Sybex CISSP Certified Information Systems Security Professional Study Guide 4th Edition Jul 2008 ISBN 0470276886 pdf

(1)

(2)

Wiley Publishing, Inc.

CISSP

®

Certified Information Systems

Security Professional

Study Guide

Fourth Edition

James Michael Stewart

Ed Tittel

(3)

(4)

CISSP

®

Certified Information Systems

Security Professional

(5)

(6)

Wiley Publishing, Inc.

CISSP

®

Certified Information Systems

Security Professional

Study Guide

Fourth Edition

James Michael Stewart

Ed Tittel

(7)

Acquisitions Editor: Jeff Kellum

Vice President and Executive Group Publisher: Richard Swadley Vice President and Executive Publisher: Joseph B. Wikert Vice President and Publisher: Neil Edde

Media Associate Project Manager: Laura Moss-Hollister Media Assistant Producer: Kit Malone

Media Quality Assurance: Josh Frank Book Designers: Judy Fung and Bill Gibson

Compositor: Craig J. Woods, Happenstance Type-O-Rama Proofreaders: Sondra Schneider and Nancy Bell

Indexer: Jack Lewis Cover Designer: Ryan Sneed

Published simultaneously in Canada

ISBN: 978-0-470-27688-4

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other pro-fessional services. If propro-fessional assistance is required, the services of a competent propro-fessional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organi-zation or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recom-mendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be avail-able in electronic books.

Library of Congress Cataloging-in-Publication Data is available from the publisher.

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written per-mission. CISSP is a registered trademark of International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

(8)

Dear Reader,

Thank you for choosing CISSP: Certified Information Systems Security Professional Study Guide. This book is part of a family of premium quality Sybex books, all written by out-standing authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than thirty years later, we’re still committed to producing consistently exceptional books. With each of our titles we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.

I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at nedde@wiley.com, or if you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

Best regards,

Neil Edde

(9)

To Cathy, whenever there is trouble, just remember “Some beach, somewhere….”

—James Michael Stewart

To my family: Renee, Richard, Matthew, and Christopher, who lovingly put up with me during the hours I spent buried in my laptop writing this book.

(10)

Acknowledgments

I hope our efforts to improve this study guide will lend themselves handily to your understand-ing and comprehension of the wide berth of CISSP concepts. I’d like to express my thanks to Sybex for continuing to support this project. Thanks to Ed Tittel and Mike Chapple for con-tinuing to contribute to this project. Also thanks to all my CISSP course students who have provided their insight and input to improve my training courseware and ultimately this tome.

To my wonderful wife, Cathy, our life together is just getting started. To my son, Xzavier Slayde, may you grow to be more than we could imagine. To my parents, Dave and Sue, thanks for your love and consistent support. To Mark, as best friends go, it could’ve been worse. And finally, as always, to Elvis—all hail the King!

—James Michael Stewart

Thanks to both Michael Stewart and Mike Chapple for keeping me involved in this inter-esting project. I’m glad Michael has had the opportunity to keep teaching CISSP courses and provide us all with a lifeline to the hard-working professionals in the trenches for whom this credential can mean so much. Congrats also to Michael on the latest addition to his family; my son, Gregory, just turned four and it seems like only last month we brought him home from the hospital. May the months and years slip by as pleasantly and painlessly for you as they have for us. Next, thanks to the folks at Sybex, especially Jeff Kellum for rounding us all up and keeping us headed in the same direction and for his excellent view of where we need to take this book. Finally, I’d like to thank my loving and lovely wife, Dina, for putting up with me and for making our lives together both comfortable and interesting.

—Ed Tittel

Special thanks go to the information security team at the University of Notre Dame. Gary Dobbins, Bob Winding, David Seidl, and Robert Riley provided hours of interesting conversation and debate on security issues that inspired and informed much of the mate-rial in this book.

I would like to thank Jeff Kellum, our editor at Wiley, and the people at Allegro Editorial Services, who provided invaluable assistance throughout the book development process. I also owe a debt of gratitude to my literary agent, Carole Jelen of Waterside Productions. My coauthors, Ed Tittel and James Michael Stewart, have worked with me ever since we pub-lished the first edition of this book together five years ago. I’d also like to thank the many people who participated in the production of this book but whom I never had the chance to meet: the graphics team, the production staff, and all of those involved in bringing this book to press.

(11)

About the Authors

James Michael Stewart, CISSP, has been writing and training for more than 14 years, with a current focus on security. He has taught dozens of CISSP training courses, not to mention numerous sessions on Windows security and the Certified Ethical Hacker certification. He is the author of several books and courseware sets on security certification, Microsoft topics, and network administration. More information about Michael can be found at his website: www.impactonline.com.

