CISSP CBK Review
THIS STUDY GUIDE WAS GREATLY IMPROVED BY HENRY GUZMAN
IN JANUARY 2005
THANKS FOR YOUR CONTRIBUTION
January 2006: Thanks to Intensified for his correction about CSMA/CA being
used on WLAN and NOT CSMA/CD as it was specified. Good catch!!
Access Control
Telecommunications & Network Security
Security Management Practices
Application and System Development
Cryptography
Security Architecture and Models
Operations Security
BCP and DRP
Law, Investigation, and Ethics
Physical Security
Access Control
Access control protects the systems and resources from unauthorized access, and,
usually determines the level of authorization.
Subject - Entity requiring access to an object – user or process. (Active).
Object - Entity to which access is requested – file, process. (Passive).
Access control consists of the following primary areas
Identification
Authentication
Authorization
Accountability
The last three of these are largely comprised of ‘logical access controls’.
Identification
Biometrics Very sophisticated and accurate, but expensive.
Type 1 error Rejection on authorized individuals – false reject rate(FRR)
Type 2 error Acceptance of individual that should be rejected (FAR)
CER Crossover error rate – point at which false acceptance equals false rejection –
expressed as a percentage. Important measurement of biometric system’s accuracy.
The lower the better.
Other barriers to widespread adoption of biometrics include user acceptance, enrollment
time and throughput.
Page 1 of 89
CISSP CBK Review
Collected biometric images are stored in a corpus.
Page 2 of 89
CISSP CBK Review
Effectiveness versus Acceptance of biometric devices
Order of Effectiveness
Palm scan
Hand geometry
Iris scan
Retina pattern
Fingerprint
Voice verification
Facial Recognition
Signature Dynamics
Keystroke Dynamics
Order of Acceptance
Iris scan
Keystroke dynamics
Signature dynamics
Voice verification
Facial recognition
Fingerprint
Palm scan
Hand Geometry
Retina Pattern
Authentication
The three general types of authentication are
Something a person knows.
Something a person has.
Something a person is.
Strong authentication requires two of these three (two-factor authentication).
Passwords
Passwords are the most commonly used, but also considered one of the weakest. A
cognitive passwords is information only you should know, like your mother’s maiden
name.
One-time Passwords
There are two types of one-time password – synchronous and asynchronous. One-time
passwords are usually generated by a token device that communicates with an
authentication service.
Synchronous – Token device synchronizes with authentication server via a time based
or event based synchronization. Token device and auth server share the same secret
key.
Asynchronous – Uses a challenge-response scheme to communication with the
authentication server.
Other authentication mechanisms
Private key – digitally signing a message.
Passphrase – transformed into a virtual password
Memory card – holds information but does not process it. ATM card.
Smart card – capability of processing information.
Authorization
The system knows who you are (authentication) and must now decide if you can carry
out the requested actions. This is where authorization comes into play. Access criteria
is the crux of authorization
Page 3 of 89
CISSP CBK Review
Access criteria types can be broken up into
Roles
Groups
Physical or logical (network) location
Time of day
Transaction type
All access criteria should default to “no access”.
Need to know principle
Management’s job is to determine the “need to know”.
Administrator job is to configure access control and security mechanisms to fullfil the
need to know requirements.
Single Sign-on Mechanisms
Scripting Batch files containing logic details. Insecure. High maintenance recording and
maintaining scripts.
Kerberos
Kerberos is a single sign-on system that uses symmetric key cryptography (DES) and
end to end encryption. Kerberos eliminates the need for transmitting passwords over the
network. In order to implement Kerberos, all software in use me be Kerberos
compatible or, “kerberized”. The components of Kerberos are
KDC Key distribution center. Holds user’s and services’ keys. The foundation of kerberos
is the client and server’s trust in the KDC. The KDC actually consists of a ticket granting
service and authentication server.
Principals Entities requiring KDC services – users, apps or services. The KDC and each
principal share a secret key.
Ticket Tickets are created by the KDC and given to a principle when that principle needs
to authenticate to another principle.
Realm A “realm” is the set of components and principles that the KDC provides services
for.
AS Authentication service – this is part of the KDC.
Kerberos Authentication Process
The client trusts the KDC and the services trust the KDC due to their secret keys. An
overview of the process when a client wan’t to use a service via Kerberos is
The client sends its user id and the name of the requested service to the KDC.
The KDC provides a session key for the client and service to use. One is encrypted with
the user secret key and the other with the service secret key.
Page 4 of 89
CISSP CBK Review
The KDC generates a service ticket containing both session keys. This ticket is sent back
to the client. The user enters their password and if the password is correct, the client
converts it into the necessary key to decrypt the client session key in the ticket.
The client decrypts the client portion of the ticket to get the session key and sends the
ticket on to the service. The service uses its own private key to decrypt the session key.
The user and service are now authenticated to each other and communicate with
encrypted data via the session key.
Secret key Shared between KDC and a principle.
Session key Shared between two principles.
Kerberos weakness
Kerberos has a number of weaknesses that can make it vulnerable to attack. Some of
these are
The KDC is a single point of failure.
The secret keys are temporarily stored on user’s workstations, in memory, etc.
Session keys are decrypted and reside on user’s workstations.
Vulnerable to password guessing.
Does not protect network traffic.
When a user changes password, the KDC database needs to be updated with a new
corresponding secret key.
Replay attacks can be used against Kerberos.
Sesame
Secure European System for Applications in a Multiuser Environment. Sesame is a single
sign-on system designed to address some of the kerberos weaknesses. It uses public
key cryptography for distribution of secret keys and supports MD5 and CRC32 hashing.
Still vulnerable to password guessing. Sesame uses the Needham-Schroeder protocol.
Thin Clients
No local processing. Thin clients for the user to login to the network just to be able to
use the computer.
Kryptoknight
Kryptoknight is another single sign-on protocol similar to Kerberos. The main difference
is that there is a peer-to-peer relationship among parties and the KDC.
ACCESS CONTROL MODELS
An access control model is a framework that dictates how subjects access objects. There are
three main types of access control model mandatory access control, discretionary access
control and role-based access control.
Discretionary (DAC) The creator of a file is the ‘owner’ and can grant ownership to
others. Access control is at the discretion of the owner. Most common implementation is
through access control lists. Discretionary access control is required for the Orange Book
“C” Level.
Mandatory (MAC) Much more structured. Is based on security labels and
classifications. Access decisions are based on clearance level of the data and clearance
Page 5 of 89
CISSP CBK Review
level of the user, and, classification of the object. Rules are made by management,
configured by the administrators and enforced by the operating system. Mandatory
access control is required for the Orange Book “B” Level.
Role-Based (RBAC) Continually administered set of controls by role within
organization. Access rights assigned to roles – not directly to users. Roles are tighter
controlled than groups - a user can only have one role. Can use different types of RBAC
Role-based Role within organization.
Task-based Specific task assigned to the user.
Lattice-based Upper and Lower bounds
Access Control Techniques and Technologies
Once a company decides on the access control model to use, the technologies and
techniques to implement that model need to be determined
Role-based
Can be used with MAC – Labels assigned to roles. Or with nondiscretionary controls such as NT Groups.
Rule-based
Example - Router or firewall rules – user cannot change.

Restricted interfaces
Menus and shells –ATM machine
Database views
Physically constrained interfaces.

Access Control Matrix
Table of subjects and objects indicating access.

Capability Tables
Specifies the access a certain subject has to specific objects. Corresponds to a
row in the access control matrix. Bound to subject.
Access Control Lists
Bound to object. List of subjects authorized to access a specific object, and,
the level of access/authorization.

Content-dependant
Database views are a good example – access is based on the data content itself.

Context-dependant
Access is based on location, time of day, previous access history, etc.
Access Control Administration
Access control administration is either centralized, decentralized or a hybrid of the two.
Examples of centralized access control technologies include
RADIUS Remote Authentication Dial-In User Service. Usually used for dialup. Access
server requests user login credentials and forwards to a backend RADIUS server. Can
use callback for additional security.
Page 6 of 89
CISSP CBK Review
TACACS (Terminal Access Controller Access Control System). There are several types of
TACACS
TACACS Combines its authentication and authorization processes. Passwords are
static.
XTACACS Separates authentication, authorization and accounting processes.
TACACS+ XTACACS with two-factor user authentication. Supports token
authentication.
Security Domain
A security domain is defined as a “realm of trust”. Subjects and objects share common
security policies and procedures and are managed by the same system. Also used within
operating systems and applications to protect system files or processes. It can also be
defined as the complete set of resources available to a user.
Access Control Methods
There are three broad categories of access control layers
Administrative
Technical
Physical
Administrative controls
Policies and procedures Guidelines + standards + baselines
Personnel controls Hiring, firing, promotions, transfers, separation of duties, rotation
of duties, forced vacation.
Supervisory structures Clear lines of reporting.
Awareness Training
Security Testing Drills, penetration testing, queries to employees, interviews, reviews.
Physical controls
Network segregation.
Perimeter security.
Computer controls.
Work area separation.
Data backups.
Cabling.
Technical (Logical) Controls
System Access – See previous access control mechanisms.
Network architecture – Logical controls can provide segregation and protection of an
environment. I/P address ranges, subnets, routing between networks, etc.
Network Access – Logical network access controls – routers, switches, NICs, bridges.
Page 7 of 89
CISSP CBK Review
Encryption and Protocols
Control Zone – Technical and physical control. Surrounds and protects network devices
that emit electrical signals. TEMPEST related.
Access Control Types
Each control method can also perform different functionality. The functionality types are
Preventative
Detective
Corrective
Deterrent
Recovery
Compensating
For example
Preventative-Administrative
Policies and procedures, effective hiring practices, background checks, data
classification, security awareness training.
Preventative-Physical
Biometrics, badges, swipe cards, guards, dogs, motion detectors, fences, mantraps,
locks and alarms.
Preventative-Technical
Passwords, biometrics, smart cards, encryption, call-back systems, database views,
antivirus software, ACLs, firewalls, IDS
Auditing
Accountability Auditing capabilities ensure that users are held accountable for their
actions, verify that policies are enforced, deter improper actions and are an investigative
tool.
There are 3 main types of audit tool
Audit reduction
Variance detection
Attack-signature detection
Audit data must be protected from unauthorized viewing and modification.
Access Control Practices
The following tasks should be carried out regularly
Deny access to undefined or anonymous accounts
Page 8 of 89
CISSP CBK Review
Limit and monitor administration accounts
Suspend access after a number of failed logins
Remove accounts as soon as someone leaves an organization.
Format Access Control Models
Bell LaPadula The Bell LaPadula model is built on state machine concepts and focuses
on confidentiality. The objective of this model is to ensure that the initial state is always
secure and that transitions always result in a secure state. Bell LaPadula defines a
secure state through 3 multilevel properties
Simple Security Policy No read up – a lower level subject cannot read a higher level
object. Protecting confidentiality.
Security * (star) property No write down – do not allow confidential information to
be written to a local level, where a lower level subject will be able to view it.
Discretionary Security Property Uses a discretionary access control matrix to
manage exceptions.
Biba Model The Biba model is lattice based and focuses on integrity more than
confidentiality. Biba specifies the following three axioms
Simple Integrity Axiom No read down. A higher level subject cannot read information
from a lower level. This prevents higher level reports and data being corrupted by lower
level (and less trustworthy) information.
Integration * (Star) Axiom No write up. A subject cannot write data above its
security level – higher level data might be compromised by lower level, less trustworthy
data.
A subject at one integrity level cannot invoke a subject at a higher integrity level
Clark-Wilson Model was developed after the Biba model and ensures integrity. The ClarkWilson Model utilizes separation of duties to ensure that authorized users do not make
unauthorized changes to data. In this way task are divided into different parts and different
subjects each do different parts. Often times subjects under the Clark-Wilson Model cannot
access data directly, but must instead go through a program or other third party, which
helps to ensure the subject has the proper classification. This model has emphasis on
internal and external consistency. Clark-Wilson uses well formed transactions, separation of
duties and the labeling of subjects and objects with programs to maintain integrity. Security
properties are partly defined through five certification rules, suggesting the check that
should be conducted so that the security policy is consistent with the application
requirements.
CDI – Constrained Data Item A data item whose integrity must be preserved.
IVPS – Initial Verification Procedures Confirm that all CDIs are in a valid integrity
state when the IVP is run.
TP – Transformation Procedure Manipulates the CDIs through a well-formed
transaction, which transforms a CDI from one valid integrity state to another.
Page 9 of 89
CISSP CBK Review
UDI – Unconstrained Data Item Data items outside of the control area such as input
information.
Any TP that takes a UDI as input must either convert the UDI into a CDI or reject the
UDI and perform no transaction at all.
Unauthorized disclosure of information
There are several ways in which information can be inadvertently disclosed. The follow
items are related to information disclosure
Object Reuse Reassigning media to a subject when media might still contain some
residual information. Make sure media is cleaned. Degaussing works best. Object reuse
controls are required for TCSEC B2 and above.
Emanation Picking up radiation emitted by devices. Can use TEMPEST technology to
block. TEMPEST is very expensive, some alternatives are
White Noise – Uniform spectrum of random electrical signals used to disguise real
data.
Zones – Control zones.
Access Control Monitoring
Keeping track of who attempts to access specific resources, access control monitoring is
an important detective mechanism usually carried out by intrusion detection systems
Intrusion Detection Systems (IDS)
Network Based IDS Monitors network, or a segment of the network (passive). Known
as NIDS. Placement of sensors is a critical part of configuring a network based IDS.
Place a sensor on the outside firewall to detect attacks and inside the firewall to detect
invasions. Another factor to consider is that the network traffic should never exceed the
IDS threshold, or the IDS may just start to drop packets.
Host-Based Monitors a specific system, such as your critical servers.
Intrusion detection systems have two main methods of operation
Knowledge / Signature based This type of IDS looks for known attacks and is
therefore weak vs new attacks. There are less false alarms. This type of IDS may also
fail to detect “slow” attacks extended over a long period of time.
Behavior based / Statistical IDS This type of IDS detects deviations from expected
behavior of users and systems. May use expert systems. Detects new attacks and
doesn’t rely on a database of signatures to be updated, but, can cause more false
positives.
Relational Database Security
Relational database security is a growing area of concern. The following are areas
relating to database technology and security
Page 10 of 89
CISSP CBK Review
Schema Description of the database and its tables. Usually written using a DDL.
Cardinality Number of rows in a table.
Degree Number of columns in a table.
Domain The set of all allowable values an attribute can take.
Entity Integrity & Referential Integrity
View - Virtual table defined from other tables that is used to restrict access, hide
attributes and provide content-dependant access. Views help implement least privilege
and need to know principles.
To protect against “inference attacks”, databases may have a minimum query set size
and prohibit query of “all but one” tuples. Highly secure systems may also employ
context dependant access control where the tuples a user can read are based on those
already read.
Threats
The main categories of threat to access control mechanisms are
Dictionary attack.
Brute force attack.
Spoofing at login – fake login screen to capture details.
A “trusted path” can mitigate login spoofing.
The following measures are used to compensate for internal and external access
violations
Backups
RAID
Fault tolerance
Business continuity planning
Insurance
Top
TELECOMMUNICATIONS & NETWORK SECURITY
Open Systems Interconnect (OSI) model
Developed early 1980s and introduced in 1984
 OSI Model
Application
Presentation
Session
Transport
Network
Data Link
Physical
TCP/IP Model
|
| Application
|____________
<--> Host to Host
<--> Internet Layer.
|
| Network Access Layer.
Page 11 of 89
CISSP CBK Review
“Each protocol at a specific OSI layer communicates with a protocol that operates at the
same OSI layer on another computer. This happens through encapsulation”
The protocols, technologies and computers that operate within the OSI model are called
open systems.
Application Layer
The application layer works closest to the user and handled message exchanges,
terminal sessions, etc. The application does not include the actual applications, but the
protocols (APIs) that support the applications.
Examples of protocols running in the application layer include
SMTP, HTTP, LPD, FTP, WWW, Telnet, TFTP
Presentation Layer
The presentation layer received data from the application layer and puts it into a format
that all computers using the OSI model can understand.
The presentation layer is not concerned with the meaning of data, but the correct syntax
and format. The presentation layer can often be considered a “translator”.
This layer also handles encryption and compression.
ASCII, JPEG, TIF, GIF, Encryption, Compression, MIDI, MPEG
Session Layer
When two computers need to communication, or transfer information, a connection
session needs to be set up between them. The session layer is responsible for
establishing a connection, maintaining it during data transfer and releasing it when
done.
The session layer works in 3 phases
Connection establishment
Data Transfer
Connection release
Common protocols at the session layer are
SSL, NFS, SQL, RPC
Transport Layer
When two computers are going to communicate, they must first agree on how much
information each will send at a time, how to determine if data was lost in order to
retransmit and other parameters. The computers agree on these parameters through a
process at the transport layer, OSI layer 4.
Page 12 of 89
CISSP CBK Review
The transport layer helps provide more reliable data transfer, error correction and flow
control. It assembles data into a stream for transmitting over the network, and handled
multiplexing if necessary. The transport layer also handles the teardown of virtual
circuits and the multiplexing of upper layer applications.
TCP, UDP, SPX
Network Layer
The main responsibility of the network layer is to insert information into the packet’s
header so that it can be properly routed. Routing protocols build and maintain their
tables at this layer.
