CISSP CBK Review THIS STUDY GUIDE WAS GREATLY IMPROVED BY HENRY GUZMAN IN JANUARY 2005 THANKS FOR YOUR CONTRIBUTION January 2006: Thanks to Intensified for his correction about CSMA/CA being used on WLAN and NOT CSMA/CD as it was specified. Good catch!! Access Control Telecommunications & Network Security Security Management Practices Application and System Development Cryptography Security Architecture and Models Operations Security BCP and DRP Law, Investigation, and Ethics Physical Security Access Control Access control protects the systems and resources from unauthorized access, and, usually determines the level of authorization. Subject - Entity requiring access to an object – user or process. (Active). Object - Entity to which access is requested – file, process. (Passive). Access control consists of the following primary areas Identification Authentication Authorization Accountability The last three of these are largely comprised of ‘logical access controls’. Identification Biometrics Very sophisticated and accurate, but expensive. Type 1 error Rejection on authorized individuals – false reject rate(FRR) Type 2 error Acceptance of individual that should be rejected (FAR) CER Crossover error rate – point at which false acceptance equals false rejection – expressed as a percentage. Important measurement of biometric system’s accuracy. The lower the better. Other barriers to widespread adoption of biometrics include user acceptance, enrollment time and throughput. Page 1 of 89 CISSP CBK Review Collected biometric images are stored in a corpus. Page 2 of 89 CISSP CBK Review Effectiveness versus Acceptance of biometric devices Order of Effectiveness Palm scan Hand geometry Iris scan Retina pattern Fingerprint Voice verification Facial Recognition Signature Dynamics Keystroke Dynamics Order of Acceptance Iris scan Keystroke dynamics Signature dynamics Voice verification Facial recognition Fingerprint Palm scan Hand Geometry Retina Pattern Authentication The three general types of authentication are Something a person knows. Something a person has. Something a person is. Strong authentication requires two of these three (two-factor authentication). Passwords Passwords are the most commonly used, but also considered one of the weakest. A cognitive passwords is information only you should know, like your mother’s maiden name. One-time Passwords There are two types of one-time password – synchronous and asynchronous. One-time passwords are usually generated by a token device that communicates with an authentication service. Synchronous – Token device synchronizes with authentication server via a time based or event based synchronization. Token device and auth server share the same secret key. Asynchronous – Uses a challenge-response scheme to communication with the authentication server. Other authentication mechanisms Private key – digitally signing a message. Passphrase – transformed into a virtual password Memory card – holds information but does not process it. ATM card. Smart card – capability of processing information. Authorization The system knows who you are (authentication) and must now decide if you can carry out the requested actions. This is where authorization comes into play. Access criteria is the crux of authorization Page 3 of 89 CISSP CBK Review Access criteria types can be broken up into Roles Groups Physical or logical (network) location Time of day Transaction type All access criteria should default to “no access”. Need to know principle Management’s job is to determine the “need to know”. Administrator job is to configure access control and security mechanisms to fullfil the need to know requirements. Single Sign-on Mechanisms Scripting Batch files containing logic details. Insecure. High maintenance recording and maintaining scripts. Kerberos Kerberos is a single sign-on system that uses symmetric key cryptography (DES) and end to end encryption. Kerberos eliminates the need for transmitting passwords over the network. In order to implement Kerberos, all software in use me be Kerberos compatible or, “kerberized”. The components of Kerberos are KDC Key distribution center. Holds user’s and services’ keys. The foundation of kerberos is the client and server’s trust in the KDC. The KDC actually consists of a ticket granting service and authentication server. Principals Entities requiring KDC services – users, apps or services. The KDC and each principal share a secret key. Ticket Tickets are created by the KDC and given to a principle when that principle needs to authenticate to another principle. Realm A “realm” is the set of components and principles that the KDC provides services for. AS Authentication service – this is part of the KDC. Kerberos Authentication Process The client trusts the KDC and the services trust the KDC due to their secret keys. An overview of the process when a client wan’t to use a service via Kerberos is The client sends its user id and the name of the requested service to the KDC. The KDC provides a session key for the client and service to use. One is encrypted with the user secret key and the other with the service secret key. Page 4 of 89 CISSP CBK Review The KDC generates a service ticket containing both session keys. This ticket is sent back to the client. The user enters their password and if the password is correct, the client converts it into the necessary key to decrypt the client session key in the ticket. The client decrypts the client portion of the ticket to get the session key and sends the ticket on to the service. The service uses its own private key to decrypt the session key. The user and service are now authenticated to each other and communicate with encrypted data via the session key. Secret key Shared between KDC and a principle. Session key Shared between two principles. Kerberos weakness Kerberos has a number of weaknesses that can make it vulnerable to attack. Some of these are The KDC is a single point of failure. The secret keys are temporarily stored on user’s workstations, in memory, etc. Session keys are decrypted and reside on user’s workstations. Vulnerable to password guessing. Does not protect network traffic. When a user changes password, the KDC database needs to be updated with a new corresponding secret key. Replay attacks can be used against Kerberos. Sesame Secure European System for Applications in a Multiuser Environment. Sesame is a single sign-on system designed to address some of the kerberos weaknesses. It uses public key cryptography for distribution of secret keys and supports MD5 and CRC32 hashing. Still vulnerable to password guessing. Sesame uses the Needham-Schroeder protocol. Thin Clients No local processing. Thin clients for the user to login to the network just to be able to use the computer. Kryptoknight Kryptoknight is another single sign-on protocol similar to Kerberos. The main difference is that there is a peer-to-peer relationship among parties and the KDC. ACCESS CONTROL MODELS An access control model is a framework that dictates how subjects access objects. There are three main types of access control model mandatory access control, discretionary access control and role-based access control. Discretionary (DAC) The creator of a file is the ‘owner’ and can grant ownership to others. Access control is at the discretion of the owner. Most common implementation is through access control lists. Discretionary access control is required for the Orange Book “C” Level. Mandatory (MAC) Much more structured. Is based on security labels and classifications. Access decisions are based on clearance level of the data and clearance Page 5 of 89 CISSP CBK Review level of the user, and, classification of the object. Rules are made by management, configured by the administrators and enforced by the operating system. Mandatory access control is required for the Orange Book “B” Level. Role-Based (RBAC) Continually administered set of controls by role within organization. Access rights assigned to roles – not directly to users. Roles are tighter controlled than groups - a user can only have one role. Can use different types of RBAC Role-based Role within organization. Task-based Specific task assigned to the user. Lattice-based Upper and Lower bounds Access Control Techniques and Technologies Once a company decides on the access control model to use, the technologies and techniques to implement that model need to be determined Role-based Can be used with MAC – Labels assigned to roles. Or with nondiscretionary controls such as NT Groups. Rule-based Example - Router or firewall rules – user cannot change. Restricted interfaces Menus and shells –ATM machine Database views Physically constrained interfaces. Access Control Matrix Table of subjects and objects indicating access. Capability Tables Specifies the access a certain subject has to specific objects. Corresponds to a row in the access control matrix. Bound to subject. Access Control Lists Bound to object. List of subjects authorized to access a specific object, and, the level of access/authorization. Content-dependant Database views are a good example – access is based on the data content itself. Context-dependant Access is based on location, time of day, previous access history, etc. Access Control Administration Access control administration is either centralized, decentralized or a hybrid of the two. Examples of centralized access control technologies include RADIUS Remote Authentication Dial-In User Service. Usually used for dialup. Access server requests user login credentials and forwards to a backend RADIUS server. Can use callback for additional security. Page 6 of 89 CISSP CBK Review TACACS (Terminal Access Controller Access Control System). There are several types of TACACS TACACS Combines its authentication and authorization processes. Passwords are static. XTACACS Separates authentication, authorization and accounting processes. TACACS+ XTACACS with two-factor user authentication. Supports token authentication. Security Domain A security domain is defined as a “realm of trust”. Subjects and objects share common security policies and procedures and are managed by the same system. Also used within operating systems and applications to protect system files or processes. It can also be defined as the complete set of resources available to a user. Access Control Methods There are three broad categories of access control layers Administrative Technical Physical Administrative controls Policies and procedures Guidelines + standards + baselines Personnel controls Hiring, firing, promotions, transfers, separation of duties, rotation of duties, forced vacation. Supervisory structures Clear lines of reporting. Awareness Training Security Testing Drills, penetration testing, queries to employees, interviews, reviews. Physical controls Network segregation. Perimeter security. Computer controls. Work area separation. Data backups. Cabling. Technical (Logical) Controls System Access – See previous access control mechanisms. Network architecture – Logical controls can provide segregation and protection of an environment. I/P address ranges, subnets, routing between networks, etc. Network Access – Logical network access controls – routers, switches, NICs, bridges. Page 7 of 89 CISSP CBK Review Encryption and Protocols Control Zone – Technical and physical control. Surrounds and protects network devices that emit electrical signals. TEMPEST related. Access Control Types Each control method can also perform different functionality. The functionality types are Preventative Detective Corrective Deterrent Recovery Compensating For example Preventative-Administrative Policies and procedures, effective hiring practices, background checks, data classification, security awareness training. Preventative-Physical Biometrics, badges, swipe cards, guards, dogs, motion detectors, fences, mantraps, locks and alarms. Preventative-Technical Passwords, biometrics, smart cards, encryption, call-back systems, database views, antivirus software, ACLs, firewalls, IDS Auditing Accountability Auditing capabilities ensure that users are held accountable for their actions, verify that policies are enforced, deter improper actions and are an investigative tool. There are 3 main types of audit tool Audit reduction Variance detection Attack-signature detection Audit data must be protected from unauthorized viewing and modification. Access Control Practices The following tasks should be carried out regularly Deny access to undefined or anonymous accounts Page 8 of 89 CISSP CBK Review Limit and monitor administration accounts Suspend access after a number of failed logins Remove accounts as soon as someone leaves an organization. Format Access Control Models Bell LaPadula The Bell LaPadula model is built on state machine concepts and focuses on confidentiality. The objective of this model is to ensure that the initial state is always secure and that transitions always result in a secure state. Bell LaPadula defines a secure state through 3 multilevel properties Simple Security Policy No read up – a lower level subject cannot read a higher level object. Protecting confidentiality. Security * (star) property No write down – do not allow confidential information to be written to a local level, where a lower level subject will be able to view it. Discretionary Security Property Uses a discretionary access control matrix to manage exceptions. Biba Model The Biba model is lattice based and focuses on integrity more than confidentiality. Biba specifies the following three axioms Simple Integrity Axiom No read down. A higher level subject cannot read information from a lower level. This prevents higher level reports and data being corrupted by lower level (and less trustworthy) information. Integration * (Star) Axiom No write up. A subject cannot write data above its security level – higher level data might be compromised by lower level, less trustworthy data. A subject at one integrity level cannot invoke a subject at a higher integrity level Clark-Wilson Model was developed after the Biba model and ensures integrity. The ClarkWilson Model utilizes separation of duties to ensure that authorized users do not make unauthorized changes to data. In this way task are divided into different parts and different subjects each do different parts. Often times subjects under the Clark-Wilson Model cannot access data directly, but must instead go through a program or other third party, which helps to ensure the subject has the proper classification. This model has emphasis on internal and external consistency. Clark-Wilson uses well formed transactions, separation of duties and the labeling of subjects and objects with programs to maintain integrity. Security properties are partly defined through five certification rules, suggesting the check that should be conducted so that the security policy is consistent with the application requirements. CDI – Constrained Data Item A data item whose integrity must be preserved. IVPS – Initial Verification Procedures Confirm that all CDIs are in a valid integrity state when the IVP is run. TP – Transformation Procedure Manipulates the CDIs through a well-formed transaction, which transforms a CDI from one valid integrity state to another. Page 9 of 89 CISSP CBK Review UDI – Unconstrained Data Item Data items outside of the control area such as input information. Any TP that takes a UDI as input must either convert the UDI into a CDI or reject the UDI and perform no transaction at all. Unauthorized disclosure of information There are several ways in which information can be inadvertently disclosed. The follow items are related to information disclosure Object Reuse Reassigning media to a subject when media might still contain some residual information. Make sure media is cleaned. Degaussing works best. Object reuse controls are required for TCSEC B2 and above. Emanation Picking up radiation emitted by devices. Can use TEMPEST technology to block. TEMPEST is very expensive, some alternatives are White Noise – Uniform spectrum of random electrical signals used to disguise real data. Zones – Control zones. Access Control Monitoring Keeping track of who attempts to access specific resources, access control monitoring is an important detective mechanism usually carried out by intrusion detection systems Intrusion Detection Systems (IDS) Network Based IDS Monitors network, or a segment of the network (passive). Known as NIDS. Placement of sensors is a critical part of configuring a network based IDS. Place a sensor on the outside firewall to detect attacks and inside the firewall to detect invasions. Another factor to consider is that the network traffic should never exceed the IDS threshold, or the IDS may just start to drop packets. Host-Based Monitors a specific system, such as your critical servers. Intrusion detection systems have two main methods of operation Knowledge / Signature based This type of IDS looks for known attacks and is therefore weak vs new attacks. There are less false alarms. This type of IDS may also fail to detect “slow” attacks extended over a long period of time. Behavior based / Statistical IDS This type of IDS detects deviations from expected behavior of users and systems. May use expert systems. Detects new attacks and doesn’t rely on a database of signatures to be updated, but, can cause more false positives. Relational Database Security Relational database security is a growing area of concern. The following are areas relating to database technology and security Page 10 of 89 CISSP CBK Review Schema Description of the database and its tables. Usually written using a DDL. Cardinality Number of rows in a table. Degree Number of columns in a table. Domain The set of all allowable values an attribute can take. Entity Integrity & Referential Integrity View - Virtual table defined from other tables that is used to restrict access, hide attributes and provide content-dependant access. Views help implement least privilege and need to know principles. To protect against “inference attacks”, databases may have a minimum query set size and prohibit query of “all but one” tuples. Highly secure systems may also employ context dependant access control where the tuples a user can read are based on those already read. Threats The main categories of threat to access control mechanisms are Dictionary attack. Brute force attack. Spoofing at login – fake login screen to capture details. A “trusted path” can mitigate login spoofing. The following measures are used to compensate for internal and external access violations Backups RAID Fault tolerance Business continuity planning Insurance Top TELECOMMUNICATIONS & NETWORK SECURITY Open Systems Interconnect (OSI) model Developed early 1980s and introduced in 1984 OSI Model Application Presentation Session Transport Network Data Link Physical TCP/IP Model | | Application |____________ <--> Host to Host <--> Internet Layer. | | Network Access Layer. Page 11 of 89 CISSP CBK Review “Each protocol at a specific OSI layer communicates with a protocol that operates at the same OSI layer on another computer. This happens through encapsulation” The protocols, technologies and computers that operate within the OSI model are called open systems. Application Layer The application layer works closest to the user and handled message exchanges, terminal sessions, etc. The application does not include the actual applications, but the protocols (APIs) that support the applications. Examples of protocols running in the application layer include SMTP, HTTP, LPD, FTP, WWW, Telnet, TFTP Presentation Layer The presentation layer received data from the application layer and puts it into a format that all computers using the OSI model can understand. The presentation layer is not concerned with the meaning of data, but the correct syntax and format. The presentation layer can often be considered a “translator”. This layer also handles encryption and compression. ASCII, JPEG, TIF, GIF, Encryption, Compression, MIDI, MPEG Session Layer When two computers need to communication, or transfer information, a connection session needs to be set up between them. The session layer is responsible for establishing a connection, maintaining it during data transfer and releasing it when done. The session layer works in 3 phases