ebook img

CISSP Study Notes from CISSP Prep Guide - Edy Susanto PDF

104 Pages·2014·0.8 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview CISSP Study Notes from CISSP Prep Guide - Edy Susanto

CISSP Study Notes from CISSP Prep Guide These notes were prepared from the The CISSP Prep Guide: Mastering the Ten Domains of Computer Security by Ronald L. Krutz, Russell Dean V ines, Edward M. Stroz and are not intended to be a replacement to the book. In addition to the CISSP Prep Guide I used the following resources to prepare for the exam:  The Information Security Management Handbook, Fourth Edition by Micki Krause and Harold F. Tipton  The revised Michael Overly notes  The Boson Questions #2 and #3  Lots of misc. websites  And of course www.cccure.org Good Luck! JWG, CISSP CISSP STUDY NOTES FROM CISSP PREP GUIDE ................................................................. 1 DOMAIN 1 – SECURITY MANAGEMENT PRACTICES ........................................................ 2 DOMAIN 2 – ACCESS CONTROL SYSTEMS ....................................................................... 7 DOMAIN 3 – TELECOM AND NETWORK SECURITY ....................................................... 14 DOMAIN 4 – CRYPTOGRAPHY ....................................................................................... 39 DOMAIN 5 – SECURITY ARCHITECTURE AND MODELS ................................................. 51 DOMAIN 6 – OPERATIONS SECURITY ........................................................................... 62 DOMAIN 7 – APPLICATIONS AND SYSTEM DEVELOPMENT ........................................... 69 DOMAIN 8 – BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING ............... 77 DOMAIN 9 – LAW, INVESTIGATION A ND ETHICS ......................................................... 85 DOMAIN 10 – PHYSICAL SECURITY ............................................................................... 95 1 Domain 1 – Security Management Practices The Big Three - C. I. A .  Confidentiality – Prevent disclosure of data  Integrity – Prevent modification of data  Availability – Ensure reliable timely access to data Other Important Concepts  Identification – Means in which user claims Identity  Authentication – Establishes the users Identity  Accountability – Systems ability to determine actions of users  Authorization – rights and permissions granted to an individual  Privacy – Level of confidentiality that a user is given Objective of Security is to reduce effects of threats and vulnerabilities to a tolerable level. Risk Analysis Assess the following:  Impact of the threat  Risk of the threat occurring (likelihood) Controls reduce both the impact of the threat and the likelihood of the threat, important in cost benefit of controls. Data Classification  Data classification has high level enterprise wide benefit  Demonstrates organizations commitment to security  Helps identify sensitive and vital information  Supports C.I.A .  May be required for legal regulatory reasons Data owners are responsible for defining the sensitivity level of the data. Government Classification Terms:  Unclassified – Neither sensitive nor classified, public release is acceptable  Sensitive But Unclassified (SBU) – Minor secret, no serious damage if disclosed  Confidential – disclosure could cause damage to National Security  Secret - disclosure could cause serious damage to National Security  Top Secret – Highest Level - disclosure could cause exponentially grave damage to National Security In addition must have a Need to Know – just because you have “ secret” clearance does not mean all “ secret” data just data with a need to know. Additional Public Classification Terms  Public – similar to unclassified, should not be disclosed but is not a problem if it is  Sensitive – data protected from loss of Confidentiality and integrity  Private – data that is personal in nature and for company use only  Confidential – very sensitive for internal use only - could seriously negatively impact the company Classification Criteria  Value - number one criteria, if it is valuable it should be protected 2  Age – value of data lowers over time, automatic de-classification  Useful Life – If the information is made obsolete it can often be de-classified  Personal Association – If the data contains personal information it should remain classified Distribution may be required in the event of the following:  Court Order – may be required by court order  Government Contracts – government contractors may need to disclose classified information  Senior Level Approval – senior executives may approve release Information Classification Roles Owner  May be executive or manager  