The protocols at this layer do not ensure packet delivery – they rely on the transport
layer for that.
Protocols operating at this level include
IP, ICMP, RIP (Routing information protocol), OSPF (Open shortest path first), BGP
(Border gateway protocol) and Internet group management protocol (IGMP)
Most routers also run in the network layer.
Data Link Layer
As data travels down the ISO stack it comes to a point where it needs to be translated
into LAN or WAN binary format for line transmission. This happens at the data link layer.
The data link layer is where the operating system knows what format the data frame
must be in to transmit over Token Ring, Ethernet, FDDI, ATM, etc.
Network cards bridge the data link and physical layer. The data link layer actually
consists of two sub layers
Media Access Control (MAC)
Logical Link Control (LLC)
Protocols operating in the data link layer include
SLIP, PPP, RARP, L2F, L2TP, ISDN ARP
Bridges operate in the data link layer.
Physical Layer
The physical layer converts bits into voltage for transmission. This layer controls
synchronization, data rates, line noise and physical medium access.
Protocols operating in the physical layer include
Page 13 of 89
CISSP CBK Review
RS232, SONET, HSSI, X.21
Repeaters operating in the physical layer.
OSI Security Services and Mechanisms
OSI defines 6 basic security services to secure OSI communications
Authentication
Access Control
Data confidentiality
Data integrity
Non-repudiation
Logging and Monitoring
In addition, the OSI model defines 8 security mechanisms. A security mechanism is a
control that is implemented in order to provide the 6 basic security services
Encipherment
Digital Signatures
Access Control
Data Integrity
Authentication
Traffic Padding
Routing Control
Notarization
TCP/IP
I/P is a network layer protocol and provides datagram routine services.
Two main protocols work at the transport layer, TCP and UDP.
TCP Handshake
1. Host -------- SYN --------->
<----- SYN/ACK ----->
--------- ACK -------->
Host B
The TCP/IP model has 4 layers
Application
Host to host
Internet
Network Access
The TCP/IP model layers correspond to the ISO model layers as follows
Application
Host to Host
Internet
Network Access
Application, presentation, session.
Transport
Network
Data Link, Physical
The Host-to-host layer handles
Page 14 of 89
CISSP CBK Review
TCP
UDP
- Virtual Circuit, sequenced, slower, more reliable
- “Best effort”, connectionless.
Internet layer
I/P
ARP
RARP
ICMP
- No guarantee of delivery, delivery in sequence or only once.
- I/P to MAC
- MAC to I/P
Protocol Numbers
The I/P header contains a protocol field. Some common protocols are
- ICMP
– IGMP
6 - TCP
17 – UDP
Data Structures
Within the I/P protocol suite, when an application formats data for sending over
the network, it is a message.
At the transport layer, TCP works on the data and it is now a segmenti. The
segment is passed to the network layer.
The network layer adds addressing and routine and the bundle is now called a
datagram.
The datagram is passed off to the data link layer which frames the datagram with
a header & trailer. It is now called a frame.
TCP
Application Layer
Transport Layer
Network Layer
Data Link Layer
UDP
Message
Packet
Datagram
Frame
Message
Segment
Datagram
Frame
General Classes of Network Abuse
Class A Unauthorized access of restricted network services. Also called “login abuse”.
Refers to legitimate users accessing network services that should be restricted to them.
Class B Unauthorized use of a network for non-business purposes.
Class C Eavesdropping
Class D DOS and other disruptions
Page 15 of 89
CISSP CBK Review
Class E Network Intrusion. Refers to the use of unauthorized access to break into
the network from the outside. Classic cases are spoofing, piggybacking and backdoor
exploitation.
Class F Probing. An active variation of eavesdropping.
Additional Attacks SYN attacks, Buffer Overflow, Teardrop attack and Smurf.
Common Session Hi-jacking attacks



IP Spoofing attacks.
TCP sequence number attacks.
Other fragmentation attacks – using fragmented packets to hide true contact.
NETWORKING
LAN Media Access Technologies
Most of the differences between LAN and WAN take place at the data link layer
“Two LANs connected by a router is an internetwork, not a bigger LAN. Each LAN has its
own addressing scheme and broadcast and communication mechanisms. If they are
connected by different data link technologies such a frame relay of X.25 then we are
looking at a WAN”
Ethernet
Usually a bus or star topology
IEEE 802.3 standard
Shared media – all devices take turns and detect collisions
Uses broadcast and collision domains
CSMA/CD access method (Carrier Sense Multiple Access with Collision Detection)
Uses coaxial or twisted pair.
Common Implementations
10base2 ThinNet. Uses coaxial cable. Max length of 185 meters and provides up to
10mbs throughput. Uses BNC connectors.
10base5 ThickNet. Uses thicket coaxial cable. Longer cable segments and less
interference.
10baseT Twisted-pair copper wiring. RJ45 connectors, usually in a star topology with a
hub or switch.
Fast Ethernet Regular ethernet running at 100mbps over twister pair wiring.
Ethernet Types Table
Type
Cabling
10base2, ThinNet Co-Axial
Speed
10mbps
Page 16 of 89
CISSP CBK Review
10base5, ThickNet
10base-T
100base-FX, Fast
1000base-T
Co-Axial
UTP
UTP
UTP
10mbps
10mbps
100mbps
1,000mbps
Token Ring
802.5 standard, originally developed by IBM
Signal travels in a logical ring
Each computer is connected to a hub called a Multistation Access Unit (MAU)
16mbps capacity
Active Monitor – removes frames that are continually circulating
Beaconing – attempts to work around errors.
FDDI – 802.8
Fiber Distributed Data Interface
Developed by ANSI
High speed token-passing media access technology
Speed of 100mbvps – usually used as a backbone network using fiber optics.
Fault tolerance – second counterrotating ring.
Can be used up to 100kms, so popular in MANs
CDDI (copper distributed data interface) is a version that can be used locally.
802.8 standard.
CABLING
LAN Media
Ethernet
Standard
802.3
Characteristics
Shared media
Broadcast & Collision Domains
CSMA/CD
Coaxial or twisted cable
10mbps – 1 gbps
Token Ring
802.5
Devices connect to center MAU
Token-passing access method
Transmission speeds of 4-16mpbs
Active monitor and beaconing
FDDI
802.8
Token-passing access method
Dual counter rotating ring – fault tolerance
100mbps over fiber-optic
Long distance at high speed
* CDDI works over UTP
Bandwidth
Data Rate
Size of pipe
Amount of data
Page 17 of 89
CISSP CBK Review
Coaxial
Copper core surrounded by shielding layer
More resistant to EMI
10base2 = ThinNet (RG58), 10base5 = ThickNet (RG11/RG8)
10base2 segments can be up to 185 meters
10base5 segments can be up to 500 meters
Can use baseband method (one channel) or broadband (multiple channel)
50ohms cable used for digital signaling and 75ohms for analog signaling and high speed
data.
Twisted Pair Cable
STP = Shielded Twisted Pair
UTP = Unshielded Twisted Pair
UTP
Category
CAT 1
CAT 2
CAT 3
Characteristics
CAT 4
CAT 5
CAT 6
CAT 7
Voice Grade
Up to 4mbps
10 mbps ethernet
4mbps token
16 mpbs
100 mbps for
100-base TX and
FDDI
155mbps
1gbps
Usage
Not recommended for network use.
Mainframe and mini connections.
10 base-T networks
Token ring networks
FDDI & ATM installations. New LANS
Net network installations
Net network installations
Fiber Optics
Uses a type of glass carrying light waves
Glass core surrounded by protective cladding, encased in outer jacket
Not affected by EMI, no attenuation
Very hard to tap into, the most secure type of cabling.
Common Cable problems
Noise Caused by surrounding devices or characteristics of the environment
Attenuation Loss of signal as it travels. The affect of attenuation increases at higher
frequencies.
Crosstalk UTP is susceptible to crosstalk which is caused when electrical signals on one
wire spill over to another wire.
Plenum space is the space between the ceiling and the next floor. Often used for wiring
and cabling.
TYPES OF TRANSMISSION
Data transmission can happen in different ways (analog or digital), use different
controlling schemes (synchronous or asynchronous) and can only use one channel on a
wire (baseband) or several channels (broadband).
Page 18 of 89
CISSP CBK Review
Analog Signals
Continually varying, Modulation Combining with carrier signal of a specific frequency.
Digital Signals Are Discrete binary pulses.
Asynchronous
Two devices not synchronized in any way.
Usually used for smaller amounts of data
Usually includes start and stop delineation
Synchronous
Transfers data as a stream of bits instead of framing it in start and stop bits.
Synchronization can be via clocking mechanisms, or a signal in the data.
Usually used for higher volumes of data.
Baseband
Transmission accomplished by applying direct current to a cable. Uses full cable for its
transmission. Ethernet is baseband.
Broadband
Divides cable into channels so that different types of data can be transmitted at the
same time. CATV is broadband. Other broadband types include T1, T3, ISDN, ATM, DSL
and wireless.
Unicast From source to one computer.
Multicast From source to a specific set of systems. NIC pics up packets with a specific
multicast address.
Broadcast From source to all computers on a subnet.
Network Topology
The physical arrangement of computers and devices is the “Network Topology”
Ring Topology
Series of devices connected by unidirectional transmission links.
Form a closed loop, no central hub
Must provide redundancy or risk single points of failure
Bus Topology
In a simple bus topology, a single cable runs the entire length of the network.
Each packet is looked at by all nodes.
Traditional Ethernet uses bus topologies.
Star Topology
Page 19 of 89
CISSP CBK Review
All nodes connect to a dedicated central hub or switch
Hub is a potential single point of failure
Less cabling used and no termination issues
Most LANs are in a physical star topology
Mesh Topology
All systems and resources are connected to each other in some way
Greater degree of complexity
Greater degree of redundancy
The internet is a good example of a partial mesh.
LAN Media Access Technologies
Token Passing
Only the computer that has the token can put frames onto the wire. This media access
technology is used by Token Ring & FDDI and is defined in the 802.5 standard.
Token passing networks are deterministic meaning it is possible to calculate the
maximum time that will pass before a station can transmit. This makes token ring
networks ideal for applications where delay must be predictable, such as factory
automation.
(Carrier Sense Multiple Access)
There are two flavors are CSMA, CSMA/CA (Collision avoidance) and CSMA/CD (Collision
detection).
A transmission is called a “carrier”. If a computer is transmitting frames, it is performing
a carrier activity.
With CSMA/CD, computers listen to the wire for the absence of a carrier tone. If two
computers sense this absence and transmit at the same time, contention and a collision
can take place. All stations will execute a “back off” algorithm (Random retry timer).
With CSMA/CA, each computer signals the intent to transmit before they actually do so,
such as WLAN.
Collision Domains
“The more devices there are on a contention based network, the more likely collisions
are which increases latency. A collision domain is a group of resources that are
competing for the same shared communication medium”.
One subnet will be on the same broadcast and collision domain if it is not separated by
routers or bridges.
PROTOCOLS
Address Resolution Protocol ARP
Page 20 of 89
CISSP CBK Review
The data link layer works with MAC addresses, not IP addresses. ARP resolves IP
addresses to MAC addresses. ARP broadcasts a frame requesting the MAC address that
corresponds to the destination IP address. The computer that has that IP address
responds with its MAC address.
“ARP table poisoning” is altering the ARP cache so that an attacker receives packets
intended for another destination.
Reverse Address Resolution Protocol RARP
Diskless workstations know their hardware address, but not the IP address. It
broadcasts the MAC address information and the RARP server responds with an I/P
address.
BOOTP is similar to RARP but provides more functionality including name server and
gateway address.
Internet Control Message Protocol ICMP
ICMP delivers messages, reports errors, reports routing information and tests
connectivity.
PING is the most common – sends out ICMP ECHO frames and receives ICMP REPLY
frames back.
NETWORKING DEVICES
Repeaters
Repeats and amplifies signal between cable segments
Works at the physical layer
Also known as line conditioners
Bridges
Uses to connect different LAN segments
Works at the data link layer and therefore works with MAC addresses.
Divides overburdened networks into smaller segments for better use of bandwidth and
traffic control
Beware of “broadcast storms” – using bridges to echo broadcast packets.
A bridge forwards data to all other network segments if the MAC address of the
destination computer is not on the local network segment.
There are three types of bridge
Local Connects two or more LAN segments.
Remote Can connect two or more LANS over a long distance with telecommunications
between them.
Translator Connects LANs of different types and protocols.
Summary of the functions bridges provide
Segment a large network into smaller, more controllable pieces
Use filtering based on MAC address
Page 21 of 89
CISSP CBK Review
Join differently types of network while retaining same broadcast domain
Isolate collision domains within the same broadcast domain
Some bridges translate between protocol types.
Routers vs Bridges
Routers work at the network layer and are based on IP address. Bridges work at the
data link layer and filter frames based on MAC addresses.
Routers will not usually pass broadcast information.
Bridges will pass broadcast information.
Spanning tree algorithm is a bridge algorithm.
If source routing is used, the packets themselves have the information within them to
tell the bridge where they should go.
Hubs
Hubs are used to connect multiple LAN devices into a concentrator. Hubs can be
considered as multiport repeaters and operate at the physical layer.
Routers
Routers work at the network layer. A router has two or more interfaces and a routing
table to get packets to their destination. Routers can filter traffic based on access control
lists (ACLs) and fragment packets when necessary.
Routers discover information about routers and changes that take place in a network
through its routing protocols (RIP, BGP and OSPF).
The following outlines the stages that take place when a router receives a packet
A frame is received on one of the router’s interfaces.
Destination i/p address is retrieved from the datagram
The router looks at the routing table to see which port matches the destination
If the router has no information on the destination, it sends an ICMP error to the
sending computer.
The router decrements the TTL. If the MTU is diferent than the destination requires, it
fragments the packet.
Router changes the header information on the frame so that it can go to the next correct
router.
Frame is sent to the router’s output queue.
Routing environments are based on autonomous systems. The autonomous systems are
connected to each other through routers and routing protocols.
Routing takes place within an autonomous system through internal protocols like OSPF
and RIP.
Routing takes place between autonomous systems through exterior protocols like BGP.
Switches
Switches combine the functionality of a repeater and the functionality of a bridge. Any
device connected to one port communicates to any device on another port with it’s own
virtual private link.
Page 22 of 89
CISSP CBK Review
“A switch is a multiport bridging device and each port provides dedicated bandwidth to
the device attached to it”
Basic switches work at layer 2 and forward traffic based on MAC address. Today, there
are layer 3 and layer 4 switches with more enhanced functionality. There are referred to
as “multilayered switches”.
Virtual LANS (VLANS) are also an important part of switching networks. A switch only
sends a packet to the port where the destination MAC address is located, so offer more
protection against network sniffers.
VLAN
VLANs (Virtual LANs) allow administrators to logically seperate and group users. VLANs
also allow administrators to apply different security practices to different groups.
Brouter
Hybrid device combining the functionality of a bridge and a router. A brouter can bridge
multiple protocols and route packets based on some of these protocols.
Gateways
Almost all gateways work at the application layer because they need to see a majority of
the information within a frame and not just the address and routing information that a
router or bridge requires.
A popular type of gateway is an email gateway. The mail gateway will usually convert
email into standard X.400 and pass it on to the destination mail server.
A network connecting to a backbone (Ethernet --> FDDI for example) would need a LAN
gateway.
Summary of Main Devices
Device
Repeater
Bridge
Layer
Phsyical
Data Link
Router
Network
Brouter
Network &
Data Link
Data Link &
Higher
Application
Switch
Gateway
Functionality
Amplifies signal and extends networks
Forwards packets. Filters packets based on MAC
address. Forwards broadcast but not collision traffic.
Filters based on IP address. Seperates or connects
LANs, creating internetworks.
Bridges multiple protocols and routes some of them.
Private virtual link between devices. Allows for VLANs.
Impedes sniffing and reduces contention.
Connects different types of network. Protocol and
format translation.
PBX
A Private Branch Exchange (PBX) is a telephone switch located on the company’s
property. A PBX can interface with several types of device and provides a number of
Page 23 of 89
CISSP CBK Review
telephone services. Data is multiplexed onto a dedicated line connected to the telephone
company’s central office.
PBXs have the following issues
Often have modems attached for vendor maintenance.
Come shipped with default system passwords.
Vulnerable to brute force attacks.
ATM Switches
Most commonly used in WANs but started to be seen in LANs. Use a cell-relay
technology.
FIREWALLS
Firewalls are used to restrict access from one network to another network. A firewall is a
device that supports and enforces the company’s network security policy.
Many times companies setup firewalls to construct a “DMZ” or “buffer zone” which is a
network segment located between protected and unprotected networks. Usually, two
firewalls are used to construct a DMZ
LAN <-- firewall <--- DMZ <---- firewall <----- router <----- .o( Internet )o.
Packet Filtering
Packet filtering firewalls use Access Control Lists to determine which packets can and
cannot pass through. The filtering is based on network layer information, the device
cannot look further into the packet itself. A packet filtering router is also called a
screening router. Packet filtering usually takes place at the network or transport layer.
Pros
Scalable
High Performance
Application Independant
Cons
Does not look into packet past the header info
Lower security relative to other options
Does not keep track of connection state
Used in first generation firstwalls.