Connection establishment Data Transfer Connection release Common protocols at the session layer are SSL, NFS, SQL, RPC Transport Layer When two computers are going to communicate, they must first agree on how much information each will send at a time, how to determine if data was lost in order to retransmit and other parameters. The computers agree on these parameters through a process at the transport layer, OSI layer 4. Page 12 of 89 CISSP CBK Review The transport layer helps provide more reliable data transfer, error correction and flow control. It assembles data into a stream for transmitting over the network, and handled multiplexing if necessary. The transport layer also handles the teardown of virtual circuits and the multiplexing of upper layer applications. TCP, UDP, SPX Network Layer The main responsibility of the network layer is to insert information into the packet’s header so that it can be properly routed. Routing protocols build and maintain their tables at this layer. The protocols at this layer do not ensure packet delivery – they rely on the transport layer for that. Protocols operating at this level include IP, ICMP, RIP (Routing information protocol), OSPF (Open shortest path first), BGP (Border gateway protocol) and Internet group management protocol (IGMP) Most routers also run in the network layer. Data Link Layer As data travels down the ISO stack it comes to a point where it needs to be translated into LAN or WAN binary format for line transmission. This happens at the data link layer. The data link layer is where the operating system knows what format the data frame must be in to transmit over Token Ring, Ethernet, FDDI, ATM, etc. Network cards bridge the data link and physical layer. The data link layer actually consists of two sub layers Media Access Control (MAC) Logical Link Control (LLC) Protocols operating in the data link layer include SLIP, PPP, RARP, L2F, L2TP, ISDN ARP Bridges operate in the data link layer. Physical Layer The physical layer converts bits into voltage for transmission. This layer controls synchronization, data rates, line noise and physical medium access. Protocols operating in the physical layer include Page 13 of 89 CISSP CBK Review RS232, SONET, HSSI, X.21 Repeaters operating in the physical layer. OSI Security Services and Mechanisms OSI defines 6 basic security services to secure OSI communications Authentication Access Control Data confidentiality Data integrity Non-repudiation Logging and Monitoring In addition, the OSI model defines 8 security mechanisms. A security mechanism is a control that is implemented in order to provide the 6 basic security services Encipherment Digital Signatures Access Control Data Integrity Authentication Traffic Padding Routing Control Notarization TCP/IP I/P is a network layer protocol and provides datagram routine services. Two main protocols work at the transport layer, TCP and UDP. TCP Handshake 1. Host -------- SYN ---------> <----- SYN/ACK -----> --------- ACK --------> Host B The TCP/IP model has 4 layers Application Host to host Internet Network Access The TCP/IP model layers correspond to the ISO model layers as follows Application Host to Host Internet Network Access Application, presentation, session. Transport Network Data Link, Physical The Host-to-host layer handles Page 14 of 89 CISSP CBK Review TCP UDP - Virtual Circuit, sequenced, slower, more reliable - “Best effort”, connectionless. Internet layer I/P ARP RARP ICMP - No guarantee of delivery, delivery in sequence or only once. - I/P to MAC - MAC to I/P Protocol Numbers The I/P header contains a protocol field. Some common protocols are - ICMP – IGMP 6 - TCP 17 – UDP Data Structures Within the I/P protocol suite, when an application formats data for sending over the network, it is a message. At the transport layer, TCP works on the data and it is now a segmenti. The segment is passed to the network layer. The network layer adds addressing and routine and the bundle is now called a datagram. The datagram is passed off to the data link layer which frames the datagram with a header & trailer. It is now called a frame. TCP Application Layer Transport Layer Network Layer Data Link Layer UDP Message Packet Datagram Frame Message Segment Datagram Frame General Classes of Network Abuse Class A Unauthorized access of restricted network services. Also called “login abuse”. Refers to legitimate users accessing network services that should be restricted to them. Class B Unauthorized use of a network for non-business purposes. Class C Eavesdropping Class D DOS and other disruptions Page 15 of 89 CISSP CBK Review Class E Network Intrusion. Refers to the use of unauthorized access to break into the network from the outside. Classic cases are spoofing, piggybacking and backdoor exploitation. Class F Probing. An active variation of eavesdropping. Additional Attacks SYN attacks, Buffer Overflow, Teardrop attack and Smurf. Common Session Hi-jacking attacks IP Spoofing attacks. TCP sequence number attacks. Other fragmentation attacks – using fragmented packets to hide true contact. NETWORKING LAN Media Access Technologies Most of the differences between LAN and WAN take place at the data link layer “Two LANs connected by a router is an internetwork, not a bigger LAN. Each LAN has its own addressing scheme and broadcast and communication mechanisms. If they are connected by different data link technologies such a frame relay of X.25 then we are looking at a WAN” Ethernet Usually a bus or star topology IEEE 802.3 standard Shared media – all devices take turns and detect collisions Uses broadcast and collision domains CSMA/CD access method (Carrier Sense Multiple Access with Collision Detection) Uses coaxial or twisted pair. Common Implementations 10base2 ThinNet. Uses coaxial cable. Max length of 185 meters and provides up to 10mbs throughput. Uses BNC connectors. 10base5 ThickNet. Uses thicket coaxial cable. Longer cable segments and less interference. 10baseT Twisted-pair copper wiring. RJ45 connectors, usually in a star topology with a hub or switch. Fast Ethernet Regular ethernet running at 100mbps over twister pair wiring. Ethernet Types Table Type Cabling 10base2, ThinNet Co-Axial Speed 10mbps Page 16 of 89 CISSP CBK Review 10base5, ThickNet 10base-T 100base-FX, Fast 1000base-T Co-Axial UTP UTP UTP 10mbps 10mbps 100mbps 1,000mbps Token Ring 802.5 standard, originally developed by IBM Signal travels in a logical ring Each computer is connected to a hub called a Multistation Access Unit (MAU) 16mbps capacity Active Monitor – removes frames that are continually circulating Beaconing – attempts to work around errors. FDDI – 802.8 Fiber Distributed Data Interface Developed by ANSI High speed token-passing media access technology Speed of 100mbvps – usually used as a backbone network using fiber optics. Fault tolerance – second counterrotating ring. Can be used up to 100kms, so popular in MANs CDDI (copper distributed data interface) is a version that can be used locally. 802.8 standard. CABLING LAN Media Ethernet Standard 802.3 Characteristics Shared media Broadcast & Collision Domains CSMA/CD Coaxial or twisted cable 10mbps – 1 gbps Token Ring 802.5 Devices connect to center MAU Token-passing access method Transmission speeds of 4-16mpbs Active monitor and beaconing FDDI 802.8 Token-passing access method Dual counter rotating ring – fault tolerance 100mbps over fiber-optic Long distance at high speed * CDDI works over UTP Bandwidth Data Rate Size of pipe Amount of data Page 17 of 89 CISSP CBK Review Coaxial Copper core surrounded by shielding layer More resistant to EMI 10base2 = ThinNet (RG58), 10base5 = ThickNet (RG11/RG8) 10base2 segments can be up to 185 meters 10base5 segments can be up to 500 meters Can use baseband method (one channel) or broadband (multiple channel) 50ohms cable used for digital signaling and 75ohms for analog signaling and high speed data. Twisted Pair Cable STP = Shielded Twisted Pair UTP = Unshielded Twisted Pair UTP Category CAT 1 CAT 2 CAT 3 Characteristics CAT 4 CAT 5 CAT 6 CAT 7 Voice Grade Up to 4mbps 10 mbps ethernet 4mbps token 16 mpbs 100 mbps for 100-base TX and FDDI 155mbps 1gbps Usage Not recommended for network use. Mainframe and mini connections. 10 base-T networks Token ring networks FDDI & ATM installations. New LANS Net network installations Net network installations Fiber Optics Uses a type of glass carrying light waves Glass core surrounded by protective cladding, encased in outer jacket Not affected by EMI, no attenuation Very hard to tap into, the most secure type of cabling. Common Cable problems Noise Caused by surrounding devices or characteristics of the environment Attenuation Loss of signal as it travels. The affect of attenuation increases at higher frequencies. Crosstalk UTP is susceptible to crosstalk which is caused when electrical signals on one wire spill over to another wire. Plenum space is the space between the ceiling and the next floor. Often used for wiring and cabling. TYPES OF TRANSMISSION Data transmission can happen in different ways (analog or digital), use different controlling schemes (synchronous or asynchronous) and can only use one channel on a wire (baseband) or several channels (broadband). Page 18 of 89 CISSP CBK Review Analog Signals Continually varying, Modulation Combining with carrier signal of a specific frequency. Digital Signals Are Discrete binary pulses. Asynchronous Two devices not synchronized in any way. Usually used for smaller amounts of data Usually includes start and stop delineation Synchronous Transfers data as a stream of bits instead of framing it in start and stop bits. Synchronization can be via clocking mechanisms, or a signal in the data. Usually used for higher volumes of data. Baseband Transmission accomplished by applying direct current to a cable. Uses full cable for its transmission. Ethernet is baseband. Broadband Divides cable into channels so that different types of data can be transmitted at the same time. CATV is broadband. Other broadband types include T1, T3, ISDN, ATM, DSL and wireless. Unicast From source to one computer. Multicast From source to a specific set of systems. NIC pics up packets with a specific multicast address. Broadcast From source to all computers on a subnet. Network Topology The physical arrangement of computers and devices is the “Network Topology” Ring Topology Series of devices connected by unidirectional transmission links. Form a closed loop, no central hub Must provide redundancy or risk single points of failure Bus Topology In a simple bus topology, a single cable runs the entire length of the network. Each packet is looked at by all nodes. Traditional Ethernet uses bus topologies. Star Topology Page 19 of 89 CISSP CBK Review All nodes connect to a dedicated central hub or switch Hub is a potential single point of failure Less cabling used and no termination issues Most LANs are in a physical star topology Mesh Topology All systems and resources are connected to each other in some way Greater degree of complexity Greater degree of redundancy The internet is a good example of a partial mesh. LAN Media Access Technologies Token Passing Only the computer that has the token can put frames onto the wire. This media access technology is used by Token Ring & FDDI and is defined in the 802.5 standard. Token passing networks are deterministic meaning it is possible to calculate the maximum time that will pass before a station can transmit. This makes token ring networks ideal for applications where delay must be predictable, such as factory automation. (Carrier Sense Multiple Access) There are two flavors are CSMA, CSMA/CA (Collision avoidance) and CSMA/CD (Collision detection). A transmission is called a “carrier”. If a computer is transmitting frames, it is performing a carrier activity. With CSMA/CD, computers listen to the wire for the absence of a carrier tone. If two computers sense this absence and transmit at the same time, contention and a collision can take place. All stations will execute a “back off” algorithm (Random retry timer). With CSMA/CA, each computer signals the intent to transmit before they actually do so, such as WLAN. Collision Domains “The more devices there are on a contention based network, the more likely collisions are which increases latency. A collision domain is a group of resources that are competing for the same shared communication medium”. One subnet will be on the same broadcast and collision domain if it is not separated by routers or bridges. PROTOCOLS Address Resolution Protocol ARP Page 20 of 89 CISSP CBK Review The data link layer works with MAC addresses, not IP addresses. ARP resolves IP addresses to MAC addresses. ARP broadcasts a frame requesting the MAC address that corresponds to the destination IP address. The computer that has that IP address responds with its MAC address. “ARP table poisoning” is altering the ARP cache so that an attacker receives packets intended for another destination. Reverse Address Resolution Protocol RARP Diskless workstations know their hardware address, but not the IP address. It broadcasts the MAC address information and the RARP server responds with an I/P address. BOOTP is similar to RARP but provides more functionality including name server and gateway address. Internet Control Message Protocol ICMP ICMP delivers messages, reports errors, reports routing information and tests connectivity. PING is the most common – sends out ICMP ECHO frames and receives ICMP REPLY frames back. NETWORKING DEVICES Repeaters Repeats and amplifies signal between cable segments Works at the physical layer Also known as line conditioners Bridges Uses to connect different LAN segments Works at the data link layer and therefore works with MAC addresses. Divides overburdened networks into smaller segments for better use of bandwidth and traffic control Beware of “broadcast storms” – using bridges to echo broadcast packets. A bridge forwards data to all other network segments if the MAC address of the destination computer is not on the local network segment. There are three types of bridge Local Connects two or more LAN segments. Remote Can connect two or more LANS over a long distance with telecommunications between them. Translator Connects LANs of different types and protocols. Summary of the functions bridges provide Segment a large network into smaller, more controllable pieces Use filtering based on MAC address Page 21 of 89 CISSP CBK Review Join differently types of network while retaining same broadcast domain Isolate collision domains within the same broadcast domain Some bridges translate between protocol types. Routers vs Bridges Routers work at the network layer and are based on IP address. Bridges work at the data link layer and filter frames based on MAC addresses. Routers will not usually pass broadcast information. Bridges will pass broadcast information. Spanning tree algorithm is a bridge algorithm. If source routing is used, the packets themselves have the information within them to tell the bridge where they should go. Hubs Hubs are used to connect multiple LAN devices into a concentrator. Hubs can be considered as multiport repeaters and operate at the physical layer. Routers Routers work at the network layer. A router has two or more interfaces and a routing table to get packets to their destination. Routers can filter traffic based on access control lists (ACLs) and fragment packets when necessary. Routers discover information about routers and changes that take place in a network through its routing protocols (RIP, BGP and OSPF). The following outlines the stages that take place when a router receives a packet A frame is received on one of the router’s interfaces. Destination i/p address is retrieved from the datagram The router looks at the routing table to see which port matches the destination If the router has no information on the destination, it sends an ICMP error to the sending computer. The router decrements the TTL. If the MTU is diferent than the destination requires, it fragments the packet. Router changes the header information on the frame so that it can go to the next correct router. Frame is sent to the router’s output queue. Routing environments are based on autonomous systems. The autonomous systems are connected to each other through routers and routing protocols. Routing takes place within an autonomous system through internal protocols like OSPF and RIP. Routing takes place between autonomous systems through exterior protocols like BGP. Switches Switches combine the functionality of a repeater and the functionality of a bridge. Any device connected to one port communicates to any device on another port with it’s own virtual private link. Page 22 of 89 CISSP CBK Review “A switch is a multiport bridging device and each port provides dedicated bandwidth to the device attached to it” Basic switches work at layer 2 and forward traffic based on MAC address. Today, there are layer 3 and layer 4 switches with more enhanced functionality. There are referred to as “multilayered switches”. Virtual LANS (VLANS) are also an important part of switching networks. A switch only sends a packet to the port where the destination MAC address is located, so offer more protection against network sniffers. VLAN VLANs (Virtual LANs) allow administrators to logically seperate and group users. VLANs also allow administrators to apply different security practices to different groups. Brouter Hybrid device combining the functionality of a bridge and a router. A brouter can bridge multiple protocols and route packets based on some of these protocols. Gateways Almost all gateways work at the application layer because they need to see a majority of the information within a frame and not just the address and routing information that a router or bridge requires. A popular type of gateway is an email gateway. The mail gateway will usually convert email into standard X.400 and pass it on to the destination mail server. A network connecting to a backbone (Ethernet --> FDDI for example) would need a LAN gateway. Summary of Main Devices Device Repeater Bridge Layer Phsyical Data Link Router Network Brouter Network & Data Link Data Link & Higher Application Switch Gateway Functionality Amplifies signal and extends networks Forwards packets. Filters packets based on MAC address. Forwards broadcast but not collision traffic. Filters based on IP address. Seperates or connects LANs, creating internetworks. Bridges multiple protocols and routes some of them. Private virtual link between devices. Allows for VLANs. Impedes sniffing and reduces contention. Connects different types of network. Protocol and format translation. PBX A Private Branch Exchange (PBX) is a telephone switch located on the company’s property. A PBX can interface with several types of device and provides a number of Page 23 of 89 CISSP CBK Review telephone services. Data is multiplexed onto a dedicated line connected to the telephone company’s central office. PBXs have the following issues Often have modems attached for vendor maintenance. Come shipped with default system passwords. Vulnerable to brute force attacks. ATM Switches Most commonly used in WANs but started to be seen in LANs. Use a cell-relay technology. FIREWALLS Firewalls are used to restrict access from one network to another network. A firewall is a device that supports and enforces the company’s network security policy. Many times companies setup firewalls to construct a “DMZ” or “buffer zone” which is a network segment located between protected and unprotected networks. Usually, two firewalls are used to construct a DMZ LAN <-- firewall <--- DMZ <---- firewall <----- router <----- .o( Internet )o. Packet Filtering Packet filtering firewalls use Access Control Lists to determine which packets can and cannot pass through. The filtering is based on network layer information, the device cannot look further into the packet itself. A packet filtering router is also called a screening router. Packet filtering usually takes place at the network or transport layer. Pros Scalable High Performance Application Independant Cons Does not look into packet past the header info Lower security relative to other options Does not keep track of connection state Used in first generation firstwalls. Packet filtering firewalls are