CISSP Guide to Security Essentials

Peter Gregory

Australia • Brazil • Japan • Korea • Mexico • Singapore • Spain • United Kingdom • United States
CISSP Guide to Security Essentials,
Peter Gregory
Vice President, Career and Professional Editorial: Dave Garza
Executive Editor: Stephen Helba
Managing Editor: Marah Bellegarde
Senior Product Manager: Michelle Ruelos Cannistraci
Editorial Assistant: Sarah Pickering
Vice President, Career and Professional Marketing: Jennifer McAvey
Marketing Director: Deborah S. Yarnell
Senior Marketing Manager: Erin Coffin
Marketing Coordinator: Shanna Gibbs
Production Director: Carolyn Miller
Production Manager: Andrew Crouth
Content Project Manager: Andrea Majot
Art Director: Jack Pendleton
Cover photo: iStock.com
Production Technology Analyst: Tom Stover
Manufacturing Coordinator: Denise Powers
Compositor: PrePress PMG


© 2010 Course Technology, Cengage Learning
ALL RIGHTS RESERVED. No part of this work covered by the copyright
herein may be reproduced, transmitted, stored or used in any form or by
any means graphic, electronic, or mechanical, including but not limited to
photocopying, recording, scanning, digitizing, taping, Web distribution,
information networks, or information storage and retrieval systems, except
as permitted under Section 107 or 108 of the 1976 United States
Copyright Act, without the prior written permission of the publisher.
For product information and technology assistance, contact us at
Cengage Learning Customer & Sales Support, 1-800-354-9706
For permission to use material from this text or product,
submit all requests online at cengage.com/permissions
Further permissions questions can be emailed to

Library of Congress Control Number: 2009925212
ISBN-13: 978-1-435-42819-5
ISBN-10: 1-435-42819-6
Course Technology
20 Channel Center Street
Boston, MA 02210
USA
Cengage Learning is a leading provider of customized learning solutions
with office locations around the globe, including Singapore, the United
Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at:
international.cengage.com/region
Cengage Learning products are represented in Canada by Nelson
Education, Ltd.
For your lifelong learning solutions, visit course.cengage.com
Visit our corporate website at www.cengage.com
Notice to the Reader

Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.
Microsoft and the Office logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Course Technology, a part of Cengage Learning, is an independent entity from the Microsoft Corporation, and not affiliated with Microsoft in any manner.
Any fictional data related to persons or companies or URLs used throughout this book is intended for instructional purposes only. At the time this book
was printed, any such data was fictional and not belonging to any real persons or companies.
Course Technology, the Course Technology logo, and the Shelly Cashman Series® are registered trademarks used under license.
Adobe, the Adobe logos, Authorware, ColdFusion, Director, Dreamweaver, Fireworks, FreeHand, JRun, Flash, and Shockwave are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. All other names used herein are for identification purposes only and are trademarks of their respective owners.
Course Technology, a part of Cengage Learning, reserves the right to revise this publication and make changes from time to time in its content without notice.
The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational purposes. The author and the publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the programs.
Printed in the United States of America
Brief Table of Contents
INTRODUCTION  xxv
LAB REQUIREMENTS  xxxv
CHAPTER 1
Information Security and Risk Management  1
CHAPTER 2
Access Controls  35
CHAPTER 3
Application Security  77
CHAPTER 4
Business Continuity and Disaster Recovery Planning  125
CHAPTER 5
Cryptography  157
CHAPTER 6
Legal, Regulations, Compliance and Investigations  199
CHAPTER 7
Operations Security  233
CHAPTER 8
Physical and Environmental Security  269
CHAPTER 9
Security Architecture and Design  305
CHAPTER 10
Telecommunications and Network Security  343
APPENDIX A
The Ten Domains of CISSP Security  401
APPENDIX B
The (ISC)² Code of Ethics  408
GLOSSARY  411
INDEX  428
Table of Contents
INTRODUCTION  xxv
LAB REQUIREMENTS  xxxv
CHAPTER 1
Information Security and Risk Management  1
Organizational Mission, Objectives, and Goals . . . 3
Mission . . 3
Objectives 3
Goals . . . 4

