San Francisco • London

CISSP

®

:

Certified Information Systems
Security Professional

Study Guide

3rd Edition

James Michael Stewart
Ed Tittel
Mike Chapple

4443.book Page iii Sunday, July 10, 2005 12:49 PM

4443.book Page ii Sunday, July 10, 2005 12:49 PM
Reinforce understanding of key topics
with flashcards for your PC, Pocket PC,
or Palm handheld!
 Contains over 300 flashcard questions.
 Runs on multiple platforms for usability
and portability.
 Quiz yourself anytime, anywhere!

Access the entire book in PDF!
 Full search capabilities let you quickly
find the information you need.
 Complete with tables and illustrations.
 Adobe Acrobat Reader included.
he Best CISSP Study Combination Available!
T
Prepare yourself for the CISSP exam
with hundreds of challenging sample
test questions!
 Chapter-by-chapter review questions
from the book.
 Five bonus exams available only on
the CD.
 Supports question formats found on
actual exam.
4443_EP2.qxd 8/1/05 2:17 PM Page 2
My sole source of exam-related study was this book. I found that I knew much
of the material already, but this book definitely filled in all of the gaps.
—Amazon.com reader from Charlotte, NC
As I took the CISSP exam, I kept thinking, ‘the CISSP Study Guide authors
really knew what they were talking about.’ If you were to know this book
backwards and forwards, you would do well on the CISSP exam.
—Amazon.com reader from Utah, USA
This book follows in the tradition of the Sybex MCSE Study Guides, provid-
ing a good balance between detailed explanation and comprehensive coverage
of the exam topics.
—J. O’Connor, Amazon.com reader from Dublin, Ireland
It is crisp, sets the right tone for the actual exam, and does not lie.
—Amazon.com reader from New York City

I recently took and passed the CISSP exam…My sole source of exam related
study was this book.
—Amazon.com reader
Praise for CISSP: Certified Information Systems
Security Professional Study Guide from Sybex
4443_IFC.qxd 7/11/05 2:41 PM Page B

CISSP:

Certified Information Systems
Security Professional

Study Guide

3rd Edition

4443.book Page i Sunday, July 10, 2005 12:49 PM

4443.book Page ii Sunday, July 10, 2005 12:49 PM

San Francisco • London

CISSP

®

:

Certified Information Systems
Security Professional


Study Guide

3rd Edition

James Michael Stewart
Ed Tittel
Mike Chapple

4443.book Page iii Sunday, July 10, 2005 12:49 PM

Publisher: Neil Edde
Acquisitions and Developmental Editor: Heather O’Connor
Production Editor: Lori Newman
Technical Editor: Ed Tittel
Copyeditor: Judy Flynn
Compositor: Jeffrey Wilson, Happenstance Type-O-Rama
CD Coordinators and Technicians: Dan Mummert, Keith McNeil, Kevin Ly
Proofreaders: Nancy Riddiough, Jim Brook, Candace English
Indexer: Ted Laux
Book Designer: Bill Gibson, Judy Fung
Cover Designer: Archer Design
Cover Illustrator/Photographer: Victor Arre and Photodisc
Copyright © 2005 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No
part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but
not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written per-
mission of the publisher.
First edition copyright © 2004 SYBEX Inc.
Library of Congress Card Number: 2005929270
ISBN: 0-7821-4443-8

SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States
and/or other countries.
Screen reproductions produced with FullShot 99. FullShot 99 © 1991-1999 Inbit Incorporated. All rights reserved.
FullShot is a trademark of Inbit Incorporated.
The CD interface was created using Macromedia Director, COPYRIGHT 1994, 1997-1999 Macromedia Inc. For
more information on Macromedia and Macromedia Director, visit .
This study guide and/or material is not sponsored by, endorsed by, or affiliated with International Information
Systems Security Certification Consortium, Inc. (ISC)

2

® and CISSP® are registered service and/or trademarks of
the International Information Systems Security Certification Consortium, Inc. All other trademarks are the prop-
erty of their respective owners.
TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from
descriptive terms by following the capitalization style used by the manufacturer.
The author and publisher have made their best efforts to prepare this book, and the content is based upon final
release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied
by software manufacturer(s). The author and the publisher make no representation or warranties of any kind
with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including
but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of
any kind caused or alleged to be caused directly or indirectly from this book.
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1

