The CISSP Prep Guide Gold Edition
The CISSP Prep Guide: Gold Edition
Ronald L. Krutz
Russell Dean Vines
Wiley Publishing, Inc.

Publisher: Robert Ipsen
Executive Editor: Carol Long
Managing Editor: Angela Smith
Text Design & Composition: D&G Limited, LLC

Designations used by companies to distinguish their products are often claimed as trademarks. In all instances where Wiley Publishing, Inc., is aware of a claim, the product names appear in initial capital or ALL CAPITAL LETTERS. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration.

This book is printed on acid-free paper.

Copyright 2003 by Ronald L. Krutz and Russell Dean Vines. All rights reserved.

Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4744. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspointe Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-mail: .

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic versions.

Library of Congress Cataloging-in-Publication Data:
ISBN 0-471-26802-X

Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1

For more information about Wiley products, visit our Web site at .

To my wife, Hilda: I have said before, and after 40 years of marriage will say again, thank you for all the usual reasons, and for so very many more.
R.L.K.

To the Navajo Nation, thank you for making me feel at home.
R.D.V.

Contents

Acknowledgments xv
Foreword xvii
Introduction xxi
About the Authors xxvii

Chapter 1 Security Management Practices 1
    Sample Questions 29
    Bonus Questions 33
    Advanced Sample Questions 35

Chapter 2 Access Control Systems 43
    Rationale 43
    Controls 44
    Identification and Authentication 49
    Some Access Control Issues 65
    Sample Questions 66
    Bonus Questions 71
    Advanced Sample Questions 73

Chapter 3 Telecommunications and Network Security 81
    Our Goals 82
    Domain Definition 83
    Management Concepts 84
    Sample Questions 159
    Bonus Questions 165
    Advanced Sample Questions 167

Chapter 4 Cryptography 175
    Introduction 176
    Cryptographic Technologies 189
    Secret Key Cryptography (Symmetric Key) 194
    Public (Asymmetric) Key Cryptosystems 203
    Approaches to Escrowed Encryption 214
    Internet Security Applications 218
    Sample Questions 227
    Bonus Questions 233
    Advanced Sample Questions 235

Chapter 5 Security Architecture and Models 249
    Security Architecture 249
    Assurance 265
    Information Security Models 272
    Sample Questions 281
    Bonus Questions 287
    Advanced Sample Questions 290

Chapter 6 Operations Security 297
    Our Goals 298
    Domain Definition 298
    Controls and Protections 299
    Monitoring and Auditing 316
    Threats and Vulnerabilities 321
    Sample Questions 325
    Bonus Questions 329
    Advanced Sample Questions 331

Chapter 7 Applications and Systems Development 337
    The Software Life Cycle Development Process 338
    The Software Capability Maturity Model (CMM) 348
    Object-Oriented Systems 350
    Artificial Intelligence Systems 353
    Database Systems 357
    Application Controls 359
    Sample Questions 363
    Bonus Questions 368
    Advanced Sample Questions 370

Chapter 8 Business Continuity Planning and Disaster Recovery Planning 377
    Our Goals 378
    Domain Definition 378
    Business Continuity Planning 378
    Disaster Recovery Planning 387
    Sample Questions 402
    Bonus Questions 405
    Advanced Sample Questions 408

Chapter 9 Law, Investigation, and Ethics 415
    Types of Computer Crime 415
    Law 418
    Investigation 431
    Liability 437
    Ethics 439
    Sample Questions 444
    Bonus Questions 449
    Advanced Sample Questions 451

Chapter 10 Physical Security 459
    Our Goals 460
    Domain Definition 460
    Threats to Physical Security 460
    Controls for Physical Security 462
    Sample Questions 486
    Bonus Questions 490
    Advanced Sample Questions 492