Security Support of Mission, Objectives, and Goals. . . 4
Risk Management 4
Risk Assessment. 5
Qualitative Risk Assessment 5
Quantitative Risk Assessment . . . 5
Quantifying Countermeasures . 6
Geographic Considerations . . . 7
Specific Risk Assessment Methodologies 7
Risk Treatment . 7
Risk Avoidance 8
Risk Reduction 8
Risk Acceptance 8
Risk Transfer. 8
Residual Risk. 8
Security Management Concepts 8
Security Controls 9
The CIA Triad . . 9
Confidentiality 9
Integrity 10
Availability . . 10
Defense in Depth 10
Single Points of Failure 11
Fail Open, Fail Closed, Fail Soft . . 11
Privacy . . 12
Personally Identifiable Information . . . 12
Security Management . . . 12
Security Executive Oversight . 13
Security Governance . . 13
Security Policy, Guidelines, Standards, and Procedures 14
Policies . 14

Policy Standards. . 14
Policy Effectiveness 15
Requirements . 15
Guidelines . . . 15
Standards . . . 15
Procedures . . . 16
Security Roles and Responsibilities. 16
Service Level Agreements . . . 17
Secure Outsourcing . . 17
Data Classification and Protection . . . 17
Sensitivity Levels 18
Information Labeling . 18
Handling . 19
Destruction 20
Certification and Accreditation 20
Internal Audit . . . 20
Security Strategies. . . 20
Personnel Security. . . 21
Hiring Practices and Procedures. 21
Non-Disclosure Agreement . . 21
Consent to Background Verification. 21
Background Verification 22
Offer Letter 22
Non-Compete . . 22
Intellectual Property Agreement . . . 23
Employment Agreement 23
Employee Handbook . 23
Formal Job Descriptions 23

Termination. 23
Work Practices. . . 24
Separation of Duties . . 24
Job Rotation . . . 24
Mandatory Vacations . 24
Security Education, Training, and Awareness 25
Professional Ethics . . 25
Chapter Summary . . 26
Key Terms. . . 27
Review Questions. . . 30
Hands-On Projects . . 32
Case Projects . 34
CHAPTER 2
Access Controls  35
Controlling Access to Information and Functions . . 36
Identification and Authentication 37
Authentication Methods 37
How Information Systems Authenticate Users. . 38
How a User Should Treat Userids and Passwords 39
How a System Stores Userids and Passwords . . 39
Strong Authentication. 39
Two-Factor Authentication 39
Biometric Authentication. . 41
Authentication Issues . 42
Access Control Technologies and Methods. 43
LDAP . . . 43
Active Directory . 44
RADIUS . 44
Diameter . 44
TACACS 44
Kerberos 44
Single Sign-On 45
Reduced Sign-On . . . 45
Access Control Attacks . . 46
Buffer Overflow . 46
Script Injection. . 47
Data Remanence 47
Denial of Service 48
Dumpster Diving 48
Eavesdropping . . 48
Emanations 49
Spoofing and Masquerading . 49
Social Engineering . . . 50
Phishing . 50
Pharming. 52
Password Guessing . . . 52
Password Cracking. . . 52
Malicious Code . 53
Access Control Concepts. 53
Principles of Access Control . 53
Separation of Duties . 54
Least Privilege 54
Least Privilege and Server Applications . . . 54
User Permissions on File Servers and Applications. 54
Least Privilege on Workstations 55
Types of Controls. . . . 55
Technical Controls . . 55
Physical Controls . . . 55

Administrative Controls . . 56
Categories of Controls 56
Detective Controls . . 56
Deterrent Controls . . 57
Preventive Controls . 58
Corrective Controls . 58
Recovery Controls . . 58
Compensating Controls . . 59
Using a Defense in Depth Control Strategy 59
Example 1: Protected Application 60
Example 2: Protected Facility . . . 60
Testing Access Controls . 61
Penetration Testing. . . 61
Application Vulnerability Testing . . 62
Audit Log Analysis. . . 62
Chapter Summary 63
Key Terms. . 64
Review Questions. 67
Hands-On Projects 69
Case Projects 75
CHAPTER 3
Application Security  77
Types of Applications 78
Agents 78
Applets 79
Client-server Applications 79
Distributed Applications . 81
Web Applications. 82

Application Models and Technologies . 83
Control Flow Languages. 83
Structured Languages . . . 83
Object Oriented Systems . 83
Object Oriented Programming 83
Class . . . 84
Object . . 84
Method . 84
Encapsulation 84
Inheritance. . . 84
Polymorphism 84
Distributed Object Oriented Systems 84
Knowledge-based Applications 84
Neural Networks 85
Expert Systems. . 85
Threats in the Software Environment. . 85
Buffer Overflow . . 86
Types of Buffer Overflow Attacks . 86
Stack Buffer Overflow . . . 86
NOP Sled Attack . . . 86
Heap Overflow 86
Jump-to-Register Attack . . 87
Historic Buffer Overflow Attacks. . 87
Buffer Overflow Countermeasures . 87
Malicious Software 88
Types of Malicious Software . 89
Viruses . 89
Worms . 90
Trojan Horses 90
Rootkits 91

