CISSP Cram Sheet
Compiled by: Jason Robinett, Ascend Solutions
Last Updated 4/10/02

NOTE: This guide does not replace in any way the outstanding value of the ISC2 CISSP CBK Seminar, nor the fact that you must have been directly involved in the security field or one of the 10 domains of expertise for at least 3 years if you intend to take the CISSP exam. This booklet simply intends to make your life easier and to provide you with a centralized and compiled list of resources for this particular domain of expertise. Instead of a list of headings, we will attempt to give you the headings along with the information to supplement the headings. As with any security-related topic, this is a living document that will and must evolve as other people read it and technology evolves. Please feel free to send comments and input to be added to this document. Any comments, typo corrections, etc. are most welcome and can be sent directly to jasonr@ascendsolutions.com. Thanks.

Domain 1: Access Control Systems & Methodology

Domain Definition: Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system. CISSP students should fully understand access control concepts, methodologies, and implementation within centralized and decentralized environments across the entire enterprise. Access control techniques and detective and corrective measures should be studied to understand the potential risks, vulnerabilities, and exposures.

Accountability - The means of linking individuals to their interactions with an IT product, thereby supporting identification of and recovery from unexpected or unavoidable failures of the control objectives.

Access Control Categories – Each control should be equal or else an imbalance will be created.
  Physical Access Control
  Administrative Access Control
  Logical Access Control
  Data Access Control

Types of Access Controls:
  Preventative (in order to avoid occurrence)
  Detective (in order to detect or identify occurrence)
  Deterrent/Preventative (in order to discourage occurrences)
  Corrective (in order to correct or restore controls)
  Recovery (in order to restore resources, capabilities, or losses)

Examples:
  Physical Preventive Controls include: backups, fences, security guards, locks and keys, badge systems.
  Administrative Preventive Controls include: security awareness training, separation of duties, hiring procedures, security policies and procedures, and disaster recovery.
  Technical Preventive Controls include: access control software, antivirus software, library control systems, IDS, smart cards, and callback systems.
  Physical Detective Controls include: motion detectors, smoke alarms, closed circuit TV, and alarms.
  Administrative Detective Controls include: security reviews and audits, rotation of duties, required vacations, and performance evaluations.
  Technical Detective Controls include: audit trails and intrusion detection expert systems.

Access Control Techniques:

Mandatory Access Control – Defines an imposed access control level. In this type of control system, decisions are based on the privilege (clearance) of the subject (user) and the sensitivity (classification) of the object (file) through the use of labeling. For example, the military classifies a document as secret. A user can be granted the secret privilege and have access to objects with this classification or lower as long as they have a “need to know”.

Rule-based Access Control – A type of MAC, because access is determined by rules (use of classification labels) and not by the identity of the subjects and objects alone. Usually based on a specific profile for each user, allowing information to be easily changed for only one user.

Discretionary Access Control – Access controls that are not policy based.
In this method, the subject has authority, within certain limitations, to specify which objects are accessible, often through the use of ACLs.

Non-Discretionary Access Controls – A central authority determines what subjects can have access to certain objects based on the organizational security policy. These controls may be based on the individual’s role (role-based) or the subject’s responsibilities (task-based). Often useful in organizations where there are frequent personnel changes.

Lattice Based Access Control – Pairs of elements that have the least upper bound of values and greatest lower bound of values. To apply this concept to access controls, the pair of elements is the subject and the object, and the subject has the greatest lower bound and the least upper bound of access rights to an object. This allows one to combine objects from different security classes and determine the appropriate classification for the result by showing that any combination of security objects must maintain the lattice rule between objects. Example: A <= A; if A <= B and B <= C, then A <= C.

Role-Based Access Control – Access decisions are based on the roles that individual users have as part of an organization. Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. Allows security to be managed at a level that corresponds closely to the organization’s structure. Users with similar jobs are pooled into logical groups for the purposes of controlling access, and access is provided according to business requirements.

Access Control Lists – A method of coordinating access to resources based on the listing of permitted (or denied) users, network addresses or groups for each resource.

Access Control Administration:

Account Administration – Accounts should be monitored regularly. It is also advisable to have procedures in place to verify password strength.
Account, Log, and Journal Monitoring – Log files are usually a good way to find an indication of abnormal activities.

Logging – Logging should be done 24/7 on all necessary systems. In order to provide dependable and secure logging, make sure that:
  All computers have their clocks synchronized
  Logs are encrypted when traveling on the network if possible
  Logs are stored on a protected machine
  Logs are not modified without a record of the modification

Storage - All logs should be kept on archive for a period of time determined by company policy and must be secured while in storage.

Access Rights and Permissions Establishment (Authorization) – Determines whether a particular principal, who has been authenticated as the source of a request to do something, is trusted for that operation. Authorization may also include controls on the time at which this action can take place or which IP address may request it.

File and Data Owners, Custodians, and Users – All information generated or used must have a designated owner. The owner must determine the appropriate classification and access controls. The owner is also responsible for ensuring appropriate controls for the storage, handling and distribution of the data. Custodians are charged by the owners with the everyday care of the data (backups, etc.). Users are the subjects that require the data to perform their jobs.

Principle of Least Privilege – Requires that a user be given no more privilege than necessary to perform a job. Ensuring least privilege requires identifying what the user’s job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more.

Segregation of Duties and Responsibilities – Requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set. Can be either static or dynamic.
Access Control Models:

Bell-LaPadula (BLP) - The BLP model is built on state machine concepts. Focuses on Confidentiality. The model defines a set of allowable states in a system. The transition from one state to another upon receipt of an input is defined by transition functions. The objective of this model is to ensure that the initial state is secure and that the transitions always result in a secure state. BLP defines a secure state through 3 multilevel properties.
  Simple Security Property (SS) – States that reading of information by a subject at a lower level from an object at a higher level is not permitted (no read up).
  * Security Property (Star) – States that writing of information by a subject at a higher level to an object at a lower level is not permitted (no write down).
  Discretionary Security Property (DS) – Uses an access matrix to specify discretionary access controls.
The model prevents users and processes from reading above their security level. In addition, it prevents processes with any given classification from writing data associated with a lower classification. The “no write down” prevents placing data that is not sensitive, but contained in a sensitive document, into less sensitive files.

Biba – The Biba model is lattice-based and uses the less than or equal to relation. Focuses on Integrity. Biba specifies the three following integrity axioms.
  Simple Integrity Axiom – States that a subject at one level of integrity is not permitted to observe (read) an object of a lower integrity (no read down).
  * Integrity Axiom (Star) – States that an object at one level of integrity is not permitted to modify (write to) an object of a higher level of integrity (no write up). For example, if a process can write above its security level, trustworthy data could be contaminated by the addition of less trustworthy data.
  A subject at one level of integrity cannot invoke a subject at a higher level of integrity.
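
The BLP and Biba rules above, together with the lattice rule from the Lattice Based Access Control entry, can be written as one small reference monitor. This is an added example, not part of the original cram sheet; the level names, the need-to-know categories, the sample labels and the function names are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed hierarchy; the page itself only names "secret" as a level.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # need-to-know compartments (assumed)

    def dominates(self, other):
        """Lattice order: self >= other in level AND holds every category."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def join(a, b):
    """Least upper bound: the label for data combined from a and b."""
    top = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(top, a.categories | b.categories)

def blp_allows(subject, obj, op, matrix_ok=True):
    """Bell-LaPadula (confidentiality labels)."""
    if not matrix_ok:            # Discretionary Security Property
        return False
    if op == "read":             # Simple Security Property: no read up
        return subject.dominates(obj)
    if op == "write":            # * Security Property: no write down
        return obj.dominates(subject)
    raise ValueError(op)

def biba_allows(subject, target, op):
    """Biba (the same Label type, read as integrity levels)."""
    if op == "read":             # Simple Integrity Axiom: no read down
        return target.dominates(subject)
    if op in ("write", "invoke"):  # no write up, no invoking higher integrity
        return subject.dominates(target)
    raise ValueError(op)

# Constructed sample labels.
ANALYST = Label("secret", frozenset({"crypto"}))
MEMO = Label("confidential", frozenset({"crypto"}))
PLAN = Label("top_secret", frozenset({"crypto"}))
SURVEY = Label("secret", frozenset({"nuclear"}))  # same level, other compartment

if __name__ == "__main__":
    for name, obj in [("MEMO", MEMO), ("PLAN", PLAN), ("SURVEY", SURVEY)]:
        for model in (blp_allows, biba_allows):
            print(name, model.__name__,
                  {op: model(ANALYST, obj, op) for op in ("read", "write")})
    print("MEMO combined with SURVEY ->", join(MEMO, SURVEY))
```

SURVEY sits at the analyst's own level but in a different compartment, so neither label dominates the other and BLP denies both read and write: the lattice is a partial order, not a simple ranking.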
Clark-Wilson – This model places emphasis on integrity, both internal and external consistency. Clark-Wilson uses well-formed transactions, separation of duties, and the labeling of subjects and objects with programs to maintain integrity. BLP is oriented more toward general-purpose operating systems, while Clark-Wilson is oriented toward application-level IT systems. Security properties are partly defined through five certification rules, suggesting the checks that should be conducted so that the security policy is consistent with the application requirements.
  CDI (Constrained Data Item) – A data item whose integrity must be preserved.
  IVPs (Initial Verification Procedures) – Confirm that all CDIs are in a valid integrity state when the IVP is run.
  TP (Transformation Procedure) – Manipulates the CDIs through a well-formed transaction, which transforms a CDI from one valid integrity state to another.
  UDI (Unconstrained Data Item) – Data items outside of the control area, such as input information. Any TP that takes a UDI as input must either convert the UDI into a CDI or reject the UDI and perform no transformation at all.
The model consists of subject/program/object triples and rules about data, application programs, and triples. The model incorporates mechanisms to enforce internal and external consistency, a separation of duty, and a mandatory integrity policy.

Non-Interference Model – This model is related to the information flow model, with restrictions on the information flow. The basic principle of this model is that a group of users (A), who are using the commands (C), do not interfere with the user group (B), who are using the commands (D).

State Machine Model – This model captures the state of a system. A state can change only at discrete points in time, i.e., triggered by a clock or input event. How to use state machine models?
  Define the state set so that it captures “security”
  Check that all state transitions starting in a “secure” state yield a “secure” state
  Check that the initial state of the system is “secure”
A state transition is secure if it goes from a secure state to a secure state.

Access Matrix Model – Defined as the policy for user authentication, and has several implementations such as access control lists (ACLs) and capabilities. It is used to describe which users have access to what objects. The matrix consists of four major parts:
  A list of objects
  A list of subjects
  A function T that returns an object’s type
  The matrix itself, with objects making the columns and the subjects making the rows
The two most used implementations are access control lists and capabilities. ACLs are achieved by placing on each object a list of users and their associated rights (columns). Capabilities are accomplished by storing on each subject a list of rights the subject has for every object (rows).

Information Flow Model – This model is based on a state machine, and it consists of objects, state transitions, and lattice states. In this context, objects can also represent users. Each object is assigned a security class and value, and information is constrained to flow in the directions that are permitted by the security policy.

Identification and Authentication Techniques:

Identification – The act of a user professing an identity to a system, usually in the form of a logon.

Authentication – The verification that the user’s claimed identity is valid; it is usually implemented through a password at logon time.
Authentication is based on the following three factor types:
  Type 1: Something you know, such as a PIN or password
  Type 2: Something you have, such as a smart card
  Type 3: Something you are, such as a fingerprint

Knowledge-based: Passwords, PINs, and Passphrases

Passwords – Several schemes can be used:
  User Selected
  Generated
  Token generated
  Default
Composition – Combination of two totally unrelated words
Passphrases – Good way of having very strong passwords

Password Management Issues
  Lifetime Considerations
    Cost of replacement
    Risk of compromise
    Guessing attacks
    Number of times used
  Password Changing Considerations
    60 days regular user
    30 days privileged users
    15 days security officer
  Use security policies to control password management issues

Characteristic-based (biometrics, behavior) – Automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics. There are three main performance measures in biometrics:
  False Rejection Rate (FRR) or Type 1 error – The percentage of valid subjects that are falsely rejected.
  False Acceptance Rate (FAR) or Type 2 error – The percentage of invalid subjects that are falsely accepted.
  Crossover Error Rate (CER) – The percentage at which the FRR equals the FAR.

Order of Effectiveness
  Iris Scan
  Retina Scan
  Fingerprint
  Hand Geometry
  Voice Pattern
  Keystroke Pattern
  Signature

Token – A software or hardware object used to identify an identity in an authentication process. This object is used to control access and is passed between cooperating entities in a protocol that synchronizes use of a shared resource.

Tickets - TBD
One-Time Passwords - TBD
Smart Card
Administrative

Single Sign-On (SSO) – Single sign-on addresses the cumbersome situation of logging on multiple times to access different resources. Users identify only once to a system; the information needed for future access to resources is then forwarded by the initial system.
Pros
  More efficient user log-on process
  The ability to use stronger passwords
Cons
  Once a user has logged on, they can freely roam the network

Kerberos (MIT Project Athena) – A trusted third-party authentication protocol that was developed at MIT. Using symmetric key cryptography, it authenticates clients to other entities on a network from which a client requires services.

Sesame (Secure European System for Applications in a Multivendor Environment) – Addresses the weaknesses in Kerberos. Uses public key cryptography for the distribution of the secret keys and provides additional access control support. It uses the Needham-Schroeder protocol.

Access Control Methodologies and Implementation:

Centralized/Remote Authentication Access Controls

RADIUS (Remote Authentication Dial In User Server) – A protocol for carrying authentication, authorization, and configuration information between a Network Access Server, which desires to authenticate its links, and a shared Authentication Server.
  Uses the client/server model
  Transactions between the client and the RADIUS server are authenticated through the use of a shared secret, which is never sent over the network.

TACACS – A client/server protocol for handling authentication, authorization, and accounting messages. TACACS+ is the latest Cisco implementation. It provides attribute control (authorization) and accounting. Authorization can be done on a per-user/per-group basis, and is dynamic.

Decentralized Access Control – Domains are based on trust; trust relationships can sometimes be compromised if proper care is not taken.

Domains – A security domain is a single domain of trust that shares a single security policy and a single management source. Usually, domains are defined as a sphere of influence.

Trust – A trusted subject is a subject that is part of the TCB.

File and Data Ownership and Custodianship

Implementation of data classification requires support from higher management.
It is useless if the policies are not enforced at the highest level. The ISO should consider developing the policy as such:
  Define information as an asset of the business unit
  Declare local business managers as owners of the information
  Establish Information Systems staff as custodians of the information
  Clearly define roles and responsibilities
  Determine data classification criteria
  Determine controls for each classification

Methods of Attack
  Brute Force – Identifying secret data by testing all possible combinations.
  Denial of Service – An attack on the operating system that renders the target unable to reply reliably.
  Spoofing – An attack in which one person or process pretends to be another person or process that has more privileges.
  Dictionary – A password attack that involves trying a list of possible passwords.
  Spamming – Involves repeatedly sending identical e-messages to a particular address.
  Man-in-the-Middle – Commonly consists of the attacker intercepting or changing traffic destined for another machine.
  Sniffers – A program or device that monitors data traveling over a network.
  Crackers – Individuals who try to break into computer systems.

Monitoring

Intrusion Detection – The process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions.

IDS Types
  Network-Based IDS – Provides reliable, real-time information without consuming network or host resources. Listens to the network passively for known attacks.
  Host-Based IDS – Reviews the system and event logs in order to detect an attack on the host or whether the attack was successful.

IDS Detection Methods
  Signature-Based ID – In a signature-based ID, signatures or attributes of known attacks are referenced and compared against.
  Statistical Anomaly-Based ID – An IDS acquires data and defines a “normal” usage profile for the systems.
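
The two detection methods above can be run side by side over the same events to show what each one catches and misses. This is an added example, not part of the original cram sheet; the signature patterns, the per-user request history, the events, the threshold and the function names are all constructed for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed signatures: attributes of known attacks to compare against.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-meta": re.compile(r"(?i)union\s+select"),
}

def signature_alerts(events):
    """Signature-based ID: flag any event matching a known pattern."""
    return [(e["user"], name) for e in events
            for name, rx in SIGNATURES.items() if rx.search(e["request"])]

def build_profile(history):
    """Learn the 'normal' usage profile: mean and spread of requests/hour."""
    return {user: (mean(s), pstdev(s)) for user, s in history.items()}

def anomaly_alerts(events, profile, threshold=3.0):
    """Statistical anomaly-based ID: flag users far above their baseline."""
    alerts = []
    for user, n in sorted(Counter(e["user"] for e in events).items()):
        if user not in profile:
            alerts.append((user, "no-baseline"))
            continue
        mu, sigma = profile[user]
        z = (n - mu) / (sigma or 1.0)  # flat baseline: avoid dividing by zero
        if z > threshold:
            alerts.append((user, "rate-anomaly"))
    return alerts

# Constructed baseline: requests per hour observed during normal operation.
HISTORY = {"alice": [4, 5, 6, 5, 4, 6], "bob": [20, 22, 19, 21, 20, 18]}

# Constructed events for the hour under review.
EVENTS = (
    [{"user": "alice", "request": "GET /reports/q%d" % i} for i in range(14)]
    + [{"user": "bob", "request": "GET /files?name=../../secret.txt"}]
    + [{"user": "bob", "request": "GET /index"} for _ in range(19)]
)

if __name__ == "__main__":
    print("signature:", signature_alerts(EVENTS))
    print("anomaly:  ", anomaly_alerts(EVENTS, build_profile(HISTORY)))
```

The signature engine flags bob's single request that matches a known pattern but says nothing about alice, whose requests are individually unremarkable; the anomaly engine flags alice's volume against her profile but misses bob, whose hourly count is normal.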
Types of Intrusions
  Input Validation Error
  Buffer Overflow
  Boundary Condition
  Access Validation Error
  Exceptional Condition Handling Error
  Environmental Error
  Configuration Error
  Race Condition

Penetration Testing
  Phase 1 – Information Gathering
  Phase 2 – Gaining Access
  Phase 3 – Denying Services
  Phase 4 – Evade Detection
  Phase 5 – Backdoor and Covering Tracks