often called “first generation firewalls”. Stateful Packer Filtering Stateful filtering keeps track of which packets went where until the connection is closed. To accomplish this, the firewall maintains a state table. A packet filtering firewall may have the rule to deny UPD on port 25, while a stateful packet filtering firewall can say “allow those packets through if they are in response to an outgoing request”. Frames are analysed at all communication layers. High degree of security without the performance hit of proxy firewalls. Scalable and transparent to users. Page 24 of 89 CISSP CBK Review Provides data for tracking connectionless protocols like UDP and RPC Used in third generation firewall applications. Proxy Firewalls A “proxy” is a middleman. A proxy firewall accepts messages entering or leaving the network and checks it for malicious information and if ok, passes it on to the destination. A proxy firewall breaks the communication channel – there is no direct communication to internal computers. Outside scanners will only see the proxy server. Packets are repackaged as they pass through the proxy firewall. Outbound packets will only have the I/P addrss of the firewall which means that a proxy server will be the only one with a valid I/P address- the servers behind it can all use private address ranges. A dual homed firewall has two NICs and forwarding turned off. There are two types of proxies Application and circuit proxies Proxy firewalls are considered second-generation firewalls and are usually used with a dual-homed host. Application Level Inspects entire packets and makes access decisions based on actual content. Understands the different protocols and usually works for just one service or protocol. Circuit-Level Creates a circuit between client computer and server. Makes access decisions based on source and destination. Pros Looks at information within the packet, right up to the application layer. Better security than packet filtering Aware of protocols, services and commands being used. Cons Limited to what applications it can support Can degrade network performance Poor scalability Breaks client/server model. Dual-Homed Host Firewalls Single computer with separate NICs to each network Used to divide internal trusted network and external untrusted network Must disable forwarding Usually used with proxy software Users can easily and accidentally enable forwarding. Application level vs Circuit Level proxy firewalls Application Level Page 25 of 89 CISSP CBK Review Transfers a copy of each approved packet from one network to another. Different proxy required for each service. Hides network information from external attackers. Hides internal computer information and addresses. More intricate control than circuit level proxy firewalls Reduces network performance Circuit-Level Provides a circuit between the source and destination Does not require a proxy for each service Does not provide the detailed control that the application level proxy does. Security for a wider range of protocols. SOCKS proxy server characteristics Circuit-level proxy Requires clients to be integrated with SOCKS client software. Mainly used for outbound internet access and VPN Can be resource intensive Authentication and encryption are similar to VPN, but socks is not considered a bidirectional VPN. Firewall Generations 1st generation are Packet filtering firewalls. 2nd generation are application (proxy) firewalls 3rd generation are stateful packet firewalls 4th generation are dynamic filtering 5th generation are kernel proxy FIREWALL ARCHITECTURE Bastion Host A bastion host can be thought of as the foundation for the firewall software to operate on. It is the machine that will be accessed by all entities trying to access or leave the network. Screened Host Many times a screened host is a bastion host that communicates with a border router and the internal network. Inbound traffic is filtered by packet filtering on the router and then sent to the screened host firewall. Screened Subnet Adds another layer of security over the screened host firewall – the bastion host housing the firewall is screened between two routers. This architecture sets up a DMZ between the two routers. Shoulds of firewalls Firewalls should Page 26 of 89 CISSP CBK Review Default to deny Block external packets inbound with internal addresses (Spoofing) Block outbound packets with external source addresses (Zombies) High security firewalls should reassemble packet fragments before sending them on to their destination. Many firewalls will deny packets with source routing information. Networking Services Network Operating Systems (NOS) Short list of some of the services that NOS systems (NT, W2K, Linux) provide that most single user (W95, W98) systems do not Directory services Internetworking, routing and WAN support Support for dial-up users Clustering functionality File & print services Management and administration tools Fault tolerance A redirector connects local computer to resources of the network – the local computer may not even be aware of this. DNS Networks are split up into “zones” DNS server is said to be authoritative for the zone it serves. Directory Services A directory service is a database containing a hierarchy of users, computers, printers and attributes of each. The directory is used mainly for lookup purposes – to allow users to break down resources. Most directory services are built on the X.500 model or use LDAP to access the directory database. Intranets and Extranets Private I/P address ranges are 10.0.0.0 172.16.0.0 192.168.0.0 10.255.255.255 172.31.255.255 192.168.255.255 Class A 16 * Class B 256 * Class C Network Address Translation Network address translation forms a gateway between a network and the internet or another network. The gateway performs transparent routing and address translation. Some attributes of this process are Hides true internal I/P address information from the outside world. The NAT device needs to remember the internal IP address and port to send the messages back to. Page 27 of 89 CISSP CBK Review Metropolitan Area Network (MAN) A MAN is usually a backbone that connects businesses to WANS, the internet and other businesses. A majority of today’s MANs are Synchronous Optical Network (SONET) or FDDI rings provided by local telephone companies. Wide Area Network (WAN) WAN technologies are used when communication needs to take place over a larger geographical area. There are several technologies in the WAN arena, several of which are discussed below. The SONET (Synchronous Optical Network) gives all the world’s carriers the ability to interconnect. ATM encapsulates data in fixed cells and can be used to deliver data over SONET. The fixed size provides better performance and reduced overhead. A quick snapshot at telecom history Copper lnes carrying analog information T1 lines carrying up to 24 conversations T3 lines carrying up to 28 T1 lines Fiber optics and the SONET network ATM over SONET Types and speed of standard leased lines DS0 Single 64k channel on a T1 facilities DS1 1.544mbps on a T1 (2.108 on a E1 in Europe) DS3 44.756mbps on a T3 facility. Dedicated Links Leased line or “point to point” link. Expensive, but secure T-Carriers Dedicated lines that carry voice or data over trunk lines. Most common are T1 @ 1.544mbps and T3 @ 45mbps Multiplexing through TDM (Time division multiplexing) S/WAN Secure WAN, initiative of RSA security who worked with firewall and protocol vendors to build secure firewall-to-fireall connections through the internet. S/WAN is based on VPNs that are created with IPSEC. xDSL types ADSL More bandwidth down than up. Page 28 of 89 CISSP CBK Review SDSL 1.544mbps down and up. Limited to 10,000 feet from exchange. HDSL High-rate digital subscriber line. 1.544mbps each way. VDSL Very high data rate dsl – 13 to 52mbs downstream and 1.5 to 2.3 upstream. Limited to 1,000 – 4,500 feet from exchange. Packet Switching vs Circuit Switching Circuit Switching Constant Traffic Fixed delays Connection-oriented Sensitive to loss of connection Voice oriented Packet Switching Bursty Traffic Variable delays Connectionless Sensitive to loss of data Data Oriented WAN Technologies CSU/DSU Channel service unit / data service unit required when digital equipment will be used to connect a LAN network to a WAN network Necessary because the frames are so different between LAN and WAN equipment. DSU converts signals from routers, bridges, etc into signals that can be transmitted over the telephone company’s digital lines CSU connects the network directly to the telephone company lines. Provides an interface for DTE and DCE devices such as the router and the carrier’s switch. Switching There are two main types of switching, circuit switching and packet switching Circuit Switching Connection oriented virtual links (ISDN, telephone call) Traffic travels in a predictable and constant manner Fixed delays Usually carries voice oriented data Packet Switching Packets can use many different dynamic paths to get to the same destination Supports traffic that is bursty Variable delays Usually carries data-oriented information. Internet, X.25 and Frame Relay are all packet switching networks. Frame Relay Frame relay is a WAN protocol that operates at the data link layer. Frame Relay uses packet switching technology as an alternative to expensive dedicated lines. Page 29 of 89 CISSP CBK Review Companies that pay more to ensure a higher level of bandwidth availability pay a “committed information rate” or CIR. Virtual Circuits Frame relay forwards frames across virtual circuits. These can be permanent meaning they are programming in advance, or switching means it is built when needed an then torn down. The PVC (Permanent Virtual Circuit) works like a private line for a customer with a CIR. A PVC is programmed to ensure bandwidth availability. X.25 X.25 is an older WAN technology that defined how networks and devices establish and maintain connections. X.25 is a switching technology. Data is divided into 128 bytes and encapsulated in HDLC frames (High-level Data Link Control). X.25 is slower than frame relay or ATM due to heavy error checking and correction that is not necessary on more modern networks. ATM – Asynchronous Transfer Mode ATM is another switching technology that uses a cell-switching method instead of packet switching. Like frame relay, ATM is connection-oriented. Cell switching means that data is segmented into fixed size cells (53 bytes). Like Frame Relay, ATM can set up PVCs and SVCs. SMDS – Switched Multimegabit Data Service High speed packet switched technology used to enable customers to extend their LANs across MANs and WANs. Protocol is connectionless and can provide bandwidth on demand. SDLC – Synchronous Data Link Control Base on networks that use leased lines with permanent physical connections. SDLC is used mainly for communication to IBM hosts within the SNA architecture. HDLC – High Level Data Link Control Bit-oriented link layer protocol used for transmission over synchronous lines, HDLC is an extension of SDLC. HDLC provides high throughput because it supports full duplex. HSSI – High Speed Serial Interface Interface used to connect multiplexers and routers to high speed services like ATM and Frame Relay. Page 30 of 89 CISSP CBK Review These interfaces define the electrical and physical interfaces to be used by DTE/DCE devices, thus it works at the physical layer. Developed by CISCO and T3Plus Networking. Multi-Service Access Multi-service acess technologies combine different types of communication categories (voice, data and video) over one transmission line. VOIP can be affectd by latency due to internet being packet oriented switching technology vs circuit switcing. This is referred to as “jittering”. H.323 Standard that deals with video, audio and data packet-based transmissions where multiple users can be involved wth the data exchange. H.323 terminals are connected to gateways or the gateways are connected to PSTN. Packet switching technologies include X.25, LAPB, FRAME RELAY, ATM and SMDS. REMOTE ACCESS Remote access covers technologies that enable remove and home users to access networks. Dial-up and RAS Remote access is usually gained by connecting to a network access server (NAS). NAS acts as a gateway and end point for a PPP connection. ISDN Integrated services digital network. ISDN breaks the telephone line into different channels and transmits data in a digital form vs the old analog method. There are 3 types of ISDN implementation BRI Basic Rate Interface Operates over existing copper lines in the local lopp and provides digital voice and data channels. Uses two B channels and 1 D channel. PRI Primary Rate Interface 23 B channels and one D channel operating at 64k. Equivalent to a T1. BISDN Broadband ISDN. Mainly used with backbones over ATM/SONET. B channels enable data to be transferred. D channel provides for call setup, error control, caller id and more. ISDN is a circuit switching point-to-point protocol. Page 31 of 89 CISSP CBK Review DSL – Digital Subscriber Line Uses existing phone lines Have to be within a 2.5 mail radius of the provider’s equipment. Cable Modems High speed internet access through coaxial and fibre lines. Bandwidth shares between users in a local area. Security concerns Network sniffers on shared medium. VPN – VIRTUAL PRIVATE NETWORKS A virtual private network is a secure private connection through a public network or otherwise unsecured environment. VPNs are often used to provide a connection between two routers. Tunneling Protocols VPNs use tunneling protocols to create a virtual path across a network. There are three main tunneling protocols used in VPN connections PPTP, L2TP and IPSEC PPTP Point to point tunneling protocol. Encapsulation protocol based on PPP. PPTP works at the data link layer and encrypts and encapsulates packets. There are a few weaknesses with PPTP. Negotiation information is exchanged in clear text and can be easily snooped. PPTP is a Microsoft developed protocol. Designed for client/server connectivity Sets up a single point-to-point connection between two computers Works at the data link layer Transmits only over I/P networks L2F Layer 2 Forwarding Created before L2TP by Cisco Merged with PPTP to create L2TP Provides mutual authentication, but no encryption. L2TP Layer 2 Tunneling Protocol. L2TP combines L2F with PPTP. PPTP can only run on top if I/P. L2TP can use other protocols such as IPX and SNA PPTP is an encryption protocol, L2TP is not. L2TP is often used in conjunction with IPSEC for security. Page 32 of 89 CISSP CBK Review L2TP supports TACACS+ and RADIUS, PPTP does not. IPSEC Handles multiple connections at the same time Provides secure authentication and encryption Supports only IP networks Focuses on LAN-LAN communication Works at network layer --> Security on top of I/P Can work in tunnel mode where both header and payload are encrypted, or transport mode where only the payload is encrypted. PPP PPP encapsulates messages and transmits them through an IP network over a serial line. PPP supports different authentication methods such as Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP) and Extensible Authentication Protocol (EAP). PAP, CHAP, EAP PAP Least secure of the three options as credentials are sent in clear text. Also vulnerable to reply attacks. CHAP Uses a challenge/response mechanism instead of sending a username and password. Client sends host a logon request and the host returns a random “challenge” value. The challenge is encrypted with the user password and returned to the host. The server performs the same encryption and determines whether or not there was a match. CHAP is not vulnerable to “man in the middle” attacks because it continues this challenge/response activity throughout the connection. EAP Extensible Authentication Protocol. EAP is not a specific mechanism like PAP or CHAP but is more of a framework to allow many different types of authentication mechanism. EAP extends the authentication possibilities to other methods like one-time passwords, token cards, biometrics and future mechanisms. Network and Resource Availability Some general guidelines are Watch out for single points of failure Use ISDN or modem backup for WANs Use UPS’ and RAID (striping and/or mirroring) Clustering provides for fault tolerance, load balancing and failover. Page 33 of 89 CISSP CBK Review RAID types Raid# Level 0 Name Striping Level 1 Mirroring Level 2 Hamming Code Parity Level 3 Byte Level Parity Level 4 Level 5 Block Level Parity Interleave Parity Level 6 Level 7 Second Parity Data Level 10 Level 15 Level 1 + Level 0 Level 5 + Level 1 Description Data is striped over several drives, but there is no redundant drive. Used for performance enhancement. If one drive fails, the whole volume is unusable. Data is written to two drives at once. If one fails, the other has the same data. This is an expensive option as each drive has another whole drive with the same information. Data is striped over all drives at bit level. This array uses 39 drives, 32 for data and 7 for parity. Not used in practice. Data is striped over all drives, parity is held on just one drive. If a drive fails, it can be reconstructed from the parity drive. Same as level 3 except data is striped in disk sector units rather than blocks of bits or bytes. Data is written to disk sector units across all drives. Parity is written to all drives. There is no single point of failure because parity is written to all drives. Uses XOR algorithm. Similar to level 5 but with added fault tolerance – second set of parity data written to all drives. Variation of RAID 5 where the array functions as a single virtual disk in the hardware. Data is striped across multiple RAID1 pairs. Two complete RAID5 systems are mirrored for additional fault tolerance. WIRELESS TECHNOLOGIES IEEE 802.16 deals with wireless MANs IEEE 802.11 deals with wireless LANs Higher frequency can carry more data, but a shorter distance WLANS work in the 2.4 & 5ghz unlicensed bands and there are two IEEE standards, 802.11a and 802.11b 802.11a works in the 5ghz range and provides up to 54mbps 802.11b is in the 2.4ghz range and providers up to 11mbps 802.11g works in the 2.4ghz range and providers up to 54mbps 801.11 uses Wireless Application Protocol (WAP). WAP uses WML (Wireless Markup Language) and WMLScript to present web based material. WAP has its own session and transaction protocols and a transport layer security protocol called WTLS (Wireless Transport Layer Security). Page 34 of 89 CISSP CBK Review A WAP gateway is required to translate WAP protocols to the internet. Encrypted data from a wireless device comes in with WTLS but must be converted into SSL or TLS by the gateway. For a second or two, the WTLS data will be decrypted for conversion into SSL – this is referred to as the gap in the wap. Wireless Technology IEEE 802.11 refers to a family of specifications for wireless LANs. The current 802.11 standard all use CSMA/CA. 802.11 Original wireless LAN standard. 1 or 2mpbs speed in the 2.4ghz band using DSS or FHSS. 802.11b 11mpbs (steps-down to 5.5, 2 or 1mpbs based on signal strength). Uses only DSSS. Also known as Wi-Fi. 802.11a Up to 54mbs in the 5ghz range. Uses orthogonal FDM. 802.11g 20mbps to 54mpbs in the 5ghz range. 802.11e Draft standard to provide QOS features and multimedia support. 