Bots . . . 92
Spam. . . 92
Pharming 93
Spyware and Adware 93
Malicious Software Countermeasures 94
Anti-virus . . . 94
Anti-rootkit Software 95
Anti-spyware Software . . . 95
Anti-spam Software . 95
Firewalls 96
Decreased Privilege Levels . 96
Penetration Testing 97
Hardening . . 98
Input Attacks . . . 98
Types of Input Attacks . . . 99
Input Attack Countermeasures . . 99
Object Reuse . . . 100
Object Reuse Countermeasures . . 100
Mobile Code . . . 100
Mobile Code Countermeasures . . 101
Social Engineering . . . 101
Social Engineering Countermeasures . . 101
Back Door 101
Back Door Countermeasures 102
Logic Bomb 102
Logic Bomb Countermeasures . . . 102
Security in the Software Development Life Cycle. . 103
Security in the Conceptual Stage . . 103

Security Application Requirements and Specifications . 104
Security in Application Design 104
Threat Risk Modeling . 105
Security in Application Coding . . . 105
Common Vulnerabilities to Avoid 105
Use Safe Libraries. . . 106
Security in Testing . . . 106
Protecting the SDLC Itself. . . 107
Application Environment and Security Controls . . 108
Authentication . . 108
Authorization. . . 108
Role-based Access Control 108
Audit Log 109
Audit Log Contents . 109
Audit Log Protection 109
Databases and Data Warehouses 109
Database Concepts and Design . . . 110
Database Architectures . . . 110
Hierarchical Databases . . 110
Network Databases 110
Relational Databases . . . 110
Object Oriented Databases . . . 111
Distributed Databases. . . 111
Database Transactions . . . 111
Database Security Controls . . 112
Access Controls 112
Views . . 112
Chapter Summary 112
Key Terms. . 113
Review Questions. 116

Hands-On Projects 119
Case Projects 122
CHAPTER 4
Business Continuity and Disaster Recovery Planning  125
Business Continuity and Disaster Recovery Planning Basics 126
What Is a Disaster? 126
Natural Disasters 127
Man-Made Disasters . 127
How Disasters Affect Businesses . . 127
Direct Damage 127
Transportation 127
Communications . . . 128
Utilities . 129
How BCP and DRP Support Data Security. 129
BCP and DRP Differences and Similarities . 129
Industry Standards 129
Benefits of BCP and DRP Planning . . 130
The Role of Prevention . . 130
Running a BCP/DRP Project 131
Pre-project Activities 131
Obtaining Executive Support. 131
Defining the Scope of the Project . . 131
Choosing Project Team Members . 132
Developing a Project Plan . . . 132
Developing a Project Charter. 133
Performing a Business Impact Analysis 133
Survey In-Scope Business Processes 133
Information Collection . . . 134

Information Consolidation 135
Threat and Risk Analysis . . . 135
Threat Analysis 135
Risk Analysis . 135
Determine Maximum Tolerable Downtime (MTD) . 136
Develop Statements of Impact . . . 136
Recording Other Key Metrics . . . 136
Ascertain Current Continuity and Recovery Capabilities . . 137
Developing Key Recovery Targets . 137
Recovery Time Objective (RTO) . 137
Recovery Point Objective (RPO) . 137
Criticality Analysis . . . 138
Establishing Ranking Criteria . . . 138
Complete the Criticality Analysis . 139
Improving System and Process Resilience . . 139
Identifying Risk Factors . . 139
Developing Business Continuity and Disaster Recovery Plans. . 139
Selecting Recovery Team Members 140
Emergency Response . 141
Damage Assessment and Salvage . . 141
Notification 141
Personnel Safety . 142
Communications 142
Public Utilities and Infrastructure. . 143
Electricity . . . 143
Water 144
Natural Gas. 144
Wastewater Treatment . . 144