4443.book Page iv Sunday, July 10, 2005 12:49 PM

Wiley Publishing Inc End-User License Agreement

READ THIS. You should carefully read these terms and

conditions before opening the software packet(s) included
with this book “Book”. This is a license agreement “Agree-
ment” between you and Wiley Publishing, Inc.”WPI”. By
opening the accompanying software packet(s), you
acknowledge that you have read and accept the following
terms and conditions. If you do not agree and do not want
to be bound by such terms and conditions, promptly return
the Book and the unopened software packet(s) to the place
you obtained them for a full refund.
1. License Grant. WPI grants to you (either an individual
or entity) a nonexclusive license to use one copy of the
enclosed software program(s) (collectively, the “Software”
solely for your own personal or business purposes on a sin-
gle computer (whether a standard computer or a worksta-
tion component of a multi-user network). The Software is
in use on a computer when it is loaded into temporary
memory (RAM) or installed into permanent memory (hard
disk, CD-ROM, or other storage device). WPI reserves all
rights not expressly granted herein.
2. Ownership. WPI is the owner of all right, title, and inter-
est, including copyright, in and to the compilation of the
Software recorded on the disk(s) or CD-ROM “Software
Media”. Copyright to the individual programs recorded
on the Software Media is owned by the author or other
authorized copyright owner of each program. Ownership
of the Software and all proprietary rights relating thereto
remain with WPI and its licensers.
3. Restrictions On Use and Transfer. (a) You may only (i)
make one copy of the Software for backup or archival pur-
poses, or (ii) transfer the Software to a single hard disk,

provided that you keep the original for backup or archival
purposes. You may not (i) rent or lease the Software, (ii)
copy or reproduce the Software through a LAN or other
network system or through any computer subscriber sys-
tem or bulletin- board system, or (iii) modify, adapt, or cre-
ate derivative works based on the Software. (b) You may
not reverse engineer, decompile, or disassemble the Soft-
ware. You may transfer the Software and user documenta-
tion on a permanent basis, provided that the transferee
agrees to accept the terms and conditions of this Agree-
ment and you retain no copies. If the Software is an update
or has been updated, any transfer must include the most
recent update and all prior versions.
4. Restrictions on Use of Individual Programs. You must
follow the individual requirements and restrictions
detailed for each individual program in the About the CD-
ROM appendix of this Book. These limitations are also
contained in the individual license agreements recorded on
the Software Media. These limitations may include a
requirement that after using the program for a specified
period of time, the user must pay a registration fee or dis-
continue use. By opening the Software packet(s), you will
be agreeing to abide by the licenses and restrictions for
these individual programs that are detailed in the About
the CD-ROM appendix and on the Software Media. None
of the material on this Software Media or listed in this
Book may ever be redistributed, in original or modified
form, for commercial purposes.
5. Limited Warranty. (a) WPI warrants that the Software
and Software Media are free from defects in materials and

workmanship under normal use for a period of sixty (60)
days from the date of purchase of this Book. If WPI
receives notification within the warranty period of defects
in materials or workmanship, WPI will replace the defec-
tive Software Media. (b) WPI AND THE AUTHOR OF
THE BOOK DISCLAIM ALL OTHER WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING WITHOUT LIM-
ITATION IMPLIED WARRANTIES OF MERCHANT-
ABILITY AND FITNESS FOR A PARTICULAR
PURPOSE, WITH RESPECT TO THE SOFTWARE,
THE PROGRAMS, THE SOURCE CODE CON-
TAINED THEREIN, AND/OR THE TECHNIQUES
DESCRIBED IN THIS BOOK. WPI DOES NOT WAR-
RANT THAT THE FUNCTIONS CONTAINED IN
THE SOFTWARE WILL MEET YOUR REQUIRE-
MENTS OR THAT THE OPERATION OF THE SOFT-
WARE WILL BE ERROR FREE. (c) This limited warranty
gives you specific legal rights, and you may have other
rights that vary from jurisdiction to jurisdiction.
6. Remedies. (a) WPI’s entire liability and your exclusive
remedy for defects in materials and workmanship shall be
limited to replacement of the Software Media, which may
be returned to WPI with a copy of your receipt at the fol-
lowing address:
Software Media Fulfillment Department,
Attn.: CISSP: Certified Information Systems Security
Professional Study Guide, 3rd Ed.,
Wiley Publishing, Inc., 10475
Crosspoint Blvd., Indianapolis, IN 46256,
or call 1-800-762-2974.