Ed Tittel is a full-time freelance writer, trainer, and consultant specializing in matters related to information security, markup languages, and networking technologies. He is a regular contributor to numerous TechTarget websites; teaches online security and technology courses for companies including HP, Sony, and Motorola; and writes regularly for Tom’s Hardware. Ed’s professional bio and other information are available at www.edtittel.com.

(12)

Contents at a Glance

Introduction xxvii

Assessment Test xxxv

Chapter 1 Accountability and Access Control 1

Chapter 2 Attacks and Monitoring 45

Chapter 3 ISO Model, Protocols, Network Security,

and Network Infrastructure 77

Chapter 4 Communications Security and Countermeasures 139

Chapter 5 Security Management Concepts and Principles 179

Chapter 6 Asset Value, Policies, and Roles 205

Chapter 7 Data and Application Security Issues 243

Chapter 8 Malicious Code and Application Attacks 293

Chapter 9 Cryptography and Private Key Algorithms 333

Chapter 10 PKI and Cryptographic Applications 375

Chapter 11 Principles of Computer Design 411

Chapter 12 Principles of Security Models 451

Chapter 13 Administrative Management 495

Chapter 14 Auditing and Monitoring 527

Chapter 15 Business Continuity Planning 563

Chapter 16 Disaster Recovery Planning 591

Chapter 17 Law and Investigations 629

Chapter 18 Incidents and Ethics 665

Chapter 19 Physical Security Requirements 691

Appendix About the Companion CD 725

Glossary 729

(13)

(14)

Introduction

The CISSP: Certified Information Systems Security Professional Study Guide, 4th Edition, offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you’ve shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam.

This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam.

Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary five years of experience (or four years if you have a college degree) in one of the 10 domains covered by the CISSP exam. If you are qualified to take the CISSP exam according to (ISC)2_, then you are sufficiently prepared to use this book to study for the CISSP exam. For more information on (ISC)2_{, see the next section.}

(ISC)

2

The CISSP exam is governed by the International Information Systems Security Certification Consortium (ISC)2_{organization. (ISC)}2_{is a global not-for-profit organization. It has four} primary mission goals:

Maintain the Common Body of Knowledge (CBK) for the field of information systems security.

Provide certification for information systems security professionals and practitioners. Conduct certification training and administer the certification exams.

Oversee the ongoing accreditation of qualified certification candidates through continued education.

The (ISC)2_{is operated by a board of directors elected from the ranks of its certified practitioners.} You can obtain more information about (ISC)2_{from its website at www.isc2.org.}

CISSP and SSCP

(31)

xxviii Introduction

The CISSP certification covers material from the 10 CBK domains:

Access Control

Telecommunications and Network Security Information Security and Risk Management Application Security

Cryptography

Security Architecture and Design Operations Security

Business Continuity and Disaster Recovery Planning Legal, Regulations, Compliance, and Investigations Physical (Environmental) Security

The SSCP certification covers material from seven CBK domains:

Access Controls Administration Audit and Monitoring Cryptography

Data Communications Malicious Code/Malware Risk, Response, and Recovery

The content for the CISSP and SSCP domains overlap significantly, but the focus is different for each set of domains. The CISSP focuses on theory and design, whereas the SSCP focuses more on implementation and best practices. This book focuses only on the domains for the CISSP exam.

Prequalifications

(ISC)2_{has defined several qualification requirements you must meet to become a CISSP. First,} you must be a practicing security professional with at least five years’ experience or with four years’ experience and a recent IT or IS degree. Professional experience is defined as security work performed for salary or commission within one or more of the 10 CBK domains.

Second, you must agree to adhere to a formal code of ethics. The CISSP Code of Ethics is a set of guidelines the (ISC)2_{wants all CISSP candidates to follow to maintain professionalism} in the field of information systems security. You can find it in the Information section on the (ISC)2_{website at www.isc2.org.}

(32)

Introduction xxix

To sign up for the CISSP exam, visit the (ISC)2_{website, and follow the instructions listed there} for registering to take the CISSP exam (the link reads “Register Now for CISSP Certification Exams”). You’ll provide your contact information, payment details, and security-related pro-fessional experience. You’ll also select one of the available time and location settings for the exam. Once (ISC)2_{approves your application to take the exam, you’ll receive a confirmation} email with all the details you’ll need to find the testing center and take the exam.

Overview of the CISSP Exam

The CISSP exam consists of 250 questions, and you have 6 hours to complete it. The exam is still administered using a paper booklet and answer sheet. This means you’ll be using a pencil to fill in answer bubbles.