Packet filtering firewalls are often called “first generation firewalls”.
Stateful Packer Filtering
Stateful filtering keeps track of which packets went where until the connection is closed.
To accomplish this, the firewall maintains a state table.
A packet filtering firewall may have the rule to deny UPD on port 25, while a stateful
packet filtering firewall can say “allow those packets through if they are in response to
an outgoing request”.
Frames are analysed at all communication layers.
High degree of security without the performance hit of proxy firewalls.
Scalable and transparent to users.
Page 24 of 89
CISSP CBK Review
Provides data for tracking connectionless protocols like UDP and RPC
Used in third generation firewall applications.
Proxy Firewalls
A “proxy” is a middleman. A proxy firewall accepts messages entering or leaving the
network and checks it for malicious information and if ok, passes it on to the destination.
A proxy firewall breaks the communication channel – there is no direct communication
to internal computers.
Outside scanners will only see the proxy server. Packets are repackaged as they pass
through the proxy firewall. Outbound packets will only have the I/P addrss of the firewall
which means that a proxy server will be the only one with a valid I/P address- the
servers behind it can all use private address ranges.
A dual homed firewall has two NICs and forwarding turned off. There are two types of
proxies
Application and circuit proxies
Proxy firewalls are considered second-generation firewalls and are usually used with a
dual-homed host.
Application Level Inspects entire packets and makes access decisions based on actual
content. Understands the different protocols and usually works for just one service or
protocol.
Circuit-Level Creates a circuit between client computer and server. Makes access
decisions based on source and destination.
Pros
Looks at information within the packet, right up to the application layer.
Better security than packet filtering
Aware of protocols, services and commands being used.
Cons
Limited to what applications it can support
Can degrade network performance
Poor scalability
Breaks client/server model.
Dual-Homed Host Firewalls
Single computer with separate NICs to each network
Used to divide internal trusted network and external untrusted network
Must disable forwarding
Usually used with proxy software
Users can easily and accidentally enable forwarding.
Application level vs Circuit Level proxy firewalls
Application Level
Page 25 of 89
CISSP CBK Review
Transfers a copy of each approved packet from one network to another.
Different proxy required for each service.
Hides network information from external attackers.
Hides internal computer information and addresses.
More intricate control than circuit level proxy firewalls
Reduces network performance
Circuit-Level
Provides a circuit between the source and destination
Does not require a proxy for each service
Does not provide the detailed control that the application level proxy does.
Security for a wider range of protocols.
SOCKS proxy server characteristics
Circuit-level proxy
Requires clients to be integrated with SOCKS client software.
Mainly used for outbound internet access and VPN
Can be resource intensive
Authentication and encryption are similar to VPN, but socks is not considered a
bidirectional VPN.
Firewall Generations
1st generation are Packet filtering firewalls.
2nd generation are application (proxy) firewalls
3rd generation are stateful packet firewalls
4th generation are dynamic filtering
5th generation are kernel proxy
FIREWALL ARCHITECTURE
Bastion Host
A bastion host can be thought of as the foundation for the firewall software to operate
on. It is the machine that will be accessed by all entities trying to access or leave the
network.
Screened Host
Many times a screened host is a bastion host that communicates with a border router
and the internal network. Inbound traffic is filtered by packet filtering on the router and
then sent to the screened host firewall.
Screened Subnet
Adds another layer of security over the screened host firewall – the bastion host housing
the firewall is screened between two routers. This architecture sets up a DMZ between
the two routers.
Shoulds of firewalls
Firewalls should
Page 26 of 89
CISSP CBK Review
Default to deny
Block external packets inbound with internal addresses (Spoofing)
Block outbound packets with external source addresses (Zombies)
High security firewalls should reassemble packet fragments before sending them on to
their destination.
Many firewalls will deny packets with source routing information.
Networking Services
Network Operating Systems (NOS)
Short list of some of the services that NOS systems (NT, W2K, Linux) provide that most
single user (W95, W98) systems do not
Directory services
Internetworking, routing and WAN support
Support for dial-up users
Clustering functionality
File & print services
Management and administration tools
Fault tolerance
A redirector connects local computer to resources of the network – the local computer
may not even be aware of this.
DNS
Networks are split up into “zones”
DNS server is said to be authoritative for the zone it serves.
Directory Services
A directory service is a database containing a hierarchy of users, computers, printers
and attributes of each. The directory is used mainly for lookup purposes – to allow users
to break down resources. Most directory services are built on the X.500 model or use
LDAP to access the directory database.
Intranets and Extranets
Private I/P address ranges are
10.0.0.0 172.16.0.0
192.168.0.0
10.255.255.255
172.31.255.255
192.168.255.255
Class A
16 * Class B
256 * Class C
Network Address Translation
Network address translation forms a gateway between a network and the internet or
another network. The gateway performs transparent routing and address translation.
Some attributes of this process are
Hides true internal I/P address information from the outside world.
The NAT device needs to remember the internal IP address and port to send the
messages back to.
Page 27 of 89
CISSP CBK Review
Metropolitan Area Network (MAN)
A MAN is usually a backbone that connects businesses to WANS, the internet and other
businesses. A majority of today’s MANs are Synchronous Optical Network (SONET) or
FDDI rings provided by local telephone companies.
Wide Area Network (WAN)
WAN technologies are used when communication needs to take place over a larger
geographical area.
There are several technologies in the WAN arena, several of which are discussed below.
The SONET (Synchronous Optical Network) gives all the world’s carriers the ability to
interconnect.
ATM encapsulates data in fixed cells and can be used to deliver data over SONET. The
fixed size provides better performance and reduced overhead.
A quick snapshot at telecom history
Copper lnes carrying analog information
T1 lines carrying up to 24 conversations
T3 lines carrying up to 28 T1 lines
Fiber optics and the SONET network
ATM over SONET
Types and speed of standard leased lines
DS0 Single 64k channel on a T1 facilities
DS1 1.544mbps on a T1 (2.108 on a E1 in Europe)
DS3 44.756mbps on a T3 facility.
Dedicated Links
Leased line or “point to point” link.
Expensive, but secure
T-Carriers
Dedicated lines that carry voice or data over trunk lines.
Most common are T1 @ 1.544mbps and T3 @ 45mbps
Multiplexing through TDM (Time division multiplexing)
S/WAN
Secure WAN, initiative of RSA security who worked with firewall and protocol vendors to
build secure firewall-to-fireall connections through the internet.
S/WAN is based on VPNs that are created with IPSEC.
xDSL types
ADSL More bandwidth down than up.
Page 28 of 89
CISSP CBK Review
SDSL 1.544mbps down and up. Limited to 10,000 feet from exchange.
HDSL High-rate digital subscriber line. 1.544mbps each way.
VDSL Very high data rate dsl – 13 to 52mbs downstream and 1.5 to 2.3 upstream.
Limited to 1,000 – 4,500 feet from exchange.
Packet Switching vs Circuit Switching
 Circuit Switching
Constant Traffic
Fixed delays
Connection-oriented
Sensitive to loss of connection
Voice oriented
Packet Switching
Bursty Traffic
Variable delays
Connectionless
Sensitive to loss of data
Data Oriented
WAN Technologies
CSU/DSU
Channel service unit / data service unit required when digital equipment will be used to
connect a LAN network to a WAN network
Necessary because the frames are so different between LAN and WAN equipment.
DSU converts signals from routers, bridges, etc into signals that can be transmitted over
the telephone company’s digital lines
CSU connects the network directly to the telephone company lines.
Provides an interface for DTE and DCE devices such as the router and the carrier’s
switch.
Switching
There are two main types of switching, circuit switching and packet switching
Circuit Switching
Connection oriented virtual links (ISDN, telephone call)
Traffic travels in a predictable and constant manner
Fixed delays
Usually carries voice oriented data
Packet Switching
Packets can use many different dynamic paths to get to the same destination
Supports traffic that is bursty
Variable delays
Usually carries data-oriented information.
Internet, X.25 and Frame Relay are all packet switching networks.
Frame Relay
Frame relay is a WAN protocol that operates at the data link layer. Frame Relay uses
packet switching technology as an alternative to expensive dedicated lines.
Page 29 of 89
CISSP CBK Review
Companies that pay more to ensure a higher level of bandwidth availability pay a
“committed information rate” or CIR.
Virtual Circuits
Frame relay forwards frames across virtual circuits. These can be permanent meaning
they are programming in advance, or switching means it is built when needed an then
torn down.
The PVC (Permanent Virtual Circuit) works like a private line for a customer with a CIR.
A PVC is programmed to ensure bandwidth availability.
X.25
X.25 is an older WAN technology that defined how networks and devices establish and
maintain connections. X.25 is a switching technology.
Data is divided into 128 bytes and encapsulated in HDLC frames (High-level Data Link
Control).
X.25 is slower than frame relay or ATM due to heavy error checking and correction that
is not necessary on more modern networks.
ATM – Asynchronous Transfer Mode
ATM is another switching technology that uses a cell-switching method instead of packet
switching. Like frame relay, ATM is connection-oriented. Cell switching means that data
is segmented into fixed size cells (53 bytes).
Like Frame Relay, ATM can set up PVCs and SVCs.
SMDS – Switched Multimegabit Data Service
High speed packet switched technology used to enable customers to extend their LANs
across MANs and WANs. Protocol is connectionless and can provide bandwidth on
demand.
SDLC – Synchronous Data Link Control
Base on networks that use leased lines with permanent physical connections. SDLC is
used mainly for communication to IBM hosts within the SNA architecture.
HDLC – High Level Data Link Control
Bit-oriented link layer protocol used for transmission over synchronous lines, HDLC is an
extension of SDLC. HDLC provides high throughput because it supports full duplex.
HSSI – High Speed Serial Interface
Interface used to connect multiplexers and routers to high speed services like ATM and
Frame Relay.
Page 30 of 89
CISSP CBK Review
These interfaces define the electrical and physical interfaces to be used by DTE/DCE
devices, thus it works at the physical layer. Developed by CISCO and T3Plus Networking.
Multi-Service Access
Multi-service acess technologies combine different types of communication categories
(voice, data and video) over one transmission line.
VOIP can be affectd by latency due to internet being packet oriented switching
technology vs circuit switcing. This is referred to as “jittering”.
H.323
Standard that deals with video, audio and data packet-based transmissions where
multiple users can be involved wth the data exchange. H.323 terminals are connected to
gateways or the gateways are connected to PSTN.
Packet switching technologies include X.25, LAPB, FRAME RELAY, ATM and SMDS.
REMOTE ACCESS
Remote access covers technologies that enable remove and home users to access
networks.
Dial-up and RAS
Remote access is usually gained by connecting to a network access server (NAS). NAS
acts as a gateway and end point for a PPP connection.
ISDN
Integrated services digital network. ISDN breaks the telephone line into different
channels and transmits data in a digital form vs the old analog method. There are 3
types of ISDN implementation
BRI Basic Rate Interface Operates over existing copper lines in the local lopp and
provides digital voice and data channels. Uses two B channels and 1 D channel.
PRI Primary Rate Interface 23 B channels and one D channel operating at 64k.
Equivalent to a T1.
BISDN Broadband ISDN. Mainly used with backbones over ATM/SONET.
B channels enable data to be transferred.
D channel provides for call setup, error control, caller id and more.
ISDN is a circuit switching point-to-point protocol.
Page 31 of 89
CISSP CBK Review
DSL – Digital Subscriber Line
Uses existing phone lines
Have to be within a 2.5 mail radius of the provider’s equipment.
Cable Modems
High speed internet access through coaxial and fibre lines.
Bandwidth shares between users in a local area.
Security concerns Network sniffers on shared medium.
VPN – VIRTUAL PRIVATE NETWORKS
A virtual private network is a secure private connection through a public network or
otherwise unsecured environment. VPNs are often used to provide a connection between
two routers.
Tunneling Protocols
VPNs use tunneling protocols to create a virtual path across a network. There are three
main tunneling protocols used in VPN connections PPTP, L2TP and IPSEC
PPTP
Point to point tunneling protocol. Encapsulation protocol based on PPP. PPTP works at
the data link layer and encrypts and encapsulates packets.
There are a few weaknesses with PPTP. Negotiation information is exchanged in clear
text and can be easily snooped. PPTP is a Microsoft developed protocol.
Designed for client/server connectivity
Sets up a single point-to-point connection between two computers
Works at the data link layer
Transmits only over I/P networks
L2F
Layer 2 Forwarding
Created before L2TP by Cisco
Merged with PPTP to create L2TP
Provides mutual authentication, but no encryption.
L2TP
Layer 2 Tunneling Protocol. L2TP combines L2F with PPTP.
PPTP can only run on top if I/P. L2TP can use other protocols such as IPX and SNA
PPTP is an encryption protocol, L2TP is not. L2TP is often used in conjunction with IPSEC
for security.
Page 32 of 89
CISSP CBK Review
L2TP supports TACACS+ and RADIUS, PPTP does not.
IPSEC
Handles multiple connections at the same time
Provides secure authentication and encryption
Supports only IP networks
Focuses on LAN-LAN communication
Works at network layer --> Security on top of I/P
Can work in tunnel mode where both header and payload are encrypted, or transport
mode where only the payload is encrypted.
PPP
PPP encapsulates messages and transmits them through an IP network over a serial line.
PPP supports different authentication methods such as Password Authentication Protocol
(PAP), Challenge Handshake Authentication Protocol (CHAP) and Extensible
Authentication Protocol (EAP).
PAP, CHAP, EAP
PAP Least secure of the three options as credentials are sent in clear text. Also
vulnerable to reply attacks.
CHAP Uses a challenge/response mechanism instead of sending a username and
password. Client sends host a logon request and the host returns a random “challenge”
value. The challenge is encrypted with the user password and returned to the host. The
server performs the same encryption and determines whether or not there was a match.
CHAP is not vulnerable to “man in the middle” attacks because it continues this
challenge/response activity throughout the connection.
EAP Extensible Authentication Protocol. EAP is not a specific mechanism like PAP or
CHAP but is more of a framework to allow many different types of authentication
mechanism. EAP extends the authentication possibilities to other methods like one-time
passwords, token cards, biometrics and future mechanisms.
Network and Resource Availability
Some general guidelines are
Watch out for single points of failure
Use ISDN or modem backup for WANs
Use UPS’ and RAID (striping and/or mirroring)
Clustering provides for fault tolerance, load balancing and failover.
Page 33 of 89
CISSP CBK Review
RAID types
Raid#
Level
0
Name
Striping
Level
1
Mirroring
Level
2
Hamming Code
Parity
Level
3
Byte Level
Parity
Level
4
Level
5
Block Level
Parity
Interleave
Parity
Level
6
Level
7
Second Parity
Data
Level
10
Level
15
Level 1 + Level
0
Level 5 + Level
1
Description
Data is striped over several drives, but there is no
redundant drive. Used for performance enhancement. If
one drive fails, the whole volume is unusable.
Data is written to two drives at once. If one fails, the
other has the same data. This is an expensive option as
each drive has another whole drive with the same
information.
Data is striped over all drives at bit level. This array
uses 39 drives, 32 for data and 7 for parity. Not used in
practice.
Data is striped over all drives, parity is held on just one
drive. If a drive fails, it can be reconstructed from the
parity drive.
Same as level 3 except data is striped in disk sector
units rather than blocks of bits or bytes.
Data is written to disk sector units across all drives.
Parity is written to all drives. There is no single point of
failure because parity is written to all drives. Uses XOR
algorithm.
Similar to level 5 but with added fault tolerance –
second set of parity data written to all drives.
Variation of RAID 5 where the array functions as a
single virtual disk in the hardware.
Data is striped across multiple RAID1 pairs.
Two complete RAID5 systems are mirrored for additional
fault tolerance.
WIRELESS TECHNOLOGIES
IEEE 802.16 deals with wireless MANs
IEEE 802.11 deals with wireless LANs
Higher frequency can carry more data, but a shorter distance
WLANS work in the 2.4 & 5ghz unlicensed bands and there are two IEEE standards,
802.11a and 802.11b
802.11a works in the 5ghz range and provides up to 54mbps
802.11b is in the 2.4ghz range and providers up to 11mbps
802.11g works in the 2.4ghz range and providers up to 54mbps
801.11 uses Wireless Application Protocol (WAP). WAP uses WML (Wireless Markup
Language) and WMLScript to present web based material. WAP has its own session and
transaction protocols and a transport layer security protocol called WTLS (Wireless
Transport Layer Security).
Page 34 of 89
CISSP CBK Review
A WAP gateway is required to translate WAP protocols to the internet. Encrypted data
from a wireless device comes in with WTLS but must be converted into SSL or TLS by
the gateway. For a second or two, the WTLS data will be decrypted for conversion into
SSL – this is referred to as the gap in the wap.
Wireless Technology
IEEE 802.11 refers to a family of specifications for wireless LANs. The current 802.11
standard all use CSMA/CA.
802.11 Original wireless LAN standard. 1 or 2mpbs speed in the 2.4ghz band using DSS
or FHSS.
802.11b 11mpbs (steps-down to 5.5, 2 or 1mpbs based on signal strength). Uses only
DSSS. Also known as Wi-Fi.
802.11a Up to 54mbs in the 5ghz range. Uses orthogonal FDM.