802.11i IEEE standard that replaces WEP security with AES encryption and many other stronger security features Spread Spectrum Technology Spread Spectrum Technology broadcasts signals over a range of frequencies. Receiving device must know the correct frequency of the spread spectrum signal being broadcast. Two spread spectrum technologies currently exist Direct-Sequence Spread Spectrum (DSSS) Redundant bit pattern for each bit to be transmitted – spread over a wide frequency. Because it is spread over the spectrum, the number of discrete channels in the 2.4ghz band is small. Frequency-Hopping Spread Spectrum (FHSS) Uses a narrow band carrier that continually changes frequency in a known pattern. Source and destination devices must be synchronized to be on the same frequency at the same time. Both of the above appear as line noise to a non spread-spectrum device. AD-HOC mode Access is Peer to peer. Infrastructure mode Access is via an access point (wireless hub). Wireless Application Protocol (WAP) Wireless application protocol is a set of technologies related to HTML but tailored to small screens. The most noticeable is HDML Handheld device markup language. WAP has 5 layers Application, session, transaction, security and transport Page 35 of 89 CISSP CBK Review Application Layer Microbrowser, WML (Wireless Markup Language), WMLScript and Wireless Telephony Applications (WTA) Session Layer Contains the Wireless Session Protocol (WSP) which is similar to HTTP. WSP facilitates transfer of content between WAP clients and gateway. WSP provides a connectionoriented mode and a connectionless mode. Transaction Layer Providers the Wireless Transaction Protocol (WTP). Similar functionality to TCP/TP. Reliable request and response transactions and supports unguaranteed and guaranteed psuh The transaction layer provides transaction services to WAP and handled acknowledgements. Security Layer The security layer contains WTLS (Wireless Transport Layer Security). WTLS is based on TLS (similar to SSL) and can be invoked in a manner similar to HTTPS. WTLS provides data integrity, privacy, authentication and DOS protection. Transport Layer The transport layer suports the Wireless Datagram Protocol (WDP) which provides an interface to bearers of transportation. The transport layer supports CDPD, GSM, CDMA, TDMA, SMS and Flex. Wired Equivalent Privacy (WEP) Encryption WEP is an option in 802.11b. It uses a 40-bit shared key, RC4 pseudorandom number generator and a 24 bit initialization vector. WEP works in the following manner Checksum of message computed and appended to the message. Shared secret key and initialization vector are fed to the RC4 algorithm to produce a keystream. The keystream is XORed with the msg and checksum and produces ciphertext. The initialization vector is appended to the ciphertext message and the message is sent to the recipient. The recipient who has the same secret key generates the same keystream with the IV. The generated keystream is XORed with the ciphertext to yield the original message. WEP is not considered secure due to the 40-bit encryption, static keys, and published methods to break the encryption. top Page 36 of 89 CISSP CBK Review top SECURITY MANAGEMENT PRACTICES Security management includes Risk management, security practices and security education. Security management practices focuses on the continual protection of company assets. Management support is one of the most important pieces of a security program. Three types of control are used to achieve management’s goals. 1. Administrative Policies, procedures, guidelines, awareness training, personnel screening, system activity monitoring, change control and configuration management. 2. Technical Logical access control mechanisms, password & resource management, identification and authentication, security devices, network configuration. 3. Physical Physical access control, locking systems, removing unnecessary media, guards, environmental control, perimeter security. Management (the information owner) creates security directives and classifies data. The security team implements and enforces the directives. Security Definitions Some commonly used security definitions are Vulnerability Software, hardware of procedural weakness that may provide an attacker the open door he is looking for. Absence or weakness of a safeguard. Threat Any potential danger to information or systems. Risk Likelihood of a threat agent taking advantage of a vulnerability. Exposure An instance of being exposed to losses from a threat agent. Countermeasure Hardware, software or procedure that eliminates a vulnerability, or, reduces the risk of a threat agent being able to exploit it. Is also called a safeguard. Risk Management Risk Analysis is a method of identifying risks and assessing the possible damage that could be caused in order to justify security safeguards. Risk management addresses 3 fundamental questions 1. Identify assets – What am I trying to protect? 2. Identify threats – What am I trying to protect against? 3. Calculating risks – How much time, effort & money am I willing to spend on adequate protection. Page 37 of 89 CISSP CBK Review The following issues should be considered when assigning value to information safeguards Cost to acquire and develop Cost to maintain and protect Value to owners and users Value to adversaries Value of intellectual property Price that others would pay for the asset Cost to replace if lost Operational and productivity affected if asset is lost. Liability issues if assets are compromised. Usefulness of the asset. There are 4 basic elements to risk management 1. 2. 3. 4. Quantitative risk analysis Qualitative risk analysis Asset valuation process Safeguard selection Quantitative risk analysis Estimate value of assets to be protected. Identify each threat and corresponding risk Estimate loss potential of each risk Estimate possible frequency of threat Recognize and recommend remedial measures Quantitive risk analysis involves the following definitions and calculations SLE – Single loss expectancy Dollar amount of potential loss to an organization if a specific threat too place. EF – Exposure factor Percentage of loss a realized threat could have of an asset. Asset value * Exposure factor (EF) = SLE ARO – Annualized rate of occurrence Estimated possibility of a specific threat taking place in a one year timeframe. ALE – Annualized loss expectancy Single loss expectancy (SLE) * Annualized rate of occurrance (ARO) = ALE Safeguard value (ALE before safeguard) – (ALE after safeguard) – (Annual cost of safeguard) = Safeguard value to the company. Residual Risk Amount of risk remaining after a safeguard is implemented threats * vulnerability * asset value = total risk. (threats *vulnerability * asset value) * control gap = residual risk. Page 38 of 89 CISSP CBK Review Asset Resource, process, product, infrastructure and any other object that an organization has determined should be protected. Qualitative risk analysis Walk through different scenarios and rank seriousness of threats or sensitivity of assets. Techniques include judgment, intuition and experience. Some methods are Delphi, brainstorming, story boarding, focus groups, surveys, questionnaires, one-on-one meetings and interviews. Handling Risk Transferring Rejecting Reducing Accepting Insurance Deny or ignore the risk. Implementing countermeasures. Live with the risk. Policies, Procedures, Standards and Guidelines Security Policy General statement produced by senior management. Issue specific System specific For example, email, PDA. Approved software lists, database standards. Standards Specify how hardware and software are to be used. Usually mandatory. Baseline Minimum level of security necessary throughout the organization. Standards are usually developed from baselines. Guidelines Recommended actions and operational guides. Not mandatory. Provide direction in policy grey areas. Procedures Detailed step by step actions to achieve the tasks necessary for compliance with standards. Standards as also known as “practices”. To be effective, each of these needs high visibily, which can be helped be awareness training, manuals, presentations, legal banners. Can also help with due care and diligence issues. Data Classification The primary purpose of data classification is to indicate the level of confidentiality, integrity and availability that is required for each type of information. Classifications Commercial Confidential Private Sensitive Public Military Top Secret Secret Confidential Sensitive but unclassified Public Page 39 of 89 CISSP CBK Review (Note Commercial ‘confidential’ information is exempt from FOAI). Layers of Responsibility Data Owner Senior management, ultimately responsible for protection and use of data. Determines data classification. Data Custodian Responsibility for maintenance and protection of data. Usually IT department. Makes backups, performs restores, etc. User Any individual who routinely uses the data for work related purposes. Also considered “consumer” of the data. The necessary pieces that fit together for effective security management practices are Data classification Operational activities Safeguard selection Separation of duties Management security responsibilities Guidelines and procedures Risk assessment Policies and standards Security awareness. The three pillars of security awareness training are Awareness, Training, Education. Confidentiality Integrity Availability Disclosure Alteration Destruction Separation of Duties “The principle of separation of duties is that an organization should carefully separate duties, so that people involved with checking for inappropriate use are not also capable of making such inappropriate use. No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work”. Some examples of things that should be separated are development / production security / audit account payable / accounts receivable encryption key management / changing of keys 5 general procedures to implement change control 1. 2. 3. 4. 5. Applying to introduce a change Cataloging the intended change Scheduling the change Implementing the change Reporting the change to appropriate parties Page 40 of 89 CISSP CBK Review TOP Application and System Development Database Management “Database access control can be restricted by only allowing roles” Database Models Relational Database Model Uses attributes (columns) and tuples (rows) to contain and organize information. Presents information in the form of tables. Hierarchical Data Model Combines records and fields that are related in a logical tree structure. Used for mapping one-to-many relationships. Distributed Data Model Data stored in more than one database, but logically connected. Relational Database Components Most databases contain the following core functionalities Data Definition Language (DDL) Data Manipulation Language (DML) Query Language (QL) Report Generator. DDL defines the structure and schema of a database. Data Dictionary The data dictionary is a central repository of data elements and their relationships. The Data Dictionary includes definitions of views, data sources, relationships, tables, indexes, etc. When new tables, new views or new schema are added, the data dictionary is updated to reflect this. Integrity Can run into concurrency problems. Record locking prevents this. Database software performs two main types of integrity services 1. Semantic Integrity Makes sure that structural and semantic rules are enforced. 2. Referential Integrity No record can contain a reference to a primary key of a nonexisting record or NULL value. Database must also not contain unmatched foreign key values. Database Security Issues Two main database security issues are aggregation and inference Aggregation Page 41 of 89 CISSP CBK Review is figuring out complete information you don’t have access to by using components of that information you do have access to. The combined information has a sensitivity that is greater than the sum of the parts. Queries could be tracked and restricted based on context-dependant classification used to check what data the users has already accessed. Inference Inference is similar to aggregation and involves the ability to derive information that is not explicitly available from information that is available. For example, a clerk does not have access to troop movements but does have access to food and tent deployment. Again, context-dependant classification rules can help prevent anything that looks like inference. Database security looks at the contents of the file rather than the file itself as an operating system could. This is content-dependant access control increases processing overhead but provides more granular control. Polyinstantiation Polyinstantiation enables a relation to contain multiple tuples with the same primary key but at different security classifications. System Development Security management is an important aspect of project management. The following is a typical list of lifecycle phases Project initiation Functional design, analysis and planning System design specifications Software development Installation / Implementation Operational Maintenance Disposal. System Design Specifications Informational, functional and behavioral model information goes into the software design as requirements. What comes out of the design is data, architectural and procedural design. Installation / Implementation Certification is the process of reviewing and evaluating security controls and is usually a task assigned to an outside independent reviewer. Accreditation is the formal acceptance of the system by key management and in implicit acceptance of risk. Once management accepts the residual risk, they should issue a formal accreditation statement. Verification – does the product match the specification? Validation – Fitness or worth of a software product for its operational mission. Page 42 of 89 CISSP CBK Review ”Verification is doing the job right, Validation is doing the right job” System Life Cycle Phases Project Initiation Concept of project definition Proposal and initial study Functional design analysis and planning Requirements uncovered and defined System environment specifications determined System design specifications Functionality design review Functionality broken down Detailed planning put into place Code design Software development Developing and programming software Installation Product installation and implementation Testing and Auditing Maintenance Support Product changes, fixes and minor modifications Revision and Replacement Modifying the product with revisions, or, replacing it completely. WaterFall Model The steps of a typical waterfall model are System feasibility Software plans and requirements Product design Detailed design Code Integration Implementation Operations and Maintenance Spiral Model Angular dimensions represent progress made in completing the phases. Radial dimension represents cumulative project costs. The model states that each cycle of the spiral involves the same series of steps for each part of the project. The spiral model is actually a meta-model that incorporates a number of the software development models. This model depicts a spiral that incorporates the various phases of software development Cost Estimation Models Basic COCOMO model estimates development effort and cost as a function of the number of source instructions MM = 2.4KDSI (MM = Man months, KDSI = K developed source instructions) TDEV = 2.5mm Maintenance Page 43 of 89 CISSP CBK Review Maintenance phases can be divided into 3 sub-phases Request control Change control Release control Configuration management and Change Control Configuration management is the process of controlling the life cycle of an application and documenting the necessary change control activities. Configuration management is used to manage changes and new versions of software products. BS7799 addresses configuration management. The following definitions are associated with Configuration Management Configuration Item (CI) Component whose state is to be recorded. Version A recorded specific state of a configuration item. Configuration Collection of component configuration items that comprise a configuration item in some stage of its evolution. Can be recursive. Building Assembling a version of a configuration item from component configuration items. Build List Software Library Software Capability Maturity Model (CMM) The Software CMM is based on the premise that the quality of a software product is a direct function of the quality of its associated development and maintenance processors. 5 maturity levels are Level 1 Initiating Level 2 Repeatable Level 3 Defined Level 4 Managed Level 5 Optimizing Good people in place. Processes performed ad-hoc. Project management processes in place. Engineering processes and organizational support. Product and process quantitatively controlled. Continued process improvements. Institutionalized. The software CMM is a component that supports the concept of continuous process improvement. This concept is embodied in the SEI process improvement IDEAL model Initiate Diagnose Establish Action Leverage | | | = IDEAL! | | Application Program Security Methodology Object-Oriented Concepts A shared potion of an object is the interface. The private portion of an object facilitates data hiding. Abstraction is the capability to suppress unnecessary details so that the important, inherent properties can be examined and reviewed. Page 44 of 89 CISSP CBK Review Polymorphism An object’s response to a message is defined by the class to which the object belongs. Different objects can respond to the same input in different ways. Encapsulation Hides internal data and operations not exposed via the interface. Polyinstantiation Multiple distinct differences between data within objects to discourage lower level subjects from learning information at a higher level of security. Inheritance Shares properties and attributes with subclasses. Cohesion and Coupling Modules should be self contained and perform a single logical function with as little external help as possible. This is cohesion and the goal for a module is to have high cohesion. Modules should not drastically affect the behavior of each other. This is low coupling. ORBs and CORBAs The OMA is the Object Management Architecture. ORB manages all communication between components and enables them to interact in a heterogeneous and distributed environment. ORB is the middleware that established the client/server relationship between objects. CORBA provides standard interface definitions between OMG compliant objects. COM and DCOM The component object model (COM) defines how components interact and provides an architecture for simple IPC. DCOM is a distributed model based on COM. DCOM has a library that takes care of session handling, synchronization, buffering, fault identification and handling, and data format translation. OLE – Object Linking and Embedding OLE uses COM as its base and allows objects to be embedded within documents and for linking different resources and objects. The capability for one program to call another is called linking. The capability to put a piece of data inside a foreign program or document is called embedding. DDE – Dynamic Data Exchange DDE enables different applications to share data by providing IPC. DDE is a communication mechanism that enables direct connection between two applications. Distributed Computing Environment (DCE) Page 45 of 89 CISSP CBK Review DCE is a standard developed by the OSF – Open Software Foundation (also called “the open group”). DCE is middleware providing RPC service, security services, directory service, time service and distributed file support. DCE is a layer of software that sits on top of the network layer. ** DCOM uses a globally unique identifier (GUID). ** DCE uses a universal unique identifier (UUID). Expert Systems and Knowledge Based Systems Expert systems usually consist of two parts, an inference engine and a knowledge base. The inference engine handles the user interface, external files, scheduling and programaccessing capabilities. The knowledge engine contains data pertaining to a specific problem or domain. ANN = Artificial Neural Network. Malicious Code (MALWARE) Virus Infects applications. Main function is to reproduce. Macro viruses are easy to write and office products are in wide use. Worms Reproduce on their own with no need for a host application. Logic Bomb Will execute certain code when a specific event happens. Trojan Horse Program disguised as another program. Attacks SMURF Requires an attacker, a victim and an amplifying network. ICMP ECHO packets are sent to the broadcast address of a large network with the return address spoofed to be that of the victim. The target network will drown the victim with responses. A counter against the smurf attack is to disable broadcast packets at the border router. Fraggle Similar to SMURF but uses UDP instead of ICMP. SYN Flood Repeated SYN packets that will not respond to the SYN/ACK packets. Teardrop Send very small packets with invalid fragment offset causing the computer to freeze or crash. Top Page 46 of 89 CISSP CBK Review Top CRYPTOGRAPHY The papyrus around the staff is a “scytale” cipher. Enigma Machine The crucial and secret part of the process (the key) was how the operators advanced the rotors when encrypting and decrypting a message. (World War II) Cryptography Definitions Cryptosytem A system that provides encryption and decryption Key The secret piece of a well known encryption algorithm Keyspace Range of values that can be used to construct a key. Cryptography The science of encrypting written communication. Cryptanalaysis The process of trying to decrypt encrypted data without the key. Work Factor Estimate of the effort it would take an attacker to penetrate an encryption method. Cryptology Study of both cryptography and cryptanalysis. Key Clustering When two (or more) different keys generate the same ciphertext from the same plain text, this is known as “key clustering”. Goals of CryptoSystems Confidentiality – Unauthorized parties cannot access the information. Authenticity – Validating the source of a message. Integrity – Assurance that a message was not modified during transmission. Non Repudiation – Sender cannot layer deny sending the message and the receiver cannot deny receiving it. Types of Ciphers Substitution Uses a key to know how substitution should be carried out. Transposition Permutation is used. Does not replace original text with different text – text is moved around. Simple substitution and transposition methods are vulnerable to “frequency analysis” One time pad (Vernam) Running and Concealment Ciphers Running Key Cipher Does not require a key or algorithms, but steps in the physical world. For example, references to a book. The “key” in this situation is “which book?” Concealment Cipher A cipher that hides the message among garbage. For example, have each word appear every 5th word in a sentence. “Buy gold” might become “Product is a good buy, it has ten percent gold content”. Government Involvement with Cryptography Harry Truman created the NSA in 1952. Page 47 of 89 CISSP CBK Review In 1993, government introduced the Clipper chip, based on the Skipjack algorithms. Each chip unit has a key which encrypts a copy of each user’s session key. Each chip also has a unique serial number and a copy of the unit key is stored in a database under this serial number. The transmitted message contains a Law Enforcement Access Field (LEAF) whch contains the serial number of the chip that encrypted the message. The unit key can be retrieved from the database, used to decrypt the session key which in turn can be used to decrypt the message. Weaknesses in the Clipper Chip include SkipJack algorithm was never publicly scrutinized and tested 80 bit key is weak by current standards. 