Steam 144
Logistics and Supplies 144
Fire Protection 145
Business Resumption Planning. . . 145
Restoration and Recovery . 146
Improving System Resilience and Recovery 146
Off-Site Media Storage . . . 146
Server Clusters 147
Data Replication . . . 147
Training Staff on Business Continuity and Disaster Recovery Procedures . 148
Testing Business Continuity and Disaster Recovery Plans 148
Document Review . . . 148
Walkthrough . . . 148
Simulation 149
Parallel Test 149
Cutover Test . . . 149
Maintaining Business Continuity and Disaster Recovery Plans . 149
Chapter Summary 150
Key Terms. . 151
Review Questions. 153
Hands-On Projects 155
Case Projects 156
CHAPTER 5
Cryptography  157
Applications and Uses of Cryptography . . . 158
Encryption Terms and Operations . 159
Plaintext 159
Encryption. . . 159
Decryption. . . 159
Encryption Key 159

Encryption Methodologies . . . 160
Methods of Encryption 160
Substitution . . 160
Transposition. 160
Monoalphabetic 161
Polyalphabetic 161
Running Key Cipher. 162
One-Time Pads 162
Types of Encryption . . 163
Block Ciphers 163
Block Cipher Modes of Operation 163
Electronic Codebook (ECB). . . 164
Cipher-block Chaining (CBC) . 164
Cipher Feedback (CFB). . 164
Output Feedback (OFB) . . 164
Counter (CTR) 166
Stream Ciphers. . 166
Types of Encryption Keys 167
Symmetric Keys 167
Asymmetric Key Cryptography . . 167
Key Exchange Protocols 168
Diffie-Hellman Key Exchange . . . 168
Length of Encryption Keys . . 170
Protection of Encryption Keys 170
Protecting Symmetric Keys 170
Protecting Public Cryptography Keys . . 170
Protecting Encryption Keys Used by Applications . . 171
Cryptanalysis—Attacks on Cryptography 171

Frequency Analysis. . . 172
Birthday Attacks 172
Ciphertext Only Attack. 172
Chosen Plaintext Attack 172
Chosen Ciphertext Attack . . . 172
Known Plaintext Attack 172
Man in the Middle Attack . . 172
Replay Attack . . 172
Application and Management of Cryptography . . . 173
Uses for Cryptography . . 173
File Encryption. . 173
Disk Encryption . 174
E-mail Security. . 174
Secure/Multipurpose Internet Mail Extensions (S/MIME). . 174
PGP 174
PEM 174
MOSS . . 174
Secure Point to Point Communications. . . 175
SSH 175
IPSec . . . 175
SSL and TLS 175
Web Browser and e-Commerce Security . . 175
Secure Hypertext Transfer Protocol (S-HTTP) 176
Secure Electronic Transaction (SET). . . 176
Cookies: Used for Session and Identity Management 176
Virtual Private Networks . . . 177
Key Management . 178
Key Creation . . . 178
Key Protection and Custody . 178
Key Rotation . . . 178

Key Destruction . 178
Key Escrow 179
Message Digests and Hashing . 179
Digital Signatures . 179
Digital Certificates 180
Non-Repudiation . 181
Public Key Infrastructure (PKI) 181
Encryption Alternatives. . 181
Steganography . . 181
Watermarking . . 182
Chapter Summary 183
Key Terms. . 184
Review Questions. 187
Hands-On Projects 190
Case Projects 196
CHAPTER 6
Legal, Regulations, Compliance, and Investigations  199
Computers and Crime . . 200
The Role of Computers in Crime. . 200
The Trend of Increased Threats in Computer Crimes . 201
Categories of Computer Crimes. . . 202
Military and Intelligence . . 202
Financial 203
Business. 203
Grudge . 203
“Fun” 204
Terrorist 204
Computer Crime Laws and Regulations . . . 204

Categories of U.S. Laws 205
U.S. Laws 205
U.S. Intellectual Property Law . . . 205
U.S. Privacy Law . . . 206
U.S. Computer Crime Law 207
Canadian Laws . 208
European Laws . 209
Laws in Other Countries 210
Managing Compliance . . 210
Security Incident Response . . . 212
Incident Declaration . . 212
Triage . . . 213
Investigation . . . 213
Analysis. . 213
Containment . . . 214
Recovery . 214
Debriefing 214
Incident Management Preventive Measures 215
Incident Response Training, Testing, and Maintenance 216
Incident Response Models. . . 216
Reporting Incidents to Management. 216
Investigations 217
Involving Law Enforcement Authorities . . . 217
Forensic Techniques and Procedures . 218
Identifying and Gathering Evidence 219
Evidence Collection Techniques . . . 219
Preserving Evidence . . 220
Chain of Custody. 220