The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and concept than implementation and procedure. It is very broad but not very deep. To success-fully complete this exam, you’ll need to be familiar with every domain in the CBK but not nec-essarily be a master of each domain.

You’ll need to register for the exam through the (ISC)2_{website at www.isc2.org.} (ISC)2_{administers the exam itself. In most cases, the exams are held in large conference rooms} at hotels. Existing CISSP holders are recruited to serve as proctors or administrators for these exams. Be sure to arrive at the testing center around 8 a.m., and keep in mind that absolutely no one will be admitted into the exam after 8:30 a.m. Once all test takers are signed in and seated, the exam proctors will pass out the testing materials and read a few pages of instructions. This may take 30 minutes or more. Once that process is finished, the 6 hour window for taking the test will begin.

CISSP Exam Question Types

Every question on the CISSP exam is a four-option, multiple-choice question with a single correct answer. Some are straightforward, such as asking you to select a definition. Some are a bit more involved, such as asking you to select the appropriate concept or best practice. And some questions present you with a scenario or situation and ask you to select the best response. Here’s an example:

1. What is the most important goal and top priority of a security solution?

A. Preventing disclosure

B. Maintaining integrity

C. Maintaining human safety

D. Sustaining availability

(33)

xxx Introduction

By the way, the correct answer for this question is C. Protecting human safety is always your first priority.

Advice on Taking the Exam

The CISSP exam consists of two key elements. First, you need to know the material from the 10 CBK domains. Second, you must have good test-taking skills. With 6 hours to complete a 250-question exam, you have just less than 90 seconds for each question. Thus, it is important to work quickly, without rushing but also without wasting time.

One key factor to remember is that guessing is better than not answering a question. If you don’t answer a question, you will not get any credit. But if you guess, you have at least a 25 percent chance of improving your score. Wrong answers are not counted against you. So, near the end of the sixth hour, be sure an answer is selected for every line on the answer sheet. You can write on the test booklet, but nothing written on it will count for or against your score. Use the booklet to make notes and keep track of your progress. We recommend circling each answer you select before you mark it on your answer sheet.

To maximize your test-taking activities, here are some general guidelines:

Answer easy questions first.

Skip harder questions, and return to them later. Consider creating a column on the front cover of your testing booklet to keep track of skipped questions.

Eliminate wrong answers before selecting the correct one. Watch for double negatives.

Be sure you understand what the question is asking.

Manage your time. You should try to complete about 50 questions per hour. This will leave you with about an hour to focus on skipped questions and double-check your work.

Be very careful to mark your answers on the correct question number on the answer sheet. The most common cause of failure is making a transference mistake from the test booklet to the answer sheet.

Be sure to bring food and drink to the test site. You will not be allowed to leave to obtain sustenance. Your food and drink will be stored against one wall of the testing room. You can eat and drink at any time, but only against that wall. Be sure to bring any medications or other essential items, but leave all things electronic at home or in your car. Wear a watch, but make sure it is not a programmable one. Bring pencils, manual sharpener, and an eraser.

(34)

Introduction xxxi

Study and Exam Preparation Tips

We recommend planning for a month or so of nightly intensive study for the CISSP exam. Here are some suggestions to maximize your learning time; you can modify them as necessary based on your own learning habits:

Take one or two evenings to read each chapter in this book and work through its review material.

Take all the practice exams provided in the book and on the CD. Complete the written labs from each chapter, and use its self-assessment questions to help guide you to top-ics where more study or time spent working through key concepts and strategies might be beneficial.

Review the (ISC)2’s study guide from www.isc2.org.

Use the flashcards found on the CD to reinforce your understanding of concepts.

We recommend spending about half of your study time reading and reviewing concepts and the other half taking practice exams. Students have reported that the more time they spent taking practice exams, the better they retained test topics.

You might also consider visiting resources such as www.cccure.org,

www.cissp.com, and other CISSP-focused websites.

Completing the Certification Process

Once you have been informed that you successfully passed the CISSP certification, there is one final step before you are actually awarded the CISSP certification. That final step is known as endorsement. Basically, this involves getting someone familiar with your work history to sign and submit an endorsement form on your behalf. The endorsement form is sent to you as an attachment to the email notifying you of your achievement in passing the exam. Simply send the form to a CISSP in good standing along with your résumé. The endorser must review your résumé, ensure that you have sufficient experience in the 10 CISSP domains, and then submit the signed form to (ISC)2_{via fax or post mail. You must have submitted the endorsement files} to (ISC)2_{within 90 days after receiving the confirmation of passing email. Once (ISC)}2_receives your endorsement form, the certification process will be completed and you will be sent a welcome packet via post mail.