Owner has final corporate responsibility of the data protection  Makes determination of classification level  Reviews classification level regularly for appropriateness  Delegates responsibility of data protection to the Custodian Custodian  Generally IT systems personnel  Running regular backups and testing recovery  Performs restoration when required  Maintains records in accordance with the classification policy User  Anyone the routinely uses the data  Must follow operating procedures  Must take due care to protect  Must use computing resources of the company for company purposes only Policies Standards, Guidelines and Procedures  Policies are the highest level of documentation  Standards, Guidelines and Procedures derived from policies  Should be created first, but are no more important than the rest Senior Management Statement – general high-level statement  Acknowledgment of importance of computing resources  Statement of Support for information security  Commitment to authorize lower level Standards, Guidelines and Procedures Regulatory Policies – company is required to implement due to legal or regulatory requirements  Usually very detailed and specific to the industry of the organization  Two main purposes  To ensure the company is following industry standard procedures  To give the company confidence they are following industry standard procedures Advisory Polices – not mandated but strongly suggested.  Company wants employees to consider these mandatory.  Advisory Policies can have exclusions for certain employees or job functions Informative Policies  Exist simply to inform the reader  No implied or specified requirements 3 Standards, Guidelines and Procedures  Contain actual detail of the policy  How the policies should be implemented  Should be kept separate from one another  Different Audiences  Security Controls are different for each policy type  Updating the policy is more manageable Standards - Specify use of technology in a uniform way, compulsory Guidelines – similar to standards but not compulsory, more flexible Procedures – Detailed steps, required, sometimes called “ practices” , lowest level Baselines – baselines are similar to standards, standards can be developed after the baseline is established Roles and Responsibilities  Senior Management – Has ultimate responsibility for security  Infosec Officer – Has the functional responsibility for security  Owner – Determines the data classification  Custodian - Preserves C.I.A .  User – Performs in accordance with stated policy  Auditor – Examines Security Risk Management Mitigate (reduce) risk to a level acceptable to the organization. Identification of Risk  Actual threat  Possible consequences  Probable frequency  Likely hood of event Risk Analysis  Identification of risks  Benefit - cost justification of counter measures Risk Analysis Terms  Asset – Resource, product, data  Threat – Action with a negative impact  Vulnerability – Absence of control  Safeguard – Control or countermeasure  Exposure Factor % of asset loss caused by threat  Single Loss Expectancy (SLE) – Expected financial loss for single event SLE = Asset Value x Exposure Factor  Annualized Rate of Occurrence (ARO) – represents estimated frequency in which threat will occur within one year  Annualized Loss Expectancy (ALE) – Annually expected financial loss 4 ALE = SLE x ARO Risk Analysis  Risk analysis is more comprehensive than a Business Impact Analysis  Quantitative – assigns objective numerical values (dollars)  Qualitative – more intangible values (data)  Quantitative is a major project that requires a detailed process plan Preliminary Security Examination (PSE)  Often conducted prior to the quantitative analysis.  PSE helps gather elements that will be needed for actual RA Risk Analysis Steps 1) Estimate of potential loss 2) Analyze potential threats 3) Define the Annualized Loss Expectancy (ALE) Categories of Threats  Data Classification – malicious code or logic  Information Warfare – technically oriented terrorism  Personnel – Unauthorized system access  Application / Operational – ineffective security results in data entry errors  Criminal – Physical destruction, or vandalism  Environmental – utility outage, natural disaster  Computer Infrastructure – Hardware failure, program errors  Delayed Processing – reduced productivity, delayed collections processing Annualized Loss Expectancy (ALE)  Risk analysis should contain the following:  Valuation of Critical Assets  Detailed listing of significant threats  Each threats likelihood  Loss potential by threat  Recommended remedial safeguards Remedies  Risk Reduction - implementation of controls to alter risk position  