Presentation of Findings . 221
Ethical Issues . 221
Codes of Conduct 221
RFC 1087: Ethics and the Internet. . . 221
The (ISC)² Code of Ethics 222
Guidance on Ethical Behavior . 223
Chapter Summary . . 224
Key Terms. . . 225
Review Questions. . . 227
Hands-On Projects . . 230
Case Projects . 231
CHAPTER 7
Operations Security  233
Applying Security Operations Concepts 234
Need-to-Know . . . 235
Least Privilege . . . 236
Separation of Duties 236
Job Rotation 237
Monitoring of Special Privileges 237
Records Management Controls 238
Data Classification . . . 239
Access Management . . 239
Record Retention 240
Backups. . 241
Data Restoration . . . 241
Protection of Backup Media 241
Offsite Storage of Backup Media . 241
Data Destruction 242

Anti-Virus and Anti-Malware . 242
Applying Defense-In-Depth Malware Protection 243
Central Anti-Malware Management 243
Remote Access . . . 243
Risks and Remote Access . . . 244
Administrative Management and Control 245
Types and Categories of Controls . . . 246
Employing Resource Protection . . 246
Facilities . . . 246
Hardware . . 247
Software . . . 248
Documentation . . 249
Incident Management 249
High Availability Architectures . . 250
Fault Tolerance . . 251
Clusters 251
Failover 252
Replication . 252
Business Continuity Management . . . 253
Vulnerability Management . . . 253
Penetration Testing. . . 253
Application Scanning . 254
Patch Management. . . 254
Change Management . . . 255
Configuration Management. . . 256
Operations Attacks and Countermeasures . 256
Social Engineering . . . 256
Sabotage . 256

Theft and Disappearance . . . 257
Extortion. 257
Bypass. . . 257
Denial of Service 257
Chapter Summary 258
Key Terms. . 260
Review Questions. 262
Hands-On Projects 264
Case Projects 266
CHAPTER 8
Physical and Environmental Security  269
Site Access Security 270
Site Access Control Strategy . 270
Site Access Controls . . 270
Key Cards . . . 271
Biometric Access Controls. 274
Metal Keys . . 275
Mantraps. . . . 276
Security Guards 276
Guard Dogs. . 277
Access Logs . . 277
Fences and Walls . . . 278
Video Surveillance . . 278
Camera Types . . . 278
Recording Capabilities . . 280
Intrusion, Motion, and Alarm Systems . 280
Visible Notices . . 281
Exterior Lighting 281
Other Physical Controls . . 282
Secure Siting 282

Natural Threats . 284
Man-Made Threats . . 285
Other Siting Factors . . 286
Protection of Equipment . 286
Theft Protection . 286
Damage Protection . . . 287
Fire Protection 288
Fire Extinguishers. . . 288
Smoke Detectors . . . 288
Fire Alarm Systems. . 289
Automatic Sprinkler Systems 289
Gaseous Fire Suppression . 290
Cabling Security. . 291
Environmental Controls . . 292
Heating and Air Conditioning . 292
Humidity. 292
Electric Power . . . 293
Line Conditioner 293
Uninterruptible Power Supply (UPS). 293
Electric Generator . . . 294
Redundant Controls 294
Chapter Summary . . 295
Key Terms. . . 297
Review Questions. . . 298
Hands-On Projects . . 301
Case Projects . 302
CHAPTER 9
Security Architecture and Design  305

Security Models 306
Bell-LaPadula 307
Biba . 307
Clark-Wilson 308
Access Matrix . . . 308
Multi-level . . 309
Mandatory Access Control (MAC) . . 309
Discretionary Access Control (DAC) . 309
Role-Based Access Control (RBAC) . . 310
Non-Interference . 310
Information Flow . 310
Information Systems Evaluation Models 310
Common Criteria . 311
TCSEC 312
Trusted Network Interpretation (TNI) 312
ITSEC 312
SEI-CMMI. . 312
SSE-CMM . . 313
Certification and Accreditation 314
FISMA . . 314
DITSCAP 314
DIACAP . 315
NIACAP . 315
DCID 6/3 315
Computer Hardware Architecture 316
Central Processor . 316
Components . . . 316
Operations. . . 316