(35)

xxxii Introduction

Post-CISSP Concentrations

(ISC)2_{has added three concentrations to its certification lineup. These concentrations are offered} only to CISSP certificate holders. The (ISC)2_{has taken the concepts introduced on the CISSP} exam and focused on specific areas, namely, architecture, management, and engineering. These three concentrations are as follows:

Information Systems Security Architecture Professional (ISSAP): Aimed at those who specialize in information security architecture. Key domains covered here include access control systems and methodology; cryptography; physical security integration; requirements analysis and security standards, guidelines, and criteria; technology-related aspects of business continuity planning and disaster recovery planning; and telecommunications and network security. This is a credential for those who design security systems or infrastructure or for those who audit and analyze such structures.

Information Systems Security Management Professional (ISSMP): Aimed at those who focus on management of information security policies, practices, principles, and procedures. Key domains covered here include enterprise security management practices; enterprise-wide sys-tem development security; law, investigations, forensics, and ethics; oversight for operations security compliance; and understanding business continuity planning, disaster recovery plan-ning, and continuity of operations planning. This is a credential for those professionals who are responsible for security infrastructures, particularly where mandated compliance comes into the picture.

Information Systems Security Engineering Professional (ISSEP): Aimed at those who focus on the design and engineering of secure hardware and software information systems, compo-nents, or applications. Key domains covered include certification and accreditation, systems security engineering, technical management, and U.S. government information assurance rules and regulations. Most ISSEPs work for the U.S. government or for a government con-tractor that manages government security clearances.

For more details about these concentration exams and certifications, please see the (ISC)2 website at www.isc2.org.

Notes on This Book’s Organization

This book is designed to cover each of the 10 CISSP Common Body of Knowledge domains in sufficient depth to provide you with a clear understanding of the material. The main body of this book comprises 19 chapters. The first nine domains are each covered by two chapters, and the final domain (Physical Security) is covered in Chapter 19. The domain/chapter break-down is as follows:

Chapters 1 and 2 Access Control

Chapters 3 and 4 Telecommunications and Network Security Chapters 5 and 6 Information Security and Risk Management Chapters 7 and 8 Application Security

Chapters 9 and 10 Cryptography

(36)

Introduction xxxiii

Chapters 13 and 14 Operations Security

Chapters 15 and 16 Business Continuity and Disaster Recovery Planning Chapters 17 and 18 Legal, Regulations, Compliance, and Investigation Chapter 19 Physical (Environmental) Security

Each chapter includes elements to help you focus your studies and test your knowledge, detailed in the following sections.

The Elements of This Study Guide

You’ll see many recurring elements as you read through this study guide. Here’s a description of some of those elements:

Key Terms and Glossary In every chapter, we’ve identified key terms, which are important for you to know. You’ll also find these key terms and their definitions in the glossary.

Summaries The summary is a brief review of the chapter to sum up what was covered. Exam Essentials The Exam Essentials highlight topics that could appear on one or both of the exams in some form. While we obviously do not know exactly what will be included in a particular exam, this section reinforces significant concepts that are key to understanding the body of knowledge area and the test specs for the CISSP exam.

Chapter Review Questions Each chapter includes practice questions that have been designed to measure your knowledge of key ideas that were discussed in the chapter. After you finish each chapter, answer the questions; if some of your answers are incorrect, it’s an indication that you need to spend some more time studying that topic. The answers to the practice questions can be found at the end of the chapter.

Written Labs Each chapter includes written labs that synthesize various concepts and topics that appear in the chapter. These raise questions that are designed to help you put together various pieces you’ve encountered individually in the chapter and assemble them to propose or describe potential security strategies or solutions.

Real World Scenarios As you work through each chapter, you’ll find at least two descriptions of typical and plausible workplace situations where an understanding of the security strategies and approaches relevant to the chapter content could play a role in fixing problems or in fending off potential difficulties. This gives readers a chance to see how specific security policies, guide-lines, or practices should or may be applied to the workplace.

What’s on the CD?

We worked really hard to provide some essential tools to help you with your certification process. All of the following gear should be loaded on your workstation when studying for the test.

The Sybex Test Preparation Software

(37)

xxxiv Introduction

test yourself by chapter, take the practice exams, or take a randomly generated exam com-prising all the questions.

Electronic Flashcards for PCs and Palm Devices

Sybex’s electronic flashcards include hundreds of questions designed to challenge you further for the CISSP exam. Between the review questions, practice exams, and flashcards, you’ll have more than enough practice for the exam!