Appendix A A Process Approach to HIPAA Compliance through a HIPAA-CMM 497
    Background 499
    HIPAA Security Requirements Mappings to PAs 507
    HPAs 508
    Defining and Using the HIPAA-CMM 510
    Conclusion 512
    References 513
    Appendix A: HIPAA-CMM PA Overview 514
    Appendix B: Glossary (SSE-CMM v2.0) 524
    Appendix C: The Ideal Approach to Process Improvement 527
    Appendix D: SSE-CMM Mappings and General Considerations 530

Appendix B The NSA InfoSec Assessment Methodology 532
    History of the NIPC 533
    About the ISSO 533
    The InfoSec Assessment Methodology 534
    PDD #63 536

Appendix C The Case for Ethical Hacking 543
    Rationale 544
    Roles and Responsibilities 544
    Implementation 546
    Summary 548

Appendix D The Common Criteria 549
    Common Criteria: Launching the International Standard 549
    Glossary 558
    For More Information 559

Appendix E BS7799 561

Appendix F HIPAA Updates 563
    Scope 563
    Title II Administrative Simplification 564
    Conclusion 570

Appendix G References for Further Study 571
    Web Sites 573

Appendix H Answers to Sample and Bonus Questions 575
    Chapter 1 Security Management Practices 575
    Chapter 2 Access Control Systems and Methodology 583
    Chapter 3 Telecommunications and Network Security 594
    Chapter 4 Cryptography 605
    Chapter 5 Security Architecture and Models 617
    Chapter 6 Operations Security 629
    Chapter 7 Applications and Systems Development 638
    Chapter 8 Business Continuity Planning and Disaster Recovery Planning 647
    Chapter 9 Law, Investigation, and Ethics 655
    Chapter 10 Physical Security 664

Appendix I Answers to Advanced Sample Questions 673
    Chapter 1 Security Management Practices 673
    Chapter 2 Access Control Systems and Methodology 694
    Chapter 3 Telecommunications and Network Security 713
    Chapter 4 Cryptography 736
    Chapter 5 Security Architecture and Models 767
    Chapter 6 Operations Security 786
    Chapter 7 Applications and Systems Development 809
    Chapter 8 Business Continuity Planning and Disaster Recovery Planning 826
    Chapter 9 Law, Investigation, and Ethics 845
    Chapter 10 Physical Security 864

Notes 877
Appendix J What's on the CD-ROM 878
Glossary of Terms and Acronyms 881
Index 929

Acknowledgments

I would like to express my appreciation to my soul mate, Hilda, for her patience and support during the writing of this guide.
RLK

I would especially like to thank my best friend and wife, Elzy Kolb, for her continual support and guidance.
RDV

The authors would especially like to thank those who contributed changes, updates, corrections, and ideas for this Gold Edition, and the help and support of the excellent Wiley team.

Foreword

One day last year, the chief executive officer (CEO) of a large media company received an alarming e-mail. The sender said that he had gained access to the computer system of the CEO's company. If the CEO were willing to pay a large sum of money, the sender would reveal the weaknesses that he had found in the company's computer system. Just to ensure that they took him seriously, he attached to the e-mail several sensitive files (including photographs) that could only have come from the company's network. This occurrence was not a drill; it was reality.

As you might expect, this kind of problem went straight to the top of the to-do list for the victimized company. The CEO needed many immediate answers and solutions: the true source of the e-mail, the accuracy of the sender's claims, the possible weaknesses that he might have used to break into the system, why the intrusion detection system did not trigger, the steps that they could take to further tighten security, the legal actions that might be possible, and the best way to deal with an adversary living halfway around the world. For several months, many people, including computer security professionals, worked to gather information and evidence, to secure the system, and to track down the source of the attack. Ultimately, undercover officers from New Scotland Yard and the Federal Bureau of Investigation (FBI) met the unsuspecting "cyberextortionists" at a designated location in London, where they arrested them. They are currently in jail, awaiting extradition to the United States.

