CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)

.pdf
Скачиваний:
144
Добавлен:
17.08.2013
Размер:
11.38 Mб
Скачать

Penetration Testing Techniques

431

site and possibly network design and configuration details. The team is then able to focus its efforts on attacks and vulnerabilities specific to the actual hardware and software in use at the site. A full knowledge team is completely aware of every aspect of the environment, down to the patches and upgrades installed and the exact security configurations. The normal security administration staff can be considered a full knowledge team. Unfortunately, a full knowledge team is the least preferred type of penetration testing team because its members are often biased and may have blind spots. A full knowledge team knows what has been secured, so it may fail to properly test every possibility.

War Dialing

War dialing is the act of using a modem to search for a system that will accept inbound connection attempts. A war dialer can be a typical computer with a modem attached and a war dialer program running, or it can be a stand-alone device. In either case, it is used to systematically dial phone numbers and listen for a computer carrier tone. When a computer carrier tone is detected, the war dialer adds that number to the report it generates at the end of the search process. A war dialer can be used to search any range of numbers, such as all 10,000 numbers within a specific prefix or all 10,000,000 within a specific area code.

War dialing is often used to locate unauthorized modems that have been installed on client systems within an otherwise secured network and have been inadvertently configured to answer inbound calls. An attacker can guess a relatively small range of phone numbers to scan by learning one or more of the phone numbers used by the organization. In most cases, the prefix is the same for all numbers within the organization if located within the same building or within a small geographic area. Thus, the war dialing search could be limited to 10,000 numbers. If several of the organization’s phone numbers are sequentially close, the attacker may focus the war dialing search on a group of only a few hundred numbers.

War dialing as a penetration test is a useful tool to ensure that no unauthorized answering modems are present within your organization. In most cases, you will have a definitive list of the phone numbers controlled by or assigned to your organization. Such a list provides a focused plan of testing for war dialing.

Countermeasures against malicious war dialing include imposing strong remote access security (primarily in the arena of authentication), ensuring that no unauthorized modems are present, and using callback security, protocol restriction, and call logging.

Sniffing and Eavesdropping

Sniffing is a form of network traffic monitoring. Sniffing often involves the capture or duplication of network traffic for examination, re-creation, and extraction. It can be used both as a penetration test mechanism and as a malicious attack method. Sniffing is often an effective tool in capturing or extracting data from nonencrypted network traffic streams. Passwords, usernames, IP addresses, message contents, and much more can be captured using software- or hardware-based sniffers.

Sniffers can capture either only the traffic directed to their host system’s IP address or all traffic passing over the local network segment. To capture all traffic on a local network segment, the sniffer’s NIC must be placed into promiscuous mode.

432 Chapter 14 Auditing and Monitoring

There are many commercial, freeware, and hacker-ware sniffers available. These include Etherpeek, WinDump, Ethereal, sniffit, and Snmpsniff.

The primary countermeasure to sniffing attacks is to use encrypted traffic. Sniffing can also be thwarted by preventing unwanted software from being installed, by locking down all unused ports, and by using an IDS or a vulnerability scanner that is able to detect the telltale signs of a sniffer product.
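One of the "telltale signs" mentioned above is a NIC sitting in promiscuous mode. The following is an added example, not code from the book: on Linux it reads each interface's flags word from sysfs (the `IFF_PROMISC` bit, 0x100, from `<linux/if.h>`) and can also parse `ip -o link show` output; the sample output below is constructed for the example.

```python
"""Spot interfaces in promiscuous mode, the mode a sniffer needs to capture a whole segment."""
import os

IFF_PROMISC = 0x100  # <linux/if.h>: interface receives every frame on the wire, not just its own


def is_promiscuous(flags_value: int) -> bool:
    """True when the IFF_PROMISC bit is set in an interface flags word."""
    return bool(flags_value & IFF_PROMISC)


def parse_flags(text: str) -> int:
    """Parse the content of /sys/class/net/<iface>/flags, which is a hex string such as '0x1103'."""
    return int(text.strip(), 16)


def promiscuous_interfaces(sysfs_net: str = "/sys/class/net") -> list:
    """Return the names of interfaces whose sysfs flags show IFF_PROMISC.

    Returns [] when sysfs is unavailable (non-Linux host, restricted container).
    Note: a hardware tap or a SPAN port feeding a sniffer on another host will
    never show up here; this check only covers sniffers running on this machine.
    """
    found = []
    try:
        names = sorted(os.listdir(sysfs_net))
    except OSError:
        return found
    for name in names:
        try:
            with open(os.path.join(sysfs_net, name, "flags")) as fh:
                flags = parse_flags(fh.read())
        except (OSError, ValueError):
            continue
        if is_promiscuous(flags):
            found.append(name)
    return found


def promisc_from_ip_link(output: str) -> list:
    """Parse `ip -o link show` style output (one interface per line) and return the PROMISC ones."""
    names = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[2].startswith("<"):
            continue
        name = parts[1].rstrip(":").split("@")[0]  # 'eth0:' or 'veth1@if5:' -> 'eth0' / 'veth1'
        flags = parts[2].strip("<>").split(",")
        if "PROMISC" in flags:
            names.append(name)
    return names


# Constructed sample of `ip -o link show` output for the example; eth0 is the suspicious one.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
"""

if __name__ == "__main__":
    print("live sysfs check:", promiscuous_interfaces())
    print("from sample ip link output:", promisc_from_ip_link(SAMPLE_IP_LINK))
```

A periodic run of this check from a monitoring job, with an alert on any non-empty result that is not on an approved list (an IDS sensor is expected to be promiscuous), gives the host-level detection the paragraph refers to.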

Eavesdropping is just another term for sniffing. However, eavesdropping can include more than just capturing and recording network traffic. Eavesdropping also includes recording or listening to audio communications, faxes, radio signals, and so on. In other words, eavesdropping is listening in on, recording, capturing, or otherwise becoming aware of the contents of any form of communication.

Radiation Monitoring

Radiation monitoring is a specific form of sniffing or eavesdropping that involves the detection, capture, and recording of radio frequency signals and other radiated communication methods, including sound and light. Radiation monitoring can be as simple as using a hidden microphone in a room to record voices or as sophisticated as using a camera to record the light reflections in a room to reconstruct the contents of a visual computer display that is otherwise hidden from direct viewing. Radiation monitoring also includes the tapping of radio frequencies often used by cell phones, wireless network interfaces, two-way radios, radio and television broadcasts, short-wave radios, and CBs. In addition, it includes the tapping of a wide range of electrical signal variations that may not directly offer information but can be used in inference attacks. These include the change in electrical usage by an entire computer system, a hard drive, a modem, a network interface, a switch, or a router. Depending on the device, the electromagnetic signals produced by hardware can be captured and used to re-create the data, or at least metadata about the data, and the communication session.

TEMPEST is a standard that defines the study and control of electronic signals produced by various types of electronic hardware, such as computers, televisions, and phones. Its primary goal is to prevent electromagnetic interference (EMI) and radio frequency (RF) radiation from leaving a strictly defined area so as to eliminate the possibility of external radiation monitoring, eavesdropping, and signal sniffing. TEMPEST defines control zones, which generally consist of rooms or facilities that are enclosed with copper or some other kind of shielding to prevent EMI/RF from either leaving or entering the facility. Such facilities are surrounded by radiation capturing, stopping, hiding, and disrupting equipment. TEMPEST may use a form of white noise to broadcast an unintelligible, worthless signal to mask the presence of a real signal.

Dumpster Diving

Dumpster diving is the act of digging through the refuse, remains, or leftovers from an organization or operation in order to discover or infer confidential information. Dumpster diving is primarily associated with digging through actual garbage. It can also include searching, investigating, and reverse-engineering an organization’s website, commercial products, and publicly accessible literature (such as financial statements, brochures, product information, shareholder reports, etc.).


Scavenging is a form of dumpster diving performed electronically. Online scavenging is performed to search for useful information in the remnants of data left over after processes or tasks are completed. This could include audit trails, log files, memory dumps, variable settings, port mappings, and cached data.

Dumpster diving and scavenging can be employed as a penetration test to discover how much information about your organization is carelessly discarded into the garbage or left around after closing a facility. Countermeasures to dumpster diving and scavenging include secure disposal of all garbage. This usually means shredding all documentation. Other safeguards include maintaining physical access control.

Social Engineering

A social engineering attack is an attempt by an attacker to convince an employee to perform an unauthorized activity to subvert the security of an organization. Often the goal of social engineering is to gain access to the IT infrastructure or the physical facility.

Social engineering is a skill by which an unknown person gains the trust of someone inside of your organization. Adept individuals can convince employees that they are associated with upper management, technical support, the help desk, and so on. Once this deception is successful, the victim is often encouraged to make a change to their user account on the system, such as reset their password. Other attacks include instructing the victim to open specific e-mail attachments, launch an application, or connect to a specific URL. Whatever the actual activity is, it is usually directed toward opening a back door that the attacker can use to gain access to the network.

Social engineering attacks do not exclusively occur over the phone; they can happen in person as well. Malicious individuals impersonating repair technicians, upper management, or traveling company managers can intimidate some employees into performing activities that violate security. Countermeasures to in-person social engineering attacks include verifying the identity of the intruder/visitor via a secured photograph, contacting their source company, or finding a local manager that recognizes the individual.

Social engineering attacks can be used as penetration tests. These sorts of tests will help determine how vulnerable your frontline employees are to individuals adept at lying. For a detailed discussion of social engineering attacks, see Chapter 4, “Communications Security and Countermeasures.”

Problem Management

Once auditing, monitoring, and penetration testing have occurred, the next step is problem management. Problem management is exactly what it sounds like: a formalized process or structure for resolving problems. For the most part, problem management is a solution developed in-house to address the various types of issues and problems encountered in your environment. Problem management is typically defined as having three goals or purposes:

To reduce failures to a manageable level

To prevent the occurrence or reoccurrence of a problem

To mitigate the negative impact of problems on computing services and resources


Inappropriate Activities

Inappropriate activities are actions that may take place on a computer or over the IT infrastructure and that may not be actual crimes but are often grounds for internal punishments or termination. Some types of inappropriate activities include creating or viewing inappropriate content, sexual and racial harassment, waste, and abuse.

Inappropriate content can be defined as anything that is not related to and supportive of the work tasks of an organization. It includes, but is not limited to, pornography, sexually explicit material, entertainment, political data, and violent content. Inappropriate content can be defined by example (by listing types of information deemed inappropriate) or by exclusion (by listing types of information deemed appropriate). Inappropriate content can be defined to include personal e-mail that is not work related.

Keeping inappropriate content to a minimum requires several steps. First, it must be included as an objective in the security policy. Second, staff must have awareness training in regard to inappropriate content. Third, content filtering tools can be deployed to filter data based on source or word content. It is not possible to programmatically prevent all inappropriate content, but sufficient penalties can be levied against violations, along with regular auditing/monitoring to keep its level to a minimum.

Sexual and racial harassment is a form of inappropriate content or activity on company equipment. Sexual harassment can take many forms, including distribution of images, videos, audio clips, or text information (such as jokes). Sexual and racial harassment controls include awareness training and content filtering.

Waste of resources can have a direct effect on the profitability of an organization. If the storage space, computing power, or networking bandwidth capacity is consumed by inappropriate or non-work-related data, the organization is losing money on non-profit-producing activities. Some of the more common examples of resource waste include operating a personal business over company equipment, accessing and distributing inappropriate data (pornography, entertainment, music, videos, etc.), and aimlessly surfing the Internet. Just as with inappropriate material, resource waste can be reduced but not eliminated. Some of the primary means to reduce waste include user awareness training, activity monitoring, and content filtering.

Abuse of rights and privileges is the attempt to perform activities or gain access to resources that are restricted or assigned to a higher classification and access level. When access is gained inappropriately, the confidentiality of data is violated and sensitive information can be disclosed. Countermeasures to abuse include strong implementations of access controls and activity logging.

Indistinct Threats and Countermeasures

Not all problems that an IT infrastructure will face have definitive countermeasures or even correspond to a recognizable threat. There are numerous vulnerabilities for which there is no immediate or distinct threat, and against such threats there are few countermeasures. Many of these vulnerabilities lack direct-effect countermeasures, or the deployment of the available countermeasures offers little in the way of risk reduction.


Errors and Omissions

One of the most common vulnerabilities and hardest to protect against is the occurrence of errors and omissions. Errors and omissions occur because humans interact with, program, control, and provide data for IT. There are no direct countermeasures to prevent all errors and omissions. Some safeguards against errors and omissions include input validators and user training. However, these mechanisms offer only a minimal reduction in overall errors and omissions encountered in an IT environment.

Fraud and Theft

Fraud and theft are criminal activities that can be perpetrated over computers or are made possible by computers. Most of the access controls deployed in a secured environment will reduce fraud and theft, but not every form of these crimes can be predicted and protected against. Both internal authorized users and external unauthorized intruders can exploit your IT infrastructure to perform various forms of fraud and theft. Maintaining an intensive auditing and monitoring program and prosecuting all criminal incidents will help reduce fraud and theft.

Collusion

Collusion is an agreement among multiple people to perform an unauthorized or illegal action. It is hindered by separation of duties, restricted job responsibilities, audit logging, and job rotation, which all reduce the likelihood that a coworker will be willing to collaborate on an illegal or abusive scheme due to the higher risk of detection. However, these safeguards are not primarily directed toward collusion prevention. The reduction of collusion is simply a side benefit of these security controls.

Sabotage

Employee sabotage can become an issue if an employee is knowledgeable enough about the IT infrastructure of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled. Employee sabotage occurs most often when an employee suspects they will be terminated without just cause. This is one important reason terminations should be handled swiftly, including disabling all access to the infrastructure (IT and physical) and escorting the ex-employee off of the premises. Safeguards against employee sabotage are intensive auditing, monitoring for abnormal or unauthorized activity, keeping lines of communication open between employees and managers, and properly compensating and recognizing employees for excellence and extra work.

Loss of Physical and Infrastructure Support

The loss of physical and infrastructure support can be caused by power outages, natural disasters, communication interruptions, severe weather, loss of any core utility or service, disruption of transportation, strikes, and national emergencies. It may result in IT downtime and almost always significantly reduces productivity and profitability during the length of the event. It is nearly impossible to predict and protect against events that cause physical and infrastructure support loss. Disaster recovery and business continuity planning can provide restoration methods if the loss event is severe. In most cases, you must simply wait until the emergency or condition expires and things return to normal.

Malicious Hackers or Crackers

Malicious hackers or crackers are individuals who actively seek to infiltrate your IT infrastructure, whether for fame, access, or financial gain. These intrusions or attacks are the important threats that your security policy and your entire security infrastructure are designed to repel. Most safeguards and countermeasures protect against one specific threat or another, but it is not possible to protect against all possible threats that a cracker represents. Remaining vigilant about security, tracking activity, and implementing intrusion detection systems can provide a reasonable level of protection.

Espionage

Espionage is the malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization for the express purpose of disclosing and often selling that data to a competitor or other interested organization (such as a foreign government). Espionage is sometimes committed by internal employees who have become dissatisfied with their jobs and have become compromised in some way. It can also be committed by a mole or plant placed into your organization to steal information for their primary secret employer. Countermeasures against espionage are to strictly control access to all non-public data, thoroughly screen new employee candidates, and efficiently track the activities of all employees.

Malicious Code

Malicious code is any script or program that performs an unwanted, unauthorized, or unknown activity on a computer system. Malicious code can take many forms, including viruses, worms, Trojan horses, documents with destructive macros, and logic bombs. Some form of malicious code exists for every type of computer or computing device. Monitoring and filtering the traffic that enters and travels within a secured environment is the only effective countermeasure to malicious code.

Traffic and Trend Analysis

The ongoing activities of a network and even a business environment may produce recognizable patterns. These patterns are known as trends or traffic patterns. A specific type of attack called traffic and trend analysis examines these patterns for what they reveal. What is interesting about these types of examinations or attacks is that they reveal only the patterns of traffic, not the actual content of the traffic. Patterns and trends can reveal operations that occur on a regular basis or that are somehow considered important. For example, suppose an attacker watches your T1 line and notices that from 3 p.m. to approximately 4:30 p.m. every Friday your organization consumes nearly 80 percent of the capacity of the T1 line. The attacker can infer that the noticeable pattern is a file or data transfer activity that is important because it always occurs at the same time every week. Thus, the attacker can schedule an attack for 2:45 p.m. to take out the T1 or otherwise cause a denial of service to prevent legitimate activity from occurring. Traffic and trend analysis can be used against both encrypted and nonencrypted traffic because patterns of traffic rather than contents are examined. Traffic and trend analysis can be used against physical environments and people as well. For example, a security guard can be watched to discover that it takes 12 minutes for him to walk the perimeter of a building and for 8 of those minutes, he will be unable to see a section of fence where an intruder could easily climb.

Countermeasures to traffic and trend analysis include performing traffic and trend analysis on your own environment to see what types of information you are inadvertently revealing if anyone happens to be watching. You can alter your common and mission-critical activities so as not to produce easily recognizable patterns. Other countermeasures to traffic and trend analysis are traffic padding, noise, and use of covert channels. You can pad your communication channels through traffic generation tools or broadcasting noise whenever legitimate traffic is not occurring.
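The first countermeasure above, running trend analysis on your own link, is easy to mechanize. The following added example (not from the book) takes a constructed four-week set of hourly utilization samples containing the Friday-afternoon transfer from the text, finds the slots that recur week after week, and then sizes the padding needed to flatten the weekly profile so the transfer no longer stands out.

```python
"""Trend analysis on one's own traffic: find recurring peaks, then size the padding that hides them."""
from collections import defaultdict


def build_sample():
    """Constructed sample: average utilization (0.0 to 1.0) per (week, weekday, hour) over four weeks.

    weekday 0 is Monday; the 80 percent Friday 15:00 to 17:00 load mirrors the book's example.
    """
    samples = []
    for week in range(4):
        for weekday in range(7):
            for hour in range(24):
                util = 0.25 if (weekday < 5 and 8 <= hour < 18) else 0.05
                if weekday == 4 and hour in (15, 16):
                    util = 0.80  # the weekly transfer an observer would notice
                samples.append((week, weekday, hour, util))
    return samples


def recurring_peaks(samples, threshold=0.70, min_weeks=3):
    """Slots that exceed `threshold` in at least `min_weeks` distinct weeks.

    Returns a sorted list of (weekday, hour, weeks_seen). A one-off spike is ignored;
    only repetition makes a pattern useful to an observer, so only repetition is reported.
    """
    weeks_over = defaultdict(set)
    for week, weekday, hour, util in samples:
        if util >= threshold:
            weeks_over[(weekday, hour)].add(week)
    return sorted((wd, h, len(w)) for (wd, h), w in weeks_over.items() if len(w) >= min_weeks)


def weekly_profile(samples):
    """Average utilization per (weekday, hour) across all weeks: the shape an observer sees."""
    buckets = defaultdict(list)
    for _, weekday, hour, util in samples:
        buckets[(weekday, hour)].append(util)
    return {slot: sum(v) / len(v) for slot, v in buckets.items()}


def padding_plan(profile, floor=None):
    """Synthetic traffic to add per slot so every slot reads the same utilization.

    `floor` defaults to the busiest slot, which hides every peak but costs the most bandwidth;
    a lower floor hides less. Slots already at or above the floor get no padding.
    """
    if floor is None:
        floor = max(profile.values())
    return {slot: round(max(floor - util, 0.0), 4) for slot, util in profile.items()}


def padding_cost(plan):
    """Total padding per week in utilization-hours, i.e. the price of flattening the profile."""
    return round(sum(plan.values()), 2)


if __name__ == "__main__":
    data = build_sample()
    print("recurring peaks (weekday, hour, weeks):", recurring_peaks(data))
    plan = padding_plan(weekly_profile(data))
    print("padding cost of a flat 80% profile, utilization-hours/week:", padding_cost(plan))
```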

Initial Program Load Vulnerabilities

There is a period of time between the moment when a device is off and when it is fully booted and operational during which the system is not fully protected by its security mechanisms. This time period is known as the initial program load (IPL), and it has numerous vulnerabilities. Without physical security, there are no countermeasures for IPL vulnerabilities. Anyone with physical access to a device can easily exploit its weaknesses during its bootup process. Some IPL vulnerabilities are accessing alternate boot menus, booting to a mobile operating system off of a CD or floppy, and accessing CMOS to alter configuration settings, such as enabling or disabling devices.

Unix Details

For the most part, the CISSP exam is product- and vendor-independent. However, there are a handful of issues specific to Unix that you should be aware of. If you have worked with Unix or even Linux, most of these items will be simple review. If you have never touched a Unix system, then read the following items carefully.

On Unix systems, passwords are stored in a password file. The password file is stored as a shadow file so that it does not appear by default in a directory listing. The shadow setting is similar to the file setting of hidden Windows system files. Although this is an improvement, it is not a real security mechanism, because everyone knows that the password file is set not to display in a directory listing by default, and a simple modification of the directory command parameters reveals all hidden or shadowed files.


The most privileged account on a Unix system is known as the root. Other powerful accounts with similar levels of access are known as superusers. It is important to restrict access to these types of user accounts to only those people who absolutely need that level of access to perform their work tasks. The root or superuser accounts on Unix are similar to the administrator account(s) on Windows systems. Whenever possible, root and superuser access should be restricted to the local console so that they cannot be used over a network connection.

The two utilities, setuid and setgid, should be closely monitored and their uses logged. These two tools are used to manipulate access to resources. Thus, if they are employed by a nonadministrator, or when employed by an administrator in an unapproved fashion, it can indicate security policy violations.
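The monitoring the paragraph calls for needs an inventory of which files carry the setuid and setgid bits and a way to notice when that inventory changes. The following is an added example, not from the book: it walks a directory tree, records every regular file with either bit set, and diffs the result against an approved baseline; `demo()` builds a small constructed tree in a temporary directory so the example runs without touching the real system.

```python
"""Inventory setuid/setgid files under a tree and diff the inventory against an approved baseline."""
import os
import stat
import tempfile


def find_setuid_setgid(root):
    """Return {path: permission_bits} for regular files under `root` with the setuid or setgid bit set.

    Symlinks are not followed and non-regular files are skipped, so a link pointing at a
    privileged binary elsewhere is not double-counted and devices are ignored.
    """
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; a full audit would log this
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = stat.S_IMODE(st.st_mode)
    return found


def diff_against_baseline(current, baseline):
    """Compare an inventory with an approved baseline ({path: mode}).

    Returns (added, removed, changed): new privileged files, approved ones now missing,
    and approved ones whose permission bits differ. Each list is sorted.
    """
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, removed, changed


def demo():
    """Audit a constructed tree: one setuid file, one setgid file, one ordinary file.

    Returns paths relative to the temp root as (inventory, added, removed, changed).
    """
    with tempfile.TemporaryDirectory() as root:
        spec = {"passwd_helper": 0o4755, "group_tool": 0o2755, "plain": 0o755}
        for name, mode in spec.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")  # placeholder content; only the mode bits matter here
            os.chmod(path, mode)
        current = find_setuid_setgid(root)
        # Approved baseline (constructed): passwd_helper was approved at 4750, retired_tool no longer exists,
        # and group_tool was never approved at all.
        baseline = {
            os.path.join(root, "passwd_helper"): 0o4750,
            os.path.join(root, "retired_tool"): 0o4755,
        }
        added, removed, changed = diff_against_baseline(current, baseline)
        rel = lambda paths: sorted(os.path.relpath(p, root) for p in paths)
        return rel(current), rel(added), rel(removed), rel(changed)


if __name__ == "__main__":
    inventory, added, removed, changed = demo()
    print("privileged files:", inventory)
    print("not in baseline:", added, "| missing:", removed, "| mode changed:", changed)
```

On a real host the same two functions run against `/` with a baseline captured at build time, and any non-empty `added` or `changed` list is the event to log and review.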

Another important command to monitor is the mount command, which is used to map a local drive letter to a shared network drive. This activity may seem like an efficient method to access network resources. However, it also makes malicious code and intruder attacks easier to implement. When the mount command is used when it is not authorized for use, it could indicate an intrusion or an attempt to create a security loophole.

Finally, Unix systems can be configured to boot into a fixed dedicated security mode where authentication is not required. When this is done, anyone accessing the system has complete access to everything at the security level at which the system is currently operating. You can easily determine if a system has been configured to perform this operation if there is a /etc/host.equiv file present. Removing this file disables this feature.

Summary

Maintaining operations security requires directed efforts in auditing and monitoring. These efforts give rise to detecting attacks and intrusions. This in turn guides the selection of countermeasures, encourages penetration testing, and helps to limit, restrict, and prevent inappropriate activities, crimes, and other threats.

Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Secure IT environments rely heavily on auditing. Overall, auditing serves as the primary type of detective control used by a secure environment.

Audit trails are the records created by recording information about events and occurrences into a database or log file, and they can be used to, for example, reconstruct an event, extract information about an incident, and prove or disprove culpability. Audit trails provide a passive form of detective security control and serve as a deterrent in the same manner as CCTV or security guards do. In addition, they can be essential as evidence in the prosecution of criminals.

Record retention is the organizational policy that defines what information is maintained and for how long. In most cases, the records in question are audit trails of user activity, including file and resource access, logon patterns, e-mail, and the use of privileges.


Monitoring is a form of auditing that focuses more on the active review of the audited information or the audited asset. It is most often used in conjunction with performance, but it can be used in a security context as well. The actual tools and techniques used to perform monitoring vary greatly between environments and system platforms, but there are several common forms found in most environments: warning banners, keystroke monitoring, traffic analysis and trend analysis, and other monitoring tools.

Penetration testing is a vigorous attempt to break into your protected network using any means necessary, and it is a common method for testing the strength of your security measures. Organizations often hire external consultants to perform the penetration testing so the testers are not privy to confidential elements of the security’s configuration, network design, and other internal secrets. Penetration testing methods can include war dialing, sniffing, eavesdropping, radiation monitoring, dumpster diving, and social engineering.

Inappropriate activities may take place on a computer or over the IT infrastructure, and may not be actual crimes, but they are often grounds for internal punishments or termination. Inappropriate activities include creating or viewing inappropriate content, sexual and racial harassment, waste, and abuse.

An IT infrastructure can include numerous vulnerabilities against which there is no immediate or distinct threat and against such threats there are few countermeasures. These types of threats include errors, omissions, fraud, theft, collusion, sabotage, loss of physical and infrastructure support, crackers, espionage, and malicious code. There are, however, steps you can take to lessen the impact of most of these.

Exam Essentials

Understand auditing. Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Secure IT environments rely heavily on auditing. Overall, auditing serves as the primary type of detective control used by a secure environment.

Know the types or forms of auditing. Auditing encompasses a wide variety of different activities, including the recording of event/occurrence data, examination of data, data reduction, the use of event/occurrence alarm triggers, log analysis, and response (some other names for these activities are logging, monitoring, examining alerts, analysis, and even intrusion detection). Be able to explain what each type of auditing activity involves.

Understand compliance checking. Compliance checking (or compliance testing) ensures that all of the necessary and required elements of a security solution are properly deployed and functioning as expected. Compliance checks can take many forms, such as vulnerability scans and penetration testing. They can also involve auditing and be performed using log analysis tools to determine if any vulnerabilities for which countermeasures have been deployed have been realized on the system.

Understand the need for frequent security audits. The frequency of an IT infrastructure security audit or security review is based on risk. You must determine whether sufficient risk exists to warrant the expense and interruption of a security audit on a more or less frequent basis. The frequency of audit reviews should be clearly defined and adhered to.


Understand that auditing is an aspect of due care. Security audits and effectiveness reviews are key elements in displaying due care. Senior management must enforce compliance with regular periodic security reviews or they will be held accountable and liable for any asset losses that occur as a result.

Understand audit trails. Audit trails are the records created by recording information about events and occurrences into a database or log file. They are used to reconstruct an event, to extract information about an incident, and to prove or disprove culpability. Using audit trails is a passive form of detective security control, and audit trails are essential evidence in the prosecution of criminals.

Understand how accountability is maintained. Accountability is maintained for individual subjects through the use of audit trails. Activities of users and events caused by the actions of users while online can be recorded so users can be held accountable for their actions. This directly promotes good user behavior and compliance with the organization’s security policy.

Know the basic elements of an audit report. Audit reports should all address a few basic or central concepts: the purpose of the audit, the scope of the audit, and the results discovered or revealed by the audit. They often include many other details specific to the environment, such as time, date, and specific systems. Audit reports can include a wide range of content that focuses on problems/events/conditions, standards/criteria/baselines, causes/reasons, impact/effect, or solutions/recommendations/safeguards.

Understand the need to control access to audit reports. Audit reports include sensitive information and should be assigned a classification label and handled appropriately. Only people with sufficient privilege should have access to them. An audit report should also be prepared in various versions according to the hierarchy of the organization, providing only the details relevant to the position of the staff members they are prepared for.

Understand sampling. Sampling, or data extraction, is the process of extracting elements of data from a large body of data in order to construct a meaningful representation or summary of the whole. There are two forms of sampling: statistical and nonstatistical. An auditing tool using precise mathematical functions to extract meaningful information from a large volume of data performs statistical sampling. Statistical sampling is used to measure the risk associated with the sampling process.

Understand record retention. Record retention is the act of retaining and maintaining important information. There should be an organizational policy that defines what information is maintained and for how long. The records in question are usually audit trails of user activity, including file and resource access, logon patterns, e-mail, and the use of privileges. Depending upon your industry and your relationship with the government, you may need to retain records for three years, seven years, or indefinitely.

Understand monitoring and the uses of monitoring tools. Monitoring is a form of auditing that focuses more on the active review of the audited information or the audited asset. It’s most often used in conjunction with performance, but it can be used in a security context as well. Monitoring can focus on events, subsystems, users, hardware, software, or any other object within the IT environment. Although the actual tools and techniques used to perform monitoring vary greatly between