Risk Transference – get insurance, transfer cost of a loss to insurance  Risk Acceptance – Accept the risk, absorb loss Qualitative Scenario Procedure  Scenario Oriented  List the threat and the frequency  Create exposure rating scale for each scenario  Scenario written that address each major threat  Scenario reviewed by business users for reality check  Risk Analysis team evaluates and recommends safeguards  Work through each finalized scenario  Submit findings to management Value Assessment  Asset valuation necessary to perform cost/ benefit analysis 5  Necessary for insurance  Supports safeguard choices Safeguard Selection  Perform cost/ benefit analysis  Costs of safeguards need to be considered including  Purchase, development and licensing costs  Installation costs  Disruption to production  Normal operating costs Cost Benefit Analysis ALE (PreControl) – ALE (PostControl) = Annualized value of the control Level of manual operations  The amount of manual intervention required to operate the safeguard  Should not be too difficult to operate Auditability and Accountability Safeguard must allow for auditability and accountability Recovery Ability  During and after the reset condition  No asset destruction during activation or reset  No covert channel access to or through the control during reset  No security loss after activation or reset  Defaults to a state that does not allow access until control are fully operational Security Awareness Training Benefits of Awareness  Measurable reduction in unauthorized access attempts  Increase effectiveness of control  Help to avoid fraud and abuse Periodic awareness sessions for new employees and refresh other Methods of awareness improvement  Live interactive presentations  CBTs  Publishing of posters and newsletters  Incentives and awards  Reminders, login banners Training & Education  Security training for Operators  Technical training  Infosec training  Manager training 6 Domain 2 – Access Control Systems C - Confidentiality I - Integrity A - Availability Confidentiality  Not disclosed to unauthorized person Integrity  Prevention of modification by unauthorized users  Prevention of unauthorized changes by otherwise authorized users  Internal and External Consistency  Internal Consistency within the system (i.e. within a database the sum of subtotals is equal to the sum of all units)  External Consistency – database with the real world (i.e. database total is equal to the actual inventory in the warehouse) Availability  Timely access Three things to consider  Threats – potential to cause harm  Vulnerabilities – weakness that can be exploited  Risk – potential for harm Controls  Preventative – prevent harmful occurrence  Detective – detect after harmful occurrence  Corrective – restore after harmful occurrence Controls can be:  Administrative – polices and procedures  Logical or Technical - restricted access  Physical – locked doors Three types of access rules: 1. Mandatory access control (MAC): Authorization of subject’s access to an object depends on labels (sensitivity levels), which indicate subject’s clearance, and the classification or sensitivity of the object  Every Object is assigned a sensitivity level/ label and only users authorized up to that particular level can access the object  Access depends on rules and not by the identity of the subjects or objects alone  Only administrator (not owners) may change category of a resource — Orange book B- level  Output is labeled as to sensitivity level  Unlike permission bits or ACLs, labels cannot ordinarily be changed  Can’t copy a labeled file into another file with a different label  Rule based AC 2. Discretionary Access Control (DAC): Subject has authority, within certain limits, to specify what objects can be accessible (e.g., use of ACL)  User-directed means a user has discretion  Identity-based means discretionary access control is based on the subjects identity 7  Very common in commercial context because of flexibility  Orange book C level  Relies on object owner to control access  Identity Based AC 3. Non-Discretionary Access Control: Central authority determines what subjects can have access to certain objects based on organization’s security policy (good for high turnover)  May be based on individual’s role in the organization (Role-Based) or the subject’s responsibilities or duties (task-based) Lattice based – provides least access privileges of the access pair  Greatest lower bound  Lowest upper bound Preventative Detective Administrative Policies and procedures, pre- Polices and procedures, job employment background checks, rotation, sharing of strict hiring practices, responsibilities employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks. Technical Logical system controls, smart IDS, logging, monitoring, cards, bio-metrics, menu shell clipping levels Physical Restrict physical access, guards, Motion detectors, cameras, man trap, gates thermal detectors Identification and Authentication Identification establishes accountability Three Factor Authentication  Something you know (password)  Something you have (token)  Something you are (biometrics) Sometimes - something you do Passwords  Static – same each time  Dynamic – changes each time you logon Tokens – Smartcards Static Password (like software with pin)  Owner Authenticates to the token  Token authenticates to the system 8 Synchronous Dynamic Password  Token – generates passcode value  Pin – user knows  Token and Pin entered into PC  Must fit in valid time window Asynchronous  Similar to synchronous, new password is generated asynchronously, No time window Challenge Response  System generates challenge string  User enters into token  Token generates response entered into workstation  Mechanism in the workstation determines authentication Biometrics – something you are  Identify – one to many  Authenticate – one to one False Rejection Rate (FRR) – Type I error False Acceptance Rate (FAR) – Type II error Crossover Error Rate – (CER) – CER = % when FRR = FAR Biometric Issues  Enrollment Time – Acceptable rate is 2 minutes per person  Throughput Time – acceptable rate is 10 people per minute Acceptability Issues – privacy, physical, psychological Types of Biometrics  Fingerprints: A re made up of ridge endings and bifurcations exhibited by the friction ridges and other detailed characteristics that are called minutiae.  Retina Scans: Scans the blood-vessel pattern of the retina on the backside of the eyeball.  Iris Scans: Scan the colored portion of the eye that surrounds the pupil.  Facial Scans: Takes attributes and characteristics like bone structures, nose ridges, eye widths, forehead sizes and chin shapes into account.  Palm Scans: The palm has creases, ridges and grooves throughout it that are unique to a specific person.  Hand Geometry: The shape of a person’s hand (the length and width of the hand and fingers) measures hand geometry.  Voice Print: Distinguishing differences in people’s speech sounds and patterns.  Signature Dynamics: Electrical signals of speed and time that can be captured when a person writes a signature.  Keyboard Dynamics: Captures the electrical signals when a person types a certain phrase.  Hand Topology: Looks at the size and width of an individual’s hand and fingers. Single Sign On Kerberos  Symmetric key encryption  KDC – Kerberos-trusted Key Distribution Center  TGS – Ticket Granting Service  AS – Authentication Server 9 Kerberos 1. KDC knows secret keys of Client and Server 2. KDC exchanges info with the Client and the Server using symmetric keys 3. Using TGS grants temporary symmetric key 4. Client and Server communicate using the temporary session key Initial Exchange Client sends Hash Password to the TGS Server, TGS verifies with the Auth. Server TGS Server responds with: 1) Key for Client and TGS server encrypted with Client Key [ K(c,tgs)] Kc 2) Ticket Granting Ticket (TGT) = [ K(c, tgs), c,a,v] K(tgs) Request for Service Client sends request for service to TGS with 1) TGT = [ K(c, tgs), c,a,v] K(tgs) 2) Authenticator K(c, tgs) TGS Issues Ticket for Service TGS sends Client back ticket for server and authenticator for server 1) Ticket T(c,s) = [ s,c,a,v,K(c,s)] Ks 2) [ K(c,s)] K(c,tgs) Receive Service from Server Client sends Server 1) Ticket T(c,s) = [ s,c,a,v,K(c,s)] Ks 2) authenticator = [ c,t,key] K(c,s) Kerberos weaknesses  Replay is possible within time frame  TGS and Auth server are vulnerable as they know everything  Initial exchange passed on password authentication  Keys are vulnerable SESAME – Secure European System for Applications in a Multi-vendor Environment  Uses Needham-Schroeder protocol  Uses public key cryptography  Supports MD5 and CRC32 Hashing  Uses two tickets 1) One contains authentication 2) One contains the access rights to the client SESAME weaknesses  Only authenticates by using first block of message  Initial exchange passed on password authentication  SESAME incorporates two certificates or tickets: One certificate provides authentication as in Kerberos and the other certificate defines the access privileges that are assigned to a client. KryptoKnight  Peer to peer relationship between KDC – Key Distribution Center and parties (Client and Server)  NetSP is based on KryptoKnight  Supported by RACF  Authentication 10

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.