
ISC2 CISSP CBK Resource List

This material is an extract from the FY2000 CBK Review Courses. The material is under constant review and revision, so some of the information contained herein COULD BECOME STALE-DATED. Users of this information should cross-reference it to the CBK review material received during their review course. This will provide added assurance that you are dealing with the appropriate version of this material.

Every attempt has been made to accurately transcribe the information in this list from the source documents for easy review. Any errors or omissions are regretted but this training aid is provided AS IS with no guarantees or warranties of any sort.

ABOUT THE “mock” EXAM

The questions for the CBK Review Course have been prepared ESPECIALLY for this course and are intended to be REPRESENTATIVE of the actual questions and process applicants would encounter in the CISSP Certification Exam. These sample questions are intended to provide guidance as to expectations of the exam process. Applicants should focus attention on the structure and language style of the questions rather than the difficulty of the questions or the quality of the answer options. Getting the right answer is good. Understanding the questioning process while getting the answer right is better.

The question will seek the BEST answer as the correct answer. Where possible, there will be references, and a discussion for contentious (close but not quite correct) responses.

4/12/2020

Specific answers to exam-oriented questions.

- The examination consists of 250 multiple choice questions with four (4) choices.

25 of these questions are included for research purposes only. The research questions are not identified; therefore, answer all questions to the best of your ability. Examination results will be based only on the 225 scored questions on the examination.

The pass rates run about 73% to 76% overall and have been remarkably consistent over the past 3 years.

Please note that no percentage scores are used to calculate overall scores or determine pass/fail status, but rather, the raw scores are converted onto a reporting scale in accordance with the appropriate equating formula for each unique test form. Equating is conducted to ensure that every candidate has the same opportunity to pass, thereby correcting for the fact that the difficulty levels of test forms vary slightly from test to test (because questions are replaced over time). Candidates must score 700 on the scale to pass.

Those who attend CBK Review seminars score about 3-6 points higher in raw points, which translates into 9-18 points higher on the reporting scale (which runs from 1 - 1000). This fact is significant, since the candidate score distribution aggregates around the passing point, and thus, training seminars clearly help a significant number of candidates get above the passing point.

NOTE:

The exam is difficult. A significant amount of self-study and review of references is required to pass. The CBK Review course is intended to provide a guideline of areas where this additional self-study should be focused.

September 13, 2002 Page 2 of 79

Table of Contents

MODULE 1 ........ 1
INFOSEC MANAGEMENT PRACTICES ........ 1
USEFUL LINKS FOR RISK ANALYSIS AND ASSESSMENT ........ 1
Recognised Definitions ........ 2

MODULE 2 ........ 11
SECURITY ARCHITECTURE & MODELS ........ 11

MODULE 3 ........ 17
ACCESS CONTROL SYSTEMS AND METHODOLOGY ........ 18

MODULE 4 ........ 28
APPLICATIONS & SYSTEMS DEVELOPMENT SECURITY ........ 28

MODULE 5 ........ 29
OPERATIONS SECURITY ........ 29

MODULE 6 ........ 31
PHYSICAL SECURITY ........ 31

MODULE 7 ........ 35
CRYPTOGRAPHY ........ 35

MODULE 8 ........ 47
TELECOMMUNICATIONS & INFO SECURITY ........ 47

MODULE 9 ........ 56
BUSINESS CONTINUITY PLANNING & DISASTER RECOVERY PLANNING ........ 56

MODULE 10 ........ 57
LAW, INVESTIGATION & ETHICS ........ 57

MODULE 1

INFOSEC MANAGEMENT PRACTICES

USEFUL LINKS FOR RISK ANALYSIS AND ASSESSMENT

http://www4.nationalacademies.org/cpsma/cstb.nsf/web/pub_cybersecurity?OpenDocument

http://www.insurancetranslation.com/Language_Perils/current.htm

http://www.joelwuesthoff.com/

Joel Wuesthoff was in my class at NASA in November 2001. He and his legal colleague passed the test and are now working on legal-related information gathering for LIE.

He passed on these sites. I think you will find his web site useful.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA): HIPAA requires implementation of privacy and security regulations pertaining to individually identifiable health information. See http://aspe.hhs.gov/admnsimp/Index.htm

Gramm Leach Bliley (GLB): http://www.senate.gov/~banking/conf/

U.S. regulations pertaining to the privacy of financial information.

International Standards Organization: http://www.iso.ch/iso/en/ISOOnline.frontpage

British Standards Institute (BSI): http://www.bsi-global.com

Toward Standardization of information security

Information Systems Audit and Control Association (ISACA): http://www.isaca.org

Provides access to their COBIT (Control Objectives for Information and related Technology), Standards for Information Systems Control Professionals (http://www.isaca.org/standard/stand3.htm), and their K-NET repository of information.

Commonly Accepted Security Practices and Recommendations: http://www.caspr.org

The Platform for Privacy Preferences Project (P3P): http://www.w3.org/P3P

Developed by the World Wide Web Consortium, P3P is emerging as an industry standard that provides a simple, automated way for users to gain more control over the use of personal information on Web sites they visit.


National Institute of Standards and Technology: http://csrc.nist.gov/csrc/standards.html

EU Data Protection Directive: http://europa.eu.int/comm/internal_market/en/media/dataprot/law/index.htm

Federal Information Processing Standards (NIST): http://csrc.nist.gov/publications/fips/index.html

Recognised Definitions

Risk DEFINITION

The potential for realization of unwanted, adverse consequences to human life, health, property, or the environment; estimation of risk is usually based on the expected value of the conditional probability of the event occurring times the consequence of the event given that it has occurred.

Thomas Cool provides an alternative definition of risk in the context of uncertainty. http://econwpa.wustl.edu/eprints/get/papers/9902/9902002.abs

Risk analysis DEFINITION

A detailed examination including risk assessment, risk evaluation, and risk management alternatives, performed to understand the nature of unwanted, negative consequences to human life, health, property, or the environment; an analytical process to provide information regarding undesirable events; the process of quantification of the probabilities and expected consequences for identified risks.

Risk assessment DEFINITION

The process of establishing information regarding acceptable levels of a risk and/or levels of risk for an individual, group, society, or the environment.

Risk estimation DEFINITION

The scientific determination of the characteristics of risks, usually in as quantitative a way as possible. These include the magnitude, spatial scale, duration and intensity of adverse consequences and their associated probabilities as well as a description of the cause and effect links.

Risk evaluation DEFINITION

A component of risk assessment in which judgments are made about the significance and acceptability of risk.


Risk identification DEFINITION

Recognizing that a hazard exists and trying to define its characteristics. Often risks exist and are even measured for some time before their adverse consequences are recognized.

In other cases, risk identification is a deliberate procedure to review and, it is hoped, anticipate possible hazards.

Delphi and Modified Delphi

Policies/Standards & Procedures Hierarchy

The chart in The Policy Overview (Slide 17) shows the hierarchy of various instructional documents relative to Security management. At the top is the general policy that is management’s statement of direction - what is expected to be accomplished to properly secure company information.

Next are the implementing policies that each LOB (Line Of Business) will create and adhere to. Then follows the other documents that are driven out of the various policies.

We are separating standards from procedures to eliminate the confusion when such terms as “standard operating procedures” are used. Standards are now hardware or software mechanisms selected as the organization’s method of addressing a security risk - for instance, a specific anti-virus product or password generation token that has been chosen for use throughout the organization. Procedures are statements of step-by-step actions to be performed to accomplish a security requirement; for instance, password-changing procedures would be a step-by-step process.

Baselines are descriptions of how to implement security packages to ensure that implementations result in a consistent level of security throughout the organization.

Different systems (platforms) have different methods of handling security issues.

Baselines are created to inform user groups about how to set-up the security for each platform so that the desired level of security is achieved consistently.

Guidelines are the only discretionary element of these controls. They are used to help focus people who need to make judgements in the performance of security actions, such as in user registration.

Security architecture is a “buzz” word that has been around for several years now; it refers to the security structure employed by the organization for all of the systems and networks that make up the information processing operation. We mention it here because, if a comprehensive set of baselines is established, it represents the security architecture of the organization.


A sampling of the topics that could be addressed by procedures are presented in Slide 28.

Procedures, like policies, are considered to be mandatory requirements.

COMSEC is a government acronym meaning communications security.

System high mode is a government term meaning a mode of operation wherein each user has all of the following:

Valid security clearance for all information within the system.

Formal access approval & signed non-disclosure agreements for all information on the system.

Valid need-to-know for some of the information contained within the system.

Guidelines and RAINBOW Series documents. There are 28 of these dealing with various components of the Trusted Computer Base (TCB). Go to: http://www.radium.ncsc.mil/tpep/library/rainbow/

Generally accepted security principles are being created as a result of the report of the Secure System Study Committee of the National Academy of Science. The committee was formed to evaluate the status of computer security in the U.S. The findings were reported in the “Computers At Risk” (CAR) book.

The first recommendation was that a list of generally accepted system security principles be established that all reasonably secure computer systems would use to provide protection for the system resources.

They would provide guidelines for vendors to incorporate into their products and for users in the selection of products to purchase. The international committee is about halfway through development of a 3-tiered set of principles. The top level, called pervasive principles, has been defined. They are overarching, high-level philosophies. The next level, broad functional principles, is really the first that addresses specific security goals, for instance access control, disaster recovery, etc. These are drafted. The lowest level will be the detailed principles that address and support implementation of the broad principles, for instance ids & passwords for access control.

The Rainbow series, named after the colors of the covers of the booklets, are National Computer Security Center (an NSA facility) guidelines for the protection of trusted systems. Contains good info for all security functions.

What follows is an interesting presentation to the Senate Committee on Governmental Affairs by Peter G. Neumann, Principal Scientist, Computer Science Laboratory, SRI International, Menlo Park CA 94025-3493, entitled “Computer-Related Infrastructure Risks for Federal Agencies”: http://www.csl.sri.com/neumann/senate98.html

TCSEC


The purposes of the TCSEC (Orange Book).

Provides the user with a measurement for the evaluation of trust of a system component.

Provides the vendor with guidance for the security to build into trusted systems.

Provides a basis for specifying system requirements. For instance, ACF2 was evaluated at the C2 level so could be specified for IBM mainframe systems that required discretionary access control.

TCSEC - This lists the basic requirements for a trusted system (secure system in private sector terminology).

Provides confidentiality.

The security policy is the organization’s policy describing the level of protection required.

Objects are passive entities, such as files that subjects (people or programs acting for people) need to access. For mandatory access control, they need to be labeled to indicate their sensitivity level or classification (government terminology).

Subjects need to be identified to enable the access control mechanism to determine if the subject is authorized to access the object.

Audit information must be protected from tampering. Hackers often modify audit records to erase their tracks on the system.

The evaluation by NCSC (National Computer Security Center) is to ensure that the performance requirements of the mechanism are met.

The security mechanisms must be protected from tampering so they can be depended upon.

ITSEC

Briefly describes the purpose of ITSEC (Information Technology Security Evaluation Criteria). Previously each country had its own version of the evaluation criteria. ITSEC combined the European versions with the Orange Book and expanded the scope to include integrity & availability as well as confidentiality.

Common Criteria - ISO 15408 - Version 2 (5/98). This URL is for Version 2.1 / ISO IS 15408 (last updated: 31 January 2000): http://csrc.nist.gov/cc/ccv20/ccv2list.htm

British Standard 7799 - URL for ISO 17799 is http://www.iso-17799.com/ and http://www.cccure.org/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=116


The critical technologies list was originated during the Reagan administration because it was felt that too much high tech info was being obtained and potentially used against the U.S.

SUI (Sensitive but Unclassified Information) is an earlier term - now called SBU (Sensitive But Unclassified).

U.S. Government/NATO information requiring protection against unauthorized disclosure is classified as TOP SECRET, SECRET, CONFIDENTIAL, etc. That is NOT what we are talking about here. The slide lists the objectives for classifying information.

Note that the words “destruction/modification/disclosure” map to our standard “availability/integrity/confidentiality”.

Sensitive Systems Information

This addresses some of the considerations involved in deciding what information to mark with its classification. For instance, competitive-edge information could be very valuable to the organization as well as to competitors; knowing what the potential risks of compromise of the information are can help determine the need for classification; and the evaluation of protective measures may indicate that they are inadequate to protect the information.

Document labeling refers to the marking of classification on hard copy.

Object labeling refers to the marking of classification on magnetic media (files).

Classifications Schemes

Criteria - some of the reasons for classifying or declassifying information.

Obviously information that is very valuable to the organization or competitors if it is disclosed needs to be classified in order to be afforded appropriate protection.

Age - often the value of nondisclosure decreases with time, so that after a certain age the classification is lowered. Note that in the military some classified documents have the label that they are automatically declassified after so many years.

Useful life - once the information has been superseded, for instance, the original information can often be declassified.

Associations - information associated with individuals that comes under privacy law would need to be classified for protection. Some legal information associated with ongoing cases or business affairs could also be classified so that it wouldn’t be disclosed to unauthorized persons.

Elements - those things that relate to classification of information. Who is authorized to classify or access, who is designated to maintain custody, what are the conditions under which information could be copied, what logging is required to maintain a record of access or custody, what are the marking and labeling requirements, and how will the information be filed so that it is protected.


Limitations - usually the individual that creates the information is the classifier unless a department or function centralizes this task. Different classifiers may not recognize the same need for classification, so ability to classify may be a limitation. The custodian is the keeper of the information files. Obviously, an unethical custodian could allow unauthorized access to classified information. The administrator of the classification system may or may not devote enough attention to the job to ensure that the classification system is working appropriately.

Procedures - the steps in establishing a classification system. Naming the administrator comes first, then the details of how information will be classified and labeled. Most organizations have the info originator do the classification subject to concurrence by the supervisor. Any exceptions to the classification policy need to be documented.

Some of the normal controls that are specified:

Avoid “open view” means there should be procedures that specify that classified documents or files must not be left where an unauthorized person can see the classified information, e.g., documents left open on a desk or files left open on a PC.

Termination/transfer procedures refer to procedures for declassifying information or transferring the custody to another person, function or facility.

External distribution - this describes some of the instances where classified information can be allowed out of the organization, for example when you have an agreement with another organization (e.g., a co-contractor) to maintain the confidentiality of the information.

To comply with a court order, you may have to disclose classified information.

Government contractors who sell work in accordance with procurement agreements will disclose classified information related to the project. Finally, a senior executive may authorize classified competitive information to be released to external groups.

Destroying/desensitizing provisions are those that specify how to securely destroy classified information or to reduce its classification when no longer required at the original level.

Some effective procedures for monitoring compliance with classification policy are needed.

Some additional benefits of classification.

Makes users aware that they are using information that the organization is committed to protecting from unauthorized access.

Provides the identification of information that is considered to be critical for the business success.

If integrity is a concern, classification can identify data that must only be modified in authorized ways.

If confidentiality is a concern, classification can ensure that users understand the value of the information to the organization and the need to protect it. How to protect it can also be identified.


Some of the ways that information classification can be compromised.

Data aggregation classification problems occur when unclassified or lower classified data are combined, resulting in information that is more sensitive and warrants a higher classification. For instance, information created by individual subcontractors on a project may be unclassified until combined with that of the other subcontractors in a finished project, which may then be classified to avoid unauthorized disclosure. The risk of this happening is real, and the countermeasures involve being alert to the potential problem and increasing the classification accordingly.

Virus - custodians and owners of automated classified information have access to the information as part of their job. An unauthorized person could trick a custodian or owner into running a program that contains a Trojan horse that causes the classified file to be placed in a location where the unauthorized person could get access to it. The control for this vulnerability is to invoke mandatory access control that involves the system being responsible for ensuring that sensitive files would not be written to an insecure location.

Roles & Responsibilities

Organizations can be centralized, decentralized, or somewhere in between.

The location of the IT/IS security function within an organization would ideally be where significant power & authority exists, for instance under the CIO, Administrative VP, Information Resources VP, etc. - NOT under Operations or IT, where an obvious conflict of interest would occur. But, wherever necessary to get the job done.

Organization planning is usually accomplished in terms of long term (Strategic Planning), mid term (Tactical Planning) and near term (Operational Planning). Sometimes these are referred to as the Planning Horizon.

Security architecture: statement of information resource control objectives based on organization security policy. Purpose is to implement a reasonable & consistent level of security across all systems & platforms.

Usual information security function responsibilities include:

• Establish & maintain the security program

- Develop/implement/integrate policies, procedures, baselines & guidelines.

- Maintain resource access controls

- Provide guidance on processing & telecom security issues.

- Conduct security awareness training.

- Provide risk analysis services.

- Investigate incidents

• Provide InfoSec audit coordination.

Roles are usually classified as line or staff: line being those who are directly responsible for accomplishing the purpose of the organization, staff being those who support the line personnel. Matrix management is often used to accomplish specific projects, such as risk analysis or disaster recovery planning. Matrix management is a cross-function operation where people are assigned from various functions to form a team to accomplish the project. Members of the team report to the team leader for project performance but remain assigned to their function for administrative purposes.

Another term often used is that of Custodian. The custodian is responsible for operating the system for the owner and is responsible for ensuring that the information processing resources, including data, are protected in accordance with policy and the owner’s instructions.

Point out that every employee has a security responsibility that should be spelled out in their job description.

Separation of duties is used so that collusion is required to manipulate a system for one’s own purposes.

Incompatibles: origination, approval and receipt of purchases; production system programming & use; audit & information security.

Penetration test execution: To demonstrate the capability, rapidity & depth of penetration. To determine the organization’s ability to protect itself (from being altered, made unavailable for use, being disclosed). Provide management report that includes: identification of security flaws (demonstrated effect of flaws), verification of levels of existing infiltration resistance, appropriate recommendations.

Military-oriented war: Examples - virus attacks on enemy systems, intercepting transmissions & implanting code to dump enemy database, attaching worm to enemy radar signal to destroy computer network, modify content of intercepted TV & radio signals to provide disinformation, saturate enemy computers, hack enemy networks, modify maintenance & logistics system info.

Economic espionage: government-oriented activity to provide competition-enhancing information to favored businesses. Vulnerabilities: proprietary info not identified or adequately protected, transmission system inadequately protected, unaware employees, etc.

Techno-terrorists: use force against persons/property to coerce government, are politically motivated, use intense fear. Potential tactics: destruction of information, interference with electronic circuits, disabling computer systems with high-energy beams (i.e., radio wave, microwave), penetrating systems & corrupting data (hospital records, government check processing, tax returns, train routing, etc.).

Types of Incidents

Virus: self-propagating, unauthorized computer instruction or data, spreads on contact, parasitic. Apparently started by Fred Cohen experiments (10/84). Original types: Boot infectors (move/overwrite original boot sector), System infectors (memory resident), General .com or .exe infectors (infects any .com or .exe file).

Virus examples: Stealth virus (hides from detection programs), Multipartite virus (infects in more than one place), Self-garbling virus (hides from detection programs by garbling most virus code. Garble can change each time spread. Header program degarbles virus body when run.), Polymorphic virus (self garbling, header changes each time spread)

Worm: propagates a working version to other computers, unauthorized instructions, spreads per instructions, self-contained program. Example - Morris worm (see URL for details): http://www.goldinc.com/html/maloy/SECURITY/morris_worm.html

Macro virus: macros are included in data files (i.e., auto-open in document template file). Macro languages allow programmers to edit, delete & copy files. The virus infects a macro & adds infected macros to existing documents (Winword.concept was the first macro virus discovered in the wild in 1995). Microsoft Word, Excel & Amipro were originally most affected.

Trojan horse/logic bomb: intentionally hidden code/text/circuitry, attacks when triggered.


MODULE 2

SECURITY ARCHITECTURE & MODELS

Multi-state describes a capability of a system to have a process in suspension which can be accessed (usually by an interrupt); all of the process’s variables and boundaries are kept active, and the system can effectively switch between states almost instantaneously.

(MULTICS actually had seven rings). For more, go here: http://www.mit.edu:8001/afs/net/user/srz/www/multics.html

Ring 1 the Operating system security kernel

Ring 2 the other OS functions - peripheral control

Ring 3 System utilities: sort, database functions etc.

Ring 4 Application space

Outer rings access inner functions through system calls

System design issues can reduce data confidentiality weakness.

Strong Typing – used in AS/400 and Sidewinder firewall (Secure Computing)

TOCTOU is a special class of issues related to system timing.

Consider the case where system access is only checked at log-in, then a user is deleted while already logged-on.
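As an added example (not part of the course material), the stale-authorization case just described in constructed Python: a session that caches the log-in check keeps granting access after the account is deleted, shown beside two mitigations, re-validating against the directory at each use and revoking live sessions when the account is deleted. The directory, user name and permission strings are all constructed.

```python
# Added example: time-of-check (log-in) vs time-of-use (each operation).
# Everything here is constructed; UserDirectory stands in for an LDAP/AD.
from dataclasses import dataclass, field


@dataclass
class UserDirectory:
    """Authoritative account store (constructed)."""
    users: dict = field(default_factory=dict)       # name -> set of permissions
    session_store: "SessionStore | None" = None     # notified when an account goes away

    def add_user(self, name, perms):
        self.users[name] = set(perms)

    def permissions(self, name):
        """None means the account no longer exists."""
        return self.users.get(name)

    def delete_user(self, name):
        self.users.pop(name, None)
        if self.session_store is not None:          # mitigation 2: kill live sessions
            self.session_store.revoke_all(name)


class CachedSession:
    """Vulnerable pattern: permissions are read once at log-in (time of check)
    and trusted for every later operation (time of use)."""
    def __init__(self, directory, name):
        perms = directory.permissions(name)
        if perms is None:
            raise PermissionError(f"unknown user {name}")
        self.name = name
        self._cached = set(perms)

    def can(self, action):
        return action in self._cached                # never re-validated


class RevalidatingSession:
    """Mitigation 1: the session carries only the identity; each use re-reads
    the authoritative directory, so deletion takes effect immediately."""
    def __init__(self, directory, name):
        if directory.permissions(name) is None:
            raise PermissionError(f"unknown user {name}")
        self.directory = directory
        self.name = name

    def can(self, action):
        perms = self.directory.permissions(self.name)
        return perms is not None and action in perms


class SessionStore:
    """Mitigation 2: keep the cache for speed, but let the directory revoke
    sessions the moment an account is deleted; a revoked session denies all."""
    def __init__(self):
        self.sessions = {}                            # session id -> record
        self._next_id = 0

    def login(self, directory, name):
        perms = directory.permissions(name)
        if perms is None:
            raise PermissionError(f"unknown user {name}")
        self._next_id += 1
        self.sessions[self._next_id] = {"name": name, "perms": set(perms), "active": True}
        return self._next_id

    def can(self, sid, action):
        rec = self.sessions.get(sid)
        return bool(rec and rec["active"] and action in rec["perms"])

    def revoke_all(self, name):
        for rec in self.sessions.values():
            if rec["name"] == name:
                rec["active"] = False


def demo():
    """Decisions (cached, revalidating, revocable) before and after deletion."""
    store = SessionStore()
    directory = UserDirectory(session_store=store)
    directory.add_user("alice", {"read_payroll"})   # constructed account

    cached = CachedSession(directory, "alice")
    reval = RevalidatingSession(directory, "alice")
    sid = store.login(directory, "alice")

    before = (cached.can("read_payroll"), reval.can("read_payroll"),
              store.can(sid, "read_payroll"))
    directory.delete_user("alice")                   # while alice is still logged on
    after = (cached.can("read_payroll"), reval.can("read_payroll"),
             store.can(sid, "read_payroll"))
    return before, after


if __name__ == "__main__":
    print(demo())   # ((True, True, True), (True, False, False))
```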

The authors are David Bell and Leonard LaPadula.

[Diagram: Bell-LaPadula - Mandatory AC, B LEVEL CONTROL, CONFIDENTIALITY; arrows labelled W, R and R/W.]

This is a diagram to help explain the Bell-LaPadula model. Let’s assume there are 3 layers of secrecy or sensitivity regarding our data - the layer our data resides in, a layer of higher secrecy, and a layer of lower secrecy.

1. The Simple Security Property says that if you have Read capability, you can read data at your level of secrecy, you can read data at a lower layer of secrecy, but you must not read data at a higher layer of secrecy. Otherwise, you would be reading someone else’s secrets you are not entitled to.

2. The Star Property says that if you have Write capability, you can write data at your level of secrecy, you can write your secret data to a higher layer of secrecy without compromising its value, but you must not write your secret data to a lower layer of secrecy. Otherwise, you would be divulging your secrets to others who are not entitled to see it.

3. The Strong Star Property says that if you have both Read and Write capabilities, you can read and write your data to your level of secrecy, but you cannot read and write to levels of higher secrecy or lower secrecy. Otherwise, you would have the problems experienced by the previous 2 properties.

To help you remember this model, call it the “Read Down - Write Up” model.


BIBA

[Diagram: BIBA - INTEGRITY; arrows labelled R, R/W and W.]

This is a diagram to help explain the Biba model. Let’s assume there are 3 layers of accuracy or integrity regarding our data - the layer our data resides in, a layer of higher accuracy, and a layer of lower accuracy.

1. The Simple Integrity Property says that if you have Read capability, you can read in data at your level of accuracy, you can read in data from a higher layer of accuracy, but you must not read in data from a lower layer of accuracy. Otherwise, you would risk contaminating the accuracy of your data.

2. The Integrity Star Property says that if you have Write capability, you can write data at your level of accuracy, you can write your accurate data to a lower layer of accuracy without compromising the accuracy at that layer, but you must not write your accurate data to a higher layer of accuracy. Otherwise, you would risk contaminating the data at that higher layer.

You’ll notice that this diagram is almost the exact opposite of the Bell-LaPadula model.

To help you remember this model, call it the “Read Up - Write Down” model.
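Added example, not from the CBK notes: a small reference-monitor style check that encodes both models above, the Bell-LaPadula secrecy properties (Simple Security, Star, and the Strong Star Property as the notes describe it) and the Biba integrity properties (Simple Integrity and Integrity Star). The level names and their ordering are constructed for illustration; the decision table makes the "Read Down - Write Up" versus "Read Up - Write Down" mirror image visible for one subject.

```python
# Added example, not from the CBK notes: a reference-monitor style check of
# the Bell-LaPadula secrecy properties and the Biba integrity properties.
# The level names and their ordering are constructed for illustration.

from typing import Dict, List

# Totally ordered lattices, lowest level first (constructed).
SECRECY_LEVELS: List[str] = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
INTEGRITY_LEVELS: List[str] = ["LOW", "MEDIUM", "HIGH"]


def _rank(level: str, lattice: List[str]) -> int:
    """Position of a level in its lattice; an unknown label raises ValueError."""
    return lattice.index(level)


def blp_allows(subject: str, obj: str, mode: str, strong_star: bool = False) -> bool:
    """Bell-LaPadula: Simple Security = no read up; *-property = no write down.
    strong_star=True applies the Strong Star Property as the notes describe it:
    both read and write are confined to the subject's own level."""
    s, o = _rank(subject, SECRECY_LEVELS), _rank(obj, SECRECY_LEVELS)
    if strong_star:
        return o == s
    if mode == "read":
        return o <= s          # read down or at own level
    if mode == "write":
        return o >= s          # write up or at own level
    raise ValueError(f"unknown mode {mode!r}")


def biba_allows(subject: str, obj: str, mode: str) -> bool:
    """Biba: Simple Integrity = no read down; Integrity * = no write up."""
    s, o = _rank(subject, INTEGRITY_LEVELS), _rank(obj, INTEGRITY_LEVELS)
    if mode == "read":
        return o >= s          # read up or at own level
    if mode == "write":
        return o <= s          # write down or at own level
    raise ValueError(f"unknown mode {mode!r}")


def decision_table(subject_secrecy: str, subject_integrity: str) -> Dict[str, Dict[str, bool]]:
    """What one subject may do to every level of each lattice; shows the mirror image."""
    table: Dict[str, Dict[str, bool]] = {}
    for lvl in SECRECY_LEVELS:
        table["BLP/" + lvl] = {m: blp_allows(subject_secrecy, lvl, m) for m in ("read", "write")}
    for lvl in INTEGRITY_LEVELS:
        table["Biba/" + lvl] = {m: biba_allows(subject_integrity, lvl, m) for m in ("read", "write")}
    return table


if __name__ == "__main__":
    for target, modes in decision_table("SECRET", "MEDIUM").items():
        print(f"{target:18} read={modes['read']!s:5} write={modes['write']}")
```

Run stand-alone it prints the table for a SECRET / MEDIUM subject: reads are permitted at or below SECRET but at or above MEDIUM, writes at or above SECRET but at or below MEDIUM, which is exactly the opposite orientation the notes point out.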


[5] Biba, Kenneth J. "Integrity Considerations for Secure Computer Systems", MTR-3153, The MITRE Corporation, April 1977.

[6] Bell, David E.; LaPadula, Leonard J. "Secure Computer System: Unified Exposition and Multics Interpretation", MTR-2997, The MITRE Corporation, March 1976.

This diagram shows how each criterion is built on those that went before.

[Diagram: ITSEC ’91 and the earlier criteria it builds on]

TCSEC - Trusted Computer System Evaluation Criteria

TNI - Trusted Network Interpretation

TDI - Trusted Database Interpretation

CSSI - Computer Sub-System Interpretation

CTCPEC - Canadian Trusted Computer Product Evaluation Criteria

ITSEC - Information Technology Security Evaluation Criteria


[Diagram: Network Security Framework Document - panels: Detect and React Overview; PKI/KMI Overview; Protect WAN Overview; Protect Boundary Overview; Protect Inside Enclave Overview; Technology Specific Security Specifications/Requirements; Common Criteria Protection Profiles]

H/W F/W = HardWare/FirmWare

Trusted Computer System Evaluation Criteria (TCSEC):

Implementation of the Bell & LaPadula secrecy model

Trusted systems - TCSEC classes

Div. D: minimal protection

Div. C: discretionary protection

Class (C1): discretionary security protection

Class (C2): controlled access protection

Div. B: mandatory protection

Class (B1): labeled security protection

Class (B2): structured protection

Class (B3): security domains

Div. A: verified protection

Class (A1): verified design


Again, because ITSEC ratings come in pairs, you can have, for example, F-IN, E4 or F-AV, E2, and so on.

ITSEC Functionality Classes corresponding to TCSEC

ITSEC         TCSEC
              D
F-C1, E1   =  C1
F-C2, E2   =  C2
F-B1, E3   =  B1
F-B2, E4   =  B2
F-B3, E5   =  B3
F-B3, E6   =  A1

F = Functionality rating; E = Assurance Evaluation rating

For more, go here: http://www.boran.com/security/itsec.htm

CHANGE CONTROL

Downloading - consider backup before changes:

1. Protects integrity and availability.

2. Reduces re-downloading if downloaded data is lost or destroyed.

3. Software should perform automatic backup.

Backup system selection considerations:

1. Size of application

2. Size of uploaded or downloaded files

3. Subsequent processing of data

4. Frequency of uploading and downloading

Program change controls

• Applications centrally developed

• Security review change control procedures during system audit

• Production program change procedure:

- Programmer changes source code on test version

- Program tested with test data

- Program reviewed & approved by program manager

- Test code copied to production source library

- No programmer access & change without following procedure

Unique names are necessary to avoid confusion and misrouting and can be a problem because different locations may be responsible for registering users or nodes.


Some clients & servers actually examine each others content or code to ensure they’re talking to the intended process. Others employ some mechanism (e.g., pair-wise authentication) to be confident they know that they are talking to the expected instance of each other. Pair-wise authentication techniques are resistant to spoofing and playbacks.

For example, www browsers & servers can use crypto protocols like secure socket layer (SSL) or secureIP. SSL always authenticates the server to the client but, optionally, it may authenticate the client to the server.

Communication protocols are the formal languages that clients & servers use to talk to each other. TCP/IP is most widely used. Application Programming Interfaces (APIs) are how clients & servers appear to each other’s programs & programmers. APIs permit clients to use servers that implement a service without having to know anything else about the service (e.g., SQL: clients don’t have to know anything about the database server or vice versa).

Database servers control access to such database abstractions as tables, views, rows, and columns.

Identification & authentication - each process has some expectation of behavior of the other & will not work if that behavior is not exhibited.

Some servers will refresh the client code with trusted code to ensure the client can be trusted.

In addition to logs & journals, a complete audit trail will include source documents, statements, confirmations, reconciliation reports, and application journals. These must refer to the external environment (who, what, where, & when) and to each other.

Alarms - We’re talking intrusion detection. Whole servers may be dedicated to sophisticated intrusion detection. These servers monitor the traffic visible to them on the network looking for patterns that are typical of attacks in general, which are specific to known attacks, or which are simply unexpected. These include such products as NetRanger, Session Wall, & Network Flight Recorder.

Isolation - Clients & servers implemented on separate hardware platforms provide very reliable process-to-process isolation. The client can’t make any persistent change to the programs or procedures of the server. The server allows the client to change client data on the server but this can be limited & controlled. This form of isolation is more reliable than that on a single multi-user platform. Clients may execute code downloaded from servers but this is a violation of process-to-process isolation and makes them vulnerable to a Trojan Horse attack. Therefore, clients must be careful to deal with trusted servers, prefer signed code, & take steps to protect their files from arbitrary acts by imported code.

Cooperation - It’s unlikely that either could accomplish all objectives by itself. This includes control objectives such as error detection & correction.

MODULE 3


ACCESS CONTROL SYSTEMS AND METHODOLOGY

Layers of Control

Some personnel controls include:

1. Employee signs Information Security Agreement upon hiring. Employee understands organization’s Security Policy and consequences of violations of that Policy.

2. Require employee to take vacations

3. Employee departure issues:

- If hostile, have employee leave immediately

- Availability (encryption keys used by employee)

- Review of non-disclosure agreement

Last bullet- An example of separation of work areas and duties is to keep programmers out of the computer room.

Access to Network

Built-in Security Controls, Issues - different administrative domains:

- need to authenticate accessing individual

- enforcement of security policies among domains

- handling of multi-level security policies

Network Control Center - provides hardware and software to support data base with information on routers, communications software, hosts and information exchange among network resources

Network Interface Unit (Network Interface Card) - connects hosts and workstations to the network (LAN); usually implemented at Layer 2 (Data Link) of the ISO OSI model

Routers - can implement packet filtering (based on packet source and destination addresses and rules), routing according to policy requirements regarding security. A router is machine and OS independent; transfers data between networks of different technologies

Access to applications, files, records, fields

Authorization tables - define privileges subject has to an object (read/write etc.).

An example is IPSec which provides authenticity and confidentiality services through the Authentication Header (AH) and Encapsulating Security Payload (ESP). AH authenticates the TCP/IP connection and ESP provides confidentiality and integrity services for TCP/IP packets.

Files can be encrypted with DES or other encryption algorithms


Passwords can be encrypted. (One way encryption for storage using a hash function)

Deterrence

Ensure that personnel realize that “bad” things can happen to them if the organization’s security policy is violated. Serious violations can involve law enforcement and possible arrest.

Another deterrent is to emphasize that even if it is possible to break into the network, data are protected to the degree that nothing of value can be accessed.

Note that biometrics are used for Identification in Physical Controls and Authentication in Technical (Logical) Controls.

Definitions

Some historical definitions that are relevant here and in other modules:

1. Monitor - Mechanism that monitors all access operations. (Graham & Denning, 1972, Protection Principles and Practices, Proceedings of the 1972 Spring Joint Computer Conference, 417-429, Montvale, NJ, AFIPS Press)

2. Reference Monitor - General mechanism that ensures that each access is authorized by the access matrix (Anderson, 1972, Computer Security Technology Planning Study, Report ESD-TR-73-51, Vol. I AD 758206, Bedford, MA; U.S. Air Force Electronic Systems Division)

Good slide presentation (although it is NT based) at: http://cs.gmu.edu/~dsaridak/osbook/nt/sld034.html

Technical (Logical Controls) should be self protecting.

Dial up access control systems utilize passwords and PIN numbers to authenticate the user.

In call back systems, the user dials in to the computer system, provides an ID and password and then hangs up. The system then looks up an authorized telephone number corresponding to the ID in a table and calls back utilizing that number. The user usually has to enter another password upon answering.

Disadvantages of call back include:

1. Password may be compromised since it is available in the clear

2. Circumventing by call forwarding to another number

3. User must be at a fixed location corresponding to the number in the table

Audit trails must be protected from compromise or erasure

Violation reports identify activities that may portend a breach or attempted breach of the system access controls. An example is numerous attempts at logging in trying different passwords.


“Clipping levels” are implemented that report only suspected violations that rise above a “normal” threshold of events that occur in the regular order of business.

Intrusion detection systems automatically acquire data on user activity and attempt to identify and detect incidents of misuse. Statistical and artificial intelligence techniques are utilized to flag deviations from patterns of “normal” usage or to compare suspect attacks against a data base of known attack signatures. Intrusion detection systems monitor misuse or attempted misuse from internal as well as external sources.

To be used in Court, these methods should be reviewed regularly in the normal order of business.

Clipping levels should be set to reduce the volume of data to be evaluated.

Keystroke monitoring is performed on a specific sequence such as a password or can be conducted during a session.

Keystroke monitoring should be based on an organizational information security policy, should be well communicated and must apply to all in the organization. These actions legitimize its use.

Time is needed to review the audit information.

Review and analysis of audit data can be expedited by setting clipping levels and by automated tools.

It is possible to record data selectively based on user or object attributes (Class B1 systems).

Exception reports note suspicious events (failed logins)

Preventive audit - accumulating events that may portend misuse

Initiate real- time alarms when thresholds passed (Class B3)
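Added example, not from the CBK notes: a clipping-level exception report run over a constructed audit trail. The clipping level is the count of failed logons that is tolerated as the normal order of business; only users whose failures inside a sliding window rise above it are reported, so the reviewer sees the suspected violations rather than the whole trail. The record layout, user names and window size are constructed.

```python
# Added example, not from the CBK notes: a clipping-level exception report
# over a constructed audit trail. A user is reported only when their failed
# logons inside a sliding window exceed the clipping level; the ordinary
# background of occasional failures stays below it and is never shown.

from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample audit records: ISO timestamp, user ID, outcome.
AUDIT_TRAIL: List[str] = [
    "2020-04-12T08:00:01 alice FAIL",
    "2020-04-12T08:00:05 alice FAIL",
    "2020-04-12T08:00:09 alice FAIL",
    "2020-04-12T08:00:12 alice FAIL",
    "2020-04-12T08:00:15 alice OK",
    "2020-04-12T08:02:00 bob FAIL",
    "2020-04-12T08:02:30 bob OK",
    "2020-04-12T09:00:00 carol FAIL",
    "2020-04-12T09:30:00 carol FAIL",
    "2020-04-12T10:00:00 carol FAIL",
    "2020-04-12T10:30:00 carol FAIL",
]


def parse_record(line: str) -> Tuple[datetime, str, str]:
    """Split one audit record into (timestamp, user, outcome)."""
    ts, user, outcome = line.split()
    return datetime.fromisoformat(ts), user, outcome


def exception_report(lines: List[str], clipping_level: int, window_minutes: int) -> Dict[str, int]:
    """Users whose peak failure count in any window of window_minutes exceeds the
    clipping level, with that peak. A successful logon does not reset the count,
    so a guessing run that eventually succeeds is still reported."""
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for ts, user, outcome in sorted(parse_record(line) for line in lines):
        if outcome != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:        # discard failures that fell out of the window
            q.popleft()
        peak[user] = max(peak[user], len(q))
    return {user: n for user, n in peak.items() if n > clipping_level}


if __name__ == "__main__":
    print(exception_report(AUDIT_TRAIL, clipping_level=3, window_minutes=5))
```

The window matters as much as the level: with a 5-minute window only alice (four failures in 11 seconds) is reported, while carol’s slow run of one failure every 30 minutes surfaces only when the window is widened to two hours. Both settings are organisational choices that should be documented so the report can be relied on in the normal order of business.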

Non-repudiation is the inability of a sender to deny sending a message and of a receiver, who admits receiving a particular message, to declare that a different message was received.

The audit trail data should be protected at the most sensitive system level.

Definitions

Well Formed Transaction (Clark-Wilson Model)

* Data objects whose integrity is to be maintained are constrained data items (CDI)

* CDI’s are transformed only through transformation procedures (TP’s)

* IVP - Integrity Verification Procedure - which assures that all CDI’s are in a valid state; checks for internal and external consistency

* Only TP’s can operate on CDI’s

* Authorship must be logged
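Added example, not from the CBK notes: a toy Clark-Wilson enforcement layer that puts the bullets above into code. Account balances are the constrained data items, a transfer routine is the only certified transformation procedure, an integrity verification procedure checks internal consistency (no negative balance) and external consistency (the ledger total matches a control total), and every TP run is logged with its author. The account names, users and the consistency rules are constructed.

```python
# Added example, not from the CBK notes: a toy Clark-Wilson enforcement layer.
# CDIs may only be changed through certified TPs, an IVP validates the CDIs
# before a TP's result is accepted, and authorship is logged. Names constructed.

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class CDIStore:
    """Holds the constrained data items and enforces the Clark-Wilson rules."""
    accounts: Dict[str, int] = field(default_factory=dict)      # CDIs: account -> balance
    control_total: int = 0                                       # external reference total
    log: List[Tuple[str, str]] = field(default_factory=list)     # authorship log (user, TP)
    tps: Dict[str, Callable] = field(default_factory=dict)       # certified TPs by name
    allowed: Dict[str, Set[str]] = field(default_factory=dict)   # user -> TPs they may run

    def ivp(self) -> bool:
        """Integrity Verification Procedure: every CDI is in a valid state."""
        internal_ok = all(balance >= 0 for balance in self.accounts.values())
        external_ok = sum(self.accounts.values()) == self.control_total
        return internal_ok and external_ok

    def certify_tp(self, name: str, fn: Callable, users: Set[str]) -> None:
        """Register a TP and the users permitted to run it."""
        self.tps[name] = fn
        for user in users:
            self.allowed.setdefault(user, set()).add(name)

    def run_tp(self, user: str, name: str, *args) -> None:
        """Only a certified TP, run by a user authorised for it, may touch CDIs."""
        if name not in self.tps:
            raise PermissionError(f"{name} is not a certified TP")
        if name not in self.allowed.get(user, set()):
            raise PermissionError(f"{user} may not run {name}")
        snapshot = dict(self.accounts)
        self.tps[name](self, *args)
        if not self.ivp():              # a TP must move CDIs from one valid state to another
            self.accounts = snapshot
            raise ValueError(f"{name} would leave CDIs in an invalid state; rolled back")
        self.log.append((user, name))   # authorship must be logged


def transfer(store: CDIStore, src: str, dst: str, amount: int) -> None:
    """A transformation procedure that moves value between two accounts."""
    store.accounts[src] -= amount
    store.accounts[dst] += amount


def demo() -> CDIStore:
    """Constructed scenario: one authorised transfer against a 150-unit ledger."""
    store = CDIStore(accounts={"ops": 100, "payroll": 50}, control_total=150)
    store.certify_tp("transfer", transfer, users={"alice"})
    store.run_tp("alice", "transfer", "ops", "payroll", 30)
    return store


if __name__ == "__main__":
    s = demo()
    print(s.accounts, s.log, s.ivp())
```

The IVP runs after every TP, and a TP that would overdraw an account is rolled back rather than recorded, so the CDIs never rest in an invalid state. Python cannot stop code from writing to `accounts` directly; the separation the model requires is that all production paths go through `run_tp`, which is what the change-control procedure earlier in these notes exists to guarantee.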


Brute force - try all possible methods

Dictionary - try all possible passwords

Spoofing - one person or process pretends to be a person or process with more privileges

Denial of Service - preventing authorized users from having access to the system by “hogging” all services.

Definitions:

Social engineering: - utilizing social skills to deceive people and trick them into revealing secrets.

Covert channel: - a channel that violates the organization’s security policy through an unintended communications path. Covert channels have the potential for occurring when two or more subjects or objects share a common resource. This type of unintended communication can be used to violate the *- property of the Bell LaPadula model.

Timing channel: - using timing of occurrences of an activity to transfer information in an unintended manner. Saturating or not saturating a communications path in a timed fashion can transfer information to a receiver observing the communication path in synchronism with the sender.

Storage channel: - utilizes changes in stored data to transfer information in an unintended manner. Filling or clearing a memory area by a sender can indicate a 1 or 0 to a receiver reading the same memory area.

Malicious code: - code that can gain access to a system and, in executing, violates security policy. Examples include viruses, Trojan horses and worms.

Mobile code: - code that is transferred from one resource to another for execution. An example is Java applets written in the Java programming language that are transferred from a server to a client for execution. Java code executed inside a Web Browser can reveal information that is on the local hard drive. Also, a HTTP Header will report information that Web Browsers will provide, such as last addressed IP address, machine IP address, username, password and Browser type.

The object reuse/remanence issue is one that continues to be controversial. The issue centers on whether overwriting is the best method (supported by private industry because of the relative difference in cost between degaussing and overwriting, and the availability of effective degaussing machines), or degaussing (which is supported by certain sensitive sectors in the U.S. Government). Some concerns are:

* Failure of overwrite program

-Errors during operation

-Inability to overwrite unusable sectors


* Inadequate degaussing

-Operator error

-Degausser failure

Test periodically - at least at 6 month intervals.

Definitions

TEMPEST - one definition is Transient Electromagnetic Pulse Emanation Standard.

Masking by software - device driver that develops a cancellation signal that cancels emanating characters.

Programmers brought into an organization to implement Y2K “fixes” had access to sensitive and critical areas of code and therefore had the potential of inserting malicious code.

Definitions

Review of terms in Biometrics

False reject rate - percentage of authorized individuals who are erroneously rejected by the biometric system

False accept rate - percentage of unauthorized individuals who are erroneously accepted by the biometric system

Crossover error rate - rate at which false accept rate = false reject rate

(The smaller the value of CER, the better is the system)

[Figure: False Accept Rate and False Reject Rate plotted against Sensitivity; the curves meet at the Crossover Error Rate (CER)]
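Added example, not from the CBK notes: computing the false accept rate, false reject rate and crossover error rate from constructed match scores. The threshold (sensitivity) sweeps across the score range; FAR falls and FRR rises as it increases, and the CER is read off where they meet. The genuine and impostor score lists are constructed and are not measurements of any real system.

```python
# Added example, not from the CBK notes: FAR, FRR and the crossover error rate
# from constructed match scores. Higher score = closer match; a score at or
# above the threshold is accepted.

from typing import List, Tuple

# Constructed sample scores on a 0..100 scale (not real measurements).
GENUINE: List[int] = [55, 62, 70, 74, 78, 81, 85, 88, 91, 95]    # authorised users
IMPOSTOR: List[int] = [10, 18, 25, 31, 40, 48, 57, 63, 66, 72]   # unauthorised users


def rates_at(threshold: int, genuine: List[int], impostor: List[int]) -> Tuple[float, float]:
    """Return (FAR, FRR) for one threshold setting.
    FAR = fraction of impostors accepted; FRR = fraction of genuine users rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Sweep the threshold; return the first threshold where |FAR - FRR| is
    smallest and the CER (mean of the two rates) at that point."""
    best_t, best_gap, best_cer = 0, float("inf"), 1.0
    for t in range(0, 101):
        far, frr = rates_at(t, genuine, impostor)
        gap = abs(far - frr)
        if gap < best_gap:
            best_t, best_gap, best_cer = t, gap, (far + frr) / 2
    return best_t, best_cer


if __name__ == "__main__":
    t, cer = crossover(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t}: CER = {cer:.2f}")
    for t in (50, 64, 80):
        far, frr = rates_at(t, GENUINE, IMPOSTOR)
        print(f"threshold {t:3}: FAR={far:.2f} FRR={frr:.2f}")
```

For the constructed data the curves meet at a threshold of 64 with a CER of 0.20; a system whose genuine and impostor score distributions overlap less would cross at a lower rate, which is why the smaller CER is the better system. Raising the threshold past the crossover trades false accepts for false rejects, which is the sensitivity adjustment the figure above illustrates.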


Passphrase - a phrase you can remember; take a letter from each word of a passphrase and use the result as a password. (It Was A Dark And Stormy Night)…..password is IWADASN

Suspend ID.

“x” (time interval) is an organization selected number, usually between 3 and 10. This is an important control to prevent hackers from a brute force attack (trying all combinations of ID and password). Rather than suspending the ID, some organizations make users wait a period of time before trying to logon again (5 minutes the first time, 15 the second, 60 the third, etc.).
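Added example, not from the CBK notes: the two controls just described, suspending an ID after x failed attempts or imposing the escalating 5/15/60-minute wait, implemented as a small per-ID state machine. The value of x is chosen by the caller; timestamps are passed in explicitly so the behaviour can be exercised offline. The user IDs and the `simulate` helper are constructed.

```python
# Added example, not from the CBK notes: failed-logon handling per ID.
# "suspend" mode suspends the ID after x consecutive failures; "delay" mode
# imposes an escalating wait of 5, 15 then 60 minutes (the schedule from the
# notes) each time x failures accumulate. Timestamps are supplied by the caller.

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

WAIT_MINUTES = [5, 15, 60]   # after the 1st, 2nd and 3rd lockout; the last value repeats


@dataclass
class IdState:
    failures: int = 0                      # consecutive failures in the current block
    lockouts: int = 0                      # how many waits have been imposed so far
    locked_until: Optional[datetime] = None
    suspended: bool = False


class LogonGuard:
    def __init__(self, x: int, mode: str = "suspend") -> None:
        if mode not in ("suspend", "delay"):
            raise ValueError("mode must be 'suspend' or 'delay'")
        self.x = x
        self.mode = mode
        self.state: Dict[str, IdState] = {}

    def attempt(self, user_id: str, password_ok: bool, now: datetime) -> str:
        """Process one logon attempt and return its outcome."""
        st = self.state.setdefault(user_id, IdState())
        if st.suspended:
            return "suspended"                      # only an administrator can reinstate
        if st.locked_until is not None and now < st.locked_until:
            return "locked"                         # even a correct password is refused
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures < self.x:
            return "failed"
        st.failures = 0                             # x reached: apply the control
        if self.mode == "suspend":
            st.suspended = True
            return "suspended"
        minutes = WAIT_MINUTES[min(st.lockouts, len(WAIT_MINUTES) - 1)]
        st.lockouts += 1
        st.locked_until = now + timedelta(minutes=minutes)
        return f"wait {minutes}m"


def simulate(mode: str, x: int, outcomes: List[bool], step_minutes: int = 1) -> List[str]:
    """Constructed helper: feed a sequence of attempts for one ID, spaced
    step_minutes apart, and collect the guard's responses."""
    guard = LogonGuard(x, mode)
    t0 = datetime(2020, 4, 12, 8, 0)
    return [guard.attempt("user1", ok, t0 + timedelta(minutes=step_minutes * i))
            for i, ok in enumerate(outcomes)]


if __name__ == "__main__":
    print(simulate("suspend", 3, [False, False, False, True]))
    print(simulate("delay", 2, [False] * 8, step_minutes=10))
```

While an ID is locked the guard refuses a correct password too; returning "ok" during the wait would tell a guesser which attempt was right and defeat the purpose of the delay.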

Definitions

Polonius pad is based on challenge-response scheme where sender and receiver know a common secret key and use it only one time.

Memory Card

1. Stores user’s ID, issuer’s identity and expiration date

2. Needs special card-reading equipment

3. Used with 4 - digit PIN (ATM cards)

Definitions

Smart Card

1. Has computer on-board

2. Used with PIN or password

3. Used in telephone calls and retail transactions

4. Verifies user’s PIN or password

5. Assembles data stream of user’s name, date, time and password

6. Enciphers message using secret key known to Application System (AS) and transmits to AS

7. Successful if AS can decode message

8. Also used for access control to workstations or PC’s

9. Can utilize public key cryptography

Sometimes called micro-controller cards.

Two factor - what you have and what you know.

A major advantage is that the logon process (ID & PW) is done at the reader instead of at the host. Therefore, the ID & PW aren’t exposed to hackers while in transit to the host.

Windows 2000 uses Kerberos model

Alternative to Kerberos is SESAME


Uses two tickets

Uses public/private key technology

Has a trusted authentication server at each host (simplifies key management)

1. Can have more than one domain on a server

2. A subject’s domain is the set of objects to which it has access

3. In the diagram, two distinct and separate security domains exist on the Server and only those individuals or subjects authorized can have access to the information on a particular domain.

Definitions

Relational model defines 5 primitive operations:

1. Select - defines a new relation made up of tuples that satisfy a formula. For example, all the tuples of employees whose employment status is part-time.

“Common uses for the tuple as a data type are (1) for passing a string of parameters from one program to another, and (2) representing a set of value attributes in a relational database”.

2. Project - defines a new relation by including a subset of attributes and removing duplicate tuples. For example, employees could be projected onto name and address to form a mailing list.

3. Union - If we have two relations, S and T, with compatible schemas, the union defines a new relation comprised of each tuple that is in S, in T, or in both S and T.

4. Minus - If we have two relations, S and T, with compatible schemas, the minus defines a new relation comprised of tuples that are in S but not in T.

5. Times - If we have two relations, S and T, with compatible schemas, times defines a new relation that is the Cartesian product of S and T. (Each tuple of T is appended to each tuple of S.)

Two further operations are built from these primitives:

6. Join (Equijoin) - selects tuples that have equal values for some attributes from the Cartesian product of S and T. For example, employees and department staffs can be joined by social security number.

7. View - new relations that are defined using basic operations of select, project and join. Views can hide attributes or implement content-dependent access restrictions.

Views support least privilege.


Cartesian product (n.) - A set of all pairs of elements (x, y) that can be constructed from given sets, X and Y, such that x belongs to X and y to Y.

Bind can be compared to a compiler and the Plan is the equivalent of the code generated by the compiler.

Definitions

Explicit

Access given by View - granting an individual access to a resource. (Put someone on the ACL)

Implicit

Grant to a role, then role can access.

Both implicit and explicit are discretionary. (Do not have labels applied to objects)

Data owner of data base can confer Grant capabilities to another user, USER1.

USER1 then can confer Grant capabilities to USER2.

However, if data owner does not wish USER1 to have the ability to confer GRANT capabilities to USER2, data owner can confer Select option to USER1.

A problem may arise with the latter item. In some instances, USER1 may be able to circumvent the intent of the data owner by making a copy of the data.

Then, USER1 is the owner of the copy and can confer Grant privileges to USER2.

Labels may be applied to fields, rows, columns, views, etc. (Re Orange Book)

Since labels affect performance, they are rarely used for elements more granular than views.

Definitions

Entity integrity

Tuple cannot have null value in primary key

Guarantees tuple uniquely identified by primary key value

Referential integrity

For any foreign key value, the referenced relation must have a tuple with the same value for its primary key

Prevents tuples from assignment to nonexistent attributes.
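Added example, not from the CBK notes, serving both the relational operations listed earlier (select, project, union, minus, times, plus join and a view) and the entity and referential integrity rules just above. Relations are modelled as a schema plus a set of tuples, so projection removes duplicates for free, and a view is simply a stored query that exposes only the attributes its users need. The EMPLOYEES and DEPTS data are constructed.

```python
# Added example, not from the CBK notes: the five primitive relational
# operations plus join and a view, on relations modelled as a schema (list of
# attribute names) and a set of tuples, with entity and referential integrity
# checks. The EMPLOYEES and DEPTS sample data are constructed.

from itertools import product
from typing import Callable, Dict, List, Set, Tuple


class Relation:
    """A relation: attribute names plus a set of tuples (a set, so no duplicates)."""

    def __init__(self, attrs: List[str], rows) -> None:
        self.attrs: List[str] = list(attrs)
        self.rows: Set[Tuple] = {tuple(r) for r in rows}

    def as_dicts(self) -> List[Dict]:
        return [dict(zip(self.attrs, row)) for row in self.rows]


def select(r: Relation, formula: Callable[[Dict], bool]) -> Relation:
    """Tuples of r that satisfy the formula."""
    return Relation(r.attrs, [tuple(d[a] for a in r.attrs) for d in r.as_dicts() if formula(d)])


def project(r: Relation, keep: List[str]) -> Relation:
    """Keep only the named attributes; the set type removes duplicate tuples."""
    idx = [r.attrs.index(a) for a in keep]
    return Relation(keep, [tuple(row[i] for i in idx) for row in r.rows])


def _require_compatible(s: Relation, t: Relation) -> None:
    if s.attrs != t.attrs:
        raise ValueError("union and minus need compatible schemas")


def union(s: Relation, t: Relation) -> Relation:
    _require_compatible(s, t)
    return Relation(s.attrs, s.rows | t.rows)


def minus(s: Relation, t: Relation) -> Relation:
    _require_compatible(s, t)
    return Relation(s.attrs, s.rows - t.rows)


def times(s: Relation, t: Relation) -> Relation:
    """Cartesian product: each tuple of t appended to each tuple of s."""
    return Relation(s.attrs + t.attrs, [a + b for a, b in product(s.rows, t.rows)])


def equijoin(s: Relation, t: Relation, on: str) -> Relation:
    """Select from the product the tuples whose `on` values are equal, keeping one copy of `on`."""
    i, j = s.attrs.index(on), len(s.attrs) + t.attrs.index(on)
    rows = [row[:j] + row[j + 1:] for row in times(s, t).rows if row[i] == row[j]]
    return Relation(s.attrs + [a for a in t.attrs if a != on], rows)


def entity_integrity(r: Relation, pk: str) -> bool:
    """No null primary key, and each key value identifies exactly one tuple."""
    keys = [row[r.attrs.index(pk)] for row in r.rows]
    return all(k is not None for k in keys) and len(keys) == len(set(keys))


def referential_integrity(child: Relation, fk: str, parent: Relation, pk: str) -> bool:
    """Every foreign key value must match a primary key value in the referenced relation."""
    ci, pi = child.attrs.index(fk), parent.attrs.index(pk)
    parent_keys = {row[pi] for row in parent.rows}
    return all(row[ci] in parent_keys for row in child.rows)


# Constructed sample data.
EMPLOYEES = Relation(
    ["ssn", "name", "address", "status", "dept"],
    [("111", "Ann", "1 Elm St", "full-time", "D1"),
     ("222", "Bob", "2 Oak St", "part-time", "D2"),
     ("333", "Cy", "2 Oak St", "part-time", "D1")],
)
DEPTS = Relation(["dept", "dname"], [("D1", "Operations"), ("D2", "Audit")])


def part_time_mailing_list() -> Relation:
    """A view: select part-time staff, then project to name and address only.
    The ssn and dept attributes never reach the view's users (least privilege)."""
    return project(select(EMPLOYEES, lambda d: d["status"] == "part-time"), ["name", "address"])


if __name__ == "__main__":
    print(sorted(part_time_mailing_list().rows))
    print(sorted(equijoin(EMPLOYEES, DEPTS, "dept").rows))
```

The view is the access-control point: a user granted the view sees two attributes of a subset of tuples and nothing else, which is the content-dependent restriction the notes describe. The integrity checks are what the database engine enforces on every insert so that a foreign key can never point at a department tuple that does not exist.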


The Row defines the capabilities that a subject has with respect to all objects in the Table. For example, Process A (subject) has read access to File X and Read/Write capability to File Y.

The Column is a control list and defines the subjects and their corresponding capabilities relative to a specific object. In the example chart, File X can be read by Process A and written to by Joe.

Supports integrity and confidentiality by limiting capabilities to write and/or read files.

Context- dependent

Uses knowledge of the context in which the decision is to be made, e.g., location, time of day, etc.

Run Confidential data in the morning and run Secret data in the afternoon

Configuration items include software, documentation, editors, compilers, firmware and configuration management tools.

Each configuration item has a unique identifier.

A specific configuration is built from the library of items.

Baseline is the set of configuration items at some identified point in the life cycle. This Baseline is the reference against which all changes must be approved.

Intrusion Detection (IDS) system looks for insider misuse as well as external intrusions.

IDS can be network-based or host-based.

Network-based IDS monitors network events in real-time and, thus, provides accurate data. It is passive and does not consume resources of the host network. Network-based IDS will not detect an attack against a specific host from the host’s console.

Host-based IDS will detect an attack on the host directly and will provide the ability to respond more effectively to an attack. The data available in the host are usually not sufficient to perform extensive intrusion detection. Host-based IDS consumes some of the host’s resources.

Assumes misuse pattern is unusual for the party being monitored

To generate the “normal” profile, statistical samples of the system are taken over a period of normal operation and use. These data are used to create metrics of certain system operations such as memory usage, CPU utilization and network packet traffic.

An advantage of this approach is that the IDS can detect new types of attacks.

A disadvantage is that the IDS will not detect an attack if it does not significantly affect the metrics being compiled.
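Added example, not from the CBK notes: a statistical anomaly detector of the kind described in the preceding paragraphs. A profile of "normal" operation is built from sample readings of memory usage, CPU utilization and packet traffic, and a new observation is flagged when any metric deviates from its baseline by more than a chosen number of standard deviations. The baseline readings, the observations and the z-score limit are constructed; the second observation shows the stated disadvantage, an event that leaves the metrics untouched is not flagged.

```python
# Added example, not from the CBK notes: a statistical anomaly detector.
# A profile (mean and standard deviation per metric) is built from samples
# taken during normal operation; an observation is flagged when a metric's
# z-score exceeds the limit. All readings are constructed.

from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed baseline samples taken during normal operation: metric -> readings.
BASELINE: Dict[str, List[float]] = {
    "cpu_pct":     [20, 22, 25, 19, 23, 21, 24, 22, 20, 23],
    "mem_mb":      [500, 510, 495, 505, 515, 500, 498, 507, 503, 509],
    "packets_sec": [800, 820, 790, 810, 830, 805, 815, 795, 825, 812],
}

Profile = Dict[str, Tuple[float, float]]   # metric -> (mean, standard deviation)


def build_profile(samples: Dict[str, List[float]]) -> Profile:
    """Summarise each metric's normal range from its baseline samples."""
    return {metric: (mean(values), pstdev(values)) for metric, values in samples.items()}


def deviations(profile: Profile, observation: Dict[str, float], z_limit: float = 3.0) -> Dict[str, float]:
    """Return the metrics whose z-score exceeds z_limit, with the score."""
    flagged: Dict[str, float] = {}
    for metric, (mu, sigma) in profile.items():
        if metric not in observation:
            continue                                  # metric not reported this interval
        value = observation[metric]
        if sigma == 0:                                # constant baseline: any change is anomalous
            z = 0.0 if value == mu else float("inf")
        else:
            z = abs(value - mu) / sigma
        if z > z_limit:
            flagged[metric] = round(z, 2)
    return flagged


PROFILE = build_profile(BASELINE)

# Constructed observations: a traffic flood, and an event that moves no metric.
FLOOD = {"cpu_pct": 95, "mem_mb": 505, "packets_sec": 20000}
QUIET = {"cpu_pct": 22, "mem_mb": 503, "packets_sec": 810}


if __name__ == "__main__":
    print("flood:", deviations(PROFILE, FLOOD))
    print("quiet:", deviations(PROFILE, QUIET))
```

The flood is caught without any signature for it, which is the advantage of the approach; the quiet event produces no alarm at all, which is the disadvantage. A practical deployment pairs this with signature matching and re-baselines the profile periodically so that a slowly changing workload does not drift into permanent alarm.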

Expert system is made up of:

1. Inference engine - processes knowledge available to the expert system using methods of searching for problem solutions

2. Knowledge base - typically IF-THEN rules that express expert knowledge

3. Reasoning methods are separate from knowledge base


MODULE 4

APPLICATIONS & SYSTEMS DEVELOPMENT SECURITY

References

PMI – Project Management Institute http://www.pmi.org/

CASE http://www.qucis.queensu.ca/Software-Engineering/tools.html

Ahh, The Old Windows Without Microsoft Trick: http://search.knowledgestor.com/info/com.g2news_csn_286_03.html

STRUCTURED DESIGN METHODOLOGIES: The “firehose technique” =

NOTE: Please respect the disclaimer! http://www.ul.ie/~cscw/shug/cs4417/

ODBC http://ourworld.compuserve.com/homepages/VBrant/ http://ourworld.compuserve.com/homepages/Ken_North/odbcmyth.htm


MODULE 5

OPERATIONS SECURITY

Physical access to both data center and restricted environments within areas such as the tape library. Are there technical controls as well and when they fail can you fall back on the physical?

Who’s watching the operator/system administrator?

Compensating controls are a combination of controls such as physical and technical or technical and administrative or all three.

Examples - Super User password under lock and key requiring two signatures to unlock.

Banks where it takes 2 keys to open vault.

Card access to data center with in and out log.

True fault tolerant systems are designed to have redundancy and will automatically fail over.

Fail over - when one system/application fails, operations will automatically switch to the backup system. Designed to be transparent to the users.

Fault resilient systems are designed without redundancy and in the event of failure result in slightly longer downtime. The differences in percent uptime and downtime are slightly higher than fault tolerant.

Common Criteria language includes:

Degraded Fault Tolerance - specifies which capabilities the TOE will still provide after a failure of the system. Examples of general failures are flooding of the computer room, short term power interruption, breakdown of a CPU or host, software failure, or buffer overflow. Only functions specified must be available.

Limited Fault Tolerance - specifies against what type of failures the TOE must be resistant. Examples of general failures are flooding of the computer room, short-term power interruption, breakdown of a CPU or host, software failure, or overflow of buffer.

Requires all functions to be available if specified failure occurs.

Continuity of operations includes continuity of controls across states.

Operating software refers to both the configuration and inventory.

Audit trail of who checked out media tapes and when.

Common Criteria for audit requirements for distributed environments - audit requirements for networks and other large systems may differ significantly from those needed for stand-alone systems.

September 13, 2002 Page 29 of 79


• Larger, more complex and active systems require more thought concerning which audit data to collect and how this should be managed, due to lowered feasibility of interpreting (or even storing) what gets collected.

• The traditional notion of a time-sorted list or “trail” of audited events may not be applicable in a global asynchronous network having (arbitrarily) many events occurring at once.

• A multi-object audit repository, portions of which are accessible by a potentially wide variety of authorised users, may be required if audit repositories are to serve a useful function in distributed systems.

• Misuse of authority by authorised users should be addressed by systematically avoiding local storage of audit data pertaining to administrator actions.

Rainbow series guidelines - Orange Book

Detailed discussion in Architecture domain. Referring to levels of trust.

Common Criteria - security management roles - reduces the likelihood of damage resulting from users abusing their authority by taking actions outside their assigned functional responsibilities. It also addresses the threat that inadequate mechanisms have been provided to securely administer the TSF (TOE security functions). Requires that information be maintained to identify whether a user is authorised to use a particular security-relevant administrative function. Some management actions can be performed by users; others only by designated people within the organisation. Allows the definition of different roles, such as owner, auditor, administrator, daily-management. The roles as used in this family are security related roles. Each role can encompass an extensive set of capabilities (e.g. root in UNIX), or can be a single right (e.g. right to read a single object such as the help-file). Some type of roles might be mutually exclusive. For example the daily-management might be able to define and activate users, but might not be able to remove users (which is reserved for the administrator (role)). This class will allow policies such as two-person control to be specified.

Security roles: roles that are recognised by the system. These are the roles that users could occupy with respect to security. Examples are: owner, auditor and administrator.

Restrictions on security roles: conditions that govern role assignment. Examples of these conditions are: “an account cannot have both the auditor and administrator role” or “a user with the assistant role must also have the owner role”.

Assuming roles - roles that require an explicit request to be assumed. Examples are: auditor and administrator. Ensuring that the integrity of the system is restored.


Trusted Recovery: Ensure that the TSF can determine that the TOE (system, application) is started up without protection compromise and can recover without protection compromise after discontinuity of operations. This is important because the start-up state of the TSF determines the protection of subsequent states.

Manual recovery: allows a TOE to only provide mechanisms that involve human intervention to return to a secure state.

Automated recovery: provides, for at least one type of service discontinuity, recovery to a secure state without human intervention; recovery for other discontinuities may require human intervention. (hierarchical to manual recovery).

Automated recovery without undue loss: also provides for automated recovery, but strengthens the requirements by disallowing undue loss of protected objects.(hierarchical to automated recovery).

Function recovery: provides for recovery at the level of particular SFs (security functions), ensuring either successful completion or rollback of TSF data to a secure state.

References

(ISC)2 http://www.isc2.org

Common Criteria http://csrc.nist.gov/cc/

Rainbow Series http://csrc.nist.gov/secpubs/rainbow/

Glossary of InfoSec and InfoSec Related Terms http://security.isu.edu/infosec_glossary.html

MODULE 6

PHYSICAL SECURITY

RESOURCES:

Practical UNIX Guide to Internet Security – Spafford & Garfinkel http://www.rcmp-grc.gc.ca/tsb/pubs/index.htm

Note: Excess volts, as charted below, can harm the electrical equipment. Excess amperes can cause serious harm to humans.


Static Charge Effect on Microcomputers

Charge (Volts)   Possible Damage

40               Logic circuits, sensitive transistors

1,000            Touching Cathode Ray Tube may clear screen, crash buffer

1,500            Touching disk drive may attract contaminants to surface and cause data loss or head crash. For example, smoke particles average .00025 in. or .0006125 centimeters in diameter, which is 2-5 times greater than disk head clearance.

2,000            System shutdown

4,000            Touching printer may cause jam

17,000           May shock system out of parity

Control over contaminate levels in a computer room is an extremely important consideration. Normal operating activities can cause a buildup of conductive particles on circuit boards, microswitches and other components which can cause equipment failure and perhaps result in spontaneous combustion within computer equipment. Damage caused by smoke/gas is also a serious concern. Be especially sensitive to the danger from a fire in another part of a facility that could project smoke particles & toxic /corrosive gas through the air or ventilating systems. The following are concerns:

• Smoke and gas travel much faster, farther and more easily than heat or flame.

• The diameter of a typical smoke particle averages .00025 inch (0.00635 millimeter), which is 2-5 times larger than the disk/head clearance.

• Smoke damages secondary storage devices, whereas corrosive gases damage every device.

Embedded-wire cards (also called “Wiegand” cards) are the most secure against tampering/compromise. http://www.zdnet.com/eweek/news/0112/12bio.html

Hand geometry is not hand topology (the side-view elevations of parts of the hand), which is not discriminating enough to be effective. Hand geometry measures many characteristics of the hand, including thickness, width, length, etc. Palm prints, like fingerprints, are acceptable.

Retina pattern measures the blood vessels at the back of the eye; it is relatively intrusive.

Iris scan uses a camera, possibly mounted on a wall, that recognizes an individual's eye(s) as s/he passes by; it is not intrusive.

Facial recognition matches an individual's facial patterns against the patterns held in the database.


Fresnel lens - a thin optical lens of many concentric rings having the properties of a much thicker & heavier lens: used in cameras, lighthouse beacons, etc. For more, go here: http://lighthousegetaway.com/lights/fresnel.html

In a really secure facility with high walls/fencing and guard towers a search light might be appropriate at the guard towers (e.g., prison yard, nuclear facility).

Critical areas around buildings: install lighting at least 8 feet (2.4 meters) high with illumination of 2 foot-candles (about 21 lux; a foot-candle is one lumen per square foot). (NIST specification)

Photoelectric – active infrared beam(s) that trigger an alarm when the beam is broken.

Ultrasonic – ultrasound energy bounced off the floors, walls and objects; the receiver detects the “foreign” signal change caused by an intruder and sounds the alarm.

Microwave – a receiver diode picks up transmitted and “bounced” energy waves in an enclosure; an intruder disrupts the waves and activates the alarm.

Passive infrared – objects radiate IR with the heat of their bodies; the detector notes the change and triggers an alarm.

It is important that all electrical power installations meet national and local code.

Additionally, most large commercial buildings are supplied with three-phase power by the utility, which provides current in phases based on the customer's need. Most data centers have both three-phase and single-phase equipment.

Consequently, electrical system design must provide for all anomalies that can affect operations. This part describes the significant ones.

There are also some considerations related to selecting an alternate power source for data center operations. These include:

Benefits/costs of alternatives

Required maintenance/testing

Resulting hazards

Fuel supply

Electrical fire

Hydrogen gas from batteries http://www.powerware.com/

Voltage Fluctuations:

Microcomputers operate within ±10% of nominal line voltage (110 volts);

ANSI standards permit an 8% drop between source and meter and 3.5% between meter and computer;

Brownouts may lose 10%;

Surges and sags may damage microcomputers;

Protect against surges with a surge suppressor (a suppressor does nothing for sags; those need a line conditioner or UPS).

EMI – common-mode noise occurs between the hot and ground wires. Transverse-mode (normal-mode) noise occurs between the hot and neutral wires.


RFI - can damage data, CPU, peripheral components

Protect against EMI/RFI by shielding

Portable extinguishers enable people to suppress a fire before the automatic systems actuate and cause additional damage.

Some organizations recommend that tile removal tools (tile lifters) be located at each extinguisher station so that when a fire is detected under the raised floor the cause can be quickly determined and the fire suppressed with a portable extinguisher (Halon 1211, FM-200, water, soda).

Portable extinguishers can be a first line of defense to prevent a small fire from escalating into a disaster.

Both Halon 1211 and FM-200 meet the safety requirement of a design concentration below 10%. However, FM-200 (HFC-227ea) does not release ozone-depleting substances into the atmosphere, whereas Halon 1211 does.

Other replacement alternatives include:

PFC-410 or CEA-410

PFC-218 or CEA-308

NAF S-III

FE 13

Argon

Argonite

Inergen


MODULE 7

CRYPTOGRAPHY

TEMPEST: commonly expanded as Transient Electromagnetic Pulse Emission Standard, although officially the name is a codename rather than an acronym. It is the standard by which the US government measures electromagnetic emissions from computer equipment and specifies how much emanation is acceptable (allowed to leak) without exposing the equipment to monitoring. The standards are detailed in NACSIM 5100A, a document classified by the National Security Agency.

Devices which conform to this standard are called TEMPEST certified.

In 1985 a Dutch scientist, Wim van Eck, published a paper in the journal "Computers & Security": "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?", Vol. 4 (4), pp. 269-286. The paper caused a panic in certain government circles, and just about all government TEMPEST information is classified.

Van Eck's work showed that video display units (CRTs) emit electromagnetic radiation similar to radio waves and that the signals can be intercepted, reconstructed and viewed from a remote location. This of course compromises the security of data being worked on and viewed by the computer's user. Over the years TEMPEST monitoring has also been called van Eck monitoring or van Eck eavesdropping.

A scary story: http://www.thecodex.com/c_tempest.html

More information on DNSSEC: http://www.ietf.org/ids.by.wg/dnssec.html

RFC 2065 and its successor RFC 2535

More information on SSL: http://home.netscape.com/products/security/ssl/protocol.html

More information on S-HTTP (ref: http://www.webopaedia.com , keyword search = SHTTP):

S-HTTP is an extension to the HTTP protocol to support sending data securely over the World Wide Web. Not all Web browsers and servers support S-HTTP.

Another technology for transmitting secure communications over the World Wide Web, Secure Sockets Layer (SSL), is more prevalent. However, SSL and S-HTTP have very different designs and goals, so it is possible to use the two protocols together. Whereas SSL is designed to establish a secure connection between two computers, S-HTTP is designed to send individual messages securely. Both protocols were submitted to the Internet Engineering Task Force (IETF) for approval as standards (S-HTTP was published as experimental RFC 2660; SSL 3.0 became the basis of TLS, RFC 2246).


S-HTTP was developed by Enterprise Integration Technologies (EIT), which was acquired by VeriFone, Inc. in 1995.

More S-HTTP reading: http://www.terisa.com/shttp/current.txt

From Duke University: http://www.duke.edu/~wgrobin/ethics/netshop/s-http.htm

In 1994, EIT developed S-HTTP (Secure Hypertext Transfer Protocol), a security-enhanced version of HTTP. S-HTTP provides transaction security services for electronic commerce. It adds encryption elements to standard browser applications; by adding public-key security methods from RSA Data Security it enhances traditional HTTP transactions.

S-HTTP has been implemented commercially by Terisa Systems, co-founded by EIT and RSA Data Security in 1994. Terisa produces a security toolkit that allows software developers to integrate S-HTTP into their World Wide Web clients and servers.

More information on GSS-API: http://gits-sec.treas.gov/cryptosec/sld001.htm (a 32-slide PPT presentation).

GSS-API is specified in RFC 1508 (Generic Security Service Application Program Interface, http://www.faqs.org/rfcs/rfc1508.html) and RFC 1509 (Generic Security Service API: C-bindings, http://www.faqs.org/rfcs/rfc1509.html); both have since been superseded by RFC 2743 and RFC 2744.

More information on HTTPS (ref: Netguru):

HTTPS (HTTP over SSL) is a Web protocol developed by Netscape and built into its browser that encrypts and decrypts user page requests as well as the pages returned by the Web server. HTTPS is really just the use of Netscape's Secure Sockets Layer (SSL) as a sub-layer under the regular HTTP application layer. (HTTPS uses port 443 instead of HTTP's port 80 in its interactions with the lower layer, TCP/IP.) Export-grade SSL used a 40-bit key for the RC4 stream cipher, which at the time was considered adequate for commercial exchange; a 40-bit key can be brute-forced in well under a day on commodity hardware and offers no real protection today.

Suppose you use a Netscape browser to visit a Web site such as NetPlaza ( http://www.netplaza.com ) and view their catalog. When you're ready to order, you will be given a Web page order form with a URL that starts with https://. When you click "Send" to send the page back to the catalog retailer, your browser's HTTPS layer will encrypt it. The acknowledgement you receive from the server will also travel in encrypted form, arrive with an https:// URL, and be decrypted for you by your browser's HTTPS sub-layer.

HTTPS and SSL support the use of X.509 digital certificates from the server so that, if necessary, a user can authenticate the sender. SSL is an open, nonproprietary protocol that Netscape proposed as a standard to the World Wide Web Consortium (W3C). HTTPS is not to be confused with S-HTTP, a security-enhanced version of HTTP developed and proposed as a standard by EIT.

S/MIME is a specification for secure electronic messaging. In 1995, several software vendors got together and created S/MIME to solve a very real problem: interception and forgery of e-mail. Protecting sensitive data is a real concern, especially in a world that is becoming increasingly wired. The goal of S/MIME is to make it easy to secure messages from prying eyes. Since its creation, S/MIME has come a long way. S/MIME is short for Secure Multipurpose Internet Mail Extensions. The specification was designed to be easily integrated into e-mail and messaging products. S/MIME builds security on top of the industry-standard MIME protocol according to an equally important set of cryptographic standards, the Public Key Cryptography Standards (PKCS). The fact that S/MIME was created using other standards is important for something that is likely to be widely implemented. Users will benefit from the widespread adoption of S/MIME. Privacy, data integrity, and authentication will be available to anyone with an e-mail package that implements S/MIME.

The Message Security Protocol (MSP) is a more recent protocol developed to address e-mail security. MSP provides writer-to-reader security services: confidentiality, integrity, data origin authentication, access control, non-repudiation with proof of origin, and non-repudiation with proof of delivery. http://www.imc.org/workshop

The PKCS family of standards addresses the following need: an agreed-upon standard format for transferred data based on public-key cryptography. PKCS covers several aspects of public-key cryptography, including RSA encryption, Diffie-Hellman key agreement, password-based encryption, extended-certificate syntax, cryptographic-enhancement syntax, and private-key information syntax. PKCS evolved from three broad design goals: to maintain compatibility with Privacy-Enhanced Mail (PEM), to extend beyond PEM, and to be suitable for incorporation in future OSI standards.

SSH is a protocol for secure remote login and other secure network services over an insecure network. The SSH protocol consists of three major components: the transport layer protocol provides server authentication, confidentiality, and integrity with perfect forward secrecy; the user authentication protocol authenticates the client to the server; the connection protocol multiplexes the encrypted tunnel into several logical channels. http://www.vandyke.com/

LUC – short for the Lucas-sequence analogs of other public-key techniques. LUC is a public-key cryptosystem developed by a group of researchers in Australia and New Zealand. The cipher implements analogs of ElGamal, Diffie-Hellman and RSA over Lucas sequences, using Lucas functions instead of exponentiation. Its inventor, Peter Smith, has since implemented four other algorithms with Lucas functions: LUCDIF, a key negotiation method like Diffie-Hellman; LUCELG PK, equivalent to ElGamal public-key encryption; LUCELG DS, equivalent to the ElGamal digital signature; and LUCDSA, equivalent to the US Digital Signature Standard. LUC Encryption Technology Ltd has obtained patents for cryptographic use of Lucas functions in the United States and New Zealand.

Although there are several implementations of public key crypto currently in use, the RSA algorithm is the most popular. It is in use worldwide.

Basically, you can't decrypt with the same key used to encrypt. The two keys are the one kept secret by the owner (the private key) and the one made public. The operation of this technology is discussed later.

Key distribution is not a problem with public key technology because the public key doesn't need to be kept confidential; however, ensuring that a specific public key belongs to a specific person is a problem, addressed by certification, described later.

For now, discuss the use of private key (symmetric) crypto for encrypting large messages because of its speed, with public key (asymmetric) crypto used to distribute the symmetric key to the recipient for use in decrypting the message.

FOR MORE see: http://www.ssh.fi/tech/crypto/algorithms.html#asymmetric

Lucifer was an earlier crypto system developed by IBM.

Non-linear - an S-Box is used which is a nonlinear function which substitutes four output bits for six input bits within a DES device to make the DES algorithm a nonlinear process. A linear process is one in which the output is directly proportional to the input - not a desirable condition for encryption.

How DES works: http://www.zolatimes.com/V2.28/DES.htm

Recertification: http://csrc.nist.gov/fips/dfips46-3.pdf

Taken from the publication:

With this modification of the FIPS 46-2 standard:

1. Triple DES (using TDEA, the Triple Data Encryption Algorithm), as specified in ANSI X9.52, will be recognized as a FIPS approved algorithm.

2. Triple DES will be the FIPS approved symmetric encryption algorithm of choice.

3. Single DES (using DEA) will be permitted for legacy systems only. New procurements to support legacy systems should, where feasible, use Triple DES products running in the single DES configuration.

4. Government organizations with legacy DES systems are encouraged to transition to Triple DES based on a prudent strategy that matches the strength of the protective measures against the associated risk.

In 1997 a US programmer was able, through use of the Internet, to crack a 56-bit DES key in about four months (the DESCHALL effort) by writing a program to try all keys. At the start of the attack 20 PC users were running the program; when it finished there were about 14,000 PC users working on it.

Almost a year later, in January 1998, Challenge II used 22,000 participants with a total of 50,000 CPUs (at a peak rate of about 26 billion keys per second) to crack a 56-bit DES key in 39 days.

In July 1998 the Electronic Frontier Foundation's purpose-built "Deep Crack" machine recovered a 56-bit DES key in about 3 days (56 hours) using hardware that cost less than $250,000.

On January 19, 1999 distributed.net and the EFF solved the DES-III challenge in a record 22 hours, 15 minutes, 4 seconds.

These accomplishments were attacks against the key length, not the algorithm: a brute-force attack simply tries all keys, so it would be equally successful against any other cipher with a key that short.

The solution for protecting very sensitive data is to pick an algorithm with a longer key, as many are doing who have shifted to triple DES (addressed later). http://www.distributed.net/history.html
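The brute-force attacks described above are worth seeing in code. The following Go program is an added example, not part of the CBK resource list: it runs a known-plaintext search over the DES keyspace with Go's standard crypto/des. To keep the run to well under a second, the attacker is assumed to already know all but the low 20 bits of the 56-bit key (the secret key, the plaintext block and that assumption are constructed for the example); the full 56-bit attack is the same loop over 2^56 candidates, which is exactly why key length, not the DES algorithm, was what DESCHALL, distributed.net and Deep Crack defeated.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
	"math/bits"
)

// expandKey56 turns the 56 effective key bits into the 8-byte DES key form
// (7 key bits per byte, odd parity in each byte's least-significant bit).
// Enumerating 56-bit values avoids trying the same effective key twice.
func expandKey56(k56 uint64) []byte {
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		b := byte(k56&0x7f) << 1 // 7 key bits in the high positions
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1 // set the parity bit so the byte has odd parity
		}
		key[i] = b
		k56 >>= 7
	}
	return key
}

// desEncryptBlock encrypts a single 8-byte block under an 8-byte DES key.
func desEncryptBlock(key, block []byte) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err) // only possible with a key of the wrong length
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out
}

// bruteForceDES enumerates every value of the low unknownBits bits of the
// 56-bit key, keeping the high bits from knownHigh, and returns the first key
// that maps plaintext to ciphertext plus the number of trial encryptions made.
func bruteForceDES(knownHigh uint64, unknownBits uint, plaintext, ciphertext []byte) ([]byte, uint64, bool) {
	mask := uint64(1)<<unknownBits - 1
	base := knownHigh &^ mask
	for cand := uint64(0); cand <= mask; cand++ {
		key := expandKey56(base | cand)
		if bytes.Equal(desEncryptBlock(key, plaintext), ciphertext) {
			return key, cand + 1, true
		}
	}
	return nil, mask + 1, false
}

func main() {
	// Constructed sample: the victim's secret 56-bit key and one known block.
	secret := uint64(0x00A5C3E1F0B7D9)
	plaintext := []byte("ATTACK@8") // exactly one DES block
	ciphertext := desEncryptBlock(expandKey56(secret), plaintext)

	const unknown = 20 // assumption for the demo: only 2^20 candidates, not 2^56
	key, trials, ok := bruteForceDES(secret, unknown, plaintext, ciphertext)
	fmt.Printf("found=%v key=%x after %d trials\n", ok, key, trials)
	fmt.Printf("same loop over the full key: %.1e trials worst case\n", float64(uint64(1)<<56))
}
```

Run it with `go run`. Doubling the key length (two-key triple DES, 112 effective bits) multiplies the worst case by 2^56, which is the point of the FIPS 46-3 move to TDEA; the loop itself does not care which cipher sits behind desEncryptBlock.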

It is anticipated that triple DES and the Advanced Encryption Standard (AES) will coexist as FIPS approved algorithms allowing for a gradual transition to AES. (The AES is a new symmetric-based encryption standard under development by NIST. AES is intended to provide strong cryptographic security for the protection of sensitive information well into the 21st century.). http://csrc.nist.gov/encryption/

August 9, 1999

NIST's Information Technology Laboratory chose the following five contenders as finalists for the AES:

MARS – developed by International Business Machines Corp. of Armonk, N.Y.

RC6 – developed by RSA Laboratories of Bedford, Mass.

Rijndael – developed by Joan Daemen and Vincent Rijmen of Belgium

Serpent – developed by Ross Anderson, Eli Biham and Lars Knudsen of the United Kingdom, Israel and Norway respectively

Twofish – developed by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson (many members of this group are associated with Counterpane Systems of Minneapolis)

No significant security vulnerabilities were found for the five finalists during the initial analysis of the algorithms, and each candidate offers technology that is potentially superior for the protection of sensitive information well into the 21st century.

NIST requested proposals for the AES on Sept. 12, 1997. Each of the candidate algorithms supports cryptographic key sizes of 128, 192 and 256 bits. At a 128-bit key size there are approximately 340,000,000,000,000,000,000,000,000,000,000,000,000 (340 followed by 36 zeroes, about 3.4 × 10^38) possible keys.


The winner, announced October 2, 2000, was Rijndael (pronounced RHINE-DOLL), developed by Joan Daemen and Vincent Rijmen of Belgium. The Rijndael cipher has a variable block length and key length; the AES standard (FIPS 197, November 2001) fixes the block length at 128 bits and allows keys of 128, 192 or 256 bits. http://www.esat.kuleuven.ac.be/~rijmen/rijndael/

AES: http://csrc.nist.gov/encryption/aes/aes_home.htm

This is the description of Clipper, which has met with great resistance to implementation by the private sector as well as internationally. The problem, of course, is the escrow provision, which would enable government (law enforcement) to obtain the escrowed key and thereby read the encrypted message regardless of what session key was used. It was pushed by law enforcement to enable them to monitor crooks/drug traffickers who might use DES to hide data (a somewhat unbelievable case). It was also at one time scheduled for use in cellular phones to maintain the confidentiality of calls; used in that context it would seem to involve a difficult key distribution problem if the person at the other end, and only the one intended, needed to decrypt the call.

Escrow – put in the care of a third party until certain conditions are met (e.g., a court order authorizing law enforcement access to the key).

Clipper chip information: http://www.epic.org/crypto/clipper/

ECC on Smart Cards http://www.logica.com/globe/globe07/smartcard.html

Discussion about Processor power.. http://www.snf.unsw.edu.au/~snf/quant2.html

The IEEE PKI resource pages… http://grouper.ieee.org/groups/1363/index.html

http://www.pgp.com/ & http://www.pgp.com/products/dtop-security-data/default.asp

PGP Freeware

PGP MIT Freeware Downloads.

PGP is the world's de facto standard for email encryption and authentication, with over 6 million users. PGP 6.5.1 MIT freeware supports RSA, PGP email and secure client-to-client connections using PGP certificates. It is available for non-commercial use only.


The commercial PGP VPN Client is available from Network Associates and is fully IPsec compliant, with support for X.509 certificates from industry leaders such as VeriSign, Entrust and Net Tools, and VPN gateway support to create encrypted network connections to your company for secure remote access. The commercial client also includes PGPdisk for fast disk, file and directory encryption and authentication, in addition to technical support.

PGP FAQ: http://www-ipg.umds.ac.uk/d.hill/FAQs/cryptography-faq/minioverview/faq.html

PGP TELEPHONE: see http://web.mit.edu/network/pgpfone/

MIT has been distributing PGPfone beta test version 1.0b2 for Windows '95 and Windows NT since July 11, 1996, and beta test version 1.0b7 for the Macintosh since the same date.

Version 1.0b2 DOES NOT TALK to earlier versions.

Version 1.0b7 for the Macintosh works with 1.0b2 for Windows '95.

PGPfone (Pretty Good Privacy Phone) is a software package that turns your desktop or notebook computer into a secure telephone. It uses speech compression and strong cryptographic protocols to give you the ability to have a real-time secure telephone conversation via a modem-to-modem connection. It also works across the Internet.

S/MIME is a specification for secure electronic mail. S/MIME stands for Secure/Multipurpose Internet Mail Extensions and was designed to add security to e-mail messages in MIME format. The security services offered are authentication (using digital signatures) and privacy (using encryption).

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol that adds digital signatures and encryption to Internet MIME (Multipurpose Internet Mail Extensions) messages, described in RFC 1521. MIME is the official proposed standard format for extended Internet electronic mail. Internet e-mail messages consist of two parts, the header and the body. The header forms a collection of field/value pairs structured to provide information essential for the transmission of the message. The structure of these headers can be found in RFC 822. The body is normally unstructured unless the e-mail is in MIME format. MIME defines how the body of an e-mail message is structured. The MIME format permits e-mail to include enhanced text, graphics, audio, and more in a standardized manner via MIME-compliant mail systems. However, MIME itself does not provide any security services. The purpose of S/MIME is to define such services, following the syntax given in PKCS #7 for digital signatures and encryption. The MIME body section carries a PKCS #7 message, which itself is the result of cryptographic processing on other MIME body sections.


S/MIME has been endorsed by a number of leading networking and messaging vendors, including ConnectSoft, Frontier, FTP Software, Qualcomm, Microsoft, Lotus, Wollongong, Banyan, NCD, SecureWare, VeriSign, Netscape, and Novell. For more information on S/MIME, check http://www.rsa.com/smime/ .

PKCS (Public-Key Cryptography Standards) is a set of standards for implementation of public-key cryptography. It has been issued by RSA Data Security, Inc. in cooperation with a computer industry consortium, including Apple, Microsoft, DEC, Lotus, Sun, and MIT. PKCS #7 is a flexible and extensible message format for representing the results of cryptographic operations on some data. PKCS #10 is a message syntax for certification requests. Both have been submitted as Internet Drafts: PKCS #7: Cryptographic Message Syntax and PKCS #10: Certification Request Syntax.

S/MIME does use digital certificates. The X.509 format is used due to its wide acceptance as the standard for digital certificates. VeriSign has set up a certificate hierarchy specifically to support the S/MIME effort. Contact VeriSign at 650-961-7500 for more information on the S/MIME hierarchy, or visit their web site at http://www.verisign.com . The S/MIME Class 1 Certificate CSR submission available at https://digitalid.verisign.com/client/smimeStep1.htm provides a mechanism for users of S/MIME user agents to obtain X.509v3 certificates signed under the VeriSign Class 1 Individual Subscriber CA. This document describes the format of the enrollment messages required to request a certificate, and details how the signed certificate is packaged and returned. http://www.verisign.com/smime/index.html

The security services provided by MSP include:

Connectionless confidentiality, data origin authentication, connectionless integrity, and access control

Non-repudiation with proof of origin (message signature)

Non-repudiation with proof of delivery (signed receipts)

Confidentiality, data origin authentication, and integrity are provided through the encryption of the message content and associated key management mechanisms. Access control within MSP is rule based: based on the sensitivity of the message and the authorizations of the originator, recipient and workstation, MSP makes the access control decision. Identity-based access controls are the responsibility of the originator, supported by the strong authentication provided by MSP. Non-repudiation with proof of origin involves the generation of a digital signature which allows a recipient to establish the authenticity of a message and the originator's identity to a third party.

Non-repudiation with proof of delivery is provided through the return of a receipt signed by the recipient and allows the originator to establish to a third party that the message was received by the recipient. This receipt is bound to the original message through the signature; consequently, this service may be requested only for signed messages. http://www.imc.org/workshop/sdn701.doc
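The two non-repudiation services are easiest to see as an exchange. The Go program below is an added example, not MSP code and not from the resource list: the originator signs the message (proof of origin), the recipient returns a receipt signed over a digest of that signed message (proof of delivery), and the receipt is refused for anything that is not validly signed, matching the rule above that receipts are only available for signed messages. Ed25519 stands in for whatever signature algorithm MSP used; the message format, the party names and the sample text are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedMessage is the constructed message format: content plus the
// originator's signature over it (non-repudiation with proof of origin).
type SignedMessage struct {
	Content   []byte
	Signature []byte
}

// Receipt is what the recipient returns: a signature over a digest of the
// original signed message, so the receipt is bound to that exact message
// (non-repudiation with proof of delivery).
type Receipt struct {
	MessageDigest []byte
	Signature     []byte
}

// signMessage is run by the originator.
func signMessage(originator ed25519.PrivateKey, content []byte) SignedMessage {
	return SignedMessage{Content: content, Signature: ed25519.Sign(originator, content)}
}

// verifyMessage is what a recipient or a third party runs to establish that
// the originator really produced this content.
func verifyMessage(originator ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(originator, m.Content, m.Signature)
}

// messageDigest covers the content and the originator's signature, so the
// receipt commits to the signed message, not just to the text.
func messageDigest(m SignedMessage) []byte {
	h := sha256.New()
	h.Write(m.Content)
	h.Write(m.Signature)
	return h.Sum(nil)
}

// issueReceipt is run by the recipient. A receipt is only issued for a
// validly signed message; an unsigned or forged message gets none.
func issueReceipt(recipient ed25519.PrivateKey, originator ed25519.PublicKey, m SignedMessage) (Receipt, error) {
	if !verifyMessage(originator, m) {
		return Receipt{}, errors.New("receipt refused: message is not validly signed")
	}
	d := messageDigest(m)
	return Receipt{MessageDigest: d, Signature: ed25519.Sign(recipient, d)}, nil
}

// verifyReceipt lets the originator (or a third party settling a dispute)
// check that this recipient acknowledged exactly this signed message.
func verifyReceipt(recipient ed25519.PublicKey, m SignedMessage, r Receipt) bool {
	if !bytes.Equal(r.MessageDigest, messageDigest(m)) {
		return false
	}
	return ed25519.Verify(recipient, r.MessageDigest, r.Signature)
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader) // originator
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)     // recipient

	msg := signMessage(alicePriv, []byte("Transfer 500 to account 42")) // constructed sample
	fmt.Println("Bob verifies origin:", verifyMessage(alicePub, msg))

	receipt, err := issueReceipt(bobPriv, alicePub, msg)
	fmt.Println("receipt issued:", err == nil)
	fmt.Println("Alice verifies delivery:", verifyReceipt(bobPub, msg, receipt))

	// The receipt does not transfer to a message with altered content.
	altered := SignedMessage{Content: []byte("Transfer 5000 to account 42"), Signature: msg.Signature}
	fmt.Println("receipt matches altered message:", verifyReceipt(bobPub, altered, receipt))
}
```

Because the receipt signs a digest that includes the originator's signature, neither party can later substitute a different message under the same receipt, which is what "bound to the original message through the signature" means in practice.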

Visa and MasterCard have jointly developed the Secure Electronic Transaction (SET) protocol as a method for secure, cost-effective bankcard transactions over open networks.

SET includes protocols for purchasing goods and services electronically, requesting authorization of payment, and requesting “credentials” (i.e. certificates) binding public keys to identities, among other services. Once SET is fully adopted, the necessary confidence in secure electronic transactions will be in place, allowing merchants and customers to partake in electronic commerce.

SET supports DES for bulk data encryption and RSA for signatures and for public-key encryption of the data encryption keys and bankcard numbers. The RSA public-key encryption employs Optimal Asymmetric Encryption Padding (OAEP). SET is being published as open specifications for the industry, which may be used by software vendors to develop applications.

More information can be found at http://www.visa.com and http://www.mastercard.com
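The hybrid construction this module describes earlier (symmetric crypto for the bulk data, public-key crypto only to deliver the symmetric key) and the SET key wrapping just described (RSA with OAEP padding encrypting the data encryption key) are the same pattern. The Go program below is an added example, not SET code and not from the resource list: it wraps a fresh AES-256-GCM key with RSA-OAEP using only Go's standard library. AES-GCM stands in for the DES that SET specified, since single DES is no longer acceptable; the Envelope format and the sample message are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the constructed on-the-wire format: the data encryption key
// (DEK) wrapped under the recipient's RSA public key with OAEP, plus the
// AES-GCM nonce and ciphertext (authentication tag appended by GCM).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// sealEnvelope does the hybrid construction: the bulk data goes under a
// random symmetric key (fast), and only that 32-byte key goes under the
// recipient's public key (slow, but done once per message).
func sealEnvelope(recipient *rsa.PublicKey, message []byte) (*Envelope, error) {
	dek := make([]byte, 32) // AES-256 key, fresh for every message
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, message, nil),
	}, nil
}

// openEnvelope reverses the process. Tampering with the wrapped key or the
// ciphertext is rejected: OAEP decoding fails or the GCM tag check fails.
func openEnvelope(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data encryption key")
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext failed authentication")
	}
	return plaintext, nil
}

func main() {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("order 4711: 3 units, card number redacted") // constructed sample
	env, err := sealEnvelope(&recipient.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	out, err := openEnvelope(recipient, env)
	fmt.Printf("recovered: %q err=%v\n", out, err)
	env.Ciphertext[0] ^= 0x01 // flip one bit in transit
	_, err = openEnvelope(recipient, env)
	fmt.Println("after tampering:", err)
}
```

The wrapped key is always one RSA block (256 bytes for RSA-2048) regardless of message size, which is why the public-key operation is reserved for the key and not the data.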

Mondex is a payment system in which currency is stored in smartcards. These smartcards are similar in shape and size to credit cards, and generally permit the storage of sums of money up to several hundred dollars. Money may be transferred from card to card arbitrarily many times and in any chosen amounts. There is no concern about coin sizes, as with traditional currency.

The Mondex system also provides a limited amount of anonymity. The system carries with it one of the disadvantages of physical currency: if a Mondex card is lost, the money it contains is also lost. Transfers of funds from card to card are effected with any one of a range of intermediate hardware devices.

The Mondex system relies for its security on a combination of cryptography and tamper-resistant hardware. The protocol for transferring funds from one card to another, for instance, makes use of digital signatures (although Mondex has not yet divulged information about the algorithms employed). Additionally, the system assumes that users cannot tamper with cards, i.e., access and alter the balances stored in their cards.

The Mondex system is managed by a corporation known as Mondex International Ltd., with a number of associated national franchises. Pilots of the system have been initiated in numerous cities around the world.

For more information on Mondex, visit their website at http://www.mondex.com .

S-HTTP (Secure Hypertext Transfer Protocol) is another protocol for providing more security for WWW transactions. In many ways it is more flexible than SSL; however, due to Netscape's dominance in the marketplace SSL is in a very strong position. The electronic marketplace is evolving very fast, so it is hard to know what the situation will be in a few months or years.

There is an Internet draft at: http://search.ietf.org/internet-drafts/draft-ietf-wts-shttp-06.txt

The Internet Engineering Task Force (IETF)'s IP Security Protocol (IPsec) working group is defining a set of specifications for cryptographically based authentication, integrity, and confidentiality services at the IP datagram layer. These specifications are expected to emerge as Internet Proposed Standard RFCs. The IPsec group's results comprise a basis for interoperably secured host-to-host pipes, encapsulated tunnels, and Virtual Private Networks (VPNs), thus providing protection for client protocols residing above the IP layer. The protocol formats for IPsec's Authentication Header (AH) and IP Encapsulating Security Payload (ESP) are independent of the cryptographic algorithm, although certain algorithm sets are specified as mandatory for support in the interest of interoperability. Similarly, multiple algorithms are supported for key management purposes (establishing session keys for traffic protection) within IPsec's ISAKMP/Oakley framework.

For more info on IPsec: http://www.ietf.org/html.charters/ipsec-charter.html

SSH, or Secure Shell, is a protocol which permits secure remote access over a network from one computer to another. SSH negotiates and establishes an encrypted connection between an SSH client and an SSH server, authenticating the client and server in any of a variety of ways (some of the possibilities for authentication are RSA, Security Dynamics SecurID tokens, and passwords). That connection can then be used for a variety of purposes, such as creating a secure remote login on the server (effectively replacing commands such as telnet, rlogin, and rsh) or setting up a VPN (Virtual Private Network).

When used for creating secure logins, SSH can be configured to forward X11 connections automatically over the encrypted “tunnel” so as to give the remote user secure access to the SSH server within a full-featured windowing environment. SSH connections and their X11 forwarding can be cascaded to give an authenticated user convenient secure windowed access to a complete network of hosts. Other TCP/IP connections can also be tunneled through SSH to the server so that the remote user can have secure access to mail, the web, file sharing, FTP, and other services.

The SSH protocol consists of three major components: the transport layer protocol provides server authentication, confidentiality, and integrity with perfect forward secrecy; the user authentication protocol authenticates the client to the server; the connection protocol multiplexes the encrypted tunnel into several logical channels. The SSH protocol is currently being standardized in the IETF's SECSH working group.

More information about SSH, including how to obtain commercial implementations, is available from SSH Communications Security, Ltd. ( http://www.ssh.fi ), Data Fellows, Ltd. ( http://www.datafellows.com ), and VanDyke Technologies, Inc. ( http://www.vandyke.com ).

KERBEROS

http://www.isi.edu/~brian/security/kerberos.html – “The Moron's Guide to Kerberos, Version 1.2.2”

The key escrow issue

"Mary had a crypto key, she kept it in escrow,
and everything that Mary said, the Feds were sure to know."

-- Sam Simpson, July 9, 1998

1st bullet - the goal of key recovery.

2nd bullet - lists the purposes of the Key Recovery Alliance. The Alliance was formed in response to demand from customers who are conducting more and more of their business processes electronically. Internationally available strong encryption would enable these firms to send sensitive information securely over the Internet and other international networks.

Members of the Alliance include: The Boeing Company, Bull HN Information Systems, Candle Corp., Commercial Crypto, Compaq Computer Corp., CygnaCom Solutions, Cylink Corp., Digital Link, Fujitsu Corp., Mitsubishi Electric Corp., Motorola, Inc., Network Associates, Inc., Novell, Inc., Platinum Technology, Inc., Racal Security and Payments, Rainbow Technologies, Inc., VeriSign, Inc., VPNet Technologies, Inc. http://www.kra.org/

By carefully measuring the amount of time required to perform private key operations, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems (Kocher's timing attack, 1996). Against a vulnerable system, the attack is computationally inexpensive and often requires only known ciphertext. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements. The standard defence is to make the running time of secret-dependent operations independent of the secret: constant-time code, or blinding for RSA and Diffie-Hellman.

Differential Power Analysis (DPA) describes a class of attacks against smart cards and secure cryptographic tokens. Discovered by researchers at Cryptography Research in San Francisco, DPA attacks exploit characteristic behaviors of transistor logic gates and software running on smart cards and other cryptographic devices. The attacks are performed by monitoring the electrical activity (power consumption) of a device, then using statistical methods to determine secret information (such as secret keys and user PINs) in the device.

http://www.cryptography.com/timingattack
http://www.cryptography.com/dpa/qa
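The side channel behind these attacks is easier to see on a small target. The following Python is an added example, not code from the resource list or from Cryptography Research: it models an early-exit comparison of a secret (a MAC or password check) beside a constant-time one, with the "time" replaced by a deterministic count of bytes examined, and recovers the constructed SECRET byte by byte from the leaky version only. Kocher's attack on RSA and Diffie-Hellman applies the same principle to the running time of modular exponentiation; the SECRET value and both oracle functions here are stand-ins chosen for the illustration.

```python
"""Timing side channel, demonstrated on an early-exit byte comparison.

Added example, not code from the CBK resource list. Data-dependent running
time leaks the secret; the "time" is modelled as the number of bytes
examined so the demonstration is deterministic.
"""

SECRET = b"\x1f\x8a\xb3\x00\x42"   # constructed secret; the zero byte is a deliberate edge case


def leaky_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Return (equal, work). Stops at the first mismatch, so `work`, the
    number of bytes examined, is the side channel: it grows by one for each
    leading byte the attacker has right."""
    if len(secret) != len(guess):
        return False, 0
    work = 0
    for a, b in zip(secret, guess):
        work += 1
        if a != b:
            return False, work
    return True, work


def constant_time_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Examine every byte and fold the differences into one accumulator, so
    the work is identical for every guess of the right length (this is what
    hmac.compare_digest does in the standard library)."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for a, b in zip(secret, guess):
        diff |= a ^ b
    return diff == 0, len(secret)


def recover_secret(oracle, length: int) -> bytes:
    """Attacker side. For each position, try all 256 bytes and keep the one
    whose comparison did the most work. Returns the recovered secret, or
    b"" when every candidate costs the same (nothing to learn)."""
    recovered = bytearray(length)
    for pos in range(length):
        work_by_candidate = {}
        for cand in range(256):
            recovered[pos] = cand
            equal, work = oracle(bytes(recovered))
            if equal:
                return bytes(recovered)
            work_by_candidate[cand] = work
        if max(work_by_candidate.values()) == min(work_by_candidate.values()):
            return b""                       # uniform cost: no leak to exploit
        recovered[pos] = max(work_by_candidate, key=work_by_candidate.get)
    return bytes(recovered)


def demo() -> tuple[bytes, bytes]:
    """Run the attack against both oracles: the leaky one gives up SECRET in
    at most 256 * len(SECRET) queries, the constant-time one gives up nothing."""
    leaky = recover_secret(lambda g: leaky_compare(SECRET, g), len(SECRET))
    safe = recover_secret(lambda g: constant_time_compare(SECRET, g), len(SECRET))
    return leaky, safe
```

Note that the zero byte in SECRET does not confuse the attacker: the correct candidate at each position always costs strictly more than the wrong ones, which is why any measurable difference, not only a large one, is enough.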

Considerable controversy has raged over the past several years regarding the NSA's refusal to permit the export of strong encryption systems. The only real compromise has been to allow export if a process for putting the key in escrow is provided.

Transborder Data Controls: Several policies and standards exist to identify issues regarding transmission of data between countries. Because individual countries can change their regulations, and because technology often presents new challenges not anticipated by existing regulations, the most thorough and current data control policies are found on the Internet. One of the recent documents available on the Internet is from the Netherlands; to find it, search the Web for “Transborder data security.”

COCOM - Coordinating Committee on Multilateral Export Controls. CoCom was an informal organization that cooperatively restricted strategic exports to controlled countries. It was terminated and reformed as the Wassenaar Arrangement.

Wassenaar Arrangement - Twenty-eight countries agreed on December 9, 1995 in the Hague to establish the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. They formed for the first time a global multilateral regime covering both armaments and sensitive dual-use goods and technology. The arrangement responds to the new security threats of the post-Cold War period by providing greater openness through information sharing about arms and technology transfers worldwide. The regime focuses on the threats to international and regional peace and security. A central part of the regime is the commitment by its members to prevent the acquisition of armaments and sensitive dual-use items by military end-users in states whose behavior is, or becomes, a cause for serious concern, such as Iran, Iraq, Libya and North Korea. Cryptographic products are among the dual-use items it controls. http://www.wassenaar.org/

Echelon is the name given to the network of US and allied signals-interception stations scattered throughout the world, of which Menwith Hill in England is the best known; satellites and ground stations monitor terrestrial radio, microwave, and cellphone communications.

Date: Mon, 15 Jun 1998 http://www.usajournal.com/page34.htm US Journal Federal Page ECHELON: AMERICA'S SPY IN THE SKY

MODULE 8

TELECOMMUNICATIONS & INFO SECURITY

TELECOM

RFC INDEX: http://www.cis.ohio-state.edu/hypertext/information/rfc.html

ISO 7498 http://www.iso.ch/

Domain Name Space

SEVEN NEW TLD PROPOSALS SELECTED

At its meeting on 16 November 2000, the ICANN Board selected seven new top-level domains (TLDs) for negotiation of agreements. The new TLDs and their intended purposes are listed below. For additional information, please contact the applicants:

TLD      Sponsored/Unsponsored   Purpose                                 Applicant / Contact(s)
.aero    Sponsored               Air-transport industry                  Societe Internationale de Telecommunications Aeronautiques SC (SITA) / Rosa Delgado
.biz     Un-sponsored            Businesses                              JVTeam, LLC (now known as NeuLevel) / Barbara Blackwell, Manager, Public Relations, Tel: +1 202 533 2730, Fax: +1 202 533 2976
.coop    Sponsored               Cooperatives                            National Cooperative Business Association (NCBA) / Paul Hazen
.info    Un-sponsored            Unrestricted use                        Afilias, LLC / Moshe Fogel
.museum  Sponsored               Museums                                 Museum Domain Management Association (MDMA) / Cary Karp, Kenneth Hamma
.name    Un-sponsored            For registration by individuals         Global Name Registry, LTD / Hakon Haugnes
.pro     Un-sponsored            Accountants, lawyers, and physicians    RegistryPro, LTD / Elana Broitman

Wireless Data Network Considerations http://www.logica.com/globe/globe12/wireless.html

http://www.nokia.com/networks/index.html

Switches http://www.arrowpoint.com/index.html

http://www.arrowpoint.com/

UTP details http://www.bicsi.org/tia300.htm

Ethernet details http://www.ots.utexas.edu/ethernet/ethernet-home.html

CSMA/CA http://www.cs.brown.edu/courses/cs196-5/lect/01/index.htm

http://www.cs.brown.edu/courses/cs196-5/lect/01/sld073.htm

Digital Subscriber Lines - MORE ABOUT xDSL’s

There are a number of similar, yet competing forms of DSL

ADSL - Asymmetric Digital Subscriber Line

SDSL – Single-Line Digital Subscriber Line

HDSL – High-Rate Digital Subscriber Line

RADSL – Rate-Adaptive Digital Subscriber Line

VDSL – Very-High-Data-Rate Digital Subscriber Line

Others:

CDSL – Consumer Digital Subscriber Line from Rockwell

IDSL - "ISDN DSL" A scheme from Ascend

 UDSL – the EWSD UDSL line card from Siemens: http://www.icn.siemens.com/icn/news/1999/99081101.html

SP HDSL "Single Pair HDSL" Half T1 speed over one twisted pair.

http://www.gyrene.com/adsl/serial.htm

This site will provide MORE than you ever needed to know!! http://www.cisco.com/warp/public/707/

VPN http://www.corecom.com/external/vpn/vpntable.html

SOCKS http://www.socks.nec.com/

GSS-API SOCKS Implementation: rfc1961

GREAT LINK! http://www.forbes.com/tool/html/98/apr/0424/featb.htm

RAID Characteristics

For a comprehensive treatment of the various RAID configurations and techniques go to: http://www.acnc.com/04_01_00.html

Details of RAID 10 (RAID 1 + RAID 0: mirrored pairs that are then striped)

RAID Level 10 requires a minimum of 4 drives to implement.

CHARACTERISTICS / ADVANTAGES
- RAID 10 is implemented as a striped array whose segments are RAID 1 arrays
- RAID 10 has the same fault tolerance as RAID level 1 (it survives the loss of one drive in each mirrored pair, but not both drives of the same pair)
- RAID 10 has the same overhead for fault tolerance as mirroring alone (half the raw capacity is usable)
- High I/O rates are achieved by striping RAID 1 segments
- Excellent solution for sites who would have otherwise gone with RAID 1 but need some additional performance boost

DISADVANTAGES
- Very expensive
- All drives must move in parallel to the proper track, lowering sustained performance
- Very limited scalability at a very high inherent cost

RECOMMENDED USES
- Database server requiring high performance and fault tolerance but not capacity

RAID Advisory Board http://www.raid-advisory.com/

The ABC's of RAID http://components.about.com/compute/components/gi/dynamic/offsite.htm?site=http://www.adaptec.com/products/guide/abcraid.html

IPSec http://w3.antd.nist.gov/Groups/ITG/IP_Security/Cerberus/cerberus.html

http://www.ietf.org/rfc/rfc2401.txt

Buffer Overflow Attacks http://sun.soci.niu.edu/~crypt/other/vclrev.htm

http://www.infosecuritymag.com/may99/news.htm

“Ping of Death” (aka large packet ping attack)

The size, content and order of an IP datagram are well defined and specified for standard network transmission. However, it is possible to create malformed IP datagrams that have undesirable consequences for the receiving stack, and network intruders use these methods to disrupt the targeted network. Such deliberately malformed datagrams are referred to as “illegal IP datagrams.”

The typical Ping of Death sends an ICMP echo request as a series of IP fragments whose offsets and lengths add up to more than 65,535 bytes, the maximum size of an IP datagram (the total length field is 16 bits). The receiving stack, having sized its reassembly buffer on that maximum, overflows it while putting the fragments back together and crashes or hangs.

"Effectively, the server hangs because the IP stack is waiting for the rest of the data."

The problem is not specific to ICMP: an oversized fragmented datagram carrying TCP or UDP can trigger the same reassembly fault. http://ciac.llnl.gov/ciac/bulletins/h-18.shtml

DoS Attack (aka Denial of Service) http://netsecurity.about.com/compute/netsecurity/gi/dynamic/offsite.htm?site=http://www.securityportal.com/list%2Darchive/bugtraq/

SYN Attack (aka SYN FLOOD)

What is a SYN attack?

A SYN attack is performed by sending many thousands of TCP SYN ("start connection") segments to the target. Even a slow computer and connection can send many of these a second. The target records each request as a half-open connection, replies with a SYN-ACK, and waits (the timeout is implementation dependent; 45 seconds or more was typical) for the client's final ACK before discarding the request and freeing the entry.

This delay creates an enormous load on victim machines, causing them to be unable to respond to legitimate requests. A SYN attack is usually done from bogus addresses; a different forged source address is used for each packet, making it extremely difficult to trace. This means that you cannot counteract a SYN attack by filtering on the source IP address, since that address is unknown and changes with every packet.

A SYN attack exploits the small buffer reserved for half-open connections during the TCP three-way handshake (client SYN, seq 1000; server SYN, seq 2000, ACK 1001; client ACK 2001) in order to prevent a server from accepting inbound TCP connections.

When the server receives the first SYN, it stores this connection request in a small ‘in-process’ (backlog) queue. Since sessions tend to be established rather quickly, this queue is small and only able to store a relatively low number of connection requests. This was done for memory optimization, in the belief that the session would be moved to the larger queue of established connections rather quickly, once the handshake was successfully completed, thus making room for more connection requests. A SYN attack floods this smaller queue with connection requests. When the destination system issues a reply, the attacking system does not respond (usually because the source address was spoofed with a false return address). This leaves the connection request in the smaller queue until the timer expires and the entry is purged. By filling up this queue with bogus connection requests, the attacking system can prevent the system from accepting legitimate connection requests. Thus, a SYN attack is considered a denial of service. Because the half-open queue is a standard part of TCP, the problem cannot be removed outright, but it can be mitigated: SYN cookies (Bernstein, 1996) encode the connection state in the server's initial sequence number so that a half-open connection costs no memory; shorter timeouts and larger backlogs raise the cost of the flood; and a firewall or SYN proxy can complete the handshake on the server's behalf, or recognize “false SYNs” through a repetitive SYN timeout condition and refuse to pass them on.
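The queue exhaustion described above, and the SYN-cookie mitigation, as an added Python example (not code from the resource list or from any real TCP stack). The two listener classes, the Segment record, the 8-entry backlog, the 45-second timer and the addresses are constructed for illustration; the flood uses forged source addresses that never answer the SYN-ACK, exactly as in the attack.

```python
"""SYN flood against a half-open connection queue, and SYN cookies as the
stateless countermeasure. Added example, not code from the resource list.
Backlog size, timeout and addresses are constructed; real stacks use larger
queues and different timers, but the mechanism is the same.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Segment:
    """The TCP fields the handshake depends on."""
    src: str
    sport: int
    seq: int
    ack: int = 0
    syn: bool = False
    ack_flag: bool = False


class BacklogListener:
    """Classic stack: each SYN reserves a slot until the client's ACK arrives
    or the slot times out. Spoofed SYNs never get an ACK, so the slots stay
    occupied and later SYNs, legitimate or not, are dropped."""

    def __init__(self, backlog: int = 8, timeout: float = 45.0):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}        # (src, sport) -> (our_seq, expiry time)
        self.established = set()
        self.dropped = 0

    def receive(self, seg: Segment, now: float):
        # purge entries whose timer has run out
        self.half_open = {k: v for k, v in self.half_open.items() if v[1] > now}
        key = (seg.src, seg.sport)
        if seg.syn and not seg.ack_flag:
            if len(self.half_open) >= self.backlog:
                self.dropped += 1
                return None                      # queue full: SYN silently dropped
            our_seq = secrets.randbelow(2**32)
            self.half_open[key] = (our_seq, now + self.timeout)
            return Segment("server", 80, our_seq, seg.seq + 1, syn=True, ack_flag=True)
        if seg.ack_flag and key in self.half_open:
            our_seq, _ = self.half_open.pop(key)
            if seg.ack == our_seq + 1:
                self.established.add(key)
        return None


class SynCookieListener:
    """Stateless alternative (Bernstein, 1996): the server's initial sequence
    number is a MAC over the client's address, port, ISN and a time slot.
    Nothing is stored for a half-open connection; a final ACK carrying
    cookie + 1 proves the client really received the SYN-ACK."""

    def __init__(self):
        self.key = secrets.token_bytes(16)   # per-server secret
        self.established = set()

    def cookie(self, src: str, sport: int, client_isn: int, slot: int) -> int:
        msg = f"{src}:{sport}:{client_isn}:{slot}".encode()
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:4], "big")

    def receive(self, seg: Segment, now: float):
        slot = int(now) // 60
        if seg.syn and not seg.ack_flag:
            c = self.cookie(seg.src, seg.sport, seg.seq, slot)
            return Segment("server", 80, c, seg.seq + 1, syn=True, ack_flag=True)
        if seg.ack_flag:
            client_isn = seg.seq - 1             # the third packet carries ISN + 1
            for s in (slot, slot - 1):           # tolerate a slot boundary
                if seg.ack == self.cookie(seg.src, seg.sport, client_isn, s) + 1:
                    self.established.add((seg.src, seg.sport))
                    break
        return None


def flood_then_connect(listener, spoofed_syns: int = 1000, delay: float = 1.0) -> bool:
    """Fire `spoofed_syns` SYNs from forged source addresses at t=0, then let a
    legitimate client start its handshake `delay` seconds later. Returns
    whether the legitimate connection was established."""
    for i in range(spoofed_syns):
        forged_src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # constructed
        listener.receive(Segment(forged_src, 40000 + i, seq=i, syn=True), now=0.0)
    client = ("192.0.2.7", 51234)
    synack = listener.receive(Segment(*client, seq=777, syn=True), now=delay)
    if synack is None:
        return False
    listener.receive(Segment(*client, seq=778, ack=synack.seq + 1, ack_flag=True), now=delay + 0.1)
    return client in listener.established
```

Against the classic listener the legitimate client only gets through once the 45-second timers have expired; against the cookie listener it gets through immediately, because the forged SYNs consumed nothing but the bandwidth of a SYN-ACK each.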

TEARDROP

In order to understand how a teardrop attack is used against a system, you must first understand the purpose of the fragment offset field and the length field within the IP header. If a router receives a datagram that is too large for the MTU of the next link, it must fragment the data before passing it along. The fragment offset field (counted in 8-byte units) is used along with the length field so that the receiving system can reassemble the datagram in the correct order. When a fragment offset value of zero is received, the receiving system assumes either that this is the first fragment or that fragmentation has not been used. If fragmentation has occurred, the receiving system uses the offset to determine where the data within each fragment should be placed when rebuilding the datagram.

A teardrop attack starts by sending a normal fragment with a normal-size payload and a fragment offset of 0. From the initial fragment, a teardrop attack is indistinguishable from a normal data transfer. Subsequent fragments, however, have modified fragment offset and length fields, and this ensuing traffic is what crashes the target system. When the second fragment is received, the fragment offset is consulted to see where within the datagram this information should be placed. In a teardrop attack, the offset on the second fragment claims that this information belongs somewhere within the first fragment. When the payload length is checked, the receiving system finds that this data is not even large enough to extend past the end of the first fragment; it is fully contained inside it. Since this was not an error condition that anyone expected, there was no code to handle it: the reassembly routine computed the length of the non-overlapping part as (end of new fragment) minus (end of previous fragment), which is negative, and passed it to a copy routine as an unsigned length, overflowing the reassembly buffer and crashing the receiving system. For some operating systems, only one malformed packet is required. Others will not crash unless multiple malformed packets are received. http://webopedia.internet.com/TERM/D/DoS_attack.html

http://www.winplanet.com/winplanet/reports/561/4/
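Both attacks above, the Ping of Death and Teardrop, are defeated by the same two checks in the reassembly code. The following Python is an added example, not code from the resource list or from any particular IP stack: it shows the negative-length calculation Teardrop triggered, then a strict reassembler that rejects overlapping or gapped fragments and any datagram that would exceed 65,535 bytes. The TEARDROP fragment pair and the ping_of_death_fragments() generator are constructed from the descriptions in the text, not captured traffic.

```python
"""IP fragment reassembly with the checks that defeat Teardrop and the
Ping of Death. Added example, not code from the resource list or from any
real stack. A fragment is modelled as (offset, more_fragments, payload) with
the offset in 8-byte units exactly as the IP header carries it.
"""
MAX_DATAGRAM = 65535     # 16-bit total length field
IP_HEADER_LEN = 20       # minimum header, counted against the total

# Teardrop (constructed): the second fragment claims to sit entirely inside
# the first one, covering bytes 24..28 of a 40-byte first fragment.
TEARDROP = [(0, True, b"\x00" * 40), (3, False, b"\x00" * 4)]


class MalformedFragment(ValueError):
    pass


def naive_copy_len(prev_end: int, frag_start: int, frag_len: int) -> int:
    """The Teardrop bug in miniature: trim the overlap assuming the new
    fragment always extends past the previous one. For TEARDROP the result
    is negative, and a negative length handed to memcpy as an unsigned size
    becomes a gigantic copy."""
    if frag_start < prev_end:
        return frag_len - (prev_end - frag_start)
    return frag_len


def reassemble(fragments) -> bytes:
    """Strict reassembly: fragments must be contiguous, non-overlapping,
    8-byte aligned except the last, and the rebuilt datagram must fit in
    65,535 bytes. Dropping overlaps outright is the conservative choice
    recommended for security (RFC 1858, RFC 8900)."""
    frags = sorted(fragments, key=lambda f: f[0])
    buf = bytearray()
    expected = 0
    for offset8, more, payload in frags:
        start, end = offset8 * 8, offset8 * 8 + len(payload)
        if start != expected or not payload:
            raise MalformedFragment(f"fragment at {start} overlaps or leaves a gap (expected {expected})")
        if more and len(payload) % 8:
            raise MalformedFragment("non-final fragment length is not a multiple of 8")
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            raise MalformedFragment(f"reassembled size {IP_HEADER_LEN + end} exceeds {MAX_DATAGRAM}")
        buf += payload
        expected = end
    if frags and frags[-1][1]:
        raise MalformedFragment("last fragment still has More Fragments set")
    return bytes(buf)


def ping_of_death_fragments(chunk: int = 1480, total: int = 66600):
    """Contiguous, individually well-formed fragments whose payloads add up
    to more than an IP datagram can hold (constructed)."""
    frags = []
    for start in range(0, total, chunk):
        payload = b"\x08" * min(chunk, total - start)
        frags.append((start // 8, start + chunk < total, payload))
    return frags


def rejects(fragments) -> bool:
    """True if the strict reassembler refuses the fragment set."""
    try:
        reassemble(fragments)
    except MalformedFragment:
        return True
    return False
```

The oversize check has to run per fragment, as above, not once after the last fragment arrives: the whole point of the Ping of Death is that the buffer is already overrun by the time the final fragment is in.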


SMURF

A type of network attack in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an IP broadcast address. These are special addresses that deliver a received message to every host on the subnet, so a single PING request to a /24 network can be multiplied up to 254 times. The source address of the request is spoofed to be the address of the attacker's victim.

All the hosts receiving the PING request reply to the victim's address instead of the real sender's. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's T-1 (or even T-3) line with ping replies, bringing the victim's entire Internet service to its knees. The intermediate network whose broadcast address is abused (the “amplifier”) suffers too; routers that do not forward directed broadcasts (the default recommended by RFC 2644) cannot be used as amplifiers.

Smurfing falls under the general category of Denial of Service attacks -- security attacks that don't try to steal information, but instead attempt to disable a computer or network.

Fraggle is a similar attack using UDP (the echo service on port 7) instead of ICMP. http://www.wired.com/news/technology/0,1282,9506,00.html

http://users.quadrunner.com/chuegen/smurf.txt

http://www.oingo.com/topic/83/83237.html
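What a smurf or fraggle looks like from the victim's side, as an added Python example (not code from the resource list): it runs over constructed flow records and flags any /24 whose hosts sent unsolicited echo replies, ICMP or UDP port 7, to one address. The record layout, the threshold and the addresses are assumptions made for the example.

```python
"""Spotting smurf and fraggle reflection traffic at the victim's edge.
Added example, not code from the resource list; the flow records are
constructed. A smurf shows up as ICMP echo replies from many hosts of one
/24 aimed at a single address that never sent them an echo request;
fraggle is the same pattern on UDP port 7 (echo).
"""
from collections import defaultdict
import ipaddress

# Record layout (constructed): (proto, src, dst, a, b)
#   proto "icmp": a = ICMP type, b = code
#   proto "udp":  a = source port, b = destination port


def is_echo_request(rec) -> bool:
    proto, _, _, a, b = rec
    return (proto == "icmp" and a == 8) or (proto == "udp" and b == 7)


def is_echo_reply(rec) -> bool:
    proto, _, _, a, _ = rec
    return (proto == "icmp" and a == 0) or (proto == "udp" and a == 7)


def reflection_report(records, threshold: int = 10) -> dict:
    """Return {(victim, amplifier_net, kind): distinct_amplifier_hosts} for
    every /24 that sent at least `threshold` unsolicited echo replies to one
    address. A reply is solicited if that address sent the replying host a
    request within the same window of records."""
    requested = set()
    for rec in records:
        if is_echo_request(rec):
            requested.add((rec[1], rec[2]))          # (requester, responder)
    amplifiers = defaultdict(set)
    for rec in records:
        if not is_echo_reply(rec):
            continue
        proto, src, dst, _, _ = rec
        if (dst, src) in requested:
            continue                                 # normal ping traffic
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        kind = "smurf" if proto == "icmp" else "fraggle"
        amplifiers[(dst, str(net), kind)].add(src)
    return {k: len(v) for k, v in amplifiers.items() if len(v) >= threshold}


def constructed_records():
    """Sample traffic: one legitimate ping exchange, then a smurf from a /24
    that received a forged echo request to its broadcast address, then a
    fraggle from a second /24 via the UDP echo service."""
    recs = [
        ("icmp", "192.0.2.10", "198.51.100.1", 8, 0),    # victim pings a host...
        ("icmp", "198.51.100.1", "192.0.2.10", 0, 0),    # ...and gets a legitimate reply
    ]
    recs += [("icmp", f"203.0.113.{h}", "192.0.2.10", 0, 0) for h in range(1, 201)]
    recs += [("udp", f"198.18.0.{h}", "192.0.2.10", 7, 53000) for h in range(1, 41)]
    return recs
```

The grouping by source /24 is what separates a reflection attack from ordinary scanning noise: many distinct hosts in the same subnet answering the same victim at once is the signature of a single forged broadcast ping.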

TCP Wrapper

TCP Wrapper: the Transmission Control Protocol (TCP) Wrapper software package (tcpd, written by Wietse Venema) monitors incoming network traffic and controls network activity. It is a simple but very effective piece of publicly available software, set up to run whenever certain ports (corresponding to certain services) are connected to. TCP Wrapper provides simple access control list protection, as well as improved logging, for services that are started by the inetd (Unix) program. Despite its name, the TCP Wrapper package supports UDP-based services in addition to TCP-based services.

A simplified summary:

Transmission Control Protocol (TCP) provides reliable virtual circuits for connections across networks using the Internet Protocol (IP). A server machine that wishes to provide a network service listens on a particular TCP port by running a program called a daemon.

A client machine that wishes to make use of a service sends a connection request packet to the port it wishes to use, and a connection for that service is opened.

Each service offers a potential way into the server machine. A client being used by an attacker might try to abuse one of these services. Some of the standard services are:

Simple Mail Transfer Protocol (SMTP) is used by a remote machine to transfer mail to a local machine.

Telnet provides simple terminal access, protected by login.

Finger and whois are ways of getting information about a user or users on a machine.

File Transfer Protocol (FTP) is used to transfer files between servers and clients.

"r" services (rlogin, rsh, rcp, etc.) provide login, remote command execution and copying between machines on the strength of host trust (.rhosts and hosts.equiv) rather than a password.

Information protocols are used to provide services such as gopher, WAIS and the web.

Some of these applications (e.g. telnet) were written in the "good old days" when everyone was honest, and beer cost 5d a pint (5d = five old English pence). Consequently, they have few security features: access is not controlled, and usage is not recorded (logged). http://www.uwindsor.ca/security/TCPWrapper.html

says:

TCP Wrapper is a program which buffers server daemons from internet connections.

With this package you can monitor and filter incoming requests for a number of TCP/IP network services.

A client (in this case telnet) is executed on a remote machine and makes a request for connection to the server. The server has a daemon running which sits and waits for connections. In this case the server daemon is telnetd.

In this case the client telnet connects to the TCP Wrapper daemon. The wrapper determines if the request for connection should be made based on a number of rules defined by the system administrator. If it is deemed that the connection is a valid one, the wrapper executes the telnetd daemon and the person is then allowed to connect (or login into the server in this case).

A TCP wrapper is a program that listens on one or more TCP port(s), carries out verification (against a pre-determined list of authorized IP addresses or host names) and logging, and passes control to the original daemon if the security conditions are satisfied (i.e. ANY OTHER security checking dictated by policy). In this way, the applications can be made accessible to trusted hosts, while denying access to the rest of the world.

Problem. An attacker can make their machine (or some other machine they have gained control of) impersonate a trusted host, either by spoofing the trusted host's IP address or by controlling the reverse DNS for their own address so that it resolves to a trusted name. THEREFORE, the use of TCP wrappers to the exclusion of OTHER security tests (strong authentication, encryption, anti-spoofing filters at the border) represents a vulnerability.
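How tcpd's decision works, and how the forward/reverse DNS consistency check behind its PARANOID handling blunts the impersonation problem just described, as an added Python example (not code from the resource list or from the TCP Wrappers package itself). The hosts.allow and hosts.deny contents, the DNS tables and the client addresses are constructed; the 203.0.113.9 client has a planted PTR record that claims a trusted name, and the forward lookup exposes it. Only a subset of the real client-pattern syntax is implemented.

```python
"""hosts.allow / hosts.deny evaluation in the order tcpd uses, plus the
DNS consistency check behind tcpd's PARANOID handling. Added example, not
code from the resource list or from TCP Wrappers. Rule files, DNS tables and
client addresses are constructed; only the ALL, dotted-prefix, net/mask,
domain-suffix and exact client patterns are implemented.
"""
import ipaddress

# Constructed rule files: "daemon_list : client_list" per line.
HOSTS_ALLOW = """
# first match here grants access
sshd       : 192.168.1.
in.telnetd : 10.0.0.0/255.255.0.0
in.ftpd    : .corp.example
"""
HOSTS_DENY = """
ALL : ALL
"""

# Constructed DNS view. 203.0.113.9 has planted a PTR record that claims a
# trusted name; the forward lookup of that name does not point back at it.
PTR = {"192.168.1.20": "ws20.corp.example", "203.0.113.9": "ws20.corp.example"}
A = {"ws20.corp.example": "192.168.1.20"}


class Spoofed(Exception):
    """Reverse and forward lookups disagree (what tcpd calls PARANOID)."""


def resolve(ip: str):
    """Return the client's hostname, None if it has no PTR record, or raise
    Spoofed when the PTR name does not resolve back to the same address.
    tcpd built with -DPARANOID (the default) drops such clients before it
    consults either table."""
    name = PTR.get(ip)
    if name is None:
        return None
    if A.get(name) != ip:
        raise Spoofed(f"{ip} claims to be {name}")
    return name


def parse_rules(text: str):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.split() for part in line.split(":", 1))
        rules.append((daemons, clients))
    return rules


def client_matches(pattern: str, ip: str, hostname) -> bool:
    if pattern == "ALL":
        return True
    if "/" in pattern:                    # net/mask, e.g. 10.0.0.0/255.255.0.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):             # leading octets, e.g. 192.168.1.
        return ip.startswith(pattern)
    if pattern.startswith("."):           # domain suffix, e.g. .corp.example
        return hostname is not None and hostname.endswith(pattern)
    return pattern == ip or pattern == hostname


def allowed(daemon: str, ip: str, allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """tcpd's decision order: a spoofed client is refused outright; then the
    first matching hosts.allow rule grants; then the first matching
    hosts.deny rule refuses; if neither table matches, access is granted."""
    try:
        hostname = resolve(ip)
    except Spoofed:
        return False
    for table, verdict in ((allow, True), (deny, False)):
        for daemons, clients in parse_rules(table):
            if ("ALL" in daemons or daemon in daemons) and any(
                client_matches(c, ip, hostname) for c in clients
            ):
                return verdict
    return True
```

Two points the example makes concrete: without a catch-all ALL : ALL in hosts.deny the default is to admit, and the DNS check only catches a forged name, not a forged IP address, which is why wrappers remain one layer rather than the whole defence.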

http://ciac.llnl.gov/ciac/ToolsUnixNetSec.html has a list of Network Security Tools including TCP Wrappers: ipacl, logdaemon, portmap, rpcbind, Sara, SATAN, screend, securelib, TCP Wrappers, xinetd.

WARNING: http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html

CERT Advisory CA-99-01 warns that some downloads of the source code for the TCP Wrappers tool (tcpd) were modified by an intruder and contain a Trojan horse. See the advisory and take the necessary precautions: verify the distribution's cryptographic signature or checksum against the values published by the author before building it, and audit any copy obtained during the affected period.

CERT Advisories (the latest one) http://www.cert.org/advisories/

ALSO VERY USEFUL: http://www.sans.org/newlook/home.htm


MODULE 9

BUSINESS CONTINUITY PLANNING & DISASTER RECOVERY PLANNING

http://www.netoffice.u-net.com/bcp.htm
http://www.datavault.co.uk/
http://www.globalcontinuity.com/
http://www.stortek.com/StorageTek/news/nr990127a.html
http://www.comdisco.com
http://www.logisticsbureau.com.au/srvinvmn.htm
http://dr.org/index.htm
http://dr.org/drp-501.html
http://www.drj.com/

BUSINESS CONTINUITY PLAN (figure: components of the plan)

Master Disaster Recovery Plan
Dept Plans
End-User Plans
Communication - Voice & Data
Tech. Platforms - Mainframes, LANs, Distributed Processing

MODULE 10

LAW, INVESTIGATION & ETHICS

HELPFUL POCKET GUIDE – “Best Practices for Seizing Electronic Evidence”: a joint project of the USSS, the International Association of Chiefs of Police (IACP), and the National Institute of Justice. http://www.treas.gov/usss/electronic_evidence.htm

For additional copies send email to: Iacp_manual@usss.treas.gov

Overview statistics - In the 1999 Computer Security Institute/FBI Computer Crime and Security Survey, 57% of respondents reported that they had found actual intrusions into their networks and 26% reported theft of proprietary information. The inc0ident handling entity for the civilian agencies of the U.S. Government, FedCIRC, reported that 130,000 government sites totaling 1,100,000 hosts were subject to attacks in 1998. For the latest go to: http://www.gocsi.com/press/20020407.html

We then cover a brief discussion of computer crime, starting with some statistics on attack scripts available on the Internet.

Then we move on to discuss computer crime, ranging from crimes committed by individuals to those committed by organizations or nations. It includes relatively simple attacks (stealing a password taped under the keyboard) and relatively complex attacks (SYN flooding). It covers one-person crimes and those involving a number of participants.

Computer crimes may include insider as well as outsider attacks. They may involve just one jurisdiction or cross international boundaries.

The main point is that computer crimes are growing into New Crimes, New Criminals and New Complexities.

These statistics come from a report by NIST (National Institute of Standards & Technology) of the U.S. Commerce Dept. Go to: http://www.nist.gov/ . The report is entitled Computer Attacks: What They Are and How to Defend Against Them and is dated May, 1999. The statistics given are a sample of attacks taken from what NIST calls the Global Attack Toolkit (GAT), which includes attack scripts found on high profile Internet Web sites. These scripts are available to the average surfer and, in this usage, provide a database which can serve as a forensic tool and as an attack script search tool for information security people.

There are many lists of the types of computer crime.

Generally, there are 2 categories of computer crime: using a computer to accomplish crime (computer-related white collar crime) and crime against the computer (theft of services, unauthorized access, denial of service, etc).

BREACHES OF PHYSICAL SECURITY is the 1st category. It involves ways by which physical security is inadequate or can be subverted.

DUMPSTER DIVING is looking in trash containers or other locations where important information may be thrown away as garbage or recyclables. There have been many computer crime incidents where someone was able to get an operations manual, password lists or other important information and use that to penetrate systems.

Take a look at this individual and his web site dedicated to the topic: http://www.phonelosers.org/dd.html

WIRETAPPING is as stated, except that it applies to radio frequencies, Internet channels, FM sidebands and the countless other ways that information is communicated today, as well as to wires. Wiretapping can occur even if there is physical security within an organization, since the nodes or links through which the message passes can be attacked outside the organization.

Obviously a very sensitive subject: http://civilliberty.about.com/newsissues/civilliberty/cs/wiretapping/index.htm?iam=mt&terms=wiretapping

EAVESDROPPING ON EMANATIONS is the gathering of electronic signals which some machines give off and which, some say, can be captured with inexpensive equipment.

Because of the potential to capture emanations and reconstruct messages from them, the U.S. Government developed a program called TEMPEST, which required special shielding and other protections on equipment, resulting in TEMPEST equipment costing around 3 times as much as non-TEMPEST equipment. In recent years, the Government has relaxed TEMPEST requirements, which seems to indicate that the threat is less than thought, or that …. (fill in the blank).

Still in business…. http://www.tempest-inc.com/

DENIAL OR DEGRADATION is closing off information processing by various means, including SYN flooding and other acts that affect organizations. Usually construed as Denial of Service (DoS) or Distributed Denial of Service (DDoS).

A very resourceful site: http://staff.washington.edu/dittrich/misc/ddos/

BREACHES OF PERSONNEL SECURITY include ways that people can gain unauthorized access to information.


A useful start: http://www.oreilly.com/catalog/crime/chapter/cri_02.html#18248

MASQUERADING is pretending that you are an authorized person in order to gain access to what that person has legitimate access to.

See above:

SOCIAL ENGINEERING includes ways to “fake out” someone so that they will reveal sensitive information such as passwords or connect a person to an outside line, allowing them to sell phone service. It is a skillful way to use knowledge of an organization against the organization.

See above:

HARASSMENT is posting malicious messages about someone or a continued onslaught of hang ups or even false virus alerts to create havoc

See above:

BREACHES OF COMM. AND DATA SECURITY includes:

1. DATA ATTACKS are ways to penetrate files or to make unauthorized changes. An interesting paper: http://www.terra-networks.com/Library/paperF1.htm

2. SOFTWARE ATTACKS include viruses and other ways to impact software. Another interesting but lengthy article: http://www.av.ibm.com/Papers/Smoke/smoke.html

3. BREACHES OF OPERATIONS SECURITY, which include going around access controls. A good site to visit: http://www.cerias.purdue.edu/coast/coast.html

4. DATA DIDDLING is changing information. Here's a scary document. Look at methods and tools of attack #3. http://www.law.berkeley.edu/journals/btlj/articles/14_2/Lee/html/text.html

5. IP SPOOFING is pretending to be an authorized IP address and thus gaining access to a system. You might want to bookmark this site for future definitions. http://webopedia.internet.com/TERM/I/IP_spoofing.html

6. PASSWORD SNIFFING is collecting passwords as they go across communication lines (in the clear, as telnet, FTP and POP send them) and then using the passwords to penetrate systems. Good tutorial. Lots more forward and backward. http://www.ceas.rochester.edu:8080/CNG/docs/Security/node8.html

7. EXCESS PRIVILEGES is gaining supervisory level access. http://www.dandy.net/oracat/websec/chapter/ch01.html

EQUITY FUNDING was one of the 1st examples of computer crime. In the early 1970s (the fraud was exposed in 1973), Equity Funding Corporation executives were found to be using a computer to create false insurance policies which increased the value of their company. Because auditors audited around the computer rather than through the computer, the illegal scheme went on. As a result of this crime, the field of EDP auditing developed so that auditors could understand computer controls and help to prevent computer crimes.

Interesting review: http://www.scripophily.net/scripophily/equityfindo.html

414 GANG were a group of teenagers in Milwaukee, Wisconsin (area code 414) who used a demon dialer to randomly call around North America and, when they received a modem tone, guessed passwords. Using this simple routine, they were able to get into a cancer hospital, a corporation, a government facility, etc. When their exploits hit the news in 1983, hackers became known to the public and the danger of penetrations became a big topic of concern.

Great stuff BUT you will have to read a bit into the story to find the 414 references. http://home.c2i.net/nirgendwo/cdne/ch4web.htm

KEVIN MITNICK is one of the most famous crackers (dangerous and destructive hackers). He became known when he penetrated Digital Equipment Corporation's worldwide network, broke into the system of a well-known computer security expert (Tsutomu Shimomura) and carried out other exploits which got him applause in the hacker community.

There is even a web site dedicated to this crook: http://www.gulker.com/ra/hack/

CUCKOO'S EGG is the name of the book written by Cliff Stoll. He was an astrophysicist at Lawrence Berkeley Laboratory when he was assigned to be a part-time computer security person. He discovered a 75 cent accounting error in a supposedly unused account and, in investigating it, found a group of people who were gaining unauthorized access to U.S. military and government systems. He tried to get the attention of the FBI, CIA and other government agencies but nobody believed him. He then set a trap for the perpetrators, who were later found to have been Germans spying for the KGB.

Just one of a host of resources: http://www.ercb.com/brief/brief.0059.html

CHAOS COMPUTER CLUB is a famous European group that keeps publicly pointing out the security shortfalls of banks and other major corporations. They also distribute information on security problems around the Internet.

For what it is worth – it’s a start: http://www.wired.com/news/topstories/0,1287,17082,00.html

INTERNATIONAL ECONOMIC ESPIONAGE is a growing problem involving nations which are using hacker techniques as well as other methods to gain access to sensitive proprietary information. Allies often spy on one another to try to gain competitive advantage in the global economy.

A good reference: http://www.usdoj.gov/criminal/cybercrime/tejassen.htm

INTERNET WORM was the disruption of a large part of the Internet in November 1988 by Robert T. Morris, who released a worm (though it is often called a virus) that spread far faster than intended. It showed the vulnerability of the Internet and of society, and resulted in the first successful prosecution under the major U.S. federal computer crime law, the Computer Fraud and Abuse Act of 1986.

Looks like an interesting book: http://sunland.gsfc.nasa.gov/info/guide/The_Internet_Worm.html

MELISSA VIRUS & MALICIOUS CODE . New dangerous attacks. http://www.cert.org/advisories/CA-1999-04.html

Difficult to assess the amount of computer crime because most goes unreported.

Chart also mentions some of the problems in getting a handle on computer crime.

Major point is that computer crime has grown into a serious problem and is no longer just a nuisance or just a problem in developed nations. These crimes are really the “computerization” of traditional financial/economic/white collar crimes. Many of the attacks are low tech, such as social engineering, where someone talks their way into obtaining passwords, as well as high tech. It is important to note that laws often develop after technology develops and, given the speed of technological change, the law is not always able to respond adequately.

INFORMATION WARFARE is the name given to how nations can target an adversary nation by attacking electrical, power, computer, communications and other important infrastructures. Internet sites for some information on this include http://www.ciao.gov


Hackers try to learn everything they can about computers. Crackers is the term used for the more destructive, negative hackers who do damage while hackers can be used as a term for those who operate within certain limits of non-damage, etc. Sometimes it is hard to tell one from the other but also a mistake to see them all as the same. http://www.enteract.com/~lspitz/pubs.html

Computer crime differs from other types of crimes as discussed in this and the following charts. In this chart, we look at the new criminals, which include the types listed.

The major point is that there are quite different legal systems which differ on the rights of the accused, the role of the judge, the nature of evidence, and other essential legal concepts. While we try to be international in our discussions of computer crimes and laws, U.S. laws will be discussed in some detail since they were often the first laws on a particular criminal activity and/or they are instrumental in other nation’s law development.

Note that this Civil law (sometimes aka Napoleonic Law) should not be confused with the Civil (or tort) laws found in the U.S., which we will discuss in a moment.

Some definitions: Don’t overlook that Napoleonic Law is the legal system in Quebec, Canada and Louisiana. http://www.fast-times.com/political/dictN20.html

With much more computer crime crossing international borders, sometimes there are vast differences between the legal system of the nation where the attack came from and the nation where the attack caused the damage. This can lead to international disputes.

Discussion of US civil law, also called tort law. It involves individuals and organizations, with the government not involved in the direct way it is as in criminal cases. This page contains some of the conditions found in US civil law cases. Note how the punishments in a civil suit differ from those in a criminal case. Think of the OJ Simpson scenario as an example of the differences between criminal and civil punishments.

Compensatory damages include: Actual damages to the victim, i.e., attorneys fees, lost profits, investigation costs.

Punitive damages include: those set by jury to punish the offender.

Statutory damages include those damages determined by law to which the violation entitles the victim.

Note that computer crime (as some people define it) is only one of the issues that is covered, e.g., child porn is not specifically a computer crime but the Internet allows it to be distributed and thus this falls under a computer crime activity.

As of Oct. of 1998, these legal principles apply and the result is that questions have been raised about whether a multi-national corporation with headquarters in the U.S. can receive privacy-type information from within the European Union even though it belongs to the corporation. Since the U.S. laws are less adequate in protecting privacy than are the E.U. laws, privacy laws may limit distribution outside of the E.U.


Several privacy issues will be discussed on the next few pages. The first is worker monitoring, which has increasingly been a problem. The ways of monitoring noted have expanded with computerization. One question is how much is too much, even if this is within the legal rights of employers?

On a follow-up slide, there is discussion of how monitoring is structured to be done in a legal manner. Then there is a discussion of e-mail privacy, which was a hot topic just a few years ago but now seems to have become less of a public issue, maybe because it is so prevalent.

Then there is a discussion of the type of keystroke monitoring legal in U.S. Government agencies. This is from the Dept. of Justice as is the banner found on the next pages. The banner was suggested as an appropriate way to inform visitors and employees that monitoring is happening.

Note that there are other ways to protect privacy. For example, IBM has said that it will not advertise with a company which does not have clear and acceptable privacy policies and practices. E-Trust is an organization funded by major companies that evaluates the policy statements and practices of Web sites. The CPAs in the U.S. have also indicated that they will audit and then provide a seal of approval for sites which have developed privacy statements.

A study by Ann Branscomb from Harvard developed a way to indicate how the various states in the U.S. established computer crime laws. It has been expanded to a more general focus on how nations emphasize particular issues as they develop laws against computer crimes. In essence, governments can choose one or more of the above as a means to develop computer crime laws.

Privacy Act based on how to protect privacy of citizens from the growing use of technology

Privacy Act: http://www.doc.gov/ecommerce/privacy.htm

Foreign Corrupt Practices Act was created after bribes from U.S. aircraft manufacturers were given to foreign officials. In order to prevent this, the FCPA requires that all financial transactions of a corporation are so well controlled that if a bribe was given, the senior executives would find it and stop it, since such bribes are against U.S. law.

Foreign Corrupt Practices Act: http://www.ljx.com/practice/intrade/0521fcpa.html

Crime Control Act was as stated on slide

Medical Computer Crime Act as stated on slide. Note that it was the result of the 414 gang mentioned earlier, where teenagers broke into systems, including the Sloan Kettering Cancer Hospital in NYC.

Many nations have seen how U.S. laws have and have not worked and have then developed their own laws as part of the war against computer crime.


This is the major federal law. It is Title 18, United States Code, Section 1030, the Computer Fraud & Abuse Act. It covers using a computer to defraud others using a “Federal Interest” computer.

“Federal interest computer” is one where U.S. federal money or information is involved, whether that includes the purchase of the computer, the penetration of federal information, etc.

It also includes crimes where 2 or more states are involved in where the crime was committed or where the victim was located; computers used exclusively by the U.S. or a financial institution; and computers used partly by the U.S. or a financial institution where the attack affected the operation of that computer. It also covers using a computer in interstate commerce or communications (covering 2 or more states in the nation). Example: a PC in NY steals info from a mainframe in TX to commit fraud.

Federal Sentencing Guidelines are put out by the U.S. Sentencing Commission. The Guidelines cover how individuals found guilty of breaking federal law, and organizations, such as corporations, found guilty of breaking federal law or gaining from such breaking of law, can be punished in an equitable and just way. For organizations, this means that the more that they attempt to protect, detect, and report crimes, the lower the punishment.

Senior executives are charged with the responsibility to make sure that their organizations are in compliance with the law. If not, the punishments can reach $290 million and federal probation for the organization. Since 1997, computer-related crimes fall under the Guidelines. For an analysis, you can point the group to the Sherizen paper on how the Guidelines relate to information security, which can be found under publications on this website: http://www.computercrimestop.com .

NISPA is the start of seeking answers to how vulnerable the infrastructures of a nation (gas and oil, telecommunications, transportation, etc.) are, since they are often dependent upon vulnerable computerized commands and controls. Points to the vulnerability of nations to attacks against their infrastructures.

Protects all U.S. Government computers even if not used in interstate commerce, refers to computers used in foreign commerce (not just interstate) and punishes trespassers who recklessly cause damage.

This is the Canadian law regarding computer crimes. Offenses punishable by up to 10 years in prison for: http://rr.sans.org/country/canadian_leg.php

Unauthorized obtaining computer service

Unauthorized interception of any function of a computer system

Use of computer system to commit offense

Mischief committed by willfully:

Destroying or altering data

Rendering data useless

Obstructing lawful use of data

Obstructing authorized access to data

Topics covered in this recommendation include:

Search and seizure


Technical surveillance

Obligations to cooperate with the investigating authorities

Electronic evidence

Use of encryption

Research, statistics and training

International cooperation

Violations of law, for example, can stem from the Foreign Corrupt Practices Act (1977) which amended the Federal Securities & Exchange Act of 1934. It specifies that:

Transactions be authorized

Transactions be recorded for financial statements

Access to assets be authorized

Assets be reconciled

Corporate executives are personally liable

FBI http://www.fbi.gov/scitech.htm

Secret Service http://www.treas.gov/usss

CSI http://www.gocsi.org

Euro http://www.europa.eu.int/index.htm

UN http://www.ifs.univie.ac.at/~uncjin/uncjust.htm

Intellectual Law http://www.cyber.harvard.edu

Computer Crime Law http://www.usdoj.gov/criminal/cybercrime/index.html

Avoid threats - or similar pressure because the court may refuse to accept evidence secured by force or intimidation.

Written statement - time & discussions with other witnesses can affect memory so get statements in writing asap. If statements are prepared by the investigator, for the witness to sign, make frequent typos so witness will make & initial corrections, thereby avoiding the witness claiming words were added above his signature.

Computer generated storage records are not strictly evidence (i.e., a printout shows the state of the HD at the time of printing) unless authenticated by the custodian or other qualified witness who has custody of the records on a regular basis, regularly relies on the records, or knows they’re prepared during the regular course of business.

Visual/audio - during the event could be security cameras, recordings of conversations, etc. After event they could be films of the scene or the physical workings of the computer system. These need to be authenticated by witnesses as to how, when, & where they were created.

Evidence protection against tampering, corruption, deterioration, etc. is necessary so it must be kept in locked storage under the care of a responsible custodian.

Hearsay - evidence based not on personal knowledge but what was told to the witness is inadmissible. This is a U.S. legal concept but may have counterparts in other nations.


It points out the problems of relying upon computerized records since, without adequate protection, those records can be manipulated, changed, destroyed or in other ways made invalid for acceptance in a court.

There are exceptions to the hearsay rule for computer generated information.

An exception to the hearsay rule is when it can be proven that business documents were created at or near the time by, or from information transmitted by, (a) a person with knowledge, (b) kept in the course of regularly conducted business, (c) as a regular practice of that business and (d) shown by testimony of the custodian or other qualified witness.

Documents must be created at or near the time of the incident being investigated.

Vouched for by persons with knowledge of their creation & use. They must be kept in the normal course of business, not generated for the investigation. They must be entered into evidence in court by testimony of the custodian or other qualified witness

This can be shown by a memory or disk dump which shows what was there at the time of the dump rather than that the info is accurate.

As suspects are identified, specific action taken depends on who they are and what level they are in the organization.

Suspect checklist - things to look at to best identify suspects.

Motives can sometimes be obtained from a review of personal records to identify a grudge; someone recently fired, punished, or having financial problems; a change in the standard of living; etc.

Means (Ability) addresses the technical know-how to commit the crime. Opportunity - access to the system, etc.

Motive, means (ability) & opportunity are the 3 key elements possessed by the best suspects.

Vacation history - fraud suspects, in particular, don’t take much.

Prior employment - records of recent hires might uncover a motive.

Possible witnesses include victim coworkers, system administrators, other users, & persons nearby.

Sources of evidence include the collection of physical evidence (coordinate this activity with legal representatives) which might be: source documents, source/object code, console logs, system documentation, logs & audit tapes/files, etc.

Note that if the law enforcement is called in too early in a case, they take over the case and their rules of evidence and protection of civil liberties apply. On the other hand, if they are called in too late in a case, they may not be interested or able to do much, since your organization may have destroyed evidence or in other ways lost the case.


Best thing is to make contact with law enforcement before incidents happen and find out what types of cases they cover, what are the losses that must be shown in order to be of interest to the law, etc.

Infrastructure http://www.ciao.gov

COAST/CERIAS http://www.cerias.purdue/edu

Hitech Crime Investigation http://www.htcia.org

CERT http://www.cert.org

FIRST http://www.first.org

Nat. Law Enforcement http://www.nlectc.org

The web site for the International Computer Security Association (which used to be the National Computer Security Association) is http://www.icsa.net

The Resource Guide can be requested from the ICSA. Peter Tippett, who contributed to this section of the module, is President of that organization.

The Computer Ethics Institute - http://www.brook.edu/ITS/CEI/CEI_HP.HTM

Computer Ethics Institute, 11 Dupont Circle, NW

Suite 900 Washington DC 20036

Ph: 202-939-3707 Fx: 202-797-7806

PLEASE SEE THEIR WEBSITE AT http://www.cpsr.org

http://www.cpsr.org/program/ethics/cei.html

Ten Commandments of Computer Ethics.

ISSA http://www.issa-intl.org

EFF http://www.eff.org

Ethics Update http://www.ethics.acusd.edu/index.html

(ISC)2 http://www.ISC2.org

Sanford Sherizen, PhD http://www.computercrimestop.com/

MORE REFERENCES:

NOTE: The following links have been provided to future CBK courses by your predecessors… The unspoken rule is that you too will have an opportunity to contribute to future CBK content once you achieve CISSP status… WELCOME ABOARD!!

Internet Engineering Task Force (IETF) Request For Comments (RFC’s) can be found at: http://www.cis.ohio-state.edu/htbin/rfc/INDEX.rfc.html


Your ISC2 Instructor Team…. The following references have been compiled by Rob Slade, one of the ISC2 Instructor team… It will be updated as time allows…..

a comparison of the various CISSP guides, at: http://victoria.tc.ca/techrev/mnbkscci.htm or http://sun.soci.niu.edu/~rslade/mnbkscci.htm

a list of books and resources by domain, at: http://victoria.tc.ca/techrev/mnbksccd.htm or http://sun.soci.niu.edu/~rslade/mnbksccd.htm

a glossary of security terms, at: http://victoria.tc.ca/techrev/secgloss.htm or http://sun.soci.niu.edu/~rslade/secgloss.htm


29 sample Q&A : Sample questions from InfoSecurity magazine http://www.infosecuritymag.com/oct99/sampleexam.htm

Biba Link : A paper on the Biba model in PDF format http://seclab.cs.ucdavis.edu/arpa/LaSCO/slides/seminar.970603.extra-slides.pdf

Ethics and the Internet : RFC 1087: Ethics and the Internet http://rfc.fh-koeln.de/rfc/html/rfc1087.html

Forensic Tool : Wietse Venema/Dan Farmer's forensics information, program, etc. http://www.porcupine.org/forensics/

Hacking Exposed : Link for the book (lots of useful links and scripts) http://www.hackingexposed.com/

Moron's guide to Kerberos : Moron's guide to Kerberos (His title, not mine) http://www.isi.edu/~brian/security/kerberos.html

NIST: Policies and Publications : Lots of useful background material http://csrc.nist.gov/policies/welcome.html

Network World Newsletters : E-mail subscription form for a number of network info including security http://www.nwwsubscribe.com/foc54/ javed.ikbal@f...

brian.gadbois@g...

Sample questions from the SRV books : http://www.cissps.com/Cissp_Exam/Practice/practice.html

Sandy Sherizen's Web site : http://www.computercrimestop.com/

Searching & Seizing Computers : Federal Guidelines http://www.cybercrime.gov/searching.html

SecurityFocus : Info security information site http://www.securityfocus.com

The RAINBOW series : DoD Guidelines on computer security http://www.radium.ncsc.mil/tpep/library/rainbow/index.html

Various attacks: Names and explanations : Extremely useful resource if you are running/considering an IDS http://www.networkice.com/advice/Intrusions/default.htm

Web Security FAQs : List of 101 questions and answers on web security http://www.w3.org/Security/faq/www-security-faq.html

alex.popowycz@f...

AND, from the DynCorp Class: A discussion about the BEOWOLF UNIX PROJECT…. http://www.beowulf.org/ http://www.beowulf.org/intro.html

A great STUDY SITE for Info Security topics related to DATABASE DESIGN: http://www.wi-inf.uni-essen.de/~ifs/summerschool/


READING LIST (contributed by Jim Blake, CISSP, 11/02/2000)

This list was compiled from recommendations forwarded to me by many CISSPs in response to my query on the CISSP Forum on 09/20/2000. I appreciate all the recommendations and suggestions and thank all who took the time and effort to contribute. This is by no means a complete reading list of security related material, but should be more than adequate to get started. I’ve included information on the author(s), the ISBN and the cost at Amazon ( http://www.amazon.com/ ), Barnes & Noble ( http://www.bn.com/ ) and CRC Press ( http://www.crcpress.com/ ), when available. The comments in parentheses are from those who forwarded the title(s). Along with the security titles some of the contributors added some less technical and fiction books that they found interesting. I’ve kept them on the list for everyone’s consideration.

Fighting Computer Crime: A New Framework for Protecting Information; Donn Parker, August 1998, ISBN: 0471163783; $31.99 in www.amazon.com & www.bn.com

Practical Unix and Internet Security, 2nd Edition; Simson Garfinkel & Gene Spafford, April 1996, ISBN: 1565921488; $31.96 on www.amazon.com & www.bn.com (Also recommend all O’Reilly Security books)

Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition; Bruce Schneier, October 1995; ISBN: 0471117099; $43.96 on www.amazon.com & www.bn.com

Secrets and Lies: Digital Security in a Networked World; Bruce Schneier; August 2000; ISBN: 0471253111; $23.99 on www.amazon.com & www.bn.com

TCP/IP Illustrated: The Protocols, Volume 1; W. Richard Stevens; November 1993; ISBN: 0201633469; $65.95 on www.amazon.com & www.bn.com (There are also Volumes II & III)

TCP/IP Illustrated: The Implementation, Volume 2; Gary Wright & W. Richard Stevens; October 1994; ISBN: 020163354X; $65.95 on www.bn.com & www.amazon.com. (The programmer's accompaniment to the excellent Volume 1 title. Valuable for troubleshooting and understanding interaction between the network and application layers)

UNIX System Administration Handbook, 3rd Edition; Evi Nemeth, Garth Snyder & Trent Hein; July 2000; ISBN: 0130206016; $68.00 on www.amazon.com & www.bn.com

UNIX in a Nutshell, 3rd Edition; Arnold Robbins; August 1999; ISBN: 1565924274; $1996 on www.amazon.com & www.bn.com (For any UNIX commands you forget.)

DNS and BIND, 3rd Edition: Cricket Liu, Paul Albitz, Mike Loukides; September 1998; ISBN: 1565925122; $30.36 on www.amazon.com & www.bn.com (If you ever need a secure BIND implementation.)


Sendmail, 2nd Edition; Bryan Costales, Eric Allman; January 1997; ISBN: 1565922220; $35.96 on www.amazon.com & www.bn.com (If you ever need to secure a Sendmail server there is a lot of good stuff in here.)

Hacking Exposed, 2nd Edition; Stuart McClure, Joel Scambray, George Kurtz; October 2000; ISBN: 0072127481; $31.99 on www.amazon.com & www.bn.com. (An update from the original)

Web Security – A Step-by-Step Reference Guide, Lincoln Stein; December 1997; ISBN: 0201634899; $23.96 on www.amazon.com & www.bn.com

Web Security Sourcebook, Aviel Rubin, Daniel Geer, Marcus Ranum; June 1997; ISBN: 047118148X; $31.99 on www.amazon.com & $39.99 on www.bn.com

Network Intrusion Detection: An Analyst's Handbook, 2nd Edition; Stephen Northcutt, Judy Novak; September 2000; ISBN: 0735710082; $36.00 on www.amazon.com & www.bn.com

Building Internet Firewalls, 2nd Edition; Elizabeth Zwicky, Brent Chapman, Simon Cooper; June 2000; ISBN: 1565928717; $35.96 on www.amazon.com & www.bn.com

Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition; William Cheswick & Steven Bellovin; February 2001; ISBN: 020163466X; $36.95 on www.amazon.com (This will be published in February 2001 and at the present time is not on the Barnes & Noble web site)

Understanding Public-Key Infrastructure: Concepts, Standards & Deployment Considerations; Carlisle Adams & Steve Lloyd; November 1999; ISBN: 157870166X; $50.00 on www.amazon.com & www.bn.com

e-counsel: The Executive's Legal Guide to Electronic Commerce; Robinson & Cole LLP; June 2000; ISBN 0970016603; $39.95 on www.amazon.com

One contributor suggested instead of Schneier you could also try:

Handbook of Applied Cryptography; Alfred Menezes, Paul van Oorschot, Scott Vanstone; October 1996; ISBN: 0849385237; $84.95 on www.amazon.com & www.crcpress.com and $94.95 on www.bn.com (a very comprehensive book)

Cryptography and Network Security: Principles and Practice; William Stallings; June 1998; ISBN: 0138690170; $73.75 on www.bn.com, $74.00 on www.amazon.com.

Primality and Cryptography; Evangelos Kranakis. This book is out of print but may be available on the used book market. (If you are mentally ill or a math genius)


Cryptology; Albrecht Beutelspacher; April 1994; ISBN: 0883855046; $47.75 on www.bn.com; $35.95 on www.amazon.com. (Super easy reading to get you to understand cryptography)

Maximum Linux Security: A Hacker’s Guide to Protecting Your Linux Server and Workstation; Anonymous; September 1999; ISBN: 0672316706; $31.99 on www.bn.com and www.amazon.com. (Security from the distributed hosts' perspective; highlights a lot of common system holes)

Blueprints for High Availability: Designing Resilient Distributed Systems; Evan Marcus & Hal Stern; January 2000; ISBN: 0471356018; $34.99 on www.amazon.com. (A good title focusing on designing uninterruptible services. Very host/service-centric; weak on network fault tolerance)

Designing Network Security; Merike Kaeo; May 1999; ISBN: 1578700434; $45.00 on www.bn.com & $50.00 on www.amazon.com. (Good overall intro; moderate depth; many Cisco-specific examples)

Hack Proofing Your Network: Internet Tradecraft; Ryan Russell; July 2000; ISBN: 1928994156; $39.96 on www.bn.com & www.amazon.com. ("Hacker" title; good stuff (esp. buffer overflows); specific exploit examples; sadly lacking DoS content)

Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet; Eoghan Casey; January 2000; ISBN: 012162885X; $69.95 on www.bn.com & www.amazon.com. (Discusses several topics for investigators and forensics; moderately beneficial to a general practitioner)

The Process of Network Security: Designing and Managing a Safe Network; Thomas Wadlow; October 1999; ISBN: 0201433176; $34.95 on www.bn.com & www.amazon.com. (Good content on approaching security as an overall process, with good examples. Written by the founder of Pilot Network Services, a security outsourcing firm)

Network Intrusion Detection: An Analyst’s Handbook, 2nd Edition; Stephen Northcutt & Judy Novak; September 2000; ISBN: 0735710082; $36.00 on www.bn.com & www.amazon.com. (Like the title says; good content, but may be redundant if you have much SANS material (he chairs [?] the SANS group on IDS and IR))

Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program; Gerald Kovacich; May 1998; ISBN: 0750698969; $36.95 on www.bn.com & www.amazon.com. (Focused on defining and establishing a policy)

Defending Your Digital Assets Against Hackers, Crackers, Spies and Thieves, 1st Edition; Randall Nichols, et al; December 1999; ISBN: 0072122854; $44.00 on www.bn.com, $39.99 on www.amazon.com. (RSA press book; initial look-see is positive, but still in my to-read pile).

The entire collection of SANS guides on Intrusion Detection / Incident Response, as well as their set for securing NT and Unix systems. Go to: ( http://www.sans.org ).

And some less technical titles and fiction:

Takedown (Tsutomu Shimomura); (a sensationalized account of Kevin Mitnick's breach of Shimomura's systems and subsequent capture. Accounts of the break-in (blind spoofing attack) are interesting; most of the rest is an autobiographical ego trip.).

Masters of Deception (Michelle Slatalla) - accounts of earlier hacker / phreaker activities.

The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen (Johnathan Littman) - an account of Kevin Poulsen's wrongdoings.

Cybershock (Winn Schwartau) - a look at the hacking problem as a whole, including social and political issues.

Fiction:

The Moon is a Harsh Mistress by Robert Heinlein.

When H.A.R.L.I.E. was One by David Gerrold (Out of print but available).

SoftWar by Thierry Breton & Denis Beneich (Out of print but available).

Terminal Compromise by Winn Schwartau (Out of print but available).

The Minotaur by Stephen Coonts.

Cryptonomicon by Neal Stephenson.

Snow Crash, Neal Stephenson.

The Long Run, Daniel Keyes Moran (Out of print and highly sought after).

Neuromancer (and the sequels), William Gibson.

Islands in the Net, Bruce Sterling.

The Shockwave Rider, John Brunner (the precursor to the 80's Cyberpunk).


INTERESTING REFLECTIONS:

Islands in the Clickstream: http://www.thiemeworks.com . Islands in the Clickstream is an intermittent column written by Richard Thieme exploring social and cultural dimensions of computer technology and the ultimate concerns of our lives.

DEFINITIONS:

Polymorphism

In object-oriented programming, polymorphism (from the Greek meaning "having multiple forms") is the characteristic of being able to assign a different meaning to a particular symbol or "operator" in different contexts.

For example, the plus sign (+) can operate on two objects such that it adds them together (perhaps the most common form of the + operation) or, as in boolean searching, a + can indicate a logical "and" (meaning that both words separated by the + operator must be present in order for a citation to be returned). In another context, the + sign could mean an operation to concatenate the two objects or strings of letters on either side of the + sign.

A given operator can also be given yet another meaning when combined with another operator. For example, in the C++ language, a "++" following a variable can mean "increment this value by 1". The meaning of a particular operator is defined as part of a class definition. Since the programmer can create classes, the programmer can also define how operators work for this class of objects; in effect, the programmer can redefine the computing language.

Another example of polymorphism could be the 'object' designed to provide a service, say, printing service. In one instance of the 'print object' the class definition might be related to printing to a laser printer, with the suitable attributes to provide accurate image representation on this device. In another instance, the 'print object' class definition might provide a "print to file" service, which will have different attributes and setup requirements.

A source: Robert Lafore, Object-Oriented Programming in C++, Waite Group Press, Corte Madera, CA, USA, (1995).
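The two forms of polymorphism described above, as an added example that is not from the page or from the Lafore book: the same "+" symbol given an arithmetic meaning for one class and a concatenation meaning for another, and a "print service" interface whose laser-printer and print-to-file implementations carry different attributes behind one call. Class and method names are illustrative choices made here, not taken from any source.

```python
from dataclasses import dataclass
import io


@dataclass(frozen=True)
class Money:
    """Amount in cents; '+' on two Money objects means arithmetic addition."""
    cents: int

    def __add__(self, other: "Money") -> "Money":
        if not isinstance(other, Money):
            return NotImplemented          # refuse to mix unrelated types
        return Money(self.cents + other.cents)


@dataclass(frozen=True)
class Tag:
    """A label fragment; the same '+' symbol means concatenation here."""
    text: str

    def __add__(self, other: "Tag") -> "Tag":
        if not isinstance(other, Tag):
            return NotImplemented
        return Tag(self.text + other.text)


class PrintService:
    """Common interface: callers only know 'render a document'."""

    def render(self, document: str) -> str:
        raise NotImplementedError


class LaserPrinter(PrintService):
    """Instance tuned for a physical device: carries a resolution attribute."""

    def __init__(self, dpi: int = 600) -> None:
        self.dpi = dpi

    def render(self, document: str) -> str:
        return f"[laser {self.dpi}dpi] {document}"


class FilePrinter(PrintService):
    """Instance that 'prints to file': carries a buffer instead of a device."""

    def __init__(self) -> None:
        self.buffer = io.StringIO()

    def render(self, document: str) -> str:
        self.buffer.write(document + "\n")
        return f"[file] wrote {len(document)} chars"


def print_everywhere(document: str, services: list) -> list:
    """Same call on every service; each class supplies its own meaning of render()."""
    return [service.render(document) for service in services]


if __name__ == "__main__":
    print(Money(150) + Money(250))              # Money(cents=400)
    print(Tag("audit-") + Tag("2002"))          # Tag(text='audit-2002')
    print(print_everywhere("quarterly report",
                           [LaserPrinter(), FilePrinter()]))
```

Returning NotImplemented rather than raising keeps Python's operator dispatch intact, so Money + Tag fails with the ordinary TypeError instead of silently producing a mixed object.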

Polyinstantiation:

This is one definition of polyinstantiation related to medical records contained in the above source book. http://ftp.sunet.se/pub/security/docs/nistpubs/800-8.txt


Polyinstantiation is frequently used with mandatory access control database systems to control inference. This section is intended to explain polyinstantiation. Inference, and the application of polyinstantiation for inference control, are described in Section 3.4, Inference.

In the following example, the database is a single relational table. The table contains two columns: Patient name and Disease. The Patient name field is the key for this table.

There are two clearance levels, HIGH and LOW. Two sets of data exist; the first set is the HIGH data (Figure 3) and the second is the LOW data set (Figure 4).

The HIGH data include patients under police guard, such as Jackson, or patients with confidential diseases. The LOW data include all other patients, and perhaps some of the HIGH patients with different data.

When users with LOW security level browse the database, they are only permitted to see the LOW data. If a user wishes to add a LOW record with primary key X, the command is accepted even if a HIGH record exists with that key.

When a user with HIGH security level browses the database, they see all of the HIGH records, as well as the LOW records with a primary key that is not found in the HIGH data. The resulting table is shown in Figure 5. Note that the record for Howard does not appear twice; only the HIGH level record appears.

This feature may be useful in a number of ways. LOW users cannot determine if a HIGH record exists with key Gordon by attempting to create a record and checking for an error message. Dual records could be used, as in the case of Howard, to prevent LOW users from discovering the true nature of Howard's illness. This is intended to prevent disclosure by inference.

In many situations, polyinstantiation may be implemented by a local database security administrator, using only standard features from SQL'89. The above example is easily implemented with two base tables, known only to the security administrator, and a single view available to all other users.

Patient Name | Disease
=========================
Howard | AIDS
Gordon | Syphilis
Jackson | Gun shot

Figure 3. High Data


Patient Name | Disease
=========================
Smith | Lung Cancer
Howard | pneumonia
Jones | 2nd Degree Burns
Hamp | heart failure

Figure 4. Low Data

Patient Name | Disease
=========================
Howard | AIDS
Smith | Lung Cancer
Gordon | Syphilis
Jackson | Gun shot
Jones | 2nd Degree Burns
Hamp | heart failure

Figure 5. High user's view
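The "two base tables and a single view" implementation the text describes, as an added example that is not from the page or from the NIST publication it quotes. It uses Python's built-in sqlite3 module with the sample rows of Figures 3 and 4 (reproduced here as constructed data); table and view names are choices made for this example. A LOW user is granted only the LOW view, a HIGH user only the HIGH view, and a LOW insert of a key that already exists at HIGH succeeds, so the LOW user learns nothing from the result.

```python
import sqlite3

# Constructed sample data reproducing Figure 3 (HIGH) and Figure 4 (LOW).
HIGH_ROWS = [("Howard", "AIDS"), ("Gordon", "Syphilis"), ("Jackson", "Gun shot")]
LOW_ROWS = [("Smith", "Lung Cancer"), ("Howard", "pneumonia"),
            ("Jones", "2nd Degree Burns"), ("Hamp", "heart failure")]

# Two base tables known only to the security administrator, plus one view
# per clearance level. Table and view names are illustrative.
SCHEMA = """
CREATE TABLE patient_high (name TEXT PRIMARY KEY, disease TEXT NOT NULL);
CREATE TABLE patient_low  (name TEXT PRIMARY KEY, disease TEXT NOT NULL);

-- LOW users are granted only this view and never touch the HIGH table.
CREATE VIEW patient_low_view AS
    SELECT name, disease FROM patient_low;

-- HIGH users see every HIGH row plus the LOW rows whose key has no HIGH
-- counterpart; a key present in both tables resolves to the HIGH row,
-- which is why Howard appears once (Figure 5).
CREATE VIEW patient_high_view AS
    SELECT name, disease FROM patient_high
    UNION ALL
    SELECT l.name, l.disease FROM patient_low AS l
    WHERE NOT EXISTS (SELECT 1 FROM patient_high AS h WHERE h.name = l.name);
"""

# Fixed whitelist: the clearance level selects a view name, it is never
# interpolated from user-supplied text.
VIEW_FOR_LEVEL = {"LOW": "patient_low_view", "HIGH": "patient_high_view"}


def build_db() -> sqlite3.Connection:
    """Create the in-memory database and load the two base tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO patient_high VALUES (?, ?)", HIGH_ROWS)
    conn.executemany("INSERT INTO patient_low VALUES (?, ?)", LOW_ROWS)
    conn.commit()
    return conn


def browse(conn: sqlite3.Connection, level: str) -> dict:
    """What a user at the given clearance sees: {patient name: disease}."""
    view = VIEW_FOR_LEVEL[level]          # KeyError for any unknown level
    rows = conn.execute(f"SELECT name, disease FROM {view} ORDER BY name")
    return dict(rows.fetchall())


def low_user_insert(conn: sqlite3.Connection, name: str, disease: str) -> bool:
    """A LOW user's insert goes to the LOW table only.

    It is accepted even when a HIGH row with the same key exists, so the
    LOW user cannot probe for HIGH records by watching for an error. Only a
    duplicate LOW key is rejected, and that fact is already visible to them.
    """
    try:
        conn.execute("INSERT INTO patient_low VALUES (?, ?)", (name, disease))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


if __name__ == "__main__":
    db = build_db()
    print("LOW view: ", browse(db, "LOW"))
    print("HIGH view:", browse(db, "HIGH"))
    # Gordon exists at HIGH; the LOW insert still succeeds and reveals nothing.
    print("LOW insert Gordon:", low_user_insert(db, "Gordon", "flu"))
    print("HIGH still sees:", browse(db, "HIGH")["Gordon"])
```

The NOT EXISTS clause in the HIGH view is what gives HIGH precedence when both levels hold a row for the same key; if the two tables were simply unioned, Howard would appear twice and the LOW cover story would sit beside the real diagnosis.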