Please allow four to six weeks for delivery. This Limited
Warranty is void if failure of the Software Media has
resulted from accident, abuse, or misapplication. Any
replacement Software Media will be warranted for the
remainder of the original warranty period or thirty (30)
days, whichever is longer. (b) In no event shall WPI or the
author be liable for any damages whatsoever (including
without limitation damages for loss of business profits,
business interruption, loss of business information, or any
other pecuniary loss) arising from the use of or inability to
use the Book or the Software, even if WPI has been advised
of the possibility of such damages. (c) Because some juris-
dictions do not allow the exclusion or limitation of liability
for consequential or incidental damages, the above limita-
tion or exclusion may not apply to you.
7. U.S. Government Restricted Rights. Use, duplication, or
disclosure of the Software for or on behalf of the United
States of America, its agencies and/or instrumentalities
“U.S. Government” is subject to restrictions as stated in
paragraph (c)(1)(ii) of the Rights in Technical Data and
Computer Software clause of DFARS 252.227-7013, or
subparagraphs (c) (1) and (2) of the Commercial Com-
puter Software - Restricted Rights clause at FAR 52.227-
19, and in similar clauses in the NASA FAR supplement, as
applicable.
8. General. This Agreement constitutes the entire under-
standing of the parties and revokes and supersedes all prior
agreements, oral or written, between them and may not be
modified or amended except in a writing signed by both
parties hereto that specifically refers to this Agreement.

This Agreement shall take precedence over any other doc-
uments that may be in conflict herewith. If any one or more
provisions contained in this Agreement are held by any
court or tribunal to be invalid, illegal, or otherwise unen-
forceable, each and every other provision shall remain in
full force and effect.

4443.book Page v Sunday, July 10, 2005 12:49 PM

To Cathy, whenever there is trouble, just remember “Some beach, somewhere ”

4443.book Page vi Sunday, July 10, 2005 12:49 PM

Acknowledgments

Wow, I can’t believe it has already been a year since the last revision and lots of things have
changed in the world of CISSP. I hope our efforts to improve this study guide will lend themselves
handily to your understanding and comprehension of the wide berth of CISSP concepts. I’d like
to express my thanks to Sybex for continuing to support this project. Thanks to Ed Tittel co-
author (1st and 2nd editions) and technical editor (3rd edition) for a great job making sure as few
errors as possible made it into print. Also thanks to all my CISSP course students who have pro-
vided their insight and input to improve my training courseware and ultimately this tome.
To my fiancé, Cathy, I’m looking forward to a wonderful life shared with you. To my par-
ents, Dave and Sue, thanks for your love and consistent support. To my sister Sharon and
nephew Wesley, it’s great having family like you to spend time with. To Mark, we’d all get along
better if you and everyone else would just learn to worship me. To HERbert and Quin, brace
yourself, the zoo is about to invade! And finally, as always, to Elvis—I just discovered you’ve
been re-incarnated in the Cow Parade as Cowlvis!
—James Michael Stewart


4443.book Page vii Sunday, July 10, 2005 12:49 PM

Contents At A Glance

Introduction xxiii
Assessment Test xxxi

Chapter 1

Accountability and Access Control 1

Chapter 2

Attacks and Monitoring 43

Chapter 3

ISO Model, Network Security, and Protocols 69

Chapter 4

Communications Security and Countermeasures 121

Chapter 5

Security Management Concepts and Principles 153

Chapter 6

Asset Value, Policies, and Roles 175


Chapter 7

Data and Application Security Issues 209

Chapter 8

Malicious Code and Application Attacks 257

Chapter 9

Cryptography and Private Key Algorithms 293

Chapter 10

PKI and Cryptographic Applications 335

Chapter 11

Principles of Computer Design 369

Chapter 12

Principles of Security Models 415

Chapter 13

Administrative Management 449

Chapter 14


Auditing and Monitoring 477

Chapter 15

Business Continuity Planning 509

Chapter 16

Disaster Recovery Planning 535

Chapter 17

Law and Investigations 571

Chapter 18

Incidents and Ethics 605

Chapter 19

Physical Security Requirements 627

Glossary

659

Index 725

4443.book Page viii Sunday, July 10, 2005 12:49 PM


Contents

Introduction xxiii
Assessment Test xxxi

Chapter 1 Accountability and Access Control 1

Access Control Overview 2
Types of Access Control 2
Access Control in a Layered Environment 5
The Process of Accountability 5
Identification and Authentication Techniques 9
Passwords 10
Biometrics 13
Tokens 18
Tickets 20
Single Sign On 20
Access Control Techniques 23
Discretionary Access Controls (DAC) 23
Nondiscretionary Access Controls 24
Mandatory Access Controls 24
Role-Based Access Control (RBAC) 25
Lattice-Based Access Controls 26
Access Control Methodologies and Implementation 27
Centralized and Decentralized Access Control 27
RADIUS and TACACS 27
Access Control Administration 28
Account Administration 29
Account, Log, and Journal Monitoring 30

Access Rights and Permissions 30
Summary 32
Exam Essentials 34
Review Questions 36
Answers to Review Questions 40

Chapter 2 Attacks and Monitoring 43

Monitoring 44
Intrusion Detection 45
Host-Based and Network-Based IDSs 46
Knowledge-Based and Behavior-Based Detection 47
IDS-Related Tools 48
Penetration Testing 49