802.11g 20mbps to 54mpbs in the 5ghz range.
802.11e Draft standard to provide QOS features and multimedia support.
802.11i IEEE standard that replaces WEP security with AES encryption and many other
stronger security features
Spread Spectrum Technology
Spread Spectrum Technology broadcasts signals over a range of frequencies. Receiving
device must know the correct frequency of the spread spectrum signal being broadcast.
Two spread spectrum technologies currently exist
Direct-Sequence Spread Spectrum (DSSS) Redundant bit pattern for each bit to be
transmitted – spread over a wide frequency. Because it is spread over the spectrum, the
number of discrete channels in the 2.4ghz band is small.
Frequency-Hopping Spread Spectrum (FHSS) Uses a narrow band carrier that
continually changes frequency in a known pattern. Source and destination devices must
be synchronized to be on the same frequency at the same time.
Both of the above appear as line noise to a non spread-spectrum device.
AD-HOC mode Access is Peer to peer.
Infrastructure mode Access is via an access point (wireless hub).
Wireless Application Protocol (WAP)
Wireless application protocol is a set of technologies related to HTML but tailored to
small screens. The most noticeable is HDML Handheld device markup language.
WAP has 5 layers Application, session, transaction, security and transport
Page 35 of 89
CISSP CBK Review
Application Layer
Microbrowser, WML (Wireless Markup Language), WMLScript and Wireless Telephony
Applications (WTA)
Session Layer
Contains the Wireless Session Protocol (WSP) which is similar to HTTP. WSP facilitates
transfer of content between WAP clients and gateway. WSP provides a connectionoriented mode and a connectionless mode.
Transaction Layer
Providers the Wireless Transaction Protocol (WTP). Similar functionality to TCP/TP.
Reliable request and response transactions and supports unguaranteed and guaranteed
psuh
The transaction layer provides transaction services to WAP and handled
acknowledgements.
Security Layer
The security layer contains WTLS (Wireless Transport Layer Security). WTLS is based on
TLS (similar to SSL) and can be invoked in a manner similar to HTTPS. WTLS provides
data integrity, privacy, authentication and DOS protection.
Transport Layer
The transport layer suports the Wireless Datagram Protocol (WDP) which provides an
interface to bearers of transportation. The transport layer supports CDPD, GSM, CDMA,
TDMA, SMS and Flex.
Wired Equivalent Privacy (WEP) Encryption
WEP is an option in 802.11b. It uses a 40-bit shared key, RC4 pseudorandom number
generator and a 24 bit initialization vector. WEP works in the following manner
Checksum of message computed and appended to the message.
Shared secret key and initialization vector are fed to the RC4 algorithm to produce a
keystream.
The keystream is XORed with the msg and checksum and produces ciphertext.
The initialization vector is appended to the ciphertext message and the message is sent
to the recipient.
The recipient who has the same secret key generates the same keystream with the IV.
The generated keystream is XORed with the ciphertext to yield the original message.
WEP is not considered secure due to the 40-bit encryption, static keys, and published
methods to break the encryption.
top
Page 36 of 89
CISSP CBK Review
top
SECURITY MANAGEMENT PRACTICES
Security management includes Risk management, security practices and security
education.
Security management practices focuses on the continual protection of company assets.
Management support is one of the most important pieces of a security program.
Three types of control are used to achieve management’s goals.
1. Administrative Policies, procedures, guidelines, awareness training, personnel
screening, system activity monitoring, change control and configuration
management.
2. Technical Logical access control mechanisms, password & resource
management, identification and authentication, security devices, network
configuration.
3. Physical Physical access control, locking systems, removing unnecessary media,
guards, environmental control, perimeter security.
Management (the information owner) creates security directives and classifies data. The
security team implements and enforces the directives.
Security Definitions
Some commonly used security definitions are
Vulnerability Software, hardware of procedural weakness that may provide an attacker
the open door he is looking for. Absence or weakness of a safeguard.
Threat Any potential danger to information or systems.
Risk Likelihood of a threat agent taking advantage of a vulnerability.
Exposure An instance of being exposed to losses from a threat agent.
Countermeasure Hardware, software or procedure that eliminates a vulnerability, or,
reduces the risk of a threat agent being able to exploit it. Is also called a safeguard.
Risk Management
Risk Analysis is a method of identifying risks and assessing the possible damage that
could be caused in order to justify security safeguards.
Risk management addresses 3 fundamental questions
1. Identify assets – What am I trying to protect?
2. Identify threats – What am I trying to protect against?
3. Calculating risks – How much time, effort & money am I willing to spend on
adequate protection.
Page 37 of 89
CISSP CBK Review
The following issues should be considered when assigning value to information
safeguards
Cost to acquire and develop
Cost to maintain and protect
Value to owners and users
Value to adversaries
Value of intellectual property
Price that others would pay for the asset
Cost to replace if lost
Operational and productivity affected if asset is lost.
Liability issues if assets are compromised.
Usefulness of the asset.
There are 4 basic elements to risk management
1.
2.
3.
4.
Quantitative risk analysis
Qualitative risk analysis
Asset valuation process
Safeguard selection
Quantitative risk analysis
Estimate value of assets to be protected.
Identify each threat and corresponding risk
Estimate loss potential of each risk
Estimate possible frequency of threat
Recognize and recommend remedial measures
Quantitive risk analysis involves the following definitions and calculations
SLE – Single loss expectancy Dollar amount of potential loss to an organization if a
specific threat too place.
EF – Exposure factor Percentage of loss a realized threat could have of an asset.
Asset value * Exposure factor (EF) = SLE
ARO – Annualized rate of occurrence Estimated possibility of a specific threat taking
place in a one year timeframe.
ALE – Annualized loss expectancy
Single loss expectancy (SLE) * Annualized rate of occurrance (ARO) = ALE
Safeguard value (ALE before safeguard) – (ALE after safeguard) – (Annual cost of
safeguard) = Safeguard value to the company.
Residual Risk Amount of risk remaining after a safeguard is implemented
threats * vulnerability * asset value = total risk.
(threats *vulnerability * asset value) * control gap = residual risk.
Page 38 of 89
CISSP CBK Review
Asset Resource, process, product, infrastructure and any other object that an
organization has determined should be protected.
Qualitative risk analysis
Walk through different scenarios and rank seriousness of threats or sensitivity of assets.
Techniques include judgment, intuition and experience.
Some methods are Delphi, brainstorming, story boarding, focus groups, surveys,
questionnaires, one-on-one meetings and interviews.
Handling Risk
Transferring
Rejecting
Reducing
Accepting
Insurance
Deny or ignore the risk.
Implementing countermeasures.
Live with the risk.
Policies, Procedures, Standards and Guidelines
Security Policy General statement produced by senior management.
Issue specific
System specific
For example, email, PDA.
Approved software lists, database standards.
Standards Specify how hardware and software are to be used. Usually mandatory.
Baseline Minimum level of security necessary throughout the organization. Standards
are usually developed from baselines.
Guidelines Recommended actions and operational guides. Not mandatory. Provide
direction in policy grey areas.
Procedures Detailed step by step actions to achieve the tasks necessary for compliance
with standards. Standards as also known as “practices”.
To be effective, each of these needs high visibily, which can be helped be awareness
training, manuals, presentations, legal banners. Can also help with due care and
diligence issues.
Data Classification
The primary purpose of data classification is to indicate the level of confidentiality,
integrity and availability that is required for each type of information.
Classifications
Commercial
Confidential
Private
Sensitive
Public
Military
Top Secret
Secret
Confidential
Sensitive but unclassified
Public
Page 39 of 89
CISSP CBK Review
(Note Commercial ‘confidential’ information is exempt from FOAI).
Layers of Responsibility
Data Owner Senior management, ultimately responsible for protection and use of data.
Determines data classification.
Data Custodian Responsibility for maintenance and protection of data. Usually IT
department. Makes backups, performs restores, etc.
User Any individual who routinely uses the data for work related purposes. Also
considered “consumer” of the data.
The necessary pieces that fit together for effective security management practices are
Data classification
Operational activities
Safeguard selection
Separation of duties
Management security responsibilities
Guidelines and procedures
Risk assessment
Policies and standards
Security awareness.
The three pillars of security awareness training are Awareness, Training, Education.
Confidentiality
Integrity
Availability
Disclosure
Alteration
Destruction
Separation of Duties
“The principle of separation of duties is that an organization should carefully separate
duties, so that people involved with checking for inappropriate use are not also capable
of making such inappropriate use. No person should be responsible for completing a task
involving sensitive, valuable or critical information from beginning to end. Likewise, a
single person must not be responsible for approving their own work”.
Some examples of things that should be separated are
 development / production
 security / audit
 account payable / accounts receivable
 encryption key management / changing of keys
5 general procedures to implement change control
1.
2.
3.
4.
5.
Applying to introduce a change
Cataloging the intended change
Scheduling the change
Implementing the change
Reporting the change to appropriate parties
Page 40 of 89
CISSP CBK Review
TOP
Application and System Development
Database Management
“Database access control can be restricted by only allowing roles”
Database Models
Relational Database Model Uses attributes (columns) and tuples (rows) to contain
and organize information. Presents information in the form of tables.
Hierarchical Data Model Combines records and fields that are related in a logical tree
structure. Used for mapping one-to-many relationships.
Distributed Data Model Data stored in more than one database, but logically
connected.
Relational Database Components
Most databases contain the following core functionalities




Data Definition Language (DDL)
Data Manipulation Language (DML)
Query Language (QL)
Report Generator.
DDL defines the structure and schema of a database.
Data Dictionary The data dictionary is a central repository of data elements and their
relationships. The Data Dictionary includes definitions of views, data sources,
relationships, tables, indexes, etc. When new tables, new views or new schema are
added, the data dictionary is updated to reflect this.
Integrity
Can run into concurrency problems. Record locking prevents this.
Database software performs two main types of integrity services
1. Semantic Integrity Makes sure that structural and semantic rules are enforced.
2. Referential Integrity No record can contain a reference to a primary key of a nonexisting record or NULL value. Database must also not contain unmatched foreign
key values.
Database Security Issues
Two main database security issues are aggregation and inference
Aggregation
Page 41 of 89
CISSP CBK Review
is figuring out complete information you don’t have access to by using components of
that information you do have access to. The combined information has a sensitivity
that is greater than the sum of the parts.
Queries could be tracked and restricted based on context-dependant classification
used to check what data the users has already accessed.
Inference
Inference is similar to aggregation and involves the ability to derive information that is
not explicitly available from information that is available. For example, a clerk does not
have access to troop movements but does have access to food and tent deployment.
Again, context-dependant classification rules can help prevent anything that looks like
inference.
Database security looks at the contents of the file rather than the file itself as an
operating system could. This is content-dependant access control increases
processing overhead but provides more granular control.
Polyinstantiation
Polyinstantiation enables a relation to contain multiple tuples with the same primary key but
at different security classifications.
System Development
Security management is an important aspect of project management.
The following is a typical list of lifecycle phases
Project initiation
Functional design, analysis and planning
System design specifications
Software development
Installation / Implementation
Operational Maintenance
Disposal.
System Design Specifications
Informational, functional and behavioral model information goes into the software design
as requirements. What comes out of the design is data, architectural and procedural
design.
Installation / Implementation
Certification is the process of reviewing and evaluating security controls and is usually
a task assigned to an outside independent reviewer.
Accreditation is the formal acceptance of the system by key management and in
implicit acceptance of risk. Once management accepts the residual risk, they should
issue a formal accreditation statement.
Verification – does the product match the specification?
Validation – Fitness or worth of a software product for its operational mission.
Page 42 of 89
CISSP CBK Review
”Verification is doing the job right, Validation is doing the right job”
System Life Cycle Phases
Project Initiation
Concept of project definition
Proposal and initial study
Functional design analysis and planning
Requirements uncovered and defined
System environment specifications determined
System design specifications
Functionality design review
Functionality broken down
Detailed planning put into place
Code design
Software development
Developing and programming software
Installation
Product installation and implementation
Testing and Auditing
Maintenance Support
Product changes, fixes and minor modifications
Revision and Replacement
Modifying the product with revisions, or, replacing it completely.
WaterFall Model
The steps of a typical waterfall model are
System feasibility
Software plans and requirements
Product design
Detailed design
Code
Integration
Implementation
Operations and Maintenance
Spiral Model
Angular dimensions represent progress made in completing the phases.
Radial dimension represents cumulative project costs.
The model states that each cycle of the spiral involves the same series of steps for each
part of the project. The spiral model is actually a meta-model that incorporates a
number of the software development models. This model depicts a spiral that
incorporates the various phases of software development
Cost Estimation Models
Basic COCOMO model estimates development effort and cost as a function of the
number of source instructions
MM = 2.4KDSI (MM = Man months, KDSI = K developed source instructions)
TDEV = 2.5mm
Maintenance
Page 43 of 89
CISSP CBK Review
Maintenance phases can be divided into 3 sub-phases
Request control
Change control
Release control
Configuration management and Change Control
Configuration management is the process of controlling the life cycle of an application
and documenting the necessary change control activities. Configuration management is
used to manage changes and new versions of software products. BS7799 addresses
configuration management.
The following definitions are associated with Configuration Management
Configuration Item (CI) Component whose state is to be recorded.
Version A recorded specific state of a configuration item.
Configuration Collection of component configuration items that comprise a
configuration item in some stage of its evolution. Can be recursive.
Building Assembling a version of a configuration item from component configuration
items.
 Build List
 Software Library
Software Capability Maturity Model (CMM)
The Software CMM is based on the premise that the quality of a software product is a
direct function of the quality of its associated development and maintenance processors.
5 maturity levels are
Level 1 Initiating
Level 2 Repeatable
Level 3 Defined
Level 4 Managed
Level 5 Optimizing
Good people in place. Processes performed ad-hoc.
Project management processes in place.
Engineering processes and organizational support.
Product and process quantitatively controlled.
Continued process improvements. Institutionalized.
The software CMM is a component that supports the concept of continuous process
improvement. This concept is embodied in the SEI process improvement IDEAL model
Initiate
Diagnose
Establish
Action
Leverage
|
|
| = IDEAL!
|
|
Application Program Security Methodology
Object-Oriented Concepts
A shared potion of an object is the interface. The private portion of an object facilitates
data hiding.
Abstraction is the capability to suppress unnecessary details so that the important,
inherent properties can be examined and reviewed.
Page 44 of 89
CISSP CBK Review
Polymorphism An object’s response to a message is defined by the class to which the
object belongs. Different objects can respond to the same input in different ways.
Encapsulation Hides internal data and operations not exposed via the interface.
Polyinstantiation Multiple distinct differences between data within objects to
discourage lower level subjects from learning information at a higher level of security.
Inheritance Shares properties and attributes with subclasses.
Cohesion and Coupling
Modules should be self contained and perform a single logical function with as little
external help as possible. This is cohesion and the goal for a module is to have high
cohesion.
Modules should not drastically affect the behavior of each other. This is low coupling.
ORBs and CORBAs
The OMA is the Object Management Architecture. ORB manages all communication
between components and enables them to interact in a heterogeneous and distributed
environment.
ORB is the middleware that established the client/server relationship between objects.
CORBA provides standard interface definitions between OMG compliant objects.
COM and DCOM
The component object model (COM) defines how components interact and provides an
architecture for simple IPC. DCOM is a distributed model based on COM. DCOM has a
library that takes care of session handling, synchronization, buffering, fault identification
and handling, and data format translation.
OLE – Object Linking and Embedding
OLE uses COM as its base and allows objects to be embedded within documents and for
linking different resources and objects.
The capability for one program to call another is called linking.
The capability to put a piece of data inside a foreign program or document is called
embedding.
DDE – Dynamic Data Exchange
DDE enables different applications to share data by providing IPC. DDE is a
communication mechanism that enables direct connection between two applications.
Distributed Computing Environment (DCE)
Page 45 of 89
CISSP CBK Review
DCE is a standard developed by the OSF – Open Software Foundation (also called “the
open group”). DCE is middleware providing RPC service, security services, directory
service, time service and distributed file support.
DCE is a layer of software that sits on top of the network layer.
** DCOM uses a globally unique identifier (GUID).
** DCE uses a universal unique identifier (UUID).
Expert Systems and Knowledge Based Systems
Expert systems usually consist of two parts, an inference engine and a knowledge base.
The inference engine handles the user interface, external files, scheduling and programaccessing capabilities.
The knowledge engine contains data pertaining to a specific problem or domain.
ANN = Artificial Neural Network.
Malicious Code (MALWARE)
Virus Infects applications. Main function is to reproduce. Macro viruses are easy to write
and office products are in wide use.
Worms Reproduce on their own with no need for a host application.
Logic Bomb Will execute certain code when a specific event happens.
Trojan Horse Program disguised as another program.
Attacks
SMURF Requires an attacker, a victim and an amplifying network. ICMP ECHO packets
are sent to the broadcast address of a large network with the return address spoofed to
be that of the victim. The target network will drown the victim with responses. A counter
against the smurf attack is to disable broadcast packets at the border router.
Fraggle Similar to SMURF but uses UDP instead of ICMP.
SYN Flood Repeated SYN packets that will not respond to the SYN/ACK packets.
Teardrop Send very small packets with invalid fragment offset causing the computer to
freeze or crash.
