Eleventh Hour CISSP®
Study Guide
Second Edition

Eric Conrad
Seth Misenar
Joshua Feldman
Kevin Riggins, Technical Editor

Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA

Acquiring Editor: Chris Katsaropoulos
Editorial Project Manager: Benjamin Rearick
Project Manager: Mohana Natarajan
Designer: Alan Studholme

Second edition 2014
Copyright © 2014, 2011 Elsevier Inc. All rights reserved.
ISBN: 978-0-12-417142-8
Printed and bound in USA

Author biography

Seth Misenar (CISSP®, GIAC GSE, CompTIA CASP, GPEN, GCIH, GCIA, GCFA, GWAPT, GCWN, GSEC, MCSE, and MCDBA) is a Certified Instructor with the SANS Institute and coauthor of the SANS SEC528: SANS Training Program for the CompTIA Advanced Security Practitioner (CASP) Certification. Seth also serves as lead consultant for Jackson, Mississippi-based Context Security. Seth's background includes security research, network and Web application penetration testing, vulnerability assessment, regulatory compliance efforts, security architecture design, and general security consulting. He has previously served as a physical and network security consultant for Fortune 100 companies as well as the HIPAA and information security officer for a state government agency. Seth teaches a variety of courses for the SANS Institute, including Security Essentials, Advanced Web Application Penetration Testing, Hacker Techniques, and the CISSP® and CASP® courses.

Seth is pursuing a Master of Science degree in information security engineering from the SANS Technology Institute and holds a Bachelor of Science degree from Millsaps College. Seth resides in Jackson, Mississippi, with his family, Rachel, Jude, and Hazel.

Eric Conrad (CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GAWN, GSEC, GISP, CompTIA CASP, and Security+) is a partner with Backshore Communications, which provides information warfare, penetration testing, incident handling, and intrusion detection consulting services. He is also a Certified Instructor with the SANS Institute and coauthor of SANS Security 528: SANS Training Program for the CompTIA Advanced Security Practitioner (CASP) Certification.

Eric's professional career began in 1991 as a UNIX systems administrator for a small oceanographic communications company.
He gained information security experience in a variety of industries, including research, education, power, Internet, and healthcare, in roles ranging from systems programmer to security engineer to HIPAA security officer and ISSO. He has taught thousands of students in courses including SANS Management 414: CISSP®, Security 560: Network Penetration Testing and Ethical Hacking, Security 504: Hacker Techniques, Exploits and Incident Handling, and others. Eric is a graduate of the SANS Technology Institute with a Master of Science degree in information security engineering. Eric currently lives in Peaks Island, Maine, with his family, Melissa, Eric, and Emma.

Joshua Feldman (CISSP, NSA IAM) has supported the Department of Defense Information Systems Agency (DISA), as a contractor working for SAIC, Inc., since 2002. He is a subject matter expert and training developer for DISA's cybersecurity mission. During his tenure, he has contributed to the DoD 8500 series, specifically conducting research and authoring sections of the DoD 8570.01-M, also known as the DoD IA Workforce Improvement Program. He is the program manager for DISA's Computer Network Defense training initiative (entitled "RaD-X") and has instructed well over 1000 students. He also is a subject matter expert for the Web-based Information Assurance awareness training every DoD user is required to take each year as part of their security awareness curriculum. He is a regular presenter and panel member at the Information Assurance Symposium, hosted by both DISA and NSA.

Before joining the support team at DoD/DISA, Joshua spent time as an IT Sec engineer working for the Department of State, Diplomatic Security. There, he traveled to embassies worldwide to conduct Tiger Team assessments of the security of each embassy. Joshua got his start in the IT Security field when he left his position teaching science for Montgomery County Public Schools, Maryland, and went to work for NFR Security Software. At the time, NFR was one of the leading companies producing Network Intrusion Detection systems.
CHAPTER 1
Domain 1: Access Control

EXAM OBJECTIVES IN THIS CHAPTER
• Cornerstone Access Control Concepts
• Access Control Models
• Access Control Defensive Categories and Types
• Authentication Methods
• Access Control Technologies
• Assessing Access Control

INTRODUCTION
The purpose of access control is to allow authorized users access to appropriate data and deny access to unauthorized users. Access controls protect against threats such as unauthorized access, inappropriate modification of data, and loss of confidentiality.

CORNERSTONE INFORMATION SECURITY CONCEPTS
Before we can explain access control, we must define cornerstone information security concepts. These concepts provide the foundation upon which the 10 domains of the Common Body of Knowledge are built.

Confidentiality, integrity, and availability
Confidentiality, Integrity, and Availability are the "CIA triad," the cornerstone concept of information security. The triad, shown in Figure 1.1, forms the three-legged stool information security is built upon. The order of the acronym may change (some prefer "AIC," perhaps to avoid association with a certain intelligence agency), but the concepts are essential. This book will use the "CIA" acronym.

Confidentiality
Confidentiality seeks to prevent the unauthorized disclosure of information: it keeps data secret. In other words, confidentiality seeks to prevent unauthorized read access to data. An example of a confidentiality attack would be the theft of Personally Identifiable Information (PII), such as credit card information.

FIGURE 1.1 The CIA triad (Confidentiality, Integrity, Availability).

Integrity
Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data.

CRUNCH TIME
There are two types of integrity: data integrity and system integrity. Data integrity seeks to protect information against unauthorized modification; system integrity seeks to protect a system, such as a Windows 2012 server operating system, from unauthorized modification.
Availability
Availability ensures that information is available when needed. Systems need to be usable (available) for normal business use. An example of an attack on availability would be a Denial-of-Service (DoS) attack, which seeks to deny service (or availability) of a system.

