Written Lab  252

Chapter 9  Cryptography and Private Key Algorithms  253
    History  254
    Caesar Cipher  254
    American Civil War  255
    Ultra vs. Enigma  255
    Cryptographic Basics  256
    Goals of Cryptography  256
    Concepts  257
    Cryptographic Mathematics  258
    Ciphers  262
    Modern Cryptography  266
    Cryptographic Keys  266
    Symmetric Key Algorithms  267
    Asymmetric Key Algorithms  268
    Hashing Algorithms  270
    Symmetric Cryptography  271
    Data Encryption Standard (DES)  271
    Triple DES (3DES)  272
    International Data Encryption Algorithm (IDEA)  273
    Blowfish  274
    Skipjack  274
    Advanced Encryption Standard (AES)  275
    Key Distribution  275
    Key Escrow  277
    Summary  277
    Exam Essentials  278
    Written Lab  279
    Review Questions  280
    Answers to Review Questions  284
    Answers to Written Lab  286

Chapter 10  PKI and Cryptographic Applications  287
    Asymmetric Cryptography  288
    Public and Private Keys  288
    RSA  289
    El Gamal  291
    Elliptic Curve  291
    Hash Functions  292
    SHA  293
    MD2  293
    MD4  294
    MD5  294
    Digital Signatures  294
    HMAC  295
    Digital Signature Standard  296
    Public Key Infrastructure  297
    Certificates  297
    Certificate Authorities  298
    Certificate Generation and Destruction  298
    Key Management  300
    Applied Cryptography  300
    Electronic Mail  301
    Web  303
    E-Commerce  304
    Networking  305
    Cryptographic Attacks  307
    Summary  308
    Exam Essentials  309
    Review Questions  311
    Answers to Review Questions  315

Chapter 11  Principles of Computer Design  317
    Computer Architecture  319
    Hardware  319
    Input/Output Structures  337
    Firmware  338
    Security Protection Mechanisms  338
    Technical Mechanisms  338
    Security Policy and Computer Architecture  340
    Policy Mechanisms  341
    Distributed Architecture  342
    Security Models  344
    State Machine Model  344
    Bell-LaPadula Model  345
    Biba  346
    Clark-Wilson  347
    Information Flow Model  348
    Noninterference Model  348
    Take-Grant Model  349
    Access Control Matrix  349
    Brewer and Nash Model (a.k.a. Chinese Wall)  350
    Classifying and Comparing Models  350
    Summary  351
    Exam Essentials  352
    Review Questions  355
    Answers to Review Questions  359

Chapter 12  Principles of Security Models  361
    Common Security Models, Architectures, and Evaluation Criteria  362
    Trusted Computing Base (TCB)  363
    Security Models  364
    Objects and Subjects  366
    Closed and Open Systems  367
    Techniques for Ensuring Confidentiality, Integrity, and Availability  367
    Controls  368
    IP Security (IPSec)  369
    Understanding System Security Evaluation  370
    Rainbow Series  371
    ITSEC Classes and Required Assurance and Functionality  375
    Common Criteria  376
    Certification and Accreditation  379
    Common Flaws and Security Issues  380
    Covert Channels  380
    Attacks Based on Design or Coding Flaws and Security Issues  381
    Programming  384
    Timing, State Changes, and Communication Disconnects  384
    Electromagnetic Radiation  385
    Summary  385
    Exam Essentials  386
    Review Questions  388
    Answers to Review Questions  392

Chapter 13  Administrative Management  395
    Antivirus Management  396
    Operations Security Concepts  397
    Operational Assurance and Life Cycle Assurance  397
    Backup Maintenance  398
    Changes in Workstation/Location  398
    Need-to-Know and the Principle of Least Privilege  399
    Privileged Operations Functions  399
    Trusted Recovery  400
    Configuration and Change Management Control  400
    Standards of Due Care and Due Diligence  401
    Privacy and Protection  402
    Legal Requirements  402
    Illegal Activities  402
    Record Retention  403
    Sensitive Information and Media  403
    Security Control Types  405
    Operations Controls  406
    Personnel Controls  408
    Summary  409
    Exam Essentials  411
    Review Questions  414
    Answers to Review Questions  418

Chapter 14  Auditing and Monitoring  421
    Auditing  422
    Auditing Basics  422
    Audit Trails  424
    Reporting Concepts  425
    Sampling  426
    Record Retention  426
    External Auditors  427
    Monitoring  428
    Monitoring Tools and Techniques  428
    Penetration Testing Techniques  430
    War Dialing  431
    Sniffing and Eavesdropping  431
    Radiation Monitoring  432
    Dumpster Diving  432
    Social Engineering  433
    Problem Management  433
    Inappropriate Activities  434
    Indistinct Threats and Countermeasures  434
    Errors and Omissions  435
    Fraud and Theft  435
    Collusion  435
    Sabotage  435
    Loss of Physical and Infrastructure Support  435
    Malicious Hackers or Crackers  436
    Espionage  436
    Malicious Code  436
    Traffic and Trend Analysis  436
    Initial Program Load Vulnerabilities  437
    Summary  438
    Exam Essentials  439
    Review Questions  443
    Answers to Review Questions  447

Chapter 15  Business Continuity Planning  449
    Business Continuity Planning  450
    Project Scope and Planning  450
    Business Organization Analysis  451
    BCP Team Selection  451
    Resource Requirements  452
    Legal and Regulatory Requirements  453
    Business Impact Assessment  455
    Identify Priorities  456
    Risk Identification  456
    Likelihood Assessment  457
    Impact Assessment  457
    Resource Prioritization  458
    Continuity Strategy  459
    Strategy Development  459
    Provisions and Processes  460
    Plan Approval  461
    Plan Implementation  462
    Training and Education  462
    BCP Documentation  462
    Continuity Planning Goals  463
    Statement of Importance  463
    Statement of Priorities  463
    Statement of Organizational Responsibility  463
    Statement of Urgency and Timing  464
    Risk Assessment  464
    Risk Acceptance/Mitigation  464
    Vital Records Program  464
    Emergency Response Guidelines  465
    Maintenance  465
    Testing  465
    Summary  465
    Exam Essentials  466
    Review Questions  468
    Answers to Review Questions  472

Chapter 16  Disaster Recovery Planning  475
    Disaster Recovery Planning  476
    Natural Disasters  477
    Man-Made Disasters  481
    Recovery Strategy  485
    Business Unit Priorities  485
    Crisis Management  485
    Emergency Communications  486
    Work Group Recovery  486
    Alternate Processing Sites  486
    Mutual Assistance Agreements  489
    Database Recovery  489
    Recovery Plan Development  491
    Emergency Response  491
    Personnel Notification  492
    Backups and Offsite Storage  493
    Software Escrow Arrangements  494
    External Communications  495
    Utilities  495
    Logistics and Supplies  495
    Recovery vs. Restoration  495
    Training and Documentation  496
    Testing and Maintenance  496
    Checklist Test  497
    Structured Walk-Through  497
    Simulation Test  497
    Parallel Test  497
    Full-Interruption Test  498
    Maintenance  498
    Summary  498
    Exam Essentials  498
    Written Lab  499
    Review Questions  500
    Answers to Review Questions  504
    Answers to Written Lab  506