16 bit checksum can be defeated The clipper chip ID tagged and identified every communication session. Key Escrow Unit key split in two and given to two different agencies to maintain. Officer needs a court order to request the unit key. Methods of Encryption Cryptographic algorithms can use either symmetric keys (secret keys) or asymmetric keys (public keys). Symmetric Cryptography Both parties use the same key for encryption and decryption Each pair of users exchanging messages needs their own set of keys – key management becomes a pain. Initial key exchange needs to be out of band Because the same keys are used for encryption and decryption, it does not provide authentication and non-repudiation. Fast and hard to break when a large key size is used. The following algorithms all use Symmetric (Secret) Key Cryptography Data Encryption Standard (DES) Triple DES (3DES) Blowfish IDEA RC4, RC5 and RC6 Asymmetric Cryptography Each entity has different keys, a private key and a public key. The two keys are mathematically related, but cannot be derived from one another. A message can only be decrypted with the public key if it was encrypted with the private key – provides authentication. Page 48 of 89 CISSP CBK Review If confidentiality is most important, the sender encrypts with the receiver’s public key and the message can now only be read with the receiver’s private key. This is called a secure message format. If authentication is most important, the sender encrypts with his own private key. The receiver knows it came from the sender because it can be decrypted with the sender’s public key. This is known as open message format because anyone with the sender’s public key can read it. For a message to be A secure and signed format, the sender should encrypt with his own private key and then again with the receiver’s public key. Strengths of Asymmetric cryptography Better key distribution than with symmetric systems. Better scalability than symmetric systems Can provide confidentiality, authentication and non-repudiation. Weaknesses Works much slower than symmetric systems. Asymmetric key algorithms RSA Ecliptical Curve Cryptosystem (EC) Diffe-Hellman El-Gamal Digital Signature Standard (DSS) Stream and Block Ciphers There are 2 main types of symmetric algorithms stream and block ciphers Block Cipher The message is divided into blocks and bits and the blocks are then put through transposition, substitution and other functions. Block ciphers use confusion and diffusion in their methods. The key dictates what S-boxes are used and in what order. Stream Cipher Entire message is treated as a stream of bits or bytes. Some stram ciphers use a “keystream generator”. The key provides randomness to the keystream that is applied to the plaintext. A strong stream cipher algorithm has the following characteristics Long periods of non-repeating patterns within keystreams. Statistically unpredictable Keystreams are not linearly related to the key. Statistically unbiased – as many 0s as 1s. Stream ciphers are more suited to hardware encryption because they operate a bit at a time. Block ciphers are better suited to software based encryption. Page 49 of 89 CISSP CBK Review Symmetric Encryption Systems DES (Data Encryption Standard) DES is a block encryption algorithm using 64-bit blocks. It uses a 64 bit key 56 bits of true key and 8 for parity. Characters ar eput through 16 rounds of transposition and substitution. Devised in 1972 as a derivation of the “Lucifer” system DES Describes the DEA (Data Encryption Algorithm) FIPS PUB 46-1 (1977) and ANSI X3.92 (1981) 64bit blocks, 56 bit key and 16 rounds of transformation Uses confusion and diffusion for encrypting plain text. Confusion Conceals statistical connection between ciphertext and plain text. Uses nonlinear substitution boxes (S-Boxes) Diffusion Spreads the influence of a plain text character over many ciphertext characters. DES has 4 distinct modes of operation Electronic Code Book (ECB) It is a block cipher Native encryption method for DES. Electronic codebook literally operates like a code book. For a given block of plaintext and a given key, the same set of ciphertext is always produced. ECB uses padding to round up to a 64 bit block boundary. ECB is used for small amounts of data such as challengeresponse or key management. Not good for large amounts of data as patterns would eventually show. Cipher Block Chaining (CBC) In Cipher Block Chaining, the value of the previous block processed is a part of the algorithm and key for the next block, so, patterns are not revealed. This chaining effect means that a particular ciphertext block is dependant on all the blocks that came before it, not just the current block. Cipher Feedback Mode (CFB) It is a stream cipher. Previously generated ciphertext is used as feedback into the key generation source to develop the next keystream. This mode is used when encrypting individual characters is required. Output Feedback Mode (OFB) Similar to CFB, but stream cipher functions by generating a random stream of bits to be combined with the plaintext to create ciphertext. Requires initialization vector. Ciphertext is fed back to the algorithm to form a portion of the next input to encrypt the stream of bits. Triple DES (3DES) Encrypting plaintext with one DES key and then encrypting it with a second DES key is no more secure than using a single DES key, therefore, Triple DES is used to obtain stronger encryption DES-EDE2 2 keys are used. Encrypt with 1, decrypt with 2 and then encrypt with 1 again. Page 50 of 89 CISSP CBK Review DES-EEE2 2 keys used. Encrypt with 1, encrypt with 2, encrypt with 1. DES-EEE3 3 keys used. Encrypt with 1, encrypt with 2, encrypt with 3. Most secure, but requires 3 keys. Advanced Encryption Standard (AES) Uses Rjindael block cipher, specifies three key sizes; 128, 192 or 256 bit. Choice of key determines encryption level. AES is the government standard for encrypting SBU information. Best suited for hardware encryption. The number of rounds of transformation is a function of the key size used 256 bit – 14 rounds. 192 bit – 12 rounds. 128 bit – 10 rounds. Symmetric Algorithms that provide bulk (data) Encryption services only DES and 3DES TwoFish 128 bit blocks in 16 rounds. Key lengths can be up to 256 bits. BlowFish A block cipher operating on 64 bit blocks with a key length of up to 448 bits. The blocks go through 16 rounds of crypto functions. IDEA Ideas stands for International Data Encryption Algorithm. It operates on 64 bit blocks and uses a 128 bit key. Performs 8 rounds on 16 bit sub-blocks. Each 64 bit block is divided into 16 smaller blocks and each block has 8 rounds of mathematical functions performed on it. IDEA is harder to crack than DES for the same keysize and is used in PGP. RC5 Block cipher of variable block length. Key can be 0-2048 bits, blocks can be 32, 64 or 128 bits and the number of rounds can be 0 – 255. Created by Ron Rivest and patented by RSA data. Asymmetric Encryption Algorithms RSA Defacto standard for public encryption. Invented by Ron Rivest, Adi Shamir and Leonard Adleman. Developed at MIT. Security comes from the difficulty of factoring large numbers. Public and private key are functions of a pair of large prime numbers. RSA is used in many web browsers with SSL. El-Gamal Extends Diffie-Hellman to apply to encryption to digital signatures. Based on calculating discrete logarithms in a finite field. Elliptical Curve Cryptosystem (ECC) Page 51 of 89 CISSP CBK Review Provides much of the same functionality as RSA Digital signatures, secure key distribution and encryption. ECC is very resource efficient – ideal for smaller devices. ECC providers higher protection with smaller keys than RSA. An ECC key of 160 bits is equivalent to a 1024-bit RSA key. Public Key Cryptography Public key cryptography uses asymmetric encryption for key encryption and secret key encryption for data. We use an asymmetric algorithm to encrypt the secret key. Diffie-Hellman Used for key distribution, NOT encryption and decryption. Subjects can exchange session keys over a non-secure medium without exposing the keys. Session-Key “Secret” key used for one data exchange only. Usually randomly generated then encrypted using public cryptography. Public Key Infrastructure (PKI) PKI is an ISO authentication framework that uses public key cryptography and X.509 standard protocols. PKI provides authentication, confidentiality, non-repudiation and message integrity. The PKI infrastructure contains the pieces that will identify the user, distribute and maintain keys, distribute and maintain certificates and allow certificate recovation. Each individual taking part in PKI needs a digital signature signed by a CA. Some wellknown Certification Authorities are Entrust and VeriSign. Revocation is handled by the certification revocation list (CRL). PKI is made up of the following entities and functions Certification Authorities Registration Authorities Certificate Repository Certificate Revocation System Key backup and recovery system Automatic key update Management of key histories Cross-certification with other Cas Time stamping Client side software LDAP is the standard format for accessing certification repositories. Availability and Integrity of LDAP servers is a concern. ISAKMP Internet Security Association and Key Management Protocol. IKE ISAKMP, Secure Key Exchange Mechanism (SKEME) and Oakley, combined. In general ISAKMP defined the phases for establishing a secure relationship SKEME describes a secure exchange mechanism Oakley defined the modes of operation needed to establish a secure connection. Page 52 of 89 CISSP CBK Review Message Integrity One-Way Hash A one-way hash takes a variable length input and produces a fixed-length output, or hash value. A hash value is also known as a message digest. If a sender only wants a specific person to view the hash value sent with the message, the value would be encrypted with a key. This is referred to as the message authentication code. Basically, the MAC is a one-way hash value that is encrypted with a symmetric key. Digital Signature A digital signature is an encrypted hash value. A digital signature provides authentication because the message digest is encrypted with the sender’s private key. Overview/review A message A message A message A message integrity. can can can can be be be be encrypted, providing confidentiality. hashed, providing integrity. digitally signed, providing authentication and integrity. encrypted and signed, providing confidentiality, authentication and Digital Signature Standard – DSS The Federal Government requires its departments to use the DSA & SHA. SHA creates a 160-bit output, which is then input to DSA, which signs the message. The DSA (Digital Signature Algorithm) can only be used for signatures, not encryption. Different Hashing Algorithms Good hash functions should have the following characteristics Computed on the entire message, not a part of it. One-way function so that messages are not disclosed by their signatures. Should be impossible, given a message and its hash value, to compute another message with the same hash value. Should be resistant to birthday attacks – should not be able to find two messages with the same hash value (collision free). Some common hashing algorithms include MD2 128 bit hash, slower than MD4 and MD5 MD4 128 bit hash. MD5 128 bit hash. More complex than MD4. Processes text in 512 bit blocks. HAVAL Variable length hash. Haval is a modification of the MD5 algorithm with more protection from common attacks against MD5. Processes text in 1024 bit blocks. SHA 160-bit hash value. Used with DSA. SHA-1 Updated version of SHA. Attacks against one-way hash functions Page 53 of 89 CISSP CBK Review Birthday Attack Using collusions to reverse engineer hash values. Finding two messages that produce the same hash value. One-Time Pad A one time pad, implemented correctly, is unbreakable as each pad is used only once. A non-repeating set of bits are XORed with the message to produce ciphertext. The key is the same size at the message and the sender and receiver must be perfectly in synch. This encryption method is not practically used much. Key Management Key management causes one of the biggest headaches in encryption implementation. RSA and Diffie Hellman are key exchange protocols. General rules for keys and key management include Key length should be enough to provide the necessary level of protection. Keys should be stored and transmitted by secure means. Keys should be extremely random and use full spectrum of the keyspace Key lifetime should correspond with the sensitivity of the data it is protecting. The more the key is used, the shorter its lifetime should be. The key should be backed up or escrowed in case of emergencies. The key should be properly destroyed once its lifetime comes to an end. Link vs End to End Encryption Advantages of end-to-end encryption Protects information from start to finish More flexibility for the user in choosing what gets encrypted and how Higher granularity of encryption is available because each application or user can choose a different key. Each hop on the network does not need to have a key to decrypt each packet. Disadvantages of end-to-end encryption Headers, addresses and router information is not encrypted and therefore not protected. Destination needs to have same encryption mechanisms to properly decrypt the message. Advantages of link (lower layer) encryption All data is encrypted, including headers, addresses and routing information. Users do not need to do anything to initiate it. Disadvantages of link encryption Each hop must have a key, making key distribution and management more complex. Messages are decrypted at each hop, thus more points of vulnerability. Page 54 of 89 CISSP CBK Review Email Standards Privacy Enchanced Email (PEM) PEM is a series of message authentication and encryption procedures developed by several governing groups. Primary features are Messages are encrypted with DES in CBC mode. Authentication is provided by MD2 or MD5 Public key management using RSA X.509 standard for certification structure and format. Message Security Protocol (MSP) MSP is the military’s PEM. It was developed by the NSA and is an X.400 compatible application layer protocol. Pretty Good Privacy (PGP) PGP uses RSA public key encryption for key management, IDEA for bulk encryption of data and MD5 for authenticity. PGP does not use Certification Authorities but relies instead on a “web of trust”. Internet Security “The web is not the internet. The web runs on top of the Internet.” S-HTTP Secure Hypertext Transport Protocol. In this protocol, the client and server agree on a protection method and then the client sends the server its public key. The server generates a session key, encrypts it with the client public key and sends it back. S-HTTP maintains an option connection for the duration of the session. SSL SSL is similar to S-HTTP but protect the communication channel itself instead of individual messages. The server sends a message to the client that a secure session is required and the client sends its public key and security requirements back to the server. The server compares the security parameters with its own to find a match and then sends the client a digital certificate. If the client trusts the certificate, the process continues. SSL keeps the communication path open. MIME Multipurpose Internet Mail Extension If a message or document contains a multimedia attachment, MIME dictates how that portion of the message should be handled. S/MIME S/MIME is a standard for encrypting and digitally signing mail that contains attachments. Page 55 of 89 CISSP CBK Review SET – Secure Electronic Transaction Security technology proposed by Visa and Mastercard for more secure online credit card transactions. Suppliers never see the credit card information. Cookies Sometimes cookies can contain login and password information that is either not encrypted or encrypted weakly. This is a vulnerability. Secure Shell (SSH) SSH functions as a type of tunneling mechanism that provides terminal like access to remote computers. IPSEC (Internet Protocol Security) The IPSEC protocol is a method of setting up a secure channel for protected data exchange between two devices. IPSEC is a widely accepted standard for secure network layer transport. It is usually used to establish VPNs. IPSEC uses two basic protocols Authentication Header (AH) and Enscapsulating security Payload (ESP). IPSEC works on one of two modes Tunnel Model only the payload is encrypted. Transport Mode payload, routing and header information are all encrypted. Each device has one security association (SA) for each session connection, one for inbound and one for outbound. The SA contains the configuration that the device needs to know about. Each device has a security parameter index that keeps track of each SA. When a packet is received, the steps are Identify appropriate SA, secret key and algorithm. Calculate hash value of the packet to authenticate source and verify data integrity. Authenticate the source. Identify correct cryptographic algorithm (DES or 3DES) and secret key. Decrypt the message. ISAKMP Internet Security Associated and Key Management Protocol. Cryptography Attacks The following sections go over active attacks that can relate to cryptography Ciphertext Only Attack Attacker has the ciphertext of several messages encrypted using the same algorithm. Page 56 of 89 CISSP CBK Review Known Plaintext Attack Attacker has plaintext and ciphertext of one or more messages. The goal is to discover the key used to encrypt the messages. Chosen Plaintext Attack Attacker has plaintext and ciphertext