Disclosure, alteration, and destruction
The CIA triad may also be described by its opposite: Disclosure, Alteration, and Destruction (DAD). Disclosure is the unauthorized disclosure of information; alteration is the unauthorized modification of data, and destruction is making systems unavailable. While the CIA acronym sometimes changes, the DAD acronym is shown in that order.

Identity and authentication, authorization, and accountability
The term "AAA" is often used, describing the cornerstone concepts Authentication, Authorization, and Accountability. Left out of the AAA acronym is Identification, which is required before the three "A's" can follow.

Identity and authentication
Identity is a claim: if your name is "Person X," you identify yourself by saying "I am Person X." Identity alone is weak because there is no proof. You can also identify yourself by saying "I am Person Y." Proving an identity claim is called authentication: you authenticate the identity claim, usually by supplying a piece of information or an object that only you possess, such as a password or your passport.

Authorization
Authorization describes the actions you can perform on a system once you have identified and authenticated. Actions may include reading, writing, or executing files or programs.

Accountability
Accountability holds users accountable for their actions. This is typically accomplished by logging and analyzing audit data. Enforcing accountability helps keep "honest people honest." For some users, knowing that data is logged is not enough to provide accountability: they must know that the data is logged and audited and that sanctions may result from violation of policy.
Nonrepudiation
Nonrepudiation means a user cannot deny (repudiate) having performed a transaction. It combines authentication and integrity: nonrepudiation authenticates the identity of a user who performs a transaction and ensures the integrity of that transaction. You must have both authentication and integrity to have nonrepudiation: proving you signed a contract to buy a car (authenticating your identity as the purchaser) is not useful if the car dealer can change the price from $20,000 to $40,000 (violating the integrity of the contract).

Least privilege and need to know
Least privilege means users should be granted the minimum amount of access (authorization) required to do their jobs, but no more. Least privilege is applied to groups of objects. Need to know is more granular than least privilege: the user must need to know that specific piece of information before accessing it.

Subjects and objects
A subject is an active entity on a data system. Most examples of subjects involve people accessing data files. However, running computer programs are subjects as well. An object is any passive data within the system. Objects can range from databases to text files. The important thing to remember about objects is that they are passive within the system. They do not manipulate other objects.

Defense-in-depth
Defense-in-depth (also called layered defenses) applies multiple safeguards (also called controls: measures taken to reduce risk) to protect an asset. Any single security control may fail; by deploying multiple controls, you improve the confidentiality, integrity, and availability of your data.

ACCESS CONTROL MODELS
Now that we have reviewed the cornerstone access control concepts, we can discuss the different access control models: the primary models are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and nondiscretionary access control.
Discretionary access controls
Discretionary Access Control (DAC) gives subjects full control of objects they have been given access to, including sharing the objects with other subjects. Subjects are empowered and control their data. Standard UNIX and Windows operating systems use DAC for file systems: subjects can grant other subjects access to their files, change their attributes, alter them, or delete them.

Mandatory access controls
Mandatory Access Control (MAC) is system-enforced access control based on subjects' clearances and objects' labels. Subjects and objects have clearances and labels, respectively, such as confidential, secret, and top secret. A subject may access an object only if the subject's clearance is equal to or greater than the object's label. Subjects cannot share objects with other subjects who lack the proper clearance or "write down" objects to a lower classification level (such as from top secret to secret). MAC systems are usually focused on preserving the confidentiality of data.

Nondiscretionary access control
Role-Based Access Control (RBAC) defines how information is accessed on a system based on the role of the subject. A role could be a nurse, a backup administrator, a help desk technician, etc. Subjects are grouped into roles, and each defined role has access permissions based upon the role, not the individual.

RBAC is a type of nondiscretionary access control because users do not have discretion regarding the groups of objects they are allowed to access and are unable to transfer objects to other subjects.

Task-based access control is another nondiscretionary access control model, related to RBAC. Task-based access control is based on the tasks each subject must perform, such as writing prescriptions, restoring data from a backup tape, or opening a help desk ticket. It attempts to solve the same problem that RBAC solves, focusing on specific tasks instead of roles.

Rule-based access controls
A rule-based access control system uses a series of defined rules, restrictions, and filters for accessing objects within a system.
The rules are in the form of "if/then" statements. An example of a rule-based access control device is a proxy firewall that allows users to surf the Web with predefined approved content only (if the user is authorized to surf the Web and the site is on the approved list, then allow access). Other sites are prohibited, and this rule is enforced across all authenticated users.

Centralized access control
Centralized access control concentrates access control in one logical point for a system or organization. Instead of using local access control databases, systems authenticate via third-party authentication servers. Centralized access control can be used to provide Single Sign-On (SSO), where a subject may authenticate once and then access multiple systems. Centralized access control can centrally provide the three "A's" of access control: Authentication, Authorization, and Accountability.

Access control lists
Access control lists (ACLs) are used throughout many IT security policies, procedures, and technologies. An access control list is a list of objects; each entry describes the subjects that may access that object. Any access attempt by a subject to an object that does not have a matching entry on the ACL will be denied.

Access provisioning lifecycle
Once the proper access control model has been chosen and deployed, the access provisioning lifecycle must be maintained and secured. While many organizations follow best practices for issuing access, many lack formal processes for ensuring the entire lifetime of access is kept secure as employees and contractors move within an organization. IBM describes the following identity lifecycle rules:
• "Password policy compliance checking
• Notifying users to change their passwords before they expire
• Identifying lifecycle changes such as accounts that are inactive for more than 30 consecutive days
• Identifying new accounts that have not been used for more than 10 days following their creation