CISSP Study Notes from CISSP Prep Guide（Second Edition）.doc

CISSP Study Notes from CISSP Prep Guide（Second Edition） These notes were prepared from the The CISSP Prep Guide 2010（Second Edition）: Mastering the Ten Domains of Computer Security by Ronald L. Krutz, Russell Dean Vines, Edward M. Stroz and are not intended to be a replacement to the book. In addition to the CISSP Prep Guide I used the following resources to prepare for the exam: n The Information Security Management Handbook, Fourth Edition by Micki Krause and Harold F. Tipton n The revised Michael Overly notes n The Boson Questions #2 and #3 n Lots of misc. websites n And of course www.cccure.org Good Luck! JWG, CISSP CISSP STUDY NOTES FROM CISSP PREP GUIDE 1 DOMAIN 1 – SECURITY MANAGEMENT PRACTICES 2 DOMAIN 2 – ACCESS CONTROL SYSTEMS 7 DOMAIN 3 – TELECOM AND NETWORK SECURITY 13 DOMAIN 4 – CRYPTOGRAPHY 34 DOMAIN 5 – SECURITY ARCHITECTURE AND MODELS 46 DOMAIN 6 – OPERATIONS SECURITY 56 DOMAIN 7 – APPLICATIONS AND SYSTEM DEVELOPMENT 63 DOMAIN 8 – BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING 70 DOMAIN 9 – LAW, INVESTIGATION AND ETHICS 78 DOMAIN 10 – PHYSICAL SECURITY 87 Domain 1 – Security Management Practices The Big Three - C. I. A. n Confidentiality – Prevent disclosure of data n Integrity – Prevent modification of data n Availability – Ensure reliable timely access to data Other Important Concepts n Identification – Means in which user claims Identity n Authentication – Establishes the users Identity n Accountability – Systems ability to determine actions of users n Authorization – rights and permissions granted to an individual n Privacy – Level of confidentiality that a user is given Objective of Security is to reduce effects of threats and vulnerabilities to a tolerable level. Risk Analysis Assess the following: n Impact of the threat n Risk of the threat occurring (likelihood) Controls reduce both the impact of the threat and the likelihood of the threat, important in cost benefit of controls. Data Classification n Data classification has high level enterprise wide benefit n Demonstrates organizations commitment to security n Helps identify sensitive and vital information n Supports C.I.A. n May be required for legal regulatory reasons Data owners are responsible for defining the sensitivity level of the data. Government Classification Terms: n Unclassified – Neither sensitive nor classified, public release is acceptable n Sensitive But Unclassified (SBU) – Minor secret, no serious damage if disclosed n Confidential – disclosure could cause damage to National Security n Secret - disclosure could cause serious damage to National Security n Top Secret – Highest Level - disclosure could cause exponentially grave damage to National Security In addition must have a Need to Know – just because you have “secret” clearance does not mean all “secret” data just data with a need to know. Additional Public Classification Terms n Public – similar to unclassified, should not be disclosed but is not a problem if it is n Sensitive – data protected from loss of Confidentiality and integrity n Private – data that is personal in nature and for company use only n Confidential – very sensitive for internal use only - could seriously negatively impact the company Classification Criteria n Value - number one criteria, if it is valuable it should be protected n Age – value of data lowers over time, automatic de-classification n Useful Life – If the information is made obsolete it can often be de-classified n Personal Association – If the data contains personal information it should remain classified Distribution may be required in the event of the following: n Court Order – may be required by court order n Government Contracts – government contractors may need to disclose classified information n Senior Level Approval – senior executives may approve release Information Classification Roles Owner n May be executive or manager n Owner has final corporate responsibility of the data protection n Makes determination of classification level n Reviews classification level regularly for appropriateness n Delegates responsibility of data protection to the Custodian Custodian n Generally IT systems personnel n Running regular backups and testing recovery n Performs restoration when required n Maintains records in accordance with the classification policy User n Anyone the routinely uses the data n Must follow operating procedures n Must take due care to protect n Must use computing resources of the company for company purposes only Policies Standards, Guidelines and Procedures n Policies are the highest level of documentation n Standards, Guidelines and Procedures derived from policies n Should be created first, but are no