and can choose the plaintext that gets encrypted. Chosen Ciphertext Attack Attacker can choose ciphertext to be decrypted and has access to the decrypted plaintext. Man-in-the-middle attack Intercepting public key and replacing it with your own, and then intercepting subsequent messages intended for someone else. Using digital signatures during session-key exchange can circumvent man in the middle attacks. Dictionary attack Running dictionaries of words through one-way HASH functions to see if the hash value matches what you have. Common method of cracking Unix passwords. Replay attacks When an attacker copies a ticket, breaks the encryption and tries to impersonate the client by resubmitting the ticket at a later time. Kerberos is particularly vulnerable to this type of attack. Timestamps and sequence numbers are two common counter-measures to replay vulnerabilities. Wireless Security Wireless Application Security (WAP) WAP is a set of protocols that cover layer 7 to layer 3 of the ISO model. The WAP protocol stack contains the following Wireless Wireless Wireless Wireless Wireless Wireless Markup Language (WML) Application Environment (WAE) Session Protocol (WSP) Transport Protocol (WTP) Transport Layer Security Protocol (WTLS) Datagram Protocol (WDP) WTLS provides 3 classes of security Class 1 Anonymous authentication. Neither client or server is certain of the identify of the other. Class 2 Server authentication. Class 3 Two-way client and server authentication. HDML Handheld device markup language is a simple alternative to WML. Page 57 of 89 CISSP CBK Review C-HTML Compact HTML, widely used in Japan. Wired Equivalent Privacy Secret key shared between clients and access points. Must have the shared key to associate with the access point. WEP uses the RC4 variable key-size stream cipher encryption algorithm. RC4 was developed in 1987 by Ronald Rivest and operates in output feedback mode. Security of the WEP algorithm is weak, in the native 40-bit and even the 128 bit versions. TOP Security Architecture and Models A security model is a statement that outlines the requirements necessary to properly support a certain security policy. “Security is best if it is built into the foundation of operating systems and applications” Computer Architecture CPU Contains ALU, Control Unit and primary storage. Protection Rings Operating system concept. Inner rings have most privileges. Inner rings can directly access outer rings, but not vice versa. A typical arrangement might be Ring Ring Ring Ring 0 1 2 3 Operating system & Kernel Remaining parts of operating system I/O drives and utilities Applications and programs. MITs MULTICS is an example of an operating system using this concept. Operating Systems Operating systems can be in one of several states Ready Ready to resume processing Supervisory Executing a highly privileged routine Problem State Executing an application (working on a problem) Wait State Waiting for a specific event to complete or resource to become free. An operating system implements security using many mechanisms, including Protection Rings Mapping Memory Implementing virtual machines Working in different states Assigning trust levels to each process Page 58 of 89 CISSP CBK Review Process Vs Thread A process is a program in execution with its own address space. Threads are pieces of code executed within a process. Memory Addressing Modes Register Addresses registers within the CPU. Direct Actual addresses. Usually limited to current memory page. Absolute Address of all primary memory space. Can hit any memory address directly. Indexed Adding contents of addresses in programs instruction to that of a memory (index) register. Implied Operations internal to the processor, such as clearing of a carry bit. Indirect The address specified in the instruction contains the address where the actual data can be found. Processing Methods Some methods to improve system performance at the hardware level are Pipelining Overlapping the steps of different instructions to run close to concurrently. CISC Complex Instruction Set Computer. In earlier technologies, the “fetch” cycle was the slowest port. By packing instructions with several operations, number of fetches were reduced. RISC Reduced instruction set computer. Instructions are simple and require fewer clock cycles. Scalar Processor One instruction at a time. Superscalar Processor Enabled concurrent execute of multiple instructions in some pipeline stage. Very Long Instruction Word (VLIW) Processor A single instruction specifies more than one concurrent operation. System (Security) Architecture Some of the biggest questions in systems security architecture are Where should the protection take place? User’s end? Where the data is stored? Restricting user activities? At which layers should mechanisms be implemented? Hardware, kernel, o/s, services or program layers? “The more complex a security mechanism becomes, the less assurance it provides” -> Functionality and Assurance Compromise. What system mechanisms need to be trusted? How can these entities interact in a secure manner? Some important terms and definitions relating to system architecture are Page 59 of 89 CISSP CBK Review Trusted Computer Base Combination of protection mechanisms within a system, including hardware, software and firmware. Not every part of a system needs to be trusted and therefore do not fall under the TCB. Reference Monitor Abstract system concept that mediates all access the subjects have to objects. This is a concept, not a component. Security Kernel Hardware, firmware and software that fall under the TCB and implement the reference monitor concept. The security kernel is the core of the TCB. The security kernel must Mediate all access to objects in the system. Be protected from modification Be verified as correct. Domains Set of objects that a subject can access. Domains have to be identified, separated and strictly enforced. Resource Isolation Enables each subject and object to be uniquely identified, permissions and rights to be assigned independently, accountability to be enforceable and activities to be tracked precisely. “Security policies that prevent information from flowing from a high security level to a lower security level are multilevel security policies.” “The execution and memory space assigned to each process is called a protection domain.” Virtual Machine Monitor Each “machine” runs at a different security level. Security Model “A model is a symbolic representation of a policy. It maps the desires of the policy into a set of rules to be followed by a computer system.” “Security policy provides the abstract goals, the security model defines the dos and donts to achieve those goals” Bell-LaPadula Model Developed by the military in the 1970s to address leakage of classified information. Main goal is confidentiality. A system using the Bell-LaPadula model would be classified as a multi-level security system. The Bell-LaPadula is a state machine model, and could also be categorized as an information flow model. Simple Security Rule Cannot read data at a higher level. Star (*) Property Cannot write data to a lower level. Bell-LaPadula also uses a discretionary access control matrix to handle exceptions. This may allow a trusted subject to violate the *-property, but not its intent. IE, a low-sensitivity paragraph in a higher-level document being moved to a lowsensitivity document is ok, but might require an override of the * property. Page 60 of 89 CISSP CBK Review Criticisms of Bell-LaPadula Only deals with confidentiality, not integrity. Does not address access control management. Does not address covert channels. Does not address file sharing in more modern systems. Secure state transition is not explicitly defined. Only addresses multi-level security policy type. Biba Model The Biba model is also a state machine model and similar to Bell-LaPadula, except is addresses data integrity rather than data confidentiality. The data integrity is characterized by three goals Protection from modification by unauthorized users. Protection from unauthorized modification by authorized users. Internally and externally consistent. The following rules of the Biba model implement these goals Simple Integrity Axiom No read down. Star (*) Integrity Axiom No writing up. Subjects at one level of integrity cannot invoke an object or subject at a higher level of integrity. Clark-Wilson Model The Clark-Wilson model takes a different approach to protecting integrity. Users cannot access objects directly, but must go through programs that control their access. “Usually in an information flow model (Bell-LaPadula and Biba), information can flow from one level to another until a restricted operation is attempted. At this point, the system checks an access control matrix to see if the operation has been explicitly permitted”. The Clark-Wilson model defines the following terms Constrained Data Item (CDI) Data item whose integrity is to be protected. Integrity Verification Procedure (IVP) Program that verifies integrity of CDI. Transformation Procedure (TP) Unconstrained Data Item Data outside of the control of the model. For example, input data. Information Flow Models Each object is assigned a security class or value. Information is constrained to flow only in the directions permitted by the security policy. Page 61 of 89 CISSP CBK Review Security Modes of Operation The “mode of operation” defines the security conditions under which the system actually functions Dedicated Security Mode ALL users have the clearance and the “need to know” to all the data within the system. System-High Security Mode All users have clearance and authorization to access the information in the system, but not necessarily a need to know. Compartmented Security Mode All users have the clearance to all information on the system but might not have need to know and formal access approval. Users can access a compartment of data only. Multilevel Security Mode Permits two or more classification levels of information to be processed at the same time. Users do not have clearance for all of the information being processed. Limited Access Minimum user clearance is “not cleared” and the maximum data classification is “sensitive but unclassified”. Controlled Access Limited amount of trust placed on system hardware and software. Trust – assurance of trust implies a much deeper knowledge of the building process, etc. Systems Evaluation Method The “Orange” Book The US Dept of Defense developed TCSEC (Trusted Computer Systems Evaluation Criteria) to provide a graded classification for computer system security. The graded classification hierarchy is A – Verified Protection B – Mandatory Protection C – Discretionary Protection D – Minimal Security The evaluation criteria involves 4 main area Security, Policy, Accountability and Assistance and Testing, but these break down into 7 specific areas Security policy – explicit, well defined, enforced by mechanisms in the system itself. Identification – individual subjects must be uniquely identified in the system. Labels – labels must be associated with individual objects. Documentation – test, design and specification documentation. User guides and manuals. Accountability – audit data is captured and protected. Relies on identification. Life Cycle Assurance – Software, hardware and firmware can be tested individually to ensure that each enforces security policy. Continuous Protection – Ongoing review and maintenance of the security. Page 62 of 89 CISSP CBK Review Products for evaluation under TCSEC are submitted to the National Computer Security Center (NCSC). The Trusted Products Evalation Program (TPEP) puts successfully evaluated products on the Evaluated Product List – EPL. Orange Book TCSEC Ratings Each division can have one or more numbered classes and each have a corresponding set of requirements that must be met for a system to achieve that particular rating. Classes are as follows A1 Verified Design like B3, but the system documentation must support everything (formal design). B3 Security Domains Protect against covert timing channels; separate SysAdmin and SecAdmin roles. B2 Structured Protection Security policy clearly defined; subjects and devices require labels and system must not allow covert (storage) channels; Trusted Facility Management which means a separation of SysAdmin and SysOperator roles. B1 Labeled Security each data object has a classification label and each subject has a clearance label; system checks one against the other. C2 Controlled Access Protection Identify individuals, auditing (especially of security related events which must be protected), object reuse concept, strict logon, and decision-making capability when subjects access objects. C1 Discretionary Security Protection Users, groups, separation of identity, some access control necessary. Division D Minimal Protection All systems that fail to meet the requirements of the higher divisions fall under this category. Division C Discretionary Protection C1 - Discretionary Security Protection Based on individuals and/or groups. Identification and authorization of individual entities. Protected execution domain for privileges processes. Design, test and user documentation. C2 - Controlled Access Protection Security relevant events are audited. Object reuse concept must be invoked (including memory) Strict login procedures. The C2 rating is the most reasonable class for commercial applications. Division B - Mandatory Protection Division B enforces mandatory protection by the use of security labels and the reference monitor concept. Page 63 of 89 CISSP CBK Review B1 - Labeled Security Each object must have a classification label and each user must have a clearance label. Security labels are mandatory in class “B” B2 - Structured Protection System design and implementation are subject to a more thorough review and testing process. Well-defined interfaces between system layers. Covert storage channels are addressed. Trusted path required for login and authentication. Separation of operator and administrator functions. B3 - Security Domains More granularity in each protection mechanism Code not necessary to support the security policy is excluded from the system. Reference monitor component must be small enough to be isolated and tested fully. System fails to a secure state. Division A Verified Protection Formal methods are used to ensure that all subjects and objects are controlled. A1 Verified Design Feature and architectures are not much different than B3, the difference is in the development process. Assurance is higher because the formality in the way the system was designed and built is much higher. Stringent change and configuration management. Summary of Ratings D – Minimal Protection C – Discretionary protection C1 Discretionary Security Protection C2 Controlled Access Protection subjects and devices require labels B – Mandatory Protection B1 Labeled Security classification and clearance labels B2 Structured Protection must not allow covert (storage) channels B3 Structured Domains A – Verified Protection A1 Verified Design The Red Book TNI (Trusted Network Interpretation). The red book is an interpretation of the Orange book for networks and network components. The Red Book TNI ratings are None C1 – Minimum C2 – Fair B2 – Good Page 64 of 89 CISSP CBK Review DITSCAP Defense Information Technology Security Certification and Accreditation Process. Has 4 phases Definition Verification Validation Post Accreditation NIACAP National Information Assurance Certification and Accreditation Process. Has several types of accreditation Side Accreditation Applications and systems at a self-contained location. Type Accreditation An application or system distributed to a number of different locations. System Accreditation Major application or general support system. CIAP Commercial Information Security Assessment Process – in development. ITSEC – Information Technology Security Evaluation Criteria This accreditation system is used in Europe. Two main elements of a system are evaluated by ITSEC or TCSET Functionality and Assurance. Two systems with the same functionality can have different assurance levels. ITSEC separates these two elements and rates them separately. In ITSEC, F1 to F10 rate the functionality and E0 through E6 rate the assurance ITSEC E0 F1 + E1 F2 + E2 F3 + E3 F4 + E4 F5 + E5 F5 + E6 F6 F7 F8 F9 F10 TCSEC D0 C1 C2 B1 B2 B3 A1 High Integrity High Availability Data Integrity during communication High Confidentiality (encryption) Networks with high demands on confidentially and integrity. Security products or systems are referred to as TOE – Target of Evaluation. 10 functionality classes – F 8 Assurance Levels -Q 7 correctness levels -E Page 65 of 89 CISSP CBK Review CTCPEC Canadian Trusted Computer Product Evaluation Criteria COMMON CRITERIA International standard evaluation criteria, initiated by ISO in 1990 and started in 1993. One specific set of classifications, internationally recognized. Evaluates a product against a “protection profile” which is structured to address specific security problems. A product is assigned an EAL – Evaluation Insurance Level – EAL1 – EAL7. Similar to other criteria, the common criteria answers two basic questions What does it do? (Functionality) How sure are you? (Assurance) The protection profile contains Descriptive elements Rationale Functional Requirements Development Assurance Requirements Evaluation Assurance Requirements Certification Technical evaluation of security components and their compliants for the purpose of accreditation. Accreditation Formal acceptance of the system’s overall adequacy by management. Based partly on certification information. SSE-CMM System Security Engineering, Capability Maturity Model Based on the premise “If you can guarantee the quality of the processes that are used by an organization, you can guarantee the quality of the products and services generated by those processes.” Two dimensions are used to measure the capability of an organization to perform specific activities. The two dimensions are domain and capability. Domain All the practices that collectively define security engineering. Base practices Related base practices are grouped into Process Areas (PAs) Capability Practices that indicate process management and institutionalization capability. Generic Practices (GPs). The GPs represent activities that should be performed as part of BPs. In the domain dimension, SSE-CMM defined 11 security engineering process areas and 11 administrative process areas. Threats Some threats to security models and architectures are Page 66 of 89 CISSP CBK Review Covert Channels Information flow not controlled by the security mechanism. Covert timing channel Covert storage channel. Addresses in TCSEC B2 and higher. Back Doors Also known as maintenance hooks / trapdoors. Timing Issues Also known as ‘asynchronous attack’. Deals with the timing different in the sequence of steps a system uses to complete a task. Time of Check vs Time of Use (TOC/TOU) – Also known as “race conditions” Buffer Overflows “Smashing the stack”. Each of these can lead to a violation of the system security policy. Recovery Procedures The system must recover/restart from an error in a secure state – maintenance mode access only by privileged users from privileged terminals. Failsafe Program execution terminated, system protected from compromise. Failsoft (resilient) Non-critical processing is terminated. Failover Switching to duplicate (hot) backup in real-time. Cold start System cannot be restored to a known secure state. top Operations Security Categories of Controls Preventative Controls Detective Controls Corrective (Recovery) Controls Additional categories include Deterrent Controls Application Controls Transaction Controls Input Controls Processing Controls Output Controls Change Controls Test Controls Page 67 of 89 CISSP CBK Review Orange Book Controls The Orange Book defined two types of assurance operational assurance and life cycle assurance. Operational assurance requirements specified in the orange book are System architecture System integrity Covert channel analysis Trusted facility management Trusted recovery Life cycle assurance requirements specific in the orange book are Security testing Design specification and testing