Top
Page 46 of 89
CISSP CBK Review
Top
CRYPTOGRAPHY
The papyrus around the staff is a “scytale” cipher.
Enigma Machine The crucial and secret part of the process (the key) was how the
operators advanced the rotors when encrypting and decrypting a message. (World War
II)
Cryptography Definitions
Cryptosytem A system that provides encryption and decryption
Key The secret piece of a well known encryption algorithm
Keyspace Range of values that can be used to construct a key.
Cryptography The science of encrypting written communication.
Cryptanalaysis The process of trying to decrypt encrypted data without the key.
Work Factor Estimate of the effort it would take an attacker to penetrate an encryption
method.
Cryptology Study of both cryptography and cryptanalysis.
Key Clustering When two (or more) different keys generate the same ciphertext from
the same plain text, this is known as “key clustering”.
Goals of CryptoSystems
Confidentiality – Unauthorized parties cannot access the information.
Authenticity – Validating the source of a message.
Integrity – Assurance that a message was not modified during transmission.
Non Repudiation – Sender cannot layer deny sending the message and the receiver
cannot deny receiving it.
Types of Ciphers
Substitution Uses a key to know how substitution should be carried out.
Transposition Permutation is used. Does not replace original text with different text –
text is moved around.
Simple substitution and transposition methods are vulnerable to “frequency analysis”
One time pad (Vernam)
 Running and Concealment Ciphers
Running Key Cipher Does not require a key or algorithms, but steps in the
physical world. For example, references to a book. The “key” in this situation is
“which book?”
Concealment Cipher A cipher that hides the message among garbage. For
example, have each word appear every 5th word in a sentence. “Buy gold” might
become “Product is a good buy, it has ten percent gold content”.
Government Involvement with Cryptography
Harry Truman created the NSA in 1952.
Page 47 of 89
CISSP CBK Review
In 1993, government introduced the Clipper chip, based on the Skipjack algorithms.
Each chip unit has a key which encrypts a copy of each user’s session key. Each chip
also has a unique serial number and a copy of the unit key is stored in a database under
this serial number. The transmitted message contains a Law Enforcement Access Field
(LEAF) whch contains the serial number of the chip that encrypted the message. The
unit key can be retrieved from the database, used to decrypt the session key which in
turn can be used to decrypt the message.
Weaknesses in the Clipper Chip include
SkipJack algorithm was never publicly scrutinized and tested
80 bit key is weak by current standards.
16 bit checksum can be defeated
The clipper chip ID tagged and identified every communication session.
Key Escrow
Unit key split in two and given to two different agencies to maintain. Officer needs a
court order to request the unit key.
Methods of Encryption
Cryptographic algorithms can use either symmetric keys (secret keys) or asymmetric
keys (public keys).
Symmetric Cryptography
Both parties use the same key for encryption and decryption
Each pair of users exchanging messages needs their own set of keys – key management
becomes a pain.
Initial key exchange needs to be out of band
Because the same keys are used for encryption and decryption, it does not provide
authentication and non-repudiation.
Fast and hard to break when a large key size is used.
The following algorithms all use Symmetric (Secret) Key Cryptography
Data Encryption Standard (DES)
Triple DES (3DES)
Blowfish
IDEA
RC4, RC5 and RC6
Asymmetric Cryptography
Each entity has different keys, a private key and a public key. The two keys are
mathematically related, but cannot be derived from one another.
A message can only be decrypted with the public key if it was encrypted with the private
key – provides authentication.
Page 48 of 89
CISSP CBK Review
If confidentiality is most important, the sender encrypts with the receiver’s public key
and the message can now only be read with the receiver’s private key. This is called a
secure message format.
If authentication is most important, the sender encrypts with his own private key. The
receiver knows it came from the sender because it can be decrypted with the sender’s
public key. This is known as open message format because anyone with the sender’s
public key can read it.
For a message to be A secure and signed format, the sender should encrypt with his
own private key and then again with the receiver’s public key.
Strengths of Asymmetric cryptography
Better key distribution than with symmetric systems.
Better scalability than symmetric systems
Can provide confidentiality, authentication and non-repudiation.
Weaknesses
Works much slower than symmetric systems.
Asymmetric key algorithms
 RSA
 Ecliptical Curve Cryptosystem (EC)
 Diffe-Hellman
 El-Gamal
 Digital Signature Standard (DSS)
Stream and Block Ciphers
There are 2 main types of symmetric algorithms stream and block ciphers
Block Cipher The message is divided into blocks and bits and the blocks are then put
through transposition, substitution and other functions. Block ciphers use confusion
and diffusion in their methods. The key dictates what S-boxes are used and in what
order.
Stream Cipher Entire message is treated as a stream of bits or bytes. Some stram
ciphers use a “keystream generator”. The key provides randomness to the keystream
that is applied to the plaintext.
A strong stream cipher algorithm has the following characteristics
Long periods of non-repeating patterns within keystreams.
Statistically unpredictable
Keystreams are not linearly related to the key.
Statistically unbiased – as many 0s as 1s.
Stream ciphers are more suited to hardware encryption because they operate a bit at a
time. Block ciphers are better suited to software based encryption.
Page 49 of 89
CISSP CBK Review
Symmetric Encryption Systems
DES (Data Encryption Standard)
DES is a block encryption algorithm using 64-bit blocks. It uses a 64 bit key 56 bits of
true key and 8 for parity. Characters ar eput through 16 rounds of transposition and
substitution.
Devised in 1972 as a derivation of the “Lucifer” system
DES Describes the DEA (Data Encryption Algorithm)
FIPS PUB 46-1 (1977) and ANSI X3.92 (1981)
64bit blocks, 56 bit key and
16 rounds of transformation
Uses confusion and diffusion for encrypting plain text.
Confusion Conceals statistical connection between ciphertext and plain text. Uses nonlinear substitution boxes (S-Boxes)
Diffusion Spreads the influence of a plain text character over many ciphertext
characters.
DES has 4 distinct modes of operation
Electronic Code Book (ECB) It is a block cipher Native encryption method for DES.
Electronic codebook literally operates like a code book. For a given block of plaintext and
a given key, the same set of ciphertext is always produced. ECB uses padding to round
up to a 64 bit block boundary. ECB is used for small amounts of data such as challengeresponse or key management. Not good for large amounts of data as patterns would
eventually show.
Cipher Block Chaining (CBC) In Cipher Block Chaining, the value of the previous
block processed is a part of the algorithm and key for the next block, so, patterns are
not revealed. This chaining effect means that a particular ciphertext block is dependant
on all the blocks that came before it, not just the current block.
Cipher Feedback Mode (CFB) It is a stream cipher. Previously generated ciphertext
is used as feedback into the key generation source to develop the next keystream. This
mode is used when encrypting individual characters is required.
Output Feedback Mode (OFB) Similar to CFB, but stream cipher functions by
generating a random stream of bits to be combined with the plaintext to create
ciphertext. Requires initialization vector. Ciphertext is fed back to the algorithm to form
a portion of the next input to encrypt the stream of bits.
Triple DES (3DES)
Encrypting plaintext with one DES key and then encrypting it with a second DES key is
no more secure than using a single DES key, therefore, Triple DES is used to obtain
stronger encryption
DES-EDE2 2 keys are used. Encrypt with 1, decrypt with 2 and then encrypt with 1
again.
Page 50 of 89
CISSP CBK Review
DES-EEE2 2 keys used. Encrypt with 1, encrypt with 2, encrypt with 1.
DES-EEE3 3 keys used. Encrypt with 1, encrypt with 2, encrypt with 3. Most secure, but
requires 3 keys.
Advanced Encryption Standard (AES)
Uses Rjindael block cipher, specifies three key sizes; 128, 192 or 256 bit. Choice of
key determines encryption level. AES is the government standard for encrypting SBU
information. Best suited for hardware encryption.
The number of rounds of transformation is a function of the key size used
256 bit – 14 rounds.
192 bit – 12 rounds.
128 bit – 10 rounds.
Symmetric Algorithms that provide bulk (data) Encryption services only
DES and 3DES
TwoFish
128 bit blocks in 16 rounds. Key lengths can be up to 256 bits.
BlowFish
A block cipher operating on 64 bit blocks with a key length of up to 448 bits. The blocks
go through 16 rounds of crypto functions.
IDEA
Ideas stands for International Data Encryption Algorithm. It operates on 64 bit blocks
and uses a 128 bit key. Performs 8 rounds on 16 bit sub-blocks. Each 64 bit block is
divided into 16 smaller blocks and each block has 8 rounds of mathematical functions
performed on it. IDEA is harder to crack than DES for the same keysize and is used in
PGP.
RC5
Block cipher of variable block length. Key can be 0-2048 bits, blocks can be 32, 64 or
128 bits and the number of rounds can be 0 – 255. Created by Ron Rivest and patented
by RSA data.
Asymmetric Encryption Algorithms
RSA
Defacto standard for public encryption. Invented by Ron Rivest, Adi Shamir and Leonard
Adleman. Developed at MIT. Security comes from the difficulty of factoring large
numbers. Public and private key are functions of a pair of large prime numbers. RSA is
used in many web browsers with SSL.
El-Gamal
Extends Diffie-Hellman to apply to encryption to digital signatures. Based on calculating
discrete logarithms in a finite field.
Elliptical Curve Cryptosystem (ECC)
Page 51 of 89
CISSP CBK Review
Provides much of the same functionality as RSA Digital signatures, secure key
distribution and encryption. ECC is very resource efficient – ideal for smaller devices.
ECC providers higher protection with smaller keys than RSA. An ECC key of 160 bits is
equivalent to a 1024-bit RSA key.
Public Key Cryptography
Public key cryptography uses asymmetric encryption for key encryption and secret key
encryption for data. We use an asymmetric algorithm to encrypt the secret key.
Diffie-Hellman Used for key distribution, NOT encryption and decryption. Subjects can
exchange session keys over a non-secure medium without exposing the keys.
Session-Key “Secret” key used for one data exchange only. Usually randomly
generated then encrypted using public cryptography.
Public Key Infrastructure (PKI)
PKI is an ISO authentication framework that uses public key cryptography and X.509
standard protocols.
PKI provides authentication, confidentiality, non-repudiation and message integrity.
The PKI infrastructure contains the pieces that will identify the user, distribute and
maintain keys, distribute and maintain certificates and allow certificate recovation.
Each individual taking part in PKI needs a digital signature signed by a CA. Some wellknown Certification Authorities are Entrust and VeriSign. Revocation is handled by the
certification revocation list (CRL).
PKI is made up of the following entities and functions
Certification Authorities
Registration Authorities
Certificate Repository
Certificate Revocation System
Key backup and recovery system
Automatic key update
Management of key histories
Cross-certification with other Cas
Time stamping
Client side software
LDAP is the standard format for accessing certification repositories. Availability and
Integrity of LDAP servers is a concern.
ISAKMP Internet Security Association and Key Management Protocol.
IKE ISAKMP, Secure Key Exchange Mechanism (SKEME) and Oakley, combined.
In general
ISAKMP defined the phases for establishing a secure relationship
SKEME describes a secure exchange mechanism
Oakley defined the modes of operation needed to establish a secure connection.
Page 52 of 89
CISSP CBK Review
Message Integrity
One-Way Hash
A one-way hash takes a variable length input and produces a fixed-length output, or
hash value. A hash value is also known as a message digest. If a sender only wants a
specific person to view the hash value sent with the message, the value would be
encrypted with a key. This is referred to as the message authentication code.
Basically, the MAC is a one-way hash value that is encrypted with a symmetric key.
Digital Signature
A digital signature is an encrypted hash value. A digital signature provides
authentication because the message digest is encrypted with the sender’s private key.
Overview/review
A message
A message
A message
A message
integrity.
can
can
can
can
be
be
be
be
encrypted, providing confidentiality.
hashed, providing integrity.
digitally signed, providing authentication and integrity.
encrypted and signed, providing confidentiality, authentication and
Digital Signature Standard – DSS
The Federal Government requires its departments to use the DSA & SHA. SHA creates a
160-bit output, which is then input to DSA, which signs the message.
The DSA (Digital Signature Algorithm) can only be used for signatures, not encryption.
Different Hashing Algorithms
Good hash functions should have the following characteristics
Computed on the entire message, not a part of it.
One-way function so that messages are not disclosed by their signatures.
Should be impossible, given a message and its hash value, to compute another message
with the same hash value.
Should be resistant to birthday attacks – should not be able to find two messages with
the same hash value (collision free).
Some common hashing algorithms include
MD2 128 bit hash, slower than MD4 and MD5
MD4 128 bit hash.
MD5 128 bit hash. More complex than MD4. Processes text in 512 bit blocks.
HAVAL Variable length hash. Haval is a modification of the MD5 algorithm with more
protection from common attacks against MD5. Processes text in 1024 bit blocks.
SHA 160-bit hash value. Used with DSA.
SHA-1 Updated version of SHA.
Attacks against one-way hash functions
Page 53 of 89
CISSP CBK Review
Birthday Attack Using collusions to reverse engineer hash values. Finding two
messages that produce the same hash value.
One-Time Pad
A one time pad, implemented correctly, is unbreakable as each pad is used only once. A
non-repeating set of bits are XORed with the message to produce ciphertext. The key is
the same size at the message and the sender and receiver must be perfectly in synch.
This encryption method is not practically used much.
Key Management
Key management causes one of the biggest headaches in encryption implementation.
RSA and Diffie Hellman are key exchange protocols.
General rules for keys and key management include
Key length should be enough to provide the necessary level of protection.
Keys should be stored and transmitted by secure means.
Keys should be extremely random and use full spectrum of the keyspace
Key lifetime should correspond with the sensitivity of the data it is protecting.
The more the key is used, the shorter its lifetime should be.
The key should be backed up or escrowed in case of emergencies.
The key should be properly destroyed once its lifetime comes to an end.
Link vs End to End Encryption
Advantages of end-to-end encryption
Protects information from start to finish
More flexibility for the user in choosing what gets encrypted and how
Higher granularity of encryption is available because each application or user can choose
a different key.
Each hop on the network does not need to have a key to decrypt each packet.
Disadvantages of end-to-end encryption
Headers, addresses and router information is not encrypted and therefore not protected.
Destination needs to have same encryption mechanisms to properly decrypt the
message.
Advantages of link (lower layer) encryption
All data is encrypted, including headers, addresses and routing information.
Users do not need to do anything to initiate it.
Disadvantages of link encryption
Each hop must have a key, making key distribution and management more complex.
Messages are decrypted at each hop, thus more points of vulnerability.
Page 54 of 89
CISSP CBK Review
Email Standards
Privacy Enchanced Email (PEM)
PEM is a series of message authentication and encryption procedures developed by
several governing groups. Primary features are
Messages are encrypted with DES in CBC mode.
Authentication is provided by MD2 or MD5
Public key management using RSA
X.509 standard for certification structure and format.
Message Security Protocol (MSP)
MSP is the military’s PEM. It was developed by the NSA and is an X.400 compatible
application layer protocol.
Pretty Good Privacy (PGP)
PGP uses RSA public key encryption for key management, IDEA for bulk encryption of
data and MD5 for authenticity. PGP does not use Certification Authorities but relies
instead on a “web of trust”.
Internet Security
“The web is not the internet. The web runs on top of the Internet.”
S-HTTP
Secure Hypertext Transport Protocol. In this protocol, the client and server agree on a
protection method and then the client sends the server its public key. The server
generates a session key, encrypts it with the client public key and sends it back. S-HTTP
maintains an option connection for the duration of the session.
SSL
SSL is similar to S-HTTP but protect the communication channel itself instead of
individual messages. The server sends a message to the client that a secure session is
required and the client sends its public key and security requirements back to the
server. The server compares the security parameters with its own to find a match and
then sends the client a digital certificate. If the client trusts the certificate, the process
continues. SSL keeps the communication path open.
MIME Multipurpose Internet Mail Extension
If a message or document contains a multimedia attachment, MIME dictates how that
portion of the message should be handled.
S/MIME
S/MIME is a standard for encrypting and digitally signing mail that contains attachments.
Page 55 of 89
CISSP CBK Review
SET – Secure Electronic Transaction
Security technology proposed by Visa and Mastercard for more secure online credit card
transactions. Suppliers never see the credit card information.
Cookies
Sometimes cookies can contain login and password information that is either not
encrypted or encrypted weakly. This is a vulnerability.
Secure Shell (SSH)
SSH functions as a type of tunneling mechanism that provides terminal like access to
remote computers.
IPSEC (Internet Protocol Security)
The IPSEC protocol is a method of setting up a secure channel for protected data
exchange between two devices. IPSEC is a widely accepted standard for secure network
layer transport. It is usually used to establish VPNs.
IPSEC uses two basic protocols Authentication Header (AH) and Enscapsulating security
Payload (ESP).
IPSEC works on one of two modes
Tunnel Model only the payload is encrypted.
Transport Mode payload, routing and header information are all encrypted.
Each device has one security association (SA) for each session connection, one for
inbound and one for outbound. The SA contains the configuration that the device needs
to know about. Each device has a security parameter index that keeps track of each
SA.
When a packet is received, the steps are
Identify appropriate SA, secret key and algorithm.
Calculate hash value of the packet to authenticate source and verify data integrity.
Authenticate the source.
Identify correct cryptographic algorithm (DES or 3DES) and secret key.