Instruction Sets 317
Single Core and Multi-Core Designs . . 317
Single and Multi Processor Computers . 318
CPU Security Features . . . 318
Bus 318
Storage . . 320
Main Storage . 320
Secondary Storage . . 320
Virtual Memory 321
Swapping. . . 321
Paging 321
Communications . . . 322
Firmware. 322
Trusted Computing Base (TCB) . . . 323
Reference Monitor . . . 323
Security Hardware . . . 323
Trusted Platform Module . 323
Hardware Authentication . 323
Security Modes . 324
Software . . . 324
Operating Systems . . . 324
Subsystems 325
Programs, Tools, and Applications 326
Software Security Threats 327
Covert Channels 327
Side-Channel Attacks . 328
State Attacks (TOCTTOU) . . 328
Emanations 328
Maintenance Hooks and Back Doors 328
Privileged Programs . . 328

Software Security Countermeasures . . 329
Sniffers and Other Analyzers . 329
Source Code Reviews . 329
Auditing Tools. . 329
Penetration Testing Tools . . . 330
Chapter Summary 330
Key Terms. . 332
Review Questions. 336
Hands-On Projects 339
Case Projects 341
CHAPTER 10
Telecommunications and Network Security  343
Telecommunications Technologies . . . 344
Wired Telecom Technologies. 344
DS-1 . . . 345
SONET . 345
Frame Relay . 346
ATM 346
DSL 346
MPLS . . . 347
Other Wireline Technologies . 348
Wireless Telecom Technologies 348
CDMA2000 . . . 348
GPRS . . . 348
EDGE . . . 349
UMTS . . . 349
WiMAX . 349
Other Wireless Telecom Technologies . . . 349

Network Technologies . . . 349
Wired Network Technologies . 349
Ethernet . 349
Ethernet Cable Types 349
Ethernet Frame Layout . . . 350
Ethernet Error Detection. . 351
Ethernet MAC Addressing 351
Ethernet Devices 352
Token Ring 352
USB 353
RS-232 . . 353
Other Wired Network Technologies 353
Network Cable Types. 354
Network Topologies. . 355
Wireless Network Technologies 355
Wi-Fi . . . 355
Wi-Fi Standards 356
Wi-Fi Security 356
Bluetooth. 357
IrDA 357
Wireless USB . . . 357
Near Field Communication . . 357
Network Protocols . . 357
The OSI Network Model 358
Physical . . 358
Data Link 358
Network . 359
Transport 360
Session . . 360
Presentation 360

Application 360
TCP/IP 360
TCP/IP Link Layer . . . 360
TCP/IP Internet Layer. 361
Internet Layer Protocols . . 362
Internet Layer Routing Protocols . 362
Internet Layer Addressing . 363
TCP/IP Transport Layer 365
TCP Transport Protocol . . 365
UDP Transport Protocol . . 365
TCP/IP Application Layer . . . 366
TCP/IP Routing Protocols . . . 367
RIP 367
IGRP. . . 368
EIGRP. . 368
OSPF . . 368
IS-IS . . . 368
BGP 368
Remote Access/Tunneling Protocols 368
VPN 369
SSL/TLS 369
SSH 370
IPsec . . . 370
L2TP. . . 370
PPTP. . . 370
PPP 370
SLIP . . . 370
Network Authentication Protocols . . . 370

RADIUS 371
Diameter 371
TACACS 371
802.1X . 371
CHAP . . 371
EAP 372
PEAP . . 372
PAP 373
Network-Based Threats, Attacks, and Vulnerabilities . . 373
Threats . 373
Attacks . 373
DoS 373
DDoS 373
Teardrop . . . 373
Sequence Number. 373
Smurf 374
Ping of Death 374
SYN Flood . 374
Worms 374
Spam. 375
Phishing . . . 375
Vulnerabilities 376
Unnecessary Open Ports . 376
Unpatched Systems 376
Poor and Outdated Configurations . . 376
Exposed Cabling . 376
Network Countermeasures . . . 376
Access Control Lists . . 377
Firewalls . 377
Intrusion Detection Systems (IDS) . 377

Intrusion Prevention Systems (IPS) . 378
Protect Network Cabling . . . 378
Anti-Virus Software . . 378
Private Addressing . . . 378
Close Unnecessary Ports and Services. 378
Install Security Patches . . 378
UTM 379
Gateways. . . 379
Chapter Summary . . 379
Key Terms. . . 381
Review Questions. . . 388
Hands-On Projects . . 391
Case Projects . 398
APPENDIX A
The Ten Domains of CISSP Security  401
Changes in the CBK. 403
The Common Body of Knowledge 403
Domain 1: Access Controls . . . 403
Domain 2: Application Security 404
Domain 3: Business Continuity and Disaster Recovery Planning 404
Domain 4: Cryptography 405
Domain 5: Information Security and Risk Management. 405
Domain 6: Legal, Regulations, Compliance, and Investigations 405
Domain 7: Operations Security 406
Domain 8: Physical (Environmental) Security 406
Domain 9: Security Architecture and Design 406
Domain 10: Telecommunications and Network Security 406
Key Terms. . . 407