CISSP Study Guide

in PDF

Sybex offers the CISSP Study Guide in PDF format on the CD so you can read the book on your PC or laptop. So if you travel and don’t want to carry a book, or if you just like to read from the computer screen, Adobe Acrobat is also included on the CD.

Bonus Exams

Sybex includes bonus exams on the CD, each comprised of questions meant to survey your understanding of key elements in the CISSP CBK.

How to Use This Book and CD

This book has a number of features designed to guide your study efforts for the CISSP certi-fication exam. It assists you by listing the CISSP body of knowledge at the beginning of each chapter and by ensuring that each topic is fully discussed within the chapter. The practice questions at the end of each chapter and the practice exams on the CD are designed to test your retention of the material you’ve read to make you are aware of areas in which you should spend additional study time. Here are some suggestions for using this book and CD:

Take the assessment test before you start reading the material. This will give you an idea of the areas in which you need to spend additional study time, as well as those areas in which you may just need a brief refresher.

Answer the review questions after you’ve read each chapter; if you answer any incorrectly, go back to the chapter and review the topic, or utilize one of the additional resources if you need more information.

Download the flashcards to your handheld device, and review them when you have a few minutes during the day.

Take every opportunity to test yourself. In addition to the assessment test and review questions, there are bonus exams on the CD. Take these exams without referring to the chapters and see how well you’ve done—go back and review any topics you’ve missed until you fully understand and can apply the concepts.

(38)

Assessment Test

1. Which of the following type of access control seeks to discover evidence of unwanted, unauthorized, or illicit behavior or activity?

A. Preventive

B. Deterrent C. Detective

D. Corrective

2. Can you define and detail the aspects of password selection that distinguish good password choices from ultimately poor password choices?

A. Difficult to guess or unpredictable B. Meet minimum length requirements

C. Meet specific complexity requirements

D. All of the above

3. Which of the following is most likely to detect DoS attacks?

A. Host-based IDS

B. Network-based IDS C. Vulnerability scanner

D. Penetration testing

4. Which of the following is considered a denial-of-service attack?

A. Pretending to be a technical manager over the phone and asking a receptionist to change their password

B. While surfing the Web, sending to a web server a malformed URL that causes the system to use 100 percent of the CPU to process an endless loop

C. Intercepting network traffic by copying the packets as they pass through a specific subnet D. Sending message packets to a recipient who did not request them simply to be annoying

5. At which layer of the OSI model does a router operate?

A. Network layer

B. Layer 1

C. Transport layer

D. Layer 5

6. Which type of firewall automatically adjusts its filtering rules based on the content of the traffic of existing sessions?

A. Static packet filtering

B. Application-level gateway

(39)

xxxvi Assessment Test

7. A VPN can be established over which of the following?

A. Wireless LAN connection

B. Remote access dial-up connection C. WAN link

D. All of the above

8. Email is the most common delivery vehicle for which of the following?

A. Viruses

B. Worms

C. Malicious code D. All of the above

9. The CIA Triad is comprised of what elements?

A. Contiguousness, interoperable, arranged

B. Authentication, authorization, accountability

C. Capable, available, integral

D. Availability, confidentiality, integrity

10. Which of the following is not a required component in the support of accountability?

A. Auditing B. Privacy

C. Authentication

D. Authorization

11. Which of the following is not a defense against collusion?

A. Separation of duties

B. Restricted job responsibilities C. Group user accounts

D. Job rotation

12. A data custodian is responsible for securing resources after ________ has assigned the resource a security label.

A. senior management B. data owner

C. auditor

(40)

Assessment Test xxxvii

13. In what phase of the Capability Maturity Model for Software (SW-CMM) are quantitative measures utilized to gain a detailed understanding of the software development process? A. Repeatable

B. Defined

C. Managed

D. Optimizing

14. Which one of the following is a layer of the ring protection scheme that is not normally imple-mented in practice?

A. Layer 0

B. Layer 1

C. Layer 3 D. Layer 4

15. What is the last phase of the TCP/IP three-way handshake sequence?

A. SYN packet

B. ACK packet

C. NAK packet

D. SYN/ACK packet

16. Which one of the following vulnerabilities would best be countered by adequate parameter checking?

A. Time-of-check-to-time-of-use

B. Buffer overflow

C. SYN flood

D. Distributed denial of service

17. What is the value of the logical operation shown here?

X: 0 1 1 0 1 0 Y: 0 0 1 1 0 1 X ⊕_{Y: ?}

A. 0 1 1 1 1 1 B. 0 1 1 0 1 0

C. 0 0 1 0 0 0

(41)

xxxviii Assessment Test

18. In what type of cipher are the letters of the plain-text message rearranged to form the cipher text?

A. Substitution cipher

B. Block cipher

C. Transposition cipher

D. One-time pad

19. What is the length of a message digest produced by the MD5 algorithm?

A. 64 bits B. 128 bits

C. 256 bits

D. 384 bits

20. If Renee receives a digitally signed message from Mike, what key does she use to verify that the message truly came from Mike?