Configuration management Trusted distribution Covert Channel Analysis Involves covert storage channels and covert timing channels. Covert Channel Requirements B2 – Must perform covert channel analysis and protect against covert storage channels. B3/A1 – Must protect against covert storage and covert timing channels. Must perform covert channel analysis for both types. Trusted Facility Management Trusted facility management is defined as the assignment of a specific individual to administer security related functions of a system. Trusted facility management is closely related to concepts of least privilege, need to know and separation of duties. B2 Systems must support separate operator and administrator roles. B3/A1 System must clearly identify the functions of the security administrator to perform the security related functions. Two-man control Two operators review and approve the work of the other. Dual Control Both operators are needed to complete a sensitive task. Trusted Recovery Trusted recovery ensures that security is not breached when a system crash or other system failure (discontinuity) occurs. Trusted recovery is required only at B3 and A1 levels. Page 68 of 89 CISSP CBK Review System Recovery The common criteria has a hierarchy of three recovery types Manual recovery Sysadmin intervention required. Automated recovery Recovery after a single failure is automatic. Automated recovery without undue loss. Configuration / Change control management The primary goal of configuration management is to ensure that changes to the system do not unintentionally diminish security. Configuration management is a requirement for B2, B3 and A1 systems. Five generally accepted procedures exist to implement and support the change control process Applying to introduce a change. Cataloging the intended change. Scheduling the change. Implementing the change. Reporting the change to the appropriate parties. B2 or B3 Configuration management procedures must be enforced during development and maintenance of a system. A1 Configuration management procedures must be enforced during the entire systems life-cycle. Administrative Controls These controls have more to do with human resources, personnel and policy than they do with hardware or software controls. Personnel security Background checks, mandatory vacations, etc. Separation of duties. Least privilege. Need to know. Change control / configuration management. Record retention and documentation. Operations Controls Operations controls embody the day-to-day procedures used to protect computer operations. The following are the most important aspects of operations controls Resource protection Hardware / software / data. Hardware controls Maintenance accounts, maintenance personnel, diagnostic ports, hardware physical control. Page 69 of 89 CISSP CBK Review Software controls Anti-virus managements, software testing, software utilities, safe software storage and backup controls. Privileged Entity Controls System commands, special parameters. Media Resource Protection Two areas media security controls and media viability controls. Physical access controls Monitoring and Auditing Problem identification and problem resolution are the primary goals of monitoring. Top Business Continuity Planning and Disaster Recovery Planning Business Continuity Planning or contingency planning deals with providing methods and procedures for dealing with outages and disasters to reduce the risk of financial loss. The most critical piece overall is senior management support. BCP is the strategy to minimize the effect of unexpected disturbances and to provide quick resumption of business operations. The 4 1. 2. 3. 4. primary elements of BCP are Scope plan initiation Business impact Analysis (BIA) includes vulnerability assessment Business continuity plan development, it includes Plan approval and implementation I. Scope and Plan initiation Steps involved in the scope and plan initiation include creating an account of the work required, listing the resources to be used and defining the management practices to be employed. A BCP committee should be formed and given the responsibility to create, implement and test the plan. The Business Impact Analysis (BIA) is a crucial first step in disaster recovery and contingency planning. The goal is to see exactly how a business will be affected by different threats. The purpose of a BIA is to create a document to be used to help understand what impact a disruptive event would have on the business. The BIA may be quantitative, (financial) or qualitative, (operational). The business impact analysis has 3 primary goals Criticality Prioritization Every critical business unit must be identified and prioritized. Downtime Escalation Estimate the maximum tolerable downtime (MTD) that the business can tolerate and still remain a viable company. Page 70 of 89 CISSP CBK Review Resource Requirements Identify resource requirements for the critical processes. The BIA generally consists of these 4 steps 1. 2. 3. 4. Gathering the needed assessment materials The vulnerability assessment Analyzing the information compiled Documenting the results and presenting recommendations to management. Business continuity plan development Defining the continuity strategy Documenting the continuity strategy BCP Plan Approval and Implementation Plan approval and implementation consists of 1. Approval by senior management. 2. Creating an awareness of the plan enterprise-wide. 3. Maintenance of the plan, including updating when needed. (APPROVAL) (AWARENESS) (MAINTENANCE) APPROVAL, AWARENESS and MAINTENANCE = IMPLEMENTATION! Phases of Development The phases of development for a DRP/BCP program should be The 4 1. 2. 3. 4. Initiation Business impact analysis Strategy development Plan development Implementation Testing Maintenance primary elements of BCP are Scope plan initiation Business impact Analysis (BIA) includes vulnerability assessment Business continuity plan development, it includes Plan approval and implementation Contingency Planning There is a general 6 step approach to contingency planning 1. Identify critical business functions 2. Identify the resources and systems that support these critical functions. 3. Estimate potential disastersSelect planning strategies – how to recover the critical resources and evaluate alternatives. A disaster recovery and contingency plan usually consists of emergency response, recovery and resumption activities. 4. Implementing strategies. 5. Testing and revisiting the plan. Page 71 of 89 CISSP CBK Review Disaster Recovery Planning A disaster recovery plan is a comprehensive statement of consistent actions to be taken before, during, and after a disruptive event that causes a significant loss of information system resources. DRP plans are the procedures for responding to an emergency or disaster. The primary objective of the DRP plan is to provide the capability to implement critical processes at an alternate site in the event of a disaster and return back to the primary site within a reasonable time to enable the company to minimize loss and by executing rapid recovery procedures. The main goals of disaster recovery planning are to Improve responsiveness by the employees in different situations. Reduce confusion by providing written procedures and participation in drills Minimize decision-making during a crisis by having standard procedures to follow Protect the organization from major computer services or network outage. Guaranteeing the reliability of standby systems through testing and simulations A company is not considered out of an emergency until it is back at the original site operating under normal circumstances. The least critical systems should be moved back first. Data Processing Continuity Planning Reciprocal agreements Subscription Services o Hot site o Warm site o Cold site Multiple centers Service bureaus Other Transaction redundancy Electronic Vaulting Refers transferring files or transactions to a remote location through communication lines where the original backup is stored. Moving backup tapes off-site is also a form of electronic vaulting. Consists of Remote Journaling Transmitting only the journal or transaction logs to the off-site facility and not the actual files. Database Shadowing Database shadowing is similar to remote journaling, but the transactions are shadowed to multiple databases. Disk Shadowing Mirrored disks for redundancy. Disk Duplexing More than one disk controller is used. If one fails, another takes over. Disaster Recovery Testing Reasons for testing include Inform management of the recovery capabilities of the enterprise. Verify accuracy of the recovery procedures and identify deficiencies. Page 72 of 89 CISSP CBK Review Prepare and train the personnel to execute emergency duties. Verify processing capability of the remote backup site. Disaster recovery tests should be performed at least once a year! A recovery team is used to get critical business functions running at the alternate site. The salvage team is used to return the primary site to normal processing conditions. Tests and Drills There are a 5 different types of tests and drills that can take place, each with its own pros and cons Checklist Test (review only) Copies of the DR plan and continuity plan are distributed to each functional area for review. Structured Walk-Through Test Group comes together to walk through scenarios in detail. (Conference room “talk-through”) Simulation Test DR team or groups of employees come together to simulate a specific scenario. A “real” walk-through drill. An enactment, stops short of actual recovery procedures. Parallel Test (functional test) Done to ensure that critical systems can perform adequately at the off-site facility. The systems are moved to the alternate site and processing takes place. Full Interruption Test Original site is actually shut down and processing takes place at the alternate site. “Emergency response procedures are the prepared actions that are developed to help people in a crisis situation better cope with the disruption. They are the first line of defense when dealing with a crisis situation” End User Environment The first issue pertaining to users is how will they be notified of the disaster and who will tell them where to go and when? A tree structure/call list is necessary for this. Time-loss curves show the total impact over specific time periods. Backup Alternatives The hardware backup procedures should address on-site and off-site strategies. There are 3 main categories of disruption Non-Disaster Disruption in service from device malfunction or user error. Disaster Entire facility unusable for a day or longer. Catastrophe Major disruption that destroys the facility altogether. Requires a short term and long term solution. Page 73 of 89 CISSP CBK Review Off-site backup facility options are Hot-Site Fully configured and ready to be operating within a few hours. Expensive but the company has exclusive use. Warm-Site Partially configured with some equipment, but not the actual computers. Cold-Site Basic environment such as wiring, AC, plumbing is in place, but no equipment. This is the least expensive option but has much longer recovery time. Different Backup Types Incremental All files changed since the last backup. Removes archive attribute. Differential All files changed since the last full backup. Does not remove archive attribute. Full All files. Removes archive attribute. Other backup strategies include TOP Law, Investigation and Ethics Covers computer crimes, preserving evidence and conducting basic investigations. Many computer crimes go unreported – difficult to estimate. Two Categories Crimes against the computer Crimes using a computer Most Common Crimes Denial of Service (DoS)- hogging system resources to point of degraded service Theft or passwords Network Intrusions – unauthorized penetrations Emanation Eavesdropping – interception of computer terminal images through use of Radio Frequency (RF) Signals. U.S. Government developed Tempest to defeat this by shielding RF. Social Engineering – social skills to gain information Illegal Content of Material - porn Fraud – using computer to perpetuate crimes, i.e. auctions of non-existent merchandise Software Piracy – illegal copying Dumpster Diving – paper trails Malicious Code – viruses and Trojan Horses Spoofing of IP Addresses – inserting false IP to disguise original location Information Warfare – attacking infrastructure of a Nation, including military and power grid Espionage Destruction or alteration of information Use of readily available Attack Scripts – Script Kiddies, unskilled users Page 74 of 89 CISSP CBK Review Masquerading – pretending to be someone else Embezzlement – Illegally acquiring funds Data-Diddling – modification of data Terrorism Examples of Crime – DDoS of Yahoo, Amazon and ZDNet in Feb. 2000 Love Letter Worm in May of 2000 Kaiser – transmissions of personal client information to unintended recipients in Aug. 2000 Penetration of Microsoft, access to source code in Oct. 2000 Mitnik's attacks against telephone companies 1989, broke into Tsutomo Shimomurs Corp in 1995 and was arrested Wisconsin medical records in 1982 Morris internet worm DDoS Cornell Student in 1988 Germans working for the KGB accessed US Classified Systems – The Cuckoo’s Egg Laws have been passed in many countries. International boundaries cause issues. Being addressed by United Nations, Interpol, European Union and the G8. Technology outpaces Law Law enforcement relies on traditional laws against embezzlement, fraud, Denial of Service, wiretapping and digital currency to prosecute. Many types of legal systems in the world Common Law – United States, United Kingdom, Australia and Canada Islamic Law Religious Law Civil Law – France, Germany, Quebec Common Law – United States Three Branches of Government Legislative – makes the statutory laws Administrative – administrative laws Judicial – common laws found in court decisions Compilation of Statutory Law Arranged in order of enactment or as statutory codes In the U.S. held in Statutes at Large in the United States Code (U.S.C.) Usually quoted “18 U.S.C § 1001 (1992)” The Code Title Number Abbreviation of the Code (U.S.C.) Statutory section Date of the edition Title 18 of the 1992 Edition of the U.S.C. - contains Crimes and Criminal Procedures. Many computer crimes are prosecuted under this title. US Computer Fraud and Abuse Act – addresses fraud using government computers can be found at 18 U.S.C. § 1030 (1986) Other Titles Are Title 12 – Banks and Banking Title 15 – Commerce and Trade Page 75 of 89 CISSP CBK Review Title 26 – Internal Revenue Code Title 49 - Transportation Compilation of Administrative Law Chronologically listed in administrative registers or by subject matter in administrative codes. Federal Register (Fed. Reg.) and Code of the Federal Register (C.F.R.) Referenced “12 C.F.R. § 100.4 (1992) The Title Number Federal Register (C.F.R.) Abbreviation of the Code (C.F.R.) Section number Year of publication Compilation of Common Law - common law from court decisions Common law is compiled as Case Reporters in chronological order and Case Digests by Subject matter Common Law System Categories – not to be confused with common law from court decisions Criminal Law – Violates government laws for the protection of the people. Financial penalties and imprisonment Civil Law – wrong inflicted upon an individual or organization results in damage or loss, no prison Administrative Law – standards of performance and conduct, financial penalties and imprisonment Intellectual Property Law Patent – Provides owner legally enforceable right to exclude others for specified time (U.S. 17 years) Copyright – Protects original works of authorship, can be used for software and databases Trade Secret – Secures confidentiality of proprietary technical and business related information Company must meet requirements Invested resources to develop the information Valuable to the business Valuable to competitor Non-obvious information Trademark – establishes word, name, symbol, color or sounds used to identify and distinguish goods Information Privacy Laws Intent varies widely from country to country European Union - has developed more protective laws for individual privacy Transfer of data from EU to US is prohibited unless equivalent protections are in place EU Principles Include Data collected in accordance with law Information cannot be disclosed without consent Records should be accurate and up to date Data should be used for the purpose it was collected Individuals entitled to report of information kept about them Transfer of data is prohibited unless equivalent protections are in place Health Care Issues Access controls do not provide sufficient granularity to implement least privilege rule Page 76 of 89 CISSP CBK Review Most off the shelf systems do not have adequate controls Systems must be accessible to outside parties Access to Internet creates potential problems Criminal and civil penalties can be imposed Public perception of large organizations misusing data Health Care Should follow (based on E.U. principles) Individual should have ability to monitor stored information about themselves, ability to correct information Data should be used for the purpose it was collected Organization should provide safeguards to ensure data is used for the purpose it was collected Existence of private information should not be kept secret HIPAA – U.S. Kennedy-Kassenbaum Health Insurance portability and Accountability Act. HIPAA effective August 21, 1996. Addresses Health Care privacy in the U.S. Still in draft form, required to be implemented soon. Addresses The rights of the individual has over information about them Procedures for the execution of such rights The uses and disclosures that should be authorized Entity must have in place Standard Safe Guards - must have appropriate administrative, technical and physical safeguards Implementation of Standard Safe Guards - A covered entity must protect health care information from intentional or unintentional disclosure Electronic Monitoring Keystroke monitoring, e-mail monitoring, surveillance cameras, badges and magnetic card keys all allow monitoring of individuals. Key to monitoring Must be done in a lawful manner in a consistent fashion E-mail monitoring Inform users that all e-mail is being monitored by displaying log-on banner Banner should state logging on to system consents user to being monitored. Unauthorized access is prohibited. Subject to prosecution. Ensure monitoring is uniformly applied Explain acceptable use Explain who can read e-mail and how long it is backed up No guarantee of privacy Enticement vs. Entrapment Enticement occurs after individual has gained unlawful access to a system, then lured to an attractive area “honey pot” in order to provide time to identify the individual Entrapment encourages the commitment of a crime that the individual had no intention of committing Computer Security, Privacy and Crime Laws 1970 – US Fair Credit Reporting Act – consumer reporting agencies 1970 - US Racketeer Influenced and Corrupt Organization Ace – racketeers influencing business Page 77 of 89 CISSP CBK Review 1973 – US Code of Fair Information Practices – personal record keeping 1974 – US Privacy Act – applies to federal agencies 1980 Organization for Economic Cooperation and Development (OECD) – data collection limitations 1984 – US Medical Computer Crime Act – illegal alteration of computerized medical records 1984 – (Strengthened in 1986 and 1994) – First US Federal Computer Crime Law – classified defense, felony for classified information 1986 (Amended 1996) – US Computer Fraud and Abuse Act – clarified 1984 law, Added three laws use of federal interest computer to further intended fraud altering or destroying information on federal interest computer that causes $1,000 in loss or medical treatment Trafficking in computer passwords if it affects commerce or allows access to government computers 1986 Electronic Communications Privacy Act – prohibits eavesdropping 1987 – Computer Security Act – requires federal government to Provide security-related training Identify sensitive systems Develop security plan for sensitive systems Developed Sensitive But Unclassified (SBU) designation Split responsibility between