Decrypt the message.
ISAKMP Internet Security Associated and Key Management Protocol.
Cryptography Attacks
The following sections go over active attacks that can relate to cryptography
Ciphertext Only Attack Attacker has the ciphertext of several messages encrypted
using the same algorithm.
Page 56 of 89
CISSP CBK Review
Known Plaintext Attack Attacker has plaintext and ciphertext of one or more
messages. The goal is to discover the key used to encrypt the messages.
Chosen Plaintext Attack Attacker has plaintext and ciphertext and can choose the
plaintext that gets encrypted.
Chosen Ciphertext Attack Attacker can choose ciphertext to be decrypted and has
access to the decrypted plaintext.
Man-in-the-middle attack
Intercepting public key and replacing it with your own, and then intercepting subsequent
messages intended for someone else. Using digital signatures during session-key
exchange can circumvent man in the middle attacks.
Dictionary attack
Running dictionaries of words through one-way HASH functions to see if the hash value
matches what you have. Common method of cracking Unix passwords.
Replay attacks
When an attacker copies a ticket, breaks the encryption and tries to impersonate the
client by resubmitting the ticket at a later time. Kerberos is particularly vulnerable to
this type of attack.
Timestamps and sequence numbers are two common counter-measures to replay
vulnerabilities.
Wireless Security
Wireless Application Security (WAP)
WAP is a set of protocols that cover layer 7 to layer 3 of the ISO model. The WAP
protocol stack contains the following
Wireless
Wireless
Wireless
Wireless
Wireless
Wireless
Markup Language (WML)
Application Environment (WAE)
Session Protocol (WSP)
Transport Protocol (WTP)
Transport Layer Security Protocol (WTLS)
Datagram Protocol (WDP)
WTLS provides 3 classes of security
Class 1 Anonymous authentication. Neither client or server is certain of the identify of
the other.
Class 2 Server authentication.
Class 3 Two-way client and server authentication.
HDML Handheld device markup language is a simple alternative to WML.
Page 57 of 89
CISSP CBK Review
C-HTML Compact HTML, widely used in Japan.
Wired Equivalent Privacy
Secret key shared between clients and access points. Must have the shared key to
associate with the access point.
WEP uses the RC4 variable key-size stream cipher encryption algorithm. RC4 was
developed in 1987 by Ronald Rivest and operates in output feedback mode.
Security of the WEP algorithm is weak, in the native 40-bit and even the 128 bit
versions.
TOP
Security Architecture and Models
A security model is a statement that outlines the requirements necessary to properly
support a certain security policy.
“Security is best if it is built into the foundation of operating systems and applications”
Computer Architecture
CPU Contains ALU, Control Unit and primary storage.
Protection Rings Operating system concept. Inner rings have most privileges. Inner
rings can directly access outer rings, but not vice versa. A typical arrangement might be
Ring
Ring
Ring
Ring
0
1
2
3
Operating system & Kernel
Remaining parts of operating system
I/O drives and utilities
Applications and programs.
MITs MULTICS is an example of an operating system using this concept.
Operating Systems
Operating systems can be in one of several states
Ready
Ready to resume processing
Supervisory
Executing a highly privileged routine
Problem State Executing an application (working on a problem)
Wait State
Waiting for a specific event to complete or resource to become free.
An operating system implements security using many mechanisms, including
Protection Rings
Mapping Memory
Implementing virtual machines
Working in different states
Assigning trust levels to each process
Page 58 of 89
CISSP CBK Review
Process Vs Thread
A process is a program in execution with its own address space. Threads are pieces of
code executed within a process.
Memory Addressing Modes
Register Addresses registers within the CPU.
Direct Actual addresses. Usually limited to current memory page.
Absolute Address of all primary memory space. Can hit any memory address directly.
Indexed Adding contents of addresses in programs instruction to that of a memory
(index) register.
Implied Operations internal to the processor, such as clearing of a carry bit.
Indirect The address specified in the instruction contains the address where the actual
data can be found.
Processing Methods
Some methods to improve system performance at the hardware level are
Pipelining Overlapping the steps of different instructions to run close to concurrently.
CISC Complex Instruction Set Computer. In earlier technologies, the “fetch” cycle was
the slowest port. By packing instructions with several operations, number of fetches
were reduced.
RISC Reduced instruction set computer. Instructions are simple and require fewer clock
cycles.
Scalar Processor One instruction at a time.
Superscalar Processor Enabled concurrent execute of multiple instructions in some
pipeline stage.
Very Long Instruction Word (VLIW) Processor A single instruction specifies more
than one concurrent operation.
System (Security) Architecture
Some of the biggest questions in systems security architecture are
Where should the protection take place? User’s end? Where the data is stored?
Restricting user activities?
At which layers should mechanisms be implemented? Hardware, kernel, o/s, services or
program layers?
“The more complex a security mechanism becomes, the less assurance it provides” ->
Functionality and Assurance Compromise.
What system mechanisms need to be trusted? How can these entities interact in a
secure manner?
Some important terms and definitions relating to system architecture are
Page 59 of 89
CISSP CBK Review
Trusted Computer Base Combination of protection mechanisms within a system,
including hardware, software and firmware. Not every part of a system needs to be
trusted and therefore do not fall under the TCB.
Reference Monitor Abstract system concept that mediates all access the subjects have
to objects. This is a concept, not a component.
Security Kernel Hardware, firmware and software that fall under the TCB and
implement the reference monitor concept. The security kernel is the core of the TCB.
The security kernel must
Mediate all access to objects in the system.
Be protected from modification
Be verified as correct.
Domains Set of objects that a subject can access. Domains have to be identified,
separated and strictly enforced.
Resource Isolation Enables each subject and object to be uniquely identified,
permissions and rights to be assigned independently, accountability to be enforceable
and activities to be tracked precisely.
“Security policies that prevent information from flowing from a high security level to a
lower security level are multilevel security policies.”
“The execution and memory space assigned to each process is called a protection
domain.”
Virtual Machine Monitor Each “machine” runs at a different security level.
Security Model
“A model is a symbolic representation of a policy. It maps the desires of the policy into a set
of rules to be followed by a computer system.”
“Security policy provides the abstract goals, the security model defines the dos and donts to
achieve those goals”
Bell-LaPadula Model
Developed by the military in the 1970s to address leakage of classified information. Main
goal is confidentiality. A system using the Bell-LaPadula model would be classified as a
multi-level security system. The Bell-LaPadula is a state machine model, and could also
be categorized as an information flow model.
Simple Security Rule Cannot read data at a higher level.
Star (*) Property Cannot write data to a lower level.
Bell-LaPadula also uses a discretionary access control matrix to handle
exceptions. This may allow a trusted subject to violate the *-property, but not its
intent. IE, a low-sensitivity paragraph in a higher-level document being moved to a lowsensitivity document is ok, but might require an override of the * property.
Page 60 of 89
CISSP CBK Review
Criticisms of Bell-LaPadula
Only deals with confidentiality, not integrity.
Does not address access control management.
Does not address covert channels.
Does not address file sharing in more modern systems.
Secure state transition is not explicitly defined.
Only addresses multi-level security policy type.
Biba Model
The Biba model is also a state machine model and similar to Bell-LaPadula, except is
addresses data integrity rather than data confidentiality. The data integrity is
characterized by three goals
Protection from modification by unauthorized users.
Protection from unauthorized modification by authorized users.
Internally and externally consistent.
The following rules of the Biba model implement these goals
Simple Integrity Axiom No read down.
Star (*) Integrity Axiom No writing up.
Subjects at one level of integrity cannot invoke an object or subject at a higher level
of integrity.
Clark-Wilson Model
The Clark-Wilson model takes a different approach to protecting integrity. Users cannot
access objects directly, but must go through programs that control their access.
“Usually in an information flow model (Bell-LaPadula and Biba), information can flow from
one level to another until a restricted operation is attempted. At this point, the system
checks an access control matrix to see if the operation has been explicitly permitted”.
The Clark-Wilson model defines the following terms
Constrained Data Item (CDI) Data item whose integrity is to be protected.
Integrity Verification Procedure (IVP) Program that verifies integrity of CDI.
Transformation Procedure (TP)
Unconstrained Data Item Data outside of the control of the model. For example, input
data.
Information Flow Models
Each object is assigned a security class or value. Information is constrained to flow only
in the directions permitted by the security policy.
Page 61 of 89
CISSP CBK Review
Security Modes of Operation
The “mode of operation” defines the security conditions under which the system actually
functions
Dedicated Security Mode ALL users have the clearance and the “need to know” to all
the data within the system.
System-High Security Mode All users have clearance and authorization to access the
information in the system, but not necessarily a need to know.
Compartmented Security Mode All users have the clearance to all information on the
system but might not have need to know and formal access approval. Users can access
a compartment of data only.
Multilevel Security Mode Permits two or more classification levels of information to be
processed at the same time. Users do not have clearance for all of the information being
processed.
Limited Access Minimum user clearance is “not cleared” and the maximum data
classification is “sensitive but unclassified”.
Controlled Access Limited amount of trust placed on system hardware and software.
Trust – assurance of trust implies a much deeper knowledge of the building process, etc.
Systems Evaluation Method
The “Orange” Book
The US Dept of Defense developed TCSEC (Trusted Computer Systems Evaluation
Criteria) to provide a graded classification for computer system security. The graded
classification hierarchy is
A – Verified Protection
B – Mandatory Protection
C – Discretionary Protection
D – Minimal Security
The evaluation criteria involves 4 main area Security, Policy, Accountability and
Assistance and Testing, but these break down into 7 specific areas
Security policy – explicit, well defined, enforced by mechanisms in the system itself.
Identification – individual subjects must be uniquely identified in the system.
Labels – labels must be associated with individual objects.
Documentation – test, design and specification documentation. User guides and
manuals.
Accountability – audit data is captured and protected. Relies on identification.
Life Cycle Assurance – Software, hardware and firmware can be tested individually to
ensure that each enforces security policy.
Continuous Protection – Ongoing review and maintenance of the security.
Page 62 of 89
CISSP CBK Review
Products for evaluation under TCSEC are submitted to the National Computer Security
Center (NCSC). The Trusted Products Evalation Program (TPEP) puts successfully
evaluated products on the Evaluated Product List – EPL.
Orange Book TCSEC Ratings
Each division can have one or more numbered classes and each have a corresponding
set of requirements that must be met for a system to achieve that particular rating.
Classes are as follows
A1 Verified Design like B3, but the system documentation must support everything
(formal design).
B3 Security Domains Protect against covert timing channels; separate SysAdmin
and SecAdmin roles.
B2 Structured Protection Security policy clearly defined; subjects and devices
require labels and system must not allow covert (storage) channels; Trusted
Facility Management which means a separation of SysAdmin and SysOperator roles.
B1 Labeled Security each data object has a classification label and each subject has a
clearance label; system checks one against the other.
C2 Controlled Access Protection Identify individuals, auditing (especially of security
related events which must be protected), object reuse concept, strict logon, and
decision-making capability when subjects access objects.
C1 Discretionary Security Protection Users, groups, separation of identity, some
access control necessary.
Division D Minimal Protection
All systems that fail to meet the requirements of the higher divisions fall under this
category.
Division C Discretionary Protection
C1 - Discretionary Security Protection
Based on individuals and/or groups.
Identification and authorization of individual entities.
Protected execution domain for privileges processes.
Design, test and user documentation.
C2 - Controlled Access Protection
Security relevant events are audited.
Object reuse concept must be invoked (including memory)
Strict login procedures.
The C2 rating is the most reasonable class for commercial applications.
Division B - Mandatory Protection
Division B enforces mandatory protection by the use of security labels and the reference
monitor concept.
Page 63 of 89
CISSP CBK Review
B1 - Labeled Security
Each object must have a classification label and each user must have a clearance label.
Security labels are mandatory in class “B”
B2 - Structured Protection
System design and implementation are subject to a more thorough review and testing
process.
Well-defined interfaces between system layers.
Covert storage channels are addressed.
Trusted path required for login and authentication.
Separation of operator and administrator functions.
B3 - Security Domains
More granularity in each protection mechanism
Code not necessary to support the security policy is excluded from the system.
Reference monitor component must be small enough to be isolated and tested fully.
System fails to a secure state.
Division A Verified Protection
Formal methods are used to ensure that all subjects and objects are controlled.
A1 Verified Design
Feature and architectures are not much different than B3, the difference is in the
development process.
Assurance is higher because the formality in the way the system was designed and built
is much higher.
Stringent change and configuration management.
Summary of Ratings
D – Minimal Protection
C – Discretionary protection
C1 Discretionary Security Protection
C2 Controlled Access Protection
subjects and devices require labels
B – Mandatory Protection
B1 Labeled Security
classification and clearance labels
B2 Structured Protection
must not allow covert (storage) channels
B3 Structured Domains
A – Verified Protection
A1 Verified Design
The Red Book
TNI (Trusted Network Interpretation). The red book is an interpretation of the Orange
book for networks and network components. The Red Book TNI ratings are
None
C1 – Minimum
C2 – Fair
B2 – Good
Page 64 of 89
CISSP CBK Review
DITSCAP
Defense Information Technology Security Certification and Accreditation Process. Has 4
phases
Definition
Verification
Validation
Post Accreditation
NIACAP
National Information Assurance Certification and Accreditation Process. Has several
types of accreditation
Side Accreditation Applications and systems at a self-contained location.
Type Accreditation An application or system distributed to a number of different
locations.
System Accreditation Major application or general support system.
CIAP
Commercial Information Security Assessment Process – in development.
ITSEC – Information Technology Security Evaluation Criteria
This accreditation system is used in Europe. Two main elements of a system are
evaluated by ITSEC or TCSET Functionality and Assurance.
Two systems with the same functionality can have different assurance levels. ITSEC
separates these two elements and rates them separately. In ITSEC, F1 to F10 rate the
functionality and E0 through E6 rate the assurance
ITSEC
E0
F1 + E1
F2 + E2
F3 + E3
F4 + E4
F5 + E5
F5 + E6
F6
F7
F8
F9
F10
TCSEC
D0
C1
C2
B1
B2
B3
A1
High Integrity
High Availability
Data Integrity during communication
High Confidentiality (encryption)
Networks with high demands on confidentially and integrity.
Security products or systems are referred to as TOE – Target of Evaluation.
10 functionality classes – F
8 Assurance Levels
-Q
7 correctness levels
-E
Page 65 of 89
CISSP CBK Review
CTCPEC
Canadian Trusted Computer Product Evaluation Criteria
COMMON CRITERIA
International standard evaluation criteria, initiated by ISO in 1990 and started in 1993.
One specific set of classifications, internationally recognized. Evaluates a product against
a “protection profile” which is structured to address specific security problems.
A product is assigned an EAL – Evaluation Insurance Level – EAL1 – EAL7.
Similar to other criteria, the common criteria answers two basic questions
What does it do? (Functionality)
How sure are you? (Assurance)
The protection profile contains
Descriptive elements
Rationale
Functional Requirements
Development Assurance Requirements
Evaluation Assurance Requirements
Certification Technical evaluation of security components and their compliants for the
purpose of accreditation.
Accreditation Formal acceptance of the system’s overall adequacy by management.
Based partly on certification information.
SSE-CMM System Security Engineering, Capability Maturity Model
Based on the premise “If you can guarantee the quality of the processes that are used
by an organization, you can guarantee the quality of the products and services
generated by those processes.”
Two dimensions are used to measure the capability of an organization to perform
specific activities. The two dimensions are domain and capability.
Domain All the practices that collectively define security engineering.
Base practices Related base practices are grouped into Process Areas (PAs)
Capability Practices that indicate process management and institutionalization
capability. Generic Practices (GPs).
The GPs represent activities that should be performed as part of BPs.
In the domain dimension, SSE-CMM defined 11 security engineering process areas and
11 administrative process areas.
Threats
Some threats to security models and architectures are
Page 66 of 89
CISSP CBK Review
Covert Channels Information flow not controlled by the security mechanism.
Covert timing channel
Covert storage channel.
Addresses in TCSEC B2 and higher.
Back Doors Also known as maintenance hooks / trapdoors.
Timing Issues Also known as ‘asynchronous attack’. Deals with the timing different in
the sequence of steps a system uses to complete a task.
Time of Check vs Time of Use (TOC/TOU) – Also known as “race conditions”
Buffer Overflows “Smashing the stack”.
Each of these can lead to a violation of the system security policy.
Recovery Procedures
The system must recover/restart from an error in a secure state – maintenance mode
access only by privileged users from privileged terminals.
Failsafe Program execution terminated, system protected from compromise.
Failsoft (resilient) Non-critical processing is terminated.
Failover Switching to duplicate (hot) backup in real-time.
Cold start System cannot be restored to a known secure state.
top
Operations Security
Categories of Controls
Preventative Controls
Detective Controls
Corrective (Recovery) Controls
Additional categories include
Deterrent Controls
Application Controls
Transaction Controls
Input Controls
Processing Controls
Output Controls
Change Controls
Test Controls
Page 67 of 89
CISSP CBK Review
Orange Book Controls
The Orange Book defined two types of assurance operational assurance and life cycle
assurance.