A. Renee’s public key

B. Renee’s private key

C. Mike’s public key

D. Mike’s private key

21. Which of the following statements is true?

A. The less complex a system, the more vulnerabilities it has. B. The more complex a system, the less assurance it provides.

C. The less complex a system, the less trust it provides.

D. The more complex a system, the less attack surface it generates.

22. Ring 0, from the design architecture security mechanism known as protection rings, can also be referred to as all but which of the following:

A. privileged mode

B. supervisory mode

C. system mode

D. user mode

23. Which of the following is not a composition theory related to security models?

A. Cascading B. Feedback

C. Iterative

(42)

Assessment Test xxxix

24. Which level of Trusted Computer System Security Criteria (TCSEC) required that the evaluated system have mandatory access controls?

A. C2

B. B1

C. D

D. C1

25. Audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and cyclic redundancy checks (CRCs) are examples of what?

A. Directive controls B. Preventive controls

C. Detective controls

D. Corrective controls

26. System architecture, system integrity, covert channel analysis, trusted facility management and trusted recovery are elements of what security criteria?

A. Quality assurance

B. Operational assurance

C. Life cycle assurance

D. Quantity assurance

27. Which of the following is a procedure designed to test and perhaps bypass a system’s security controls?

A. Logging usage data

B. War dialing

C. Penetration testing

D. Deploying secured desktop workstations

28. Auditing is a required factor to sustain and enforce what?

A. Accountability

B. Confidentiality

C. Accessibility

D. Redundancy

29. What is the formula used to compute the ALE?

A. ALE = AV * EF B. ALE = ARO * EF

C. ALE = AV * ARO

(43)

xl Assessment Test

30. What is the first step of the business impact assessment process?

A. Identification of priorities

B. Likelihood assessment C. Risk identification

D. Resource prioritization

31. Which of the following represent natural events that can pose a threat or risk to an organization?

A. Earthquake

B. Flood

C. Tornado D. All of the above

32. What kind of recovery facility enables an organization to resume operations as quickly as possible, if not immediately upon failure of the primary facility?

A. Hot site

B. Warm site C. Cold site

D. All of the above

33. What law allows ISPs to voluntarily provide government investigators with a large range of user information without a warrant?

A. Electronic Communications Privacy Act B. Gramm-Leach-Bliley Act

C. USA PATRIOT Act

D. Privacy Act of 1974

34. In the United States, how are the administrative determinations of federal agencies promulgated?

A. Code of Federal Regulations

B. United States Code C. Supreme Court decisions

D. Administrative declarations

35. Why are military and intelligence attacks among the most serious computer crimes?

A. The use of information obtained can have far-reaching detrimental strategic effect on national interests in an enemy’s hands.

B. Military information is stored on secure machines, so a successful attack can be embarrassing.

C. The long-term political use of classified information can impact a country’s leadership. D. The military and intelligence agencies have ensured that the laws protecting their

(44)

Assessment Test xli

36. What type of detected incident allows the most time for an investigation?

A. Compromise

B. Denial of service C. Malicious code

D. Scanning

37. If you want to restrict access to one direction within a facility, which would you choose?

A. Gate

B. Turnstile

C. Fence D. Mantrap

38. What is the point of a secondary verification system?

A. To verify the identity of a user

B. To verify the activities of a user

C. To verify the completeness of a system

(45)

xlii Answers to Assessment Test

Answers to Assessment Test

1. C. Detective access controls are used to discover (and document) unwanted or unautho-rized activity. For more information, please see Chapter 1.

2. D. Strong password choices are difficult to guess, unpredictable, and of specified minimum lengths to ensure that password entries cannot be computationally determined. They may be randomly generated and utilize all the alphabetic, numeric, and punctuation characters; they should never be written down or shared; they should not be stored in publicly accessible or generally readable locations; and they shouldn’t be transmitted in the clear. For more infor-mation, please see Chapter 1.

3. B. Network-based IDSs are usually able to detect the initiation of an attack or the ongoing attempts to perpetrate an attack (including DoS). They are, however, unable to provide informa-tion about whether an attack was successful or which specific systems, user accounts, files, or appli-cations were affected. Host-based IDSs have some difficulty with detecting and tracking down DoS attacks. Vulnerability scanners don’t detect DoS attacks; they test for possible vulnerabilities. Penetration testing may cause a DoS or test for DoS vulnerabilities, but it is not a detection tool. For more information, please see Chapter 2.