National Institute of Standards and Technology (NIST) and National Security Agency (NSA) NIST – commercial and SBU NSA – cryptography and classified government and military applications 1990 United Kingdom Misuse Act – defines computer related crimes 1991 US Federal Sentencing Guidelines – Unauthorized possession without the intent to profit is a crime Address both individuals and organizations Degree of punishment corresponds to level of due diligence Invoke “prudent man” rule due care of Senior Officials – Civil Law Place responsibility on Senior Management for prevention and detection programs up to $290 Million - Civil Law 1992 OECD – Guidelines to serve as Total Security Framework – laws, policies, procedures, training 1994 – US Communications Assistance for Law Enforcement Act – requires communications carriers to make wiretaps possible 1994 - Computer Abuse Amendments Act – Changed federal interest computer to a computer used in interstate commerce or communications Covers viruses and worms Includes intentional damage as well as reckless disregard Limited imprisonment for unintentional damage to one year Provides civil action for compensatory damages 1995 Council Directive Law on Data Protection for the European Union – declares EU is similar to OECD 1996 – US Economic and Protection of Proprietary Information Act – industrial and corporate espionage 1996 U.S. Kennedy-Kassenbaum Health Insurance portability and Accountability Act. HIPAA 1996 National Information Infrastructure Protection Act – amended the computer fraud and abuse act patterned after the OECD. Page 78 of 89 CISSP CBK Review GAASSP – Generally Accepted Systems Security Principles (Not laws but accepted principles of the OECD) Computer security supports the business mission Computer security is integral to sound management Computer security should be cost effective System Owners have responsibility outside of their organization Computer security requires a comprehensive integrated approach Computer security should be periodically reassessed Computer security is constrained by societal factors Gramm-Leach-Bliley Gramm-Leach-Bliley (PL 106-102) was signed into law on 12 November 1999. Title V of the law deals with Privacy. Title V Section 501 establishes policy for the protection of nonpublic personal information. Section 501 states, “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.” The law further states, financial regulatory agencies/authorities will “establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards to insure (sic) the security and confidentiality of customer records and information; to protect against any anticipated threats or hazards to the security or integrity of such records; and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.” Investigation Also known as computer forensics – collecting information from and about computer systems that is admissible in a court of law. Computer Forensic Issues Compressed timeframe for investigation Information is intangible Investigation may interfere with normal business operations May find difficulty in gathering evidence Co-mingling of live production data and evidence Experts are required Locations may be geographically in different jurisdictions Differences in law and attitude Many jurisdictions have expanded definitions of property to include electronic information Evidence Gathering, control and preservation are critical Subject to easy modification without a trace, must be carefully handled though its life cycle. Chain of Command - must be followed Chain of Command components Location of evidence Time evidence obtained Identification of individual who discovered evidence Page 79 of 89 CISSP CBK Review Identification of individual who obtained evidence Identification of individual who controlled/maintained possession of evidence Evidence Life Cycle Discovery and recognition Protection Recording Collection Collect all relevant storage media Make image of hard disk before removing power Print out screen Avoid degaussing equipment Identification (tagging and marking) Preservation Protect from magnetic erasure Store in proper environment Transportation Presentation in court Return to evidence owner Evidence Admissibility Evidence must meet stringent requirements. Must be relevant, legally permissible, reliable, properly identified and preserved Relevant – must be related to the crime, shows crime has been committed Legally Permissible – obtained in lawful manner Reliable – not been tampered or modified Properly Identified – identified without changing or damaging evidence Preservation – not subject to damage or destruction Make backups, write protect, take digital signatures of files or disk sectors Types of Evidence Best Evidence – Original or primary evidence rather than a copy Secondary evidence – a copy of evidence, or description of contents Direct Evidence – proves or disproves a specific act based on witness testimony using five senses Conclusive Evidence – incontrovertible, overrides all evidence Opinions Two Types Expert – may offer opinion based on expertise and facts Nonexpert – may testify only to the facts Circumstantial – inference on other information Hearsay – not based on first hand knowledge, not admissible in court, often computer generated reports fall under this rule. Exceptions to Hearsay Rule Made during the regular conduct of business with witnesses Made by a person with knowledge of records Made by person with knowledge Made at or near time of occurrence of act In the custody of the witness on regular basis Searching and Seizing Computers U.S. D.O.J. Computer Crime and Intellectual Property Sections (CCIPS) has issued the publication “Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations”. Sites the following US Codes Page 80 of 89 CISSP CBK Review 18 U.S.C. § 12510 - Definitions 18 U.S.C. § 1251 – interception and disclosure of wire, oral or electronic communications 18 U.S.C. § 2701 – unlawful access to stored communications 18 U.S.C. § 2702 – disclosure of contents 18 U.S.C. § 2703 – requirements for governmental access 18 U.S.C. § 2705 – delayed notice 18 U.S.C. § 2711 – definitions 18 U.S.C. § 2000aa – searches and seizures by government officers and employees in connection with the investigation of a crime Export Issues with Technology In July of 2000 U.S. relaxed its encryption export policy to certain countries. American companies can export encryption to any end user. Eliminated third day of waiting period when exporting Conducting the Investigation Corporate investigation should include Management, corporate security, Human Resources, legal department and other appropriate staff. May prompt retaliatory acts from the investigate, important to plan ahead Committee should be set up before hand to address the following issues Establishing liaison with law enforcement Deciding when and if to bring in law enforcement (FBI and Secret Service) Setting up means of reporting computer crimes Establishing procedures for handling reports of computer crimes Planning and conducting investigations Involving senior management and corporate security, Human Resources, the legal dept. Ensuring proper collection of evidence U.S. Federal Requirements requires crimes to be reported. U.S. government must obtain warrant to search for evidence under the 4 th amendment. Must be probable cause. Private individuals can conduct a search without a warrant. Exigent Circumstances Doctrine – (Probable Cause) then do not need a warrant. Good sources of evidence include Telephone records Video cameras Audit trails System logs System backups Witnesses Results of surveillance E-mails MOM Motive Opportunity Means Interview If interviewing do not give information away to suspect Questions should be scripted Don’t use original documents in the interview Page 81 of 89 CISSP CBK Review Liability 1991 US Federal Sentencing Guidelines Unauthorized possession without the intent to profit is a crime Address both individuals and organizations Degree of punishment corresponds to level of due diligence Invoke “prudent man” rule due care of Senior Officials – Civil Law Place responsibility on Senior Management for prevention and detection programs up to $290 Million Due Care Requirements Means to prevent computer resources from being used as a source of attack on another organization Relates to proximate causation – part of a chain that results in negative consequence Backups Scans for malicious code Business Continuity and Disaster Recovery Local and remote access control Elimination of unauthorized insecure modems Security polices and procedures Ensuing Confidentiality, Integrity and Availability Assessing responsibilities to third parties Established incident response capability Downstream liabilities When companies come together to work in an integrated manner, special care must be taken to ensure that each party promises to provide the necessary level of protection, liability and responsibility needed which should be clearly defined in the contracts that each party signs. Due Care Steps that are taken to show that a company has taken responsibility for the activities that take place within the corporation and have taken the necessary steps to help protect the company, its resources and employees. Due Diligence Continual activities that make sure the protection mechanisms are continually maintained and operational. Prudent man rule To perform duties that prudent people would exercise in similar circumstances. Criteria for evaluating legal requirements C – cost of implementing the control L – estimated loss from exploitation If – C < L, then a legal liability exists. Incident Handling should address What constitutes an incident How should an incident be reported To who should an incident be reported When should management be informed of an incident What action should be taken if an incident occurs Who should handle the response to the incident How much damage was caused by the incident What data was damaged by the incident Are recovery procedures required Page 82 of 89 CISSP CBK Review What type of follow up or review is required Should additional safeguards be implemented Establish a CIRT – Computer Incident Response Team Ethics Certified professionals are morally and legally held to a higher standard. Should be included in organizational computing policy ISC2 Code of Ethics CISSPs Shall Conduct themselves with highest standards of ethical, moral and legal behavior Not commit any unlawful or unethical act that may impact the reputation of the profession Appropriately report unlawful behavior Support efforts to promote prudent information security measures Provide competent service to their employers and clients; avoid conflicts of interest Execute responsibilities with highest standards Not misuse information in which they come into contact with during their duties Internet Activities Board (IAB) “Internet Activity Should be treated as a privilege” Unacceptable actions Seeks to gain unauthorized access to resources of the Internet Disrupts intended use of the internet Wastes resources Compromises privacy of others Involves negligence in conduct of Internet Experiments US Dept. Of Health, Education and Warfare Fair information practices, individually identifiable information No personal record keeping on systems that are secret Way for person to find out what information is contained and how it is used Way for person to prevent information from being used for other purposes than originally intended Organizations must ensure reliability of data Phone Phreakers Blue boxing - A device that simulates a tone that tricks the telephone company’s system into thinking the user is authorized for long distance service, which enables him to make the call. Red boxes - Simulates the sound of coins being dropped into a payphone. Black boxes - Manipulates the line voltage to receive a toll-free call. TOP DOMAIN 10 – PHYSICAL SECURITY Physical security mechanisms include site design and layout, environmental components, emergency response readiness, training, access control, intrusion detection, power and fire protection. Page 83 of 89 CISSP CBK Review “The value of items to be protected can be deteremined by a critical path anaylsis”. The critical path analysis lists all peices of an environment and how they interract. The CPA should include power, data, water and sewer lines, A/C, generators and storm drains. “The physical security domain addresses the threats, vulnerabilities and countermeasures that can be utilized to physically protect an enterprises’ resources and sensitive information”. These include personnel, facilities, data, equipment, support systems and media. There are seven major causes of physical loss Temperate Sunlight, fire, freezing, heat. Gases War gases, vapors, humidity, dry air, smoke, smog. Liquids Water and chemicals Organisms People, animals, viruses, bacteria Projectiles Meteors, cars and trucks, bullets, tornados Movement Collapse, shearing, shaking, earthquakes Energy Anomalies Surges or power failures, static, radiation, magnets. Some common physical controls are Administrative Facility selection or construction Facility management Personnel controls Training Emergency response and procedures Technical Access controls Intrusion detection Alarms CCTV HVAC Power supply. Fire detection Physical Fencing Locks Lighting Facility construction “Load” How much weight can be held by a building’s walls, floors & ceiling. Raised floors need to be electrically grounded. A/C Should have positive air pressure Pushes smoke out. Water should have positive flow flows out of the builders, not in. Page 84 of 89 CISSP CBK Review MTBF Mean time between failure. MTTR Mean time to repair. Power Supply There are 3 main methods to protecting against power problems UPS, Power line conditioners and backup sources. Definitions Ground Pathway to earth to enable excess voltage to dissipate. Noise Electromagnetic or frequency interference that disrupts power flow and can cause fluctuations. Transient Noise Short duration of power line disruption. Clean Power Power that does not fluctuate. EMI is created by the different between three wires Hot, Neutral & ground. RFI is created by components of an electrical system. For example, electrical cables and flourescent lighting. Power Excess Spike Momentary high voltage. Surge Prolonged high voltage. Power Loss Fault Momentary power out. Blackout Prolonged loss of power. Power Degradation Sag Momentary low voltage. Brownout Prolonged supply below normal voltage. EMI is the difference betwen the charges in the hot, neutral and ground wires Common Noise Noise from radiation generated by the difference in hot and ground. Traverse-mode Noise Noise from radiation generated by the difference between hot and neutral wires. RFI is generated by components of electrical systems. Environmental Issues Water, steam and gas must have proper shutoff values. High Humidity Corrosion. Page 85 of 89 CISSP CBK Review Low Humidity Static. The ideal level of humidity is between 45% and 60%. A hygrometer measures humidity. Ideal temperate for computing devices is 70 to 74%. Magnetic media are affected from 100 degrees. Disks are damaged at 150 degrees Computer damaged equipment at 175 degrees. Source ROTHKE, Ben, CISSP CBK Review presentation on domain 10. Fire Prevention, Detection and Suppression Fire detectors can be activated by Smoke Photoelectric device detects change in electric current when there is a variation in the light intensive. Heat Rate-of-rise temporarate sensors and fixed temperature sensors. Fixed temperature sensors have less false positives. Flame Senses pulsation of flames or infrared energy associated with flames and combustion. Smoke Detectors Detectors should be on and above suspended ceilings – smoke usually gathers there first. Detectors should be installed below raised floors because there are many types of wire that could start an electrical fire. Detectors should be located in enclosures and air ducts. Fire Suppression There are four main classes of fires Class A Common combustibles such as wood, paper, laminated. Best fought with water or soda acid. Class B Liquid fires such as petroleum products and coolants. Best fought with Gas (Halon), CO2, Soda Acid. Class C Electrical equipment and wires. Best fought with Gas (Halon) or CO2. Class D Combustible metals. Best fought with Dry Powder. A fire needs heat, fuel and oxygen to burn. The different fire suppression methods do the following CO2 & Soda Acid Water Halon (or substitute) Remove fuel and oxygen from the fire. Lowers temperature Interferes with chemical reaction between elements. Page 86 of 89 CISSP CBK Review Halon is no longer legal due to environmental issues, some replacements are FM200 NAF-S-III FE-13 Inergen Argon Argonite Halon 1211 does not require the sophisticated pressurization system needed by Halon 1301 and tends to be used in self-pressurized portable extinguishers. Water Sprinklers “Sensors should be in place to shut down electrical power before water sprinklers activate” Wet Pipe Water in pipe. At a preset temperature (165), a link melts to release the water. Water can freeze in the pipes in colder climates. Dry Pipe Water is held back by a value until a specific temperature is reached, then a time delay occurs before the water is released. This can give time for shutdown in a false alarm, but not as fast response as wet pipe. Best in colder climates because water cannot freeze in the pipes. Preaction Combination of wet and dry pipe. Water is not held in the pipes – released into the pipes when a specific temperature is reached. The water is not then released right away – a link in the pipes has to melt to release the water. This type is most the one most recommended for a computer room. Deluge Same as dry pipe, except sprinkler heads are open. Large volume of water releases in a short period of time. Not recommended for electrical equipment. HVACR Heating, Ventilation, Air Conditioning, Refridgeration. Administrative Controls Emergency Response and procedures Evacuation procedures System shutdown Training and drills Integrate with disaster recovery plans Documented procedures for different types of emergencies Periodic equipment tests Perimeter Security The first line of defense is perimeter security. Preventing access to the facility deals with Access control, surveillance, monitoring, intrusion detection and corrective actions. Preset locks Usually used on doors. Latches and deadbolts. Page 87 of 89 CISSP CBK Review Cipher Locks Keypads, combination entry, swipe cards or both. Options on Cipher locks can include Door delay – alarm will trigger if door is open for too long. Key Override – specific combination programmed for emergencies Master Keying – enabled supervisor personnel to change access codes and other features Hostage Alarm – special code that does not ring alarm locally, but at the monitoring site (police station or alarm company) Device Locks Locks for specific devices such as cable locks for laptops, disk drive locks, switch control, slot locks, port controls and cable traps. Personnel Access Controls A common problem is “piggybacking”. Magnetic Cards Can be just a strip containing information, or “smart” cards requiring a PIN number. Wireless Proximity readers User activated Card transmits values to the reader. System Sensing Three main types of system sending cards Transponders – Card and reader both have a receiver, transmitter and battery. Passive Devices – Card uses power from the reader. Field-Powered Devices – Card and reader contain a transmitter. Card has its own power supply. External Boundary Protection Fencing 3 to 4 feet Deters Casual Trespassers. 6 to 7 feet Too high to climb easily. 8 ft + barbed wire Deter more determined intruders. Lighting Critical access should be illuminated 8 feet high and 2 feet out. Surveillance There are three main categories of surveillance Patrol force and guards – costly, unreliable but provide judgement. Dogs Visual recording devices – CCTV. Issues with guards are availability, reliability, training and cost. Page 88 of 89 CISSP CBK Review Surveillance techniques are used to watch for unusual behaviors, whereas detecting devices are used to sense changes that take place in an environment. Monitoring live events is preventative, recording events is detective. TOP Page 89 of 89