APPENDIX B
The (ISC)² Code of Ethics  408
GLOSSARY  411
INDEX  428
Introduction
“If the Internet were a city street, I would not travel it in daylight,” laments a chief information
security officer for a prestigious university.
The Internet is critical infrastructure for the world's commerce. Cybercrime is escalating; once the domain of hackers and script kiddies, it has been taken up by cyber-gangs and organized criminal organizations that have discovered business opportunities for extortion, embezzlement, and fraud whose proceeds now surpass income from illegal drug trafficking. Criminals are going for the gold: the information held in information systems that are often easily accessed anonymously from the Internet.
The information security industry is barely able to keep up. Cybercriminals and hackers always seem to be one step ahead, and new threats and vulnerabilities crop up at a rate that often exceeds our ability to continue protecting our most vital information and systems. Like other sectors in IT, security planners, analysts, engineers, and operators are expected to do more with less. Cybercriminals have never had it so good.
There are not enough good security professionals to go around. As a profession, information secu-
rity in all its forms is relatively new. Fifty years ago there were perhaps a dozen information security
professionals, and their jobs consisted primarily of making sure the doors were locked and that keys
were issued only to personnel who had an established need for access. Today, whole sectors of com-
merce are doing virtually all of their business online, and other critical infrastructures such as public
utilities are controlled online via the Internet. It’s hard to find something that’s not online these
days. The rate of growth in the information security profession is falling far behind the rate of growth of critical information and infrastructures going online. This makes it all the more critical for today's and tomorrow's information security professionals to have a good understanding of the vast array of principles, practices, technologies, and tactics that are required to protect an organization's assets.
The CISSP (Certified Information Systems Security Professional) is easily the most recognized security certification in the business. CISSP is also one of the most difficult certifications to earn, because it requires knowledge in almost every nook and cranny of information technology and physical security. The CISSP is a jack-of-all-trades certification that, like the training of a general practitioner physician, prepares its holder for any threat that could come along.
The required body of knowledge for the CISSP certification is published and updated regularly. This book covers all of the material in the published body of knowledge, with each chapter mapping clearly to one of the ten domains within that body of knowledge.
With the demand for security professionals at an all-time high, whether you are a security
professional in need of a reference, an IT professional with your sights on the CISSP certifi-
cation, or a course instructor, CISSP Guide to Security Essentials has arrived just in time.
Intended Audience
This book is written for students and professionals who want to expand their knowledge of computer, network, and business security. It is not necessary that the reader specifically target CISSP certification; while this book is designed to support that objective, the student or professional who wants to learn more about security but does not aspire to earn the CISSP certification at this time will benefit from this book as much as a CISSP candidate.
CISSP Guide to Security Essentials is also ideal for someone in a self-study program. The end of each chapter has not only study questions, but also Hands-On Projects and Case Projects that you can do on your own with a computer running Windows, MacOS, or Linux.
The structure of this book is designed to correspond with the ten domains of knowledge for the CISSP certification, called the Common Body of Knowledge (CBK). While this alignment will be helpful for the CISSP candidate who wants to align her study with the CBK, this is not a detriment to other readers. This is because the CBK domains align nicely with professional practices such as access control, cryptography, physical security, and other sensibly organized categories.
This book’s pedagogical features will help all readers who wish to broaden their skills and experience in computer and business security. Each chapter contains several Hands-On Projects that guide the reader through several key security activities, many of which are truly hands-on with computers and networks. Each chapter also contains Case Projects that take the reader into more advanced topics to help them apply the concepts in the chapter.
Chapter Descriptions
Here is a summary of the topics covered in each chapter of this book:
Chapter 1, “Information Security and Risk Management,” begins with the fundamentals of information and business security—security and risk management—by explaining how an organization’s security program needs to support the organization’s goals and objectives. The chapter continues with risk management, security management and strategies, personnel security, and professional ethics.
Chapter 2, “Access Controls,” discusses access control principles and architectures, and continues with descriptions of the types of attacks that are carried out against access control systems. The chapter also discusses how an organization can test its access controls to make sure they are secure.