4. B. Not all instances of DoS are the result of a malicious attack. Errors in coding OSs, services, and applications have resulted in DoS conditions. Some examples of this include a process failing to release control of the CPU or a service consuming system resources out of proportion to the service requests it is handling. Social engineering and sniffing are typically not considered DoS attacks. For more information, please see Chapter 2.

5. A. Network hardware devices, including routers, function at layer 3, the Network layer. For more information, please see Chapter 3.

6. D. Dynamic packet-filtering firewalls enable the real-time modification of the filtering rules based on traffic content. For more information, please see Chapter 3.

7. D. A VPN link can be established over any other network communication connection. This could be a typical LAN cable connection, a wireless LAN connection, a remote access dial-up connection, a WAN link, or even an Internet connection used by a client for access to the office LAN. For more information, please see Chapter 4.

8. D. Email is the most common delivery mechanism for viruses, worms, Trojan horses, docu-ments with destructive macros, and other malicious code. For more information, please see Chapter 4.

9. D. The components of the CIA Triad are confidentiality, availability, and integrity. For more information, please see Chapter 5.

10. B. Privacy is not necessary to provide accountability. For more information, please see Chapter 5.

(46)

Answers to Assessment Test xliii

12. B. The data owner must first assign a security label to a resource before the data custodian can secure the resource appropriately. For more information, please see Chapter 6.

13. C. The Managed phase of the SW-CMM involves the use of quantitative development metrics. The Software Engineering Institute (SEI) defines the key process areas for this level as Quantitative Pro-cess Management and Software Quality Management. For more information, please see Chapter 7.

14. B. Layers 1 and 2 contain device drivers but are not normally implemented in practice. Layer 0 always contains the security kernel. Layer 3 contains user applications. Layer 4 does not exist. For more information, please see Chapter 7.

15. B. The SYN packet is first sent from the initiating host to the destination host. The destination host then responds with a SYN/ACK packet. The initiating host sends an ACK packet, and the connection is then established. For more information, please see Chapter 8.

16. B. Parameter checking is used to prevent the possibility of buffer-overflow attacks. For more information, please see Chapter 8.

17. A. The ⊕_{symbol represents the OR function, which is true when one or both of the input bits}

are true. For more information, please see Chapter 9.

18. C. Transposition ciphers use an encryption algorithm to rearrange the letters of the plain-text message to form a cipher-text message. For more information, please see Chapter 9.

19. B. The MD5 algorithm produces a 128-bit message digest for any input. For more informa-tion, please see Chapter 10.

20. C. Any recipient can use Mike’s public key to verify the authenticity of the digital signature. For more information, please see Chapter 10.

21. B. The more complex a system, the less assurance it provides. More complexity means more areas for vulnerabilities exist and more areas must be secured against threats. More vulnera-bilities and more threats mean that the subsequent security provided by the system is less trust-worthy. For more information, please see Chapter 11.

22. D. Ring 0 has direct access to the most resources, thus user mode is not an appropriate label as user mode requires restrictions to limit access to resources. For more information, please see Chapter 11.

23. C. Iterative is not one of the composition theories related to security models. Cascading, feedback, and hookup are the three composition theories. For more information, please see Chapter 12.

24. B. The B1 level is the level that requires mandatory access controls. Other levels that require this are B2, B3, and A1. D, C1, and C2 do not require MAC. For more information, please see Chapter 12.

25. C. Examples of detective controls are audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and CRCs. For more information, please see Chapter 13.

(47)

xliv Answers to Assessment Test

27. C. Penetration testing is the attempt to bypass security controls to test overall system security. For more information, please see Chapter 14.

28. A. Auditing is a required factor to sustain and enforce accountability. For more information, please see Chapter 14.

29. C. The annualized loss expectancy (ALE) is computed as the product of the asset value (AV) times the annualized rate of occurrence (ARO). The other formulas displayed here do not accu-rately reflect this calculation. For more information, please see Chapter 15.

30. A. Identification of priorities is the first step of the business impact assessment process. For more information, please see Chapter 15.

31. D. Natural events that can threaten organizations include earthquakes, floods, hurricanes, tornados, wildfires, and other acts of nature as well. Thus A, B, and C are correct because they are natural and not man-made. For more information, please see Chapter 16.