4443.book Page ix Sunday, July 10, 2005 12:49 PM

x

Contents

Methods of Attacks 50
Brute Force and Dictionary Attacks 51
Denial of Service 52
Spoofing Attacks 55
Man-in-the-Middle Attacks 56
Sniffer Attacks 57
Spamming Attacks 57
Crackers 58
Access Control Compensations 58

Summary 59
Exam Essentials 59
Review Questions 62
Answers to Review Questions 66

Chapter 3 ISO Model, Network Security, and Protocols 69

OSI Model 70
History of the OSI Model 70
OSI Functionality 71
Encapsulation/Deencapsulation 72
OSI Layers 73
TCP/IP Model 78
Communications and Network Security 79
Network Cabling 79
LAN Technologies 84
Network Topologies 87
TCP/IP Overview 89
Internet/Intranet/Extranet Components 96
Firewalls 97
Other Network Devices 100
Remote Access Security Management 102
Network and Protocol Security Mechanisms 103
VPN Protocols 103
Secure Communications Protocols 104
E-Mail Security Solutions 105
Dial-Up Protocols 105
Authentication Protocols 106
Centralized Remote Authentication Services 106
Network and Protocol Services 107

Frame Relay 107
Other WAN Technologies 108
Avoiding Single Points of Failure 108
Redundant Servers 109
Failover Solutions 109
RAID 110

4443.book Page x Sunday, July 10, 2005 12:49 PM

Contents

xi

Summary 111
Exam Essentials 112
Review Questions 114
Answers to Review Questions 118

Chapter 4 Communications Security and Countermeasures 121

Virtual Private Network (VPN) 122
Tunneling 123
How VPNs Work 124
Implementing VPNs 124
Network Address Translation 125
Private IP Addresses 125
Stateful NAT 126
Switching Technologies 126
Circuit Switching 126
Packet Switching 127

Virtual Circuits 127
WAN Technologies 128
WAN Connection Technologies 129
Encapsulation Protocols 130
Miscellaneous Security Control Characteristics 131
Transparency 131
Verifying Integrity 131
Transmission Mechanisms 132
Managing E-Mail Security 132
E-Mail Security Goals 132
Understanding E-Mail Security Issues 133
E-Mail Security Solutions 134
Securing Voice Communications 136
Social Engineering 136
Fraud and Abuse 137
Phreaking 138
Security Boundaries 139
Network Attacks and Countermeasures 139
Eavesdropping 140
Second-Tier Attacks 140
Address Resolution Protocol (ARP) 141
Summary 142
Exam Essentials 143
Review Questions 146
Answers to Review Questions 150

Chapter 5 Security Management Concepts and Principles 153

Security Management Concepts and Principles 154
Confidentiality 154


4443.book Page xi Sunday, July 10, 2005 12:49 PM

xii

Contents

Integrity 155
Availability 156
Other Security Concepts 157
Protection Mechanisms 159
Layering 160
Abstraction 160
Data Hiding 160
Encryption 161
Change Control/Management 161
Data Classification 162
Summary 165
Exam Essentials 166
Review Questions 168
Answers to Review Questions 172

Chapter 6 Asset Value, Policies, and Roles 175

Employment Policies and Practices 176
Security Management for Employees 176
Security Roles 179
Security Management Planning 181
Policies, Standards, Baselines, Guidelines, and Procedures 182
Security Policies 182

Security Standards, Baselines, and Guidelines 184
Security Procedures 184
Risk Management 185
Risk Terminology 186
Risk Assessment Methodologies 188
Quantitative Risk Analysis 190
Qualitative Risk Analysis 193
Handling Risk 195
Security Awareness Training 196
Summary 197
Exam Essentials 199
Review Questions 202
Answers to Review Questions 206

Chapter 7 Data and Application Security Issues 209

Application Issues 210
Local/Nondistributed Environment 210
Distributed Environment 212
Databases and Data Warehousing 216
Database Management System (DBMS) Architecture 216
Database Transactions 219

4443.book Page xii Sunday, July 10, 2005 12:49 PM

Contents

xiii

Security for Multilevel Databases 220

ODBC 222
Aggregation 223
Data Mining 224
Data/Information Storage 225
Types of Storage 225
Storage Threats 226
Knowledge-Based Systems 226
Expert Systems 227
Neural Networks 228
Decision Support Systems 228
Security Applications 229
Systems Development Controls 229
Software Development 229
Systems Development Life Cycle 234
Life Cycle Models 237
Gantt Charts and PERT 240
Change Control and Configuration Management 242
Software Testing 243
Security Control Architecture 244