Operational assurance requirements specified in the orange book are
System architecture
System integrity
Covert channel analysis
Trusted facility management
Trusted recovery
Life cycle assurance requirements specific in the orange book are
Security testing
Design specification and testing
Configuration management
Trusted distribution
Covert Channel Analysis
Involves covert storage channels and covert timing channels.
Covert Channel Requirements
B2 – Must perform covert channel analysis and protect against covert storage channels.
B3/A1 – Must protect against covert storage and covert timing channels. Must perform
covert channel analysis for both types.
Trusted Facility Management
Trusted facility management is defined as the assignment of a specific individual to
administer security related functions of a system. Trusted facility management is closely
related to concepts of least privilege, need to know and separation of duties.
B2 Systems must support separate operator and administrator roles.
B3/A1 System must clearly identify the functions of the security administrator to
perform the security related functions.
Two-man control Two operators review and approve the work of the other.
Dual Control Both operators are needed to complete a sensitive task.
Trusted Recovery
Trusted recovery ensures that security is not breached when a system crash or other
system failure (discontinuity) occurs.
Trusted recovery is required only at B3 and A1 levels.
Page 68 of 89
CISSP CBK Review
System Recovery The common criteria has a hierarchy of three recovery types
Manual recovery Sysadmin intervention required.
Automated recovery Recovery after a single failure is automatic.
Automated recovery without undue loss.
Configuration / Change control management
The primary goal of configuration management is to ensure that changes to the system
do not unintentionally diminish security.
Configuration management is a requirement for B2, B3 and A1 systems.
Five generally accepted procedures exist to implement and support the change control
process
Applying to introduce a change.
Cataloging the intended change.
Scheduling the change.
Implementing the change.
Reporting the change to the appropriate parties.
B2 or B3 Configuration management procedures must be enforced during development
and maintenance of a system.
A1 Configuration management procedures must be enforced during the entire systems
life-cycle.
Administrative Controls
These controls have more to do with human resources, personnel and policy than they
do with hardware or software controls.
Personnel security Background checks, mandatory vacations, etc.
Separation of duties.
Least privilege.
Need to know.
Change control / configuration management.
Record retention and documentation.
Operations Controls
Operations controls embody the day-to-day procedures used to protect computer
operations. The following are the most important aspects of operations controls
Resource protection Hardware / software / data.
Hardware controls Maintenance accounts, maintenance personnel, diagnostic ports,
hardware physical control.
Page 69 of 89
CISSP CBK Review
Software controls Anti-virus managements, software testing, software utilities, safe
software storage and backup controls.
Privileged Entity Controls System commands, special parameters.
Media Resource Protection Two areas media security controls and media viability
controls.
Physical access controls
Monitoring and Auditing
Problem identification and problem resolution are the primary goals of monitoring.
Top
Business Continuity Planning and Disaster Recovery Planning
Business Continuity Planning or contingency planning deals with providing methods and
procedures for dealing with outages and disasters to reduce the risk of financial loss.
The most critical piece overall is senior management support. BCP is the strategy to
minimize the effect of unexpected disturbances and to provide quick resumption of
business operations.
The 4
1.
2.
3.
4.
primary elements of BCP are
Scope plan initiation
Business impact Analysis (BIA) includes vulnerability assessment
Business continuity plan development, it includes
Plan approval and implementation
I. Scope and Plan initiation
Steps involved in the scope and plan initiation include creating an account of the work
required, listing the resources to be used and defining the management practices to be
employed.
A BCP committee should be formed and given the responsibility to create, implement and
test the plan.
The Business Impact Analysis (BIA) is a crucial first step in disaster recovery and
contingency planning. The goal is to see exactly how a business will be affected by
different threats. The purpose of a BIA is to create a document to be used to help
understand what impact a disruptive event would have on the business. The BIA may be
quantitative, (financial) or qualitative, (operational).
The business impact analysis has 3 primary goals
Criticality Prioritization Every critical business unit must be identified and prioritized.
Downtime Escalation Estimate the maximum tolerable downtime (MTD) that the
business can tolerate and still remain a viable company.
Page 70 of 89
CISSP CBK Review
Resource Requirements Identify resource requirements for the critical processes.
The BIA generally consists of these 4 steps
1.
2.
3.
4.
Gathering the needed assessment materials
The vulnerability assessment
Analyzing the information compiled
Documenting the results and presenting recommendations to management.
Business continuity plan development
Defining the continuity strategy
Documenting the continuity strategy
BCP Plan Approval and Implementation
Plan approval and implementation consists of
1. Approval by senior management.
2. Creating an awareness of the plan enterprise-wide.
3. Maintenance of the plan, including updating when needed.
(APPROVAL)
(AWARENESS)
(MAINTENANCE)
APPROVAL, AWARENESS and MAINTENANCE = IMPLEMENTATION!
Phases of Development
The phases of development for a DRP/BCP program should be







The 4
1.
2.
3.
4.
Initiation
Business impact analysis
Strategy development
Plan development
Implementation
Testing
Maintenance
primary elements of BCP are
Scope plan initiation
Business impact Analysis (BIA) includes vulnerability assessment
Business continuity plan development, it includes
Plan approval and implementation
Contingency Planning
There is a general 6 step approach to contingency planning
1. Identify critical business functions
2. Identify the resources and systems that support these critical functions.
3. Estimate potential disastersSelect planning strategies – how to recover the critical
resources and evaluate alternatives. A disaster recovery and contingency plan
usually consists of emergency response, recovery and resumption activities.
4. Implementing strategies.
5. Testing and revisiting the plan.
Page 71 of 89
CISSP CBK Review
Disaster Recovery Planning
A disaster recovery plan is a comprehensive statement of consistent actions to be taken
before, during, and after a disruptive event that causes a significant loss of information
system resources. DRP plans are the procedures for responding to an emergency or
disaster.
The primary objective of the DRP plan is to provide the capability to implement
critical processes at an alternate site in the event of a disaster and return back to the
primary site within a reasonable time to enable the company to minimize loss and by
executing rapid recovery procedures.
The main goals of disaster recovery planning are to
 Improve responsiveness by the employees in different situations.
 Reduce confusion by providing written procedures and participation in drills
 Minimize decision-making during a crisis by having standard procedures to follow
 Protect the organization from major computer services or network outage.
 Guaranteeing the reliability of standby systems through testing and simulations
A company is not considered out of an emergency until it is back at the original
site operating under normal circumstances. The least critical systems should be
moved back first.
Data Processing Continuity Planning
 Reciprocal agreements
 Subscription Services
o Hot site
o Warm site
o Cold site
 Multiple centers
 Service bureaus
Other
Transaction redundancy
Electronic Vaulting Refers transferring files or transactions to a remote location through
communication lines where the original backup is stored. Moving backup tapes off-site is
also a form of electronic vaulting. Consists of
Remote Journaling Transmitting only the journal or transaction logs to the off-site
facility and not the actual files.
Database Shadowing Database shadowing is similar to remote journaling, but the
transactions are shadowed to multiple databases.
Disk Shadowing Mirrored disks for redundancy.
Disk Duplexing More than one disk controller is used. If one fails, another takes over.
Disaster Recovery Testing
Reasons for testing include


Inform management of the recovery capabilities of the enterprise.
Verify accuracy of the recovery procedures and identify deficiencies.
Page 72 of 89
CISSP CBK Review


Prepare and train the personnel to execute emergency duties.
Verify processing capability of the remote backup site.
Disaster recovery tests should be performed at least once a year!
A recovery team is used to get critical business functions running at the alternate site.
The salvage team is used to return the primary site to normal processing conditions.
Tests and Drills
There are a 5 different types of tests and drills that can take place, each with its own pros
and cons
Checklist Test (review only) Copies of the DR plan and continuity plan are distributed
to each functional area for review.
Structured Walk-Through Test Group comes together to walk through scenarios in
detail. (Conference room “talk-through”)
Simulation Test DR team or groups of employees come together to simulate a specific
scenario. A “real” walk-through drill. An enactment, stops short of actual recovery
procedures.
Parallel Test (functional test) Done to ensure that critical systems can perform
adequately at the off-site facility. The systems are moved to the alternate site and
processing takes place.
Full Interruption Test Original site is actually shut down and processing takes place at
the alternate site.
“Emergency response procedures are the prepared actions that are developed to help
people in a crisis situation better cope with the disruption. They are the first line of defense
when dealing with a crisis situation”
End User Environment
The first issue pertaining to users is how will they be notified of the disaster and who will tell
them where to go and when? A tree structure/call list is necessary for this.
Time-loss curves show the total impact over specific time periods.
Backup Alternatives
The hardware backup procedures should address on-site and off-site strategies. There are 3
main categories of disruption
Non-Disaster Disruption in service from device malfunction or user error.
Disaster Entire facility unusable for a day or longer.
Catastrophe Major disruption that destroys the facility altogether. Requires a short
term and long term solution.
Page 73 of 89
CISSP CBK Review
Off-site backup facility options are
Hot-Site Fully configured and ready to be operating within a few hours. Expensive but
the company has exclusive use.
Warm-Site Partially configured with some equipment, but not the actual computers.
Cold-Site Basic environment such as wiring, AC, plumbing is in place, but no
equipment. This is the least expensive option but has much longer recovery time.
Different Backup Types
Incremental All files changed since the last backup. Removes archive attribute.
Differential All files changed since the last full backup. Does not remove archive
attribute.
Full All files. Removes archive attribute.
Other backup strategies include
TOP
Law, Investigation and Ethics
Covers computer crimes, preserving evidence and conducting basic investigations.
Many computer crimes go unreported – difficult to estimate.
Two Categories
Crimes against the computer
Crimes using a computer
Most Common Crimes
Denial of Service (DoS)- hogging system resources to point of degraded service
Theft or passwords
Network Intrusions – unauthorized penetrations
Emanation Eavesdropping – interception of computer terminal images through use of
Radio Frequency (RF) Signals. U.S. Government developed Tempest to defeat this by
shielding RF.
Social Engineering – social skills to gain information
Illegal Content of Material - porn
Fraud – using computer to perpetuate crimes, i.e. auctions of non-existent merchandise
Software Piracy – illegal copying
Dumpster Diving – paper trails
Malicious Code – viruses and Trojan Horses
Spoofing of IP Addresses – inserting false IP to disguise original location
Information Warfare – attacking infrastructure of a Nation, including military and power
grid
Espionage
Destruction or alteration of information
Use of readily available Attack Scripts – Script Kiddies, unskilled users
Page 74 of 89
CISSP CBK Review
Masquerading – pretending to be someone else
Embezzlement – Illegally acquiring funds
Data-Diddling – modification of data
Terrorism
Examples of Crime –
DDoS of Yahoo, Amazon and ZDNet in Feb. 2000
Love Letter Worm in May of 2000
Kaiser – transmissions of personal client information to unintended recipients in Aug.
2000
Penetration of Microsoft, access to source code in Oct. 2000
Mitnik's attacks against telephone companies 1989, broke into Tsutomo Shimomurs Corp
in 1995 and was arrested
Wisconsin medical records in 1982
Morris internet worm DDoS Cornell Student in 1988
Germans working for the KGB accessed US Classified Systems – The Cuckoo’s Egg
Laws have been passed in many countries. International boundaries cause issues.
Being addressed by United Nations, Interpol, European Union and the G8.
Technology outpaces Law
Law enforcement relies on traditional laws against embezzlement, fraud, Denial of
Service, wiretapping and digital currency to prosecute.
Many types of legal systems in the world
Common Law – United States, United Kingdom, Australia and Canada
Islamic Law
Religious Law
Civil Law – France, Germany, Quebec
Common Law – United States
Three Branches of Government
Legislative – makes the statutory laws
Administrative – administrative laws
Judicial – common laws found in court decisions
Compilation of Statutory Law
Arranged in order of enactment or as statutory codes
In the U.S. held in Statutes at Large in the United States Code (U.S.C.)
Usually quoted “18 U.S.C § 1001 (1992)”
The Code Title Number
Abbreviation of the Code (U.S.C.)
Statutory section
Date of the edition
Title 18 of the 1992 Edition of the U.S.C. - contains Crimes and Criminal
Procedures. Many computer crimes are prosecuted under this title.
US Computer Fraud and Abuse Act – addresses fraud using government computers
can be found at 18 U.S.C. § 1030 (1986)
Other Titles Are
Title 12 – Banks and Banking
Title 15 – Commerce and Trade
Page 75 of 89
CISSP CBK Review
Title 26 – Internal Revenue Code
Title 49 - Transportation
Compilation of Administrative Law
Chronologically listed in administrative registers or by subject matter in administrative
codes. Federal Register (Fed. Reg.) and Code of the Federal Register (C.F.R.)
Referenced “12 C.F.R. § 100.4 (1992)
The Title Number Federal Register (C.F.R.)
Abbreviation of the Code (C.F.R.)
Section number
Year of publication
Compilation of Common Law - common law from court decisions
Common law is compiled as Case Reporters in chronological order and Case Digests by
Subject matter
Common Law System Categories – not to be confused with common law from court
decisions
Criminal Law – Violates government laws for the protection of the people. Financial
penalties and imprisonment
 Civil Law – wrong inflicted upon an individual or organization results in damage or
loss, no prison
 Administrative Law – standards of performance and conduct, financial penalties
and imprisonment
Intellectual Property Law
Patent – Provides owner legally enforceable right to exclude others for specified time
(U.S. 17 years)
Copyright – Protects original works of authorship, can be used for software and
databases
Trade Secret – Secures confidentiality of proprietary technical and business related
information
Company must meet requirements
Invested resources to develop the information
Valuable to the business
Valuable to competitor
Non-obvious information
Trademark – establishes word, name, symbol, color or sounds used to identify and
distinguish goods
Information Privacy Laws
Intent varies widely from country to country
European Union - has developed more protective laws for individual privacy
Transfer of data from EU to US is prohibited unless equivalent protections are in place
EU Principles Include
Data collected in accordance with law
Information cannot be disclosed without consent
Records should be accurate and up to date
Data should be used for the purpose it was collected
Individuals entitled to report of information kept about them
Transfer of data is prohibited unless equivalent protections are in place
Health Care Issues
Access controls do not provide sufficient granularity to implement least privilege rule
Page 76 of 89
CISSP CBK Review
Most off the shelf systems do not have adequate controls
Systems must be accessible to outside parties
Access to Internet creates potential problems
Criminal and civil penalties can be imposed
Public perception of large organizations misusing data
Health Care Should follow (based on E.U. principles)
Individual should have ability to monitor stored information about themselves, ability to
correct information
Data should be used for the purpose it was collected
Organization should provide safeguards to ensure data is used for the purpose it was
collected
Existence of private information should not be kept secret
HIPAA –
U.S. Kennedy-Kassenbaum Health Insurance portability and Accountability Act. HIPAA
effective August 21, 1996.
Addresses Health Care privacy in the U.S.
Still in draft form, required to be implemented soon.
Addresses
The rights of the individual has over information about them
Procedures for the execution of such rights
The uses and disclosures that should be authorized
Entity must have in place
Standard Safe Guards - must have appropriate administrative, technical and physical
safeguards
Implementation of Standard Safe Guards - A covered entity must protect health
care information from intentional or unintentional disclosure
Electronic Monitoring
Keystroke monitoring, e-mail monitoring, surveillance cameras, badges and magnetic card
keys all allow monitoring of individuals.
Key to monitoring Must be done in a lawful manner in a consistent fashion
E-mail monitoring
Inform users that all e-mail is being monitored by displaying log-on banner
Banner should state logging on to system consents user to being monitored.
Unauthorized access is prohibited. Subject to prosecution.
Ensure monitoring is uniformly applied
Explain acceptable use
Explain who can read e-mail and how long it is backed up
No guarantee of privacy
Enticement vs. Entrapment
Enticement occurs after individual has gained unlawful access to a system, then lured
to an attractive area “honey pot” in order to provide time to identify the individual
Entrapment encourages the commitment of a crime that the individual had no
intention of committing
Computer Security, Privacy and Crime Laws
1970 – US Fair Credit Reporting Act – consumer reporting agencies
1970 - US Racketeer Influenced and Corrupt Organization Ace – racketeers
influencing business
Page 77 of 89
CISSP CBK Review
1973 – US Code of Fair Information Practices – personal record keeping
1974 – US Privacy Act – applies to federal agencies
1980 Organization for Economic Cooperation and Development (OECD) – data
collection limitations
1984 – US Medical Computer Crime Act – illegal alteration of computerized
medical records
1984 – (Strengthened in 1986 and 1994) – First US Federal Computer Crime
Law – classified defense, felony for classified information
1986 (Amended 1996) – US Computer Fraud and Abuse Act – clarified 1984
law, Added three laws
use of federal interest computer to further intended fraud
altering or destroying information on federal interest computer that causes
$1,000 in loss or medical treatment
Trafficking in computer passwords if it affects commerce or allows access to
government computers
1986 Electronic Communications Privacy Act – prohibits eavesdropping
1987 – Computer Security Act – requires federal government to
Provide security-related training
Identify sensitive systems
Develop security plan for sensitive systems
Developed Sensitive But Unclassified (SBU) designation
Split responsibility between National Institute of Standards and Technology (NIST) and
National Security Agency (NSA)
NIST – commercial and SBU
NSA – cryptography and classified government and military applications
1990 United Kingdom Misuse Act – defines computer related crimes
1991 US Federal Sentencing Guidelines –
Unauthorized possession without the intent to profit is a crime
Address both individuals and organizations
Degree of punishment corresponds to level of due diligence
Invoke “prudent man” rule due care of Senior Officials – Civil Law
Place responsibility on Senior Management for prevention and detection programs up
to $290 Million - Civil Law
1992 OECD – Guidelines to serve as Total Security Framework – laws, policies,
procedures, training
1994 – US Communications Assistance for Law Enforcement Act – requires
communications carriers to make wiretaps possible
1994 - Computer Abuse Amendments Act –
Changed federal interest computer to a computer used in interstate commerce or
communications
Covers viruses and worms
Includes intentional damage as well as reckless disregard
Limited imprisonment for unintentional damage to one year
Provides civil action for compensatory damages
1995 Council Directive Law on Data Protection for the European Union –
declares EU is similar to OECD
1996 – US Economic and Protection of Proprietary Information Act – industrial
and corporate espionage
1996 U.S. Kennedy-Kassenbaum Health Insurance portability and
Accountability Act. HIPAA
1996 National Information Infrastructure Protection Act – amended the
computer fraud and abuse act patterned after the OECD.