32. A. A is correct, because hot sites provide backup facilities maintained in constant working order and fully capable of taking over business operations. Neither warm sites nor cold sites are cor-rect. Warm sites consist of preconfigured hardware and software to run the business, which pos-sess none of the vital business information. Cold sites are simply facilities designed with power and environmental support systems, but no configured hardware, software, or services. Disaster recovery services can facilitate and implement any of these sites on behalf of a company. For more information, please see Chapter 16.

33. C. The USA PATRIOT Act granted broad new powers to law enforcement, including the solicitation of voluntary ISP cooperation. For more information, please see Chapter 17.

34. A. Administrative determinations of federal agencies are published as the Code of Federal Regulations. For more information, please see Chapter 17.

35. A. The purpose of a military and intelligence attack is to acquire classified information. The detrimental effect of using such information could be nearly unlimited in the hands of an enemy. Attacks of this type are launched by very sophisticated attackers. It is often very diffi-cult to ascertain what documents were successfully obtained. So when a breach of this type occurs, you sometimes cannot know the full extent of the damage. For more information, please see Chapter 18.

36. D. Scanning incidents are generally reconnaissance attacks. The real damage to a system comes in the subsequent attacks, so you may have some time to react if you detect the scanning attack early. For more information, please see Chapter 18.

37. B. A turnstile is a form of gate that prevents more than one person from gaining entry at a time and often restricts movement in one direction. It is used to gain entry but not exit, or vice versa. For more information, please see Chapter 19.

(48)

Chapter

1 Accountability and

Access Control

THE CISSP EXAM TOPICS COVERED IN THIS

CHAPTER INCLUDE:

Access Control Overview

Accountability Overview

Access Control Techniques

Access Control Models

Access Control Administration

Identification and Authentication Techniques

(49)

The Access Control Systems and Methodology domain of the Common Body of Knowledge (CBK) for the CISSP certification exam deals with topics and issues related to monitoring, identi-fying, and authorizing or restricting user access to resources. Generally, an access control is any hardware, software, or organizational administrative policy or procedure that grants or restricts access, monitors and records attempts to access, identifies users attempting to access, and determines whether access is authorized.

In this chapter and in Chapter 2, “Attacks and Monitoring,” we discuss the Access Control Systems and Methodology domain. Be sure to read and study the materials from both chapters to ensure complete coverage of the essential material for this domain of the CISSP certification exam. We’ve called this chapter “Accountability and Access Control” because accountability and access control are interrelated concepts and share overlapping principles even though newer CISSP course materials reference only access control.

Access Control Overview

Controlling access to resources is one of the central themes of security. Access control addresses more than just controlling which users can access which files or services. Access control is about the relationships between subjects and objects. The transfer of information from an object to a sub-ject is called access. However, access is not just a logical or technical concept; don’t forget about the physical realm where access can involve disclosure, use, or proximity. A foundational principle of access control is to deny access by default if access to a subject is not granted explicitly.

Subjects are active entities that, through the exercise of access, seek information about or data from passive entities, or objects. A subject can be a user, program, process, file, computer, database, and so on. An object can be a file, database, computer, program, process, file, printer, storage media, and so on. The subject is always the entity that receives information about or data from the object. The subject is also the entity that alters information about or data stored within the object. The object is always the entity that provides or hosts the information or data. The roles of subject and object can switch back and forth while two entities, such as a program and a data-base interacting with a process and a file, communicate to accomplish a task.

Sybex CISSP Certified Information Systems Security Professional Study Guide 4th Edition Jul 2008 ISBN 0470276886 pdf

CISSP

®

Certified Information Systems

Security Professional

Study Guide

Fourth Edition

James Michael Stewart

Ed Tittel

CISSP

®

Certified Information Systems

Security Professional

CISSP

®

Certified Information Systems

Security Professional

Study Guide

Fourth Edition

James Michael Stewart

Ed Tittel

Acknowledgments

About the Authors

Contents at a Glance

Contents

Introduction

(ISC)

CISSP and SSCP

Prequalifications

Overview of the CISSP Exam

CISSP Exam Question Types

Advice on Taking the Exam

Study and Exam Preparation Tips

Completing the Certification Process

Post-CISSP Concentrations

Notes on This Book’s Organization

The Elements of This Study Guide

What’s on the CD?

The Sybex Test Preparation Software

Electronic Flashcards for PCs and Palm Devices

CISSP Study Guide

in PDF

Bonus Exams

How to Use This Book and CD

Assessment Test

Answers to Assessment Test

Chapter

1

Accountability and

Access Control

THE CISSP EXAM TOPICS COVERED IN THIS

CHAPTER INCLUDE:

Access Control Overview

Types of Access Control