Chapter 3, “Application Security,” begins with a discussion of the types of application software, application models, and technologies. The chapter continues by exploring threats to software applications and countermeasures to deal with them. It explores how to secure the software development life cycle—the process used for the creation and maintenance of application software. The chapter discusses application environment and security controls, and concludes with a discussion of the security of databases and data warehouses.
Chapter 4, “Business Continuity and Disaster Recovery Planning,” explores the concepts and practices in business continuity planning and disaster recovery planning. The chapter provides a lengthy discourse on a practical approach to running a BCP/DRP project. Next, the chapter describes several approaches to testing BCP and DRP plans, and how such plans are maintained over time.
Chapter 5, “Cryptography,” begins with an introduction to the science of cryptography, the practice of hiding data in plain sight. The chapter continues with a discussion of the applications and uses of cryptography, and on the methodologies used by cryptographic algorithms. The chapter also includes a discussion of cryptography and key management.
Chapter 6, “Legal, Regulations, Compliance, and Investigations,” starts with a discussion of the different types of computer crime and the various ways that computers are involved in criminal activity. The next discussion focuses on the types and categories of laws in the U.S. and other countries, with a particular focus on computer-related laws. The chapter continues with a discussion of security incident response, investigations, and computer forensics, and concludes with a discussion of ethical issues in the workplace.
Chapter 7, “Operations Security,” introduces and discusses the broad topic of putting security controls, concepts, and technologies into operation in an organization. The specific topics discussed include records management, backup, anti-virus, remote access, administrative access, resource protection, incident management, vulnerability management, change management, and configuration management. The chapter discusses resource protection, high-availability application architectures, and attacks and countermeasures for IT operations.
Chapter 8, “Physical and Environmental Security,” begins with a discussion of site access controls for the physical protection of worksites that may include IT systems. The chapter discusses secure siting, which is the process of identifying risk factors associated with the location and features of an office building. The chapter provides an overview of fire prevention and suppression, theft prevention, and building environmental controls including electric power and heating, ventilation, and air conditioning.
Chapter 9, “Security Architecture and Design,” discusses security models that have been developed and are still in use from the 1970s to the present. The chapter continues with a discussion of information system evaluation models including the Common Criteria. The chapter discusses computer hardware architecture and computer software, including operating systems, tools, utilities, and applications. Security threats and countermeasures in the context of computer software are also explored.
Chapter 10, “Telecommunications and Network Security,” is a broad exploration of telecommunications and network technologies. The chapter examines the TCP/IP and OSI protocol models, and continues with a dissection of the TCP/IP protocol suite. The chapter addresses TCP/IP network architecture, protocols, addressing, devices, routing, authentication, access control, tunneling, and services. The chapter concludes with a discussion of network-based threats and countermeasures.
Appendix A, “The Ten Domains of CISSP Security,” provides a background on the CISSP certification, and then describes the ten domains in the CISSP Common Body of Knowledge.
Appendix B, “The (ISC)² Code of Ethics,” contains the full text of the (ISC)² Code of Ethics, which every CISSP candidate is required to support and uphold. The Code of Ethics is a set of enduring principles to guide the behavior of every security professional.
Glossary lists common information security and risk management terms that are found in this book.
Features
To aid you in fully understanding computer and business security, this book includes many features designed to enhance your learning experience.
• Maps to the CISSP Common Body of Knowledge (CBK). The material in this text covers all of the CISSP exam objectives. Aside from Information Security and Risk Management being addressed first in the book, the sequence of the chapters follows the ten CISSP domains.
• Common Body of Knowledge objectives included. Each chapter begins with the precise language from the (ISC)² Common Body of Knowledge for the respective topic in the CISSP certification. This helps to remind the reader of the CISSP certification requirements for that particular topic.
• Chapter Objectives. Each chapter begins with a detailed list of the concepts to be mastered within that chapter. This list provides you with both a quick reference to the chapter’s contents and a useful study aid.
• Illustrations and Tables. Numerous illustrations of security vulnerabilities, attacks, and defenses help you visualize security elements, theories, and concepts. In addition, the many tables provide details and comparisons of practical and theoretical information.
• Chapter Summaries. Each chapter’s text is followed by a summary of the concepts introduced in that chapter. These summaries provide a helpful way to review the ideas covered in each chapter.
• Key Terms. All of the terms in each chapter that were introduced with bold text are gathered in a Key Terms list with definitions at the end of the chapter, providing additional review and highlighting key concepts.
• Review Questions. The end-of-chapter assessment begins with a set of review questions that reinforce the ideas introduced in each chapter. These questions help you