Page 78 of 89
CISSP CBK Review
GAASSP – Generally Accepted Systems Security Principles
(Not laws but accepted principles of the OECD)
Computer security supports the business mission
Computer security is integral to sound management
Computer security should be cost effective
System Owners have responsibility outside of their organization
Computer security requires a comprehensive integrated approach
Computer security should be periodically reassessed
Computer security is constrained by societal factors
Gramm-Leach-Bliley
Gramm-Leach-Bliley (PL 106-102) was signed into law on 12 November 1999. Title V of
the law deals with Privacy. Title V Section 501 establishes policy for the protection of
nonpublic personal information.
Section 501 states, “It is the policy of the Congress that each financial institution has an
affirmative and continuing obligation to respect the privacy of its customers and to
protect the security and confidentiality of those customers' nonpublic personal
information.”
The law further states, financial regulatory agencies/authorities will “establish
appropriate standards for the financial institutions subject to their jurisdiction relating to
administrative, technical, and physical safeguards
to insure (sic) the security and confidentiality of customer records and
information;
to protect against any anticipated threats or hazards to the security or integrity
of such records; and
to protect against unauthorized access to or use of such records or information
which could result in substantial harm or inconvenience to any customer.”
Investigation
Also known as computer forensics – collecting information from and about computer
systems that is admissible in a court of law.
Computer Forensic Issues
Compressed timeframe for investigation
Information is intangible
Investigation may interfere with normal business operations
May find difficulty in gathering evidence
Co-mingling of live production data and evidence
Experts are required
Locations may be geographically in different jurisdictions
Differences in law and attitude
Many jurisdictions have expanded definitions of property to include electronic
information
Evidence
Gathering, control and preservation are critical
Subject to easy modification without a trace, must be carefully handled though its life
cycle.
Chain of Command - must be followed
Chain of Command components
Location of evidence
Time evidence obtained
Identification of individual who discovered evidence
Page 79 of 89
CISSP CBK Review
Identification of individual who obtained evidence
Identification of individual who controlled/maintained possession of evidence
Evidence Life Cycle
Discovery and recognition
Protection
Recording
Collection
Collect all relevant storage media
Make image of hard disk before removing power
Print out screen
Avoid degaussing equipment
Identification (tagging and marking)
Preservation
Protect from magnetic erasure
Store in proper environment
Transportation
Presentation in court
Return to evidence owner
Evidence Admissibility
Evidence must meet stringent requirements.
Must be relevant, legally permissible, reliable, properly identified and preserved
Relevant – must be related to the crime, shows crime has been committed
Legally Permissible – obtained in lawful manner
Reliable – not been tampered or modified
Properly Identified – identified without changing or damaging evidence
Preservation – not subject to damage or destruction
Make backups, write protect, take digital signatures of files or disk sectors
Types of Evidence
Best Evidence – Original or primary evidence rather than a copy
Secondary evidence – a copy of evidence, or description of contents
Direct Evidence – proves or disproves a specific act based on witness testimony using
five senses
Conclusive Evidence – incontrovertible, overrides all evidence
Opinions Two Types
Expert – may offer opinion based on expertise and facts
Nonexpert – may testify only to the facts
Circumstantial – inference on other information
Hearsay – not based on first hand knowledge, not admissible in court, often computer
generated reports fall under this rule.
Exceptions to Hearsay Rule
Made during the regular conduct of business with witnesses
Made by a person with knowledge of records
Made by person with knowledge
Made at or near time of occurrence of act
In the custody of the witness on regular basis
Searching and Seizing Computers
U.S. D.O.J. Computer Crime and Intellectual Property Sections (CCIPS) has issued the
publication “Searching and Seizing Computers and Obtaining Evidence in Criminal
Investigations”.
Sites the following US Codes
Page 80 of 89
CISSP CBK Review
18 U.S.C. § 12510 - Definitions
18 U.S.C. § 1251 – interception and disclosure of wire, oral or electronic
communications
18 U.S.C. § 2701 – unlawful access to stored communications
18 U.S.C. § 2702 – disclosure of contents
18 U.S.C. § 2703 – requirements for governmental access
18 U.S.C. § 2705 – delayed notice
18 U.S.C. § 2711 – definitions
18 U.S.C. § 2000aa – searches and seizures by government officers and employees in
connection with the investigation of a crime
Export Issues with Technology
In July of 2000 U.S. relaxed its encryption export policy to certain countries.
American companies can export encryption to any end user.
Eliminated third day of waiting period when exporting
Conducting the Investigation
Corporate investigation should include Management, corporate security, Human
Resources, legal department and other appropriate staff.
May prompt retaliatory acts from the investigate, important to plan ahead
Committee should be set up before hand to address the following issues
Establishing liaison with law enforcement
Deciding when and if to bring in law enforcement (FBI and Secret Service)
Setting up means of reporting computer crimes
Establishing procedures for handling reports of computer crimes
Planning and conducting investigations
Involving senior management and corporate security, Human Resources, the legal dept.
Ensuring proper collection of evidence
U.S. Federal Requirements requires crimes to be reported.
U.S. government must obtain warrant to search for evidence under the 4 th amendment.
Must be probable cause.
Private individuals can conduct a search without a warrant.
Exigent Circumstances Doctrine – (Probable Cause) then do not need a warrant.
Good sources of evidence include
Telephone records
Video cameras
Audit trails
System logs
System backups
Witnesses
Results of surveillance
E-mails
MOM
Motive
Opportunity
Means
Interview
If interviewing do not give information away to suspect
Questions should be scripted
Don’t use original documents in the interview
Page 81 of 89
CISSP CBK Review
Liability
1991 US Federal Sentencing Guidelines
Unauthorized possession without the intent to profit is a crime
Address both individuals and organizations
Degree of punishment corresponds to level of due diligence
Invoke “prudent man” rule due care of Senior Officials – Civil Law
Place responsibility on Senior Management for prevention and detection programs up to
$290 Million
Due Care Requirements
Means to prevent computer resources from being used as a source of attack on another
organization
Relates to proximate causation – part of a chain that results in negative consequence
Backups
Scans for malicious code
Business Continuity and Disaster Recovery
Local and remote access control
Elimination of unauthorized insecure modems
Security polices and procedures
Ensuing Confidentiality, Integrity and Availability
Assessing responsibilities to third parties
Established incident response capability
Downstream liabilities When companies come together to work in an integrated
manner, special care must be taken to ensure that each party promises to provide the
necessary level of protection, liability and responsibility needed which should be clearly
defined in the contracts that each party signs.
Due Care Steps that are taken to show that a company has taken responsibility for the
activities that take place within the corporation and have taken the necessary steps to
help protect the company, its resources and employees.
Due Diligence Continual activities that make sure the protection mechanisms are
continually maintained and operational.
Prudent man rule To perform duties that prudent people would exercise in similar
circumstances.
Criteria for evaluating legal requirements
C – cost of implementing the control
L – estimated loss from exploitation
If – C < L, then a legal liability exists.
Incident Handling should address
What constitutes an incident
How should an incident be reported
To who should an incident be reported
When should management be informed of an incident
What action should be taken if an incident occurs
Who should handle the response to the incident
How much damage was caused by the incident
What data was damaged by the incident
Are recovery procedures required
Page 82 of 89
CISSP CBK Review
What type of follow up or review is required
Should additional safeguards be implemented
Establish a CIRT – Computer Incident Response Team
Ethics
Certified professionals are morally and legally held to a higher standard.
Should be included in organizational computing policy
ISC2 Code of Ethics
CISSPs Shall
Conduct themselves with highest standards of ethical, moral and legal behavior
Not commit any unlawful or unethical act that may impact the reputation of the
profession
Appropriately report unlawful behavior
Support efforts to promote prudent information security measures
Provide competent service to their employers and clients; avoid conflicts of interest
Execute responsibilities with highest standards
Not misuse information in which they come into contact with during their duties
Internet Activities Board (IAB)
“Internet Activity Should be treated as a privilege”
Unacceptable actions
Seeks to gain unauthorized access to resources of the Internet
Disrupts intended use of the internet
Wastes resources
Compromises privacy of others
Involves negligence in conduct of Internet Experiments
US Dept. Of Health, Education and Warfare
Fair information practices, individually identifiable information
No personal record keeping on systems that are secret
Way for person to find out what information is contained and how it is used
Way for person to prevent information from being used for other purposes than
originally intended
Organizations must ensure reliability of data
Phone Phreakers
Blue boxing - A device that simulates a tone that tricks the telephone company’s
system into thinking the user is authorized for long distance service, which enables him
to make the call.
Red boxes - Simulates the sound of coins being dropped into a payphone.
Black boxes - Manipulates the line voltage to receive a toll-free call.
TOP
DOMAIN 10 – PHYSICAL SECURITY
Physical security mechanisms include site design and layout, environmental
components, emergency response readiness, training, access control, intrusion
detection, power and fire protection.
Page 83 of 89
CISSP CBK Review
“The value of items to be protected can be deteremined by a critical path anaylsis”. The
critical path analysis lists all peices of an environment and how they interract. The CPA
should include power, data, water and sewer lines, A/C, generators and storm drains.
“The physical security domain addresses the threats, vulnerabilities and
countermeasures that can be utilized to physically protect an enterprises’ resources and
sensitive information”. These include personnel, facilities, data, equipment, support
systems and media.
There are seven major causes of physical loss
Temperate Sunlight, fire, freezing, heat.
Gases War gases, vapors, humidity, dry air, smoke, smog.
Liquids Water and chemicals
Organisms People, animals, viruses, bacteria
Projectiles Meteors, cars and trucks, bullets, tornados
Movement Collapse, shearing, shaking, earthquakes
Energy Anomalies Surges or power failures, static, radiation, magnets.
Some common physical controls are
Administrative
Facility selection or construction
Facility management
Personnel controls
Training
Emergency response and procedures
Technical
Access controls
Intrusion detection
Alarms
CCTV
HVAC
Power supply.
Fire detection
Physical
Fencing
Locks
Lighting
Facility construction
“Load” How much weight can be held by a building’s walls, floors & ceiling.
Raised floors need to be electrically grounded.
A/C Should have positive air pressure Pushes smoke out.
Water should have positive flow flows out of the builders, not in.
Page 84 of 89
CISSP CBK Review
MTBF Mean time between failure.
MTTR Mean time to repair.
Power Supply
There are 3 main methods to protecting against power problems UPS, Power line
conditioners and backup sources.
Definitions
Ground Pathway to earth to enable excess voltage to dissipate.
Noise Electromagnetic or frequency interference that disrupts power flow and can
cause fluctuations.
Transient Noise Short duration of power line disruption.
Clean Power Power that does not fluctuate.
EMI is created by the different between three wires Hot, Neutral & ground.
RFI is created by components of an electrical system. For example, electrical cables and
flourescent lighting.
Power Excess
Spike Momentary high voltage.
Surge Prolonged high voltage.
Power Loss
Fault Momentary power out.
Blackout Prolonged loss of power.
Power Degradation
Sag Momentary low voltage.
Brownout Prolonged supply below normal voltage.
EMI is the difference betwen the charges in the hot, neutral and ground wires
Common Noise Noise from radiation generated by the difference in hot and ground.
Traverse-mode Noise Noise from radiation generated by the difference between hot
and neutral wires.
RFI is generated by components of electrical systems.
Environmental Issues
Water, steam and gas must have proper shutoff values.
High Humidity Corrosion.
Page 85 of 89
CISSP CBK Review
Low Humidity Static.
The ideal level of humidity is between 45% and 60%.
A hygrometer measures humidity.
Ideal temperate for computing devices is 70 to 74%.
Magnetic media are affected from 100 degrees.
Disks are damaged at 150 degrees
Computer damaged equipment at 175 degrees.
Source ROTHKE, Ben, CISSP CBK Review presentation on domain 10.
Fire Prevention, Detection and Suppression
Fire detectors can be activated by
Smoke Photoelectric device detects change in electric current when there is a variation
in the light intensive.
Heat Rate-of-rise temporarate sensors and fixed temperature sensors. Fixed
temperature sensors have less false positives.
Flame Senses pulsation of flames or infrared energy associated with flames and
combustion.
Smoke Detectors
Detectors should be on and above suspended ceilings – smoke usually gathers there
first.
Detectors should be installed below raised floors because there are many types of wire
that could start an electrical fire.
Detectors should be located in enclosures and air ducts.
Fire Suppression
There are four main classes of fires
Class A Common combustibles such as wood, paper, laminated. Best fought with water
or soda acid.
Class B Liquid fires such as petroleum products and coolants. Best fought with Gas
(Halon), CO2, Soda Acid.
Class C Electrical equipment and wires. Best fought with Gas (Halon) or CO2.
Class D Combustible metals. Best fought with Dry Powder.
A fire needs heat, fuel and oxygen to burn. The different fire suppression methods do
the following
CO2 & Soda Acid
Water
Halon (or substitute)
Remove fuel and oxygen from the fire.
Lowers temperature
Interferes with chemical reaction between elements.
Page 86 of 89
CISSP CBK Review
Halon is no longer legal due to environmental issues, some replacements are
FM200
NAF-S-III
FE-13
Inergen
Argon
Argonite
Halon 1211 does not require the sophisticated pressurization system needed by Halon
1301 and tends to be used in self-pressurized portable extinguishers.
Water Sprinklers
“Sensors should be in place to shut down electrical power before water sprinklers
activate”
Wet Pipe Water in pipe. At a preset temperature (165), a link melts to release the
water. Water can freeze in the pipes in colder climates.
Dry Pipe Water is held back by a value until a specific temperature is reached, then a
time delay occurs before the water is released. This can give time for shutdown in a
false alarm, but not as fast response as wet pipe. Best in colder climates because water
cannot freeze in the pipes.
Preaction Combination of wet and dry pipe. Water is not held in the pipes – released
into the pipes when a specific temperature is reached. The water is not then released
right away – a link in the pipes has to melt to release the water. This type is most the
one most recommended for a computer room.
Deluge Same as dry pipe, except sprinkler heads are open. Large volume of water
releases in a short period of time. Not recommended for electrical equipment.
HVACR Heating, Ventilation, Air Conditioning, Refridgeration.
Administrative Controls
Emergency Response and procedures
Evacuation procedures
System shutdown
Training and drills
Integrate with disaster recovery plans
Documented procedures for different types of emergencies
Periodic equipment tests
Perimeter Security
The first line of defense is perimeter security. Preventing access to the facility deals with
Access control, surveillance, monitoring, intrusion detection and corrective actions.
Preset locks Usually used on doors. Latches and deadbolts.
Page 87 of 89
CISSP CBK Review
Cipher Locks Keypads, combination entry, swipe cards or both.
Options on Cipher locks can include
Door delay – alarm will trigger if door is open for too long.
Key Override – specific combination programmed for emergencies
Master Keying – enabled supervisor personnel to change access codes and other
features
Hostage Alarm – special code that does not ring alarm locally, but at the monitoring site
(police station or alarm company)
Device Locks Locks for specific devices such as cable locks for laptops, disk drive locks,
switch control, slot locks, port controls and cable traps.
Personnel Access Controls
A common problem is “piggybacking”.
Magnetic Cards Can be just a strip containing information, or “smart” cards requiring a
PIN number.
Wireless Proximity readers
User activated Card transmits values to the reader.
System Sensing Three main types of system sending cards
Transponders – Card and reader both have a receiver, transmitter and battery.
Passive Devices – Card uses power from the reader.
Field-Powered Devices – Card and reader contain a transmitter. Card has its own power
supply.
External Boundary Protection
Fencing
3 to 4 feet
Deters Casual Trespassers.
6 to 7 feet
Too high to climb easily.
8 ft + barbed wire Deter more determined intruders.
Lighting Critical access should be illuminated 8 feet high and 2 feet out.
Surveillance There are three main categories of surveillance
Patrol force and guards – costly, unreliable but provide judgement.
Dogs
Visual recording devices – CCTV.
Issues with guards are availability, reliability, training and cost.
Page 88 of 89
CISSP CBK Review
Surveillance techniques are used to watch for unusual behaviors, whereas detecting
devices are used to sense changes that take place in an environment. Monitoring live
events is preventative, recording events is detective.
TOP
Page 89 of 89