more important than the rest Senior Management Statement – general high-level statement n Acknowledgment of importance of computing resources n Statement of Support for information security n Commitment to authorize lower level Standards, Guidelines and Procedures Regulatory Policies – company is required to implement due to legal or regulatory requirements n Usually very detailed and specific to the industry of the organization n Two main purposes n To ensure the company is following industry standard procedures n To give the company confidence they are following industry standard procedures Advisory Polices – not mandated but strongly suggested. n Company wants employees to consider these mandatory. n Advisory Policies can have exclusions for certain employees or job functions Informative Policies n Exist simply to inform the reader n No implied or specified requirements Standards, Guidelines and Procedures n Contain actual detail of the policy n How the policies should be implemented n Should be kept separate from one another n Different Audiences n Security Controls are different for each policy type n Updating the policy is more manageable Standards - Specify use of technology in a uniform way, compulsory Guidelines – similar to standards but not compulsory, more flexible Procedures – Detailed steps, required, sometimes called “practices”, lowest level Baselines – baselines are similar to standards, standards can be developed after the baseline is established Roles and Responsibilities n Senior Management – Has ultimate responsibility for security n Infosec Officer – Has the functional responsibility for security n Owner – Determines the data classification n Custodian - Preserves C.I.A. n User – Performs in accordance with stated policy n Auditor – Examines Security Risk Management Mitigate (reduce) risk to a level acceptable to the organization. Identification of Risk n Actual threat n Possible consequences n Probable frequency n Likely hood of event Risk Analysis n Identification of risks n Benefit - cost justification of counter measures Risk Analysis Terms n Asset – Resource, product, data n Threat – Action with a negative impact n Vulnerability – Absence of control n Safeguard – Control or countermeasure n Exposure Factor % of asset loss caused by threat n Single Loss Expectancy (SLE) – Expected financial loss for single event SLE = Asset Value x Exposure Factor n Annualized Rate of Occurrence (ARO) – represents estimated frequency in which threat will occur within one year n Annualized Loss Expectancy (ALE) – Annually expected financial loss ALE = SLE x ARO Risk Analysis n Risk analysis is more comprehensive than a Business Impact Analysis n Quantitative – assigns objective numerical values (dollars) n Qualitative – more intangible values (data) n Quantitative is a major project that requires a detailed process plan Preliminary Security Examination (PSE) n Often conducted prior to the quantitative analysis. n PSE helps gather elements that will be needed for actual RA Risk Analysis Steps 1) Estimate of potential loss 2) Analyze potential threats 3) Define the Annualized Loss Expectancy (ALE) Categories of Threats n Data Classification – malicious code or logic n Information Warfare – technically oriented terrorism n Personnel – Unauthorized system access n Application / Operational – ineffective security results in data entry errors n Criminal – Physical destruction, or vandalism n Environmental – utility outage, natural disaster n Computer Infrastructure – Hardware failure, program errors n Delayed Processing – reduced productivity, delayed collections processing Annualized Loss Expectancy (ALE) n Risk analysis should contain the following: n Valuation of Critical Assets n Detailed listing of significant threats n Each threats likelihood n Loss potential by threat n Recommended remedial safeguards Remedies n Risk Reduction - implementation of controls to alter risk position n Risk Transference – get insurance, transfer cost of a loss to insurance n Risk Acceptance – Accept the risk, absorb loss Qualitative Scenario Procedure n Scenario Oriented n List the threat and the frequency n Create exposure rating scale for each scenario n Scenario written that address each major threat n Scenario reviewed by business users for reality check n Risk Analysis team evaluates and recommends safeguards n Work through each finalized scenario n Submit findings to management Value Assessment n Asset valuation necessary to perform cost/benefit analysis n Necessary for insurance n Supports safeguard choices Safeguard Selection n Perform cost/benefit analysis n Costs of safeguards need to be considered including n Purchase, development and licensing costs n Installation costs n