For anyone who has information security experience, this case brings many thoughts to mind about some of the tools of the trade: logging, packet sniffers, firewalls and their rule sets, and legal access rights to e-mail communications. We cover these concepts in this book. Also, this incident raises questions about how an adversary in a remote location can gain access to a computer network without detection.

As those of us who have been involved in this field for years know, you achieve information systems security through intelligent risk management rather than risk elimination. Computer information security professionals find themselves at the core of a collaborative decision-making process. They must be able to provide answers and explanations anchored in sound methodology. Not all security issues that arise in the daily course of business are as intense as the case study cited here, and many will be quite subtle. As many of the finest minds in technology focus more on the topic of security, there is a growing consensus that security is ensured through a process, rather than a blind reliance on software or hardware products. No one in this field disputes that a computer security professional must be armed with training and experience to be effective.

As you read this book, keep in mind that those people who are closest to the business operations of an organization are in a great position to help notice anomalies. I often point out to clients that a violation of computer security might only be apparent to someone who is intimately familiar with the features of a given network and its file structure. It is not just what you see but what you know.

For example, if you went home tonight and found that someone had switched around your family photographs on your bedroom nightstand, yet everything else in the house was still in its place, you would immediately know that someone had been in your home. Would a security guard who does not intimately know your home be able to notice this kind of difference, even if he or she took the time to look at your nightstand? The answer is probably not. Similarly, an intruder could disturb many computer network features that no one would notice except for an expert who is familiar with your system.

It is sometimes necessary to point out to clients that the most serious threat to information systems security comes from people, not machines. A person who is an insider and has a user account on a computer system has an enormous advantage in targeting an attack on that system. Computer crime statistics consistently show that insiders do greater damage to systems as opposed to outside hackers. As brilliant as they might be, computer criminals are a poor choice as computer security professionals. Think of it this way: While the fictional criminal Dr. Hannibal Lecter in the movie "Silence of the Lambs" was brilliant in many ways, I would not trust him with my family. I respect the knowledge that smart people possess, but when you bring one onto the team you get their knowledge and their ethics, a package deal.

As you study the depth of material provided in this book, keep in mind that the information systems security professional of today is just that: a professional. Professionals must abide by rigorous standards yet provide something that computers cannot: human judgment. For this reason (and others), the (ISC)² requires strict adherence to its Code of Ethics before granting Certified Information System Security Professional (CISSP) certifications.

If you are beginning your CISSP certification, this book provides the framework to help you become a Certified Information System Security Professional. If you are a harried information technology (IT) manager for whom security is an increasingly daily concern, this book gives you the fundamental concepts and a solid foundation to implement effective security controls. If you are already a CISSP or an active security practitioner, the "CISSP Prep Guide" will help you succeed in a field that has become crucial to the success of business and the security of a nation's economy.

Edward M. Stroz

Ed Stroz is president of Stroz Associates, LLC, a consulting firm specializing in helping clients detect and respond to incidents of computer crime. He was an agent with the FBI, where he formed and supervised the computer crime squad in its New York office. You can reach him at .

Introduction

You hold in your hand a key, a key unlocking the secrets of the world of information systems security. This world presents you with many new challenges and rewards, because information systems security is the latest frontier in man's continuing search for communication. This communication has taken many forms over the centuries; the Internet and electronic communications being only our most recent attempt. But for this communication to survive and prosper, it needs reliability, confidence, and security. It needs security professionals who can provide the secure foundation for the growth of this new communication. It needs professionals like you.

With the increasing use of the World Wide Web for e-business, we must protect transaction information from compromise. Threats to networks and information systems in general come from sources that are internal and external to the organization. These threats materialize in the form of stolen intellectual property, denial of service (DoS) to customers, an unauthorized use of critical resources, and malicious code that destroys or alters valuable data.

The need to protect information resources has produced a demand for information systems security professionals. Along with this demand came a need to ensure that these professionals possess the knowledge to perform the required job functions. To address this need, the Certified Information Systems Security Professional (CISSP) certification emerged. This certific