Disruption to production n Normal operating costs Cost Benefit Analysis ALE (PreControl) – ALE (PostControl) = Annualized value of the control Level of manual operations n The amount of manual intervention required to operate the safeguard n Should not be too difficult to operate Auditability and Accountability Safeguard must allow for auditability and accountability Recovery Ability n During and after the reset condition n No asset destruction during activation or reset n No covert channel access to or through the control during reset n No security loss after activation or reset n Defaults to a state that does not allow access until control are fully operational Security Awareness Training Benefits of Awareness n Measurable reduction in unauthorized access attempts n Increase effectiveness of control n Help to avoid fraud and abuse Periodic awareness sessions for new employees and refresh other Methods of awareness improvement n Live interactive presentations n CBTs n Publishing of posters and newsletters n Incentives and awards n Reminders, login banners Training & Education n Security training for Operators n Technical training n Infosec training n Manager training Domain 2 – Access Control Systems C - Confidentiality I - Integrity A - Availability Confidentiality n Not disclosed to unauthorized person Integrity n Prevention of modification by unauthorized users n Prevention of unauthorized changes by otherwise authorized users n Internal and External Consistency n Internal Consistency within the system (i.e. within a database the sum of subtotals is equal to the sum of all units) n External Consistency – database with the real world (i.e. database total is equal to the actual inventory in the warehouse) Availability n Timely access Three things to consider n Threats – potential to cause harm n Vulnerabilities – weakness that can be exploited n Risk – potential for harm Controls n Preventative – prevent harmful occurrence n Detective – detect after harmful occurrence n Corrective – restore after harmful occurrence Controls can be: n Administrative – polices and procedures n Logical or Technical - restricted access n Physical – locked doors Three types of access rules: 1. Mandatory access control (MAC): Authorization of subject’s access to an object depends on labels (sensitivity levels), which indicate subject’s clearance, and the classification or sensitivity of the object § Every Object is assigned a sensitivity level/label and only users authorized up to that particular level can access the object § Access depends on rules and not by the identity of the subjects or objects alone § Only administrator (not owners) may change category of a resource — Orange book B-level § Output is labeled as to sensitivity level § Unlike permission bits or ACLs, labels cannot ordinarily be changed § Can’t copy a labeled file into another file with a different label § Rule based AC 2. Discretionary Access Control (DAC): Subject has authority, within certain limits, to specify what objects can be accessible (e.g., use of ACL) § User-directed means a user has discretion § Identity-based means discretionary access control is based on the subjects identity § Very common in commercial context because of flexibility § Orange book C level § Relies on object owner to control access § Identity Based AC 3. NON-DISCRETIONARY ACCESS CONTROL: CENTRAL AUTHORITY DETERMINES WHAT SUBJECTS CAN HAVE ACCESS TO CERTAIN OBJECTS BASED ON ORGANIZATION’S SECURITY POLICY (GOOD FOR HIGH TURNOVER) § May be based on individual’s role in the organization (Role-Based) or the subject’s responsibilities or duties (task-based) Lattice based – provides least access privileges of the access pair n Greatest lower bound n Lowest upper bound Preventative Detective Administrative Policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks. Polices and procedures, job rotation, sharing of responsibilities Technical Logical system controls, smart cards, bio-metrics, menu shell IDS, logging, monitoring, clipping levels Physical Restrict physical access, guards, man trap, gates Motion detectors, cameras, thermal detectors Identification and Authentication Identification establishes accountability Three Factor Authentication n Something you know (password) n Something you have (token) n Something you are (biometrics) Sometimes - something you do Passwords n Static – same each time n Dynamic – changes each time you logon Tokens – Smartcards Static Password (like software with pin) n Owner Authenticates to the token n Token authenticates to the system Synchronous Dynamic Password n Token – generates passcode value n Pin – user knows n Token and Pin entered into PC n Must fit in valid time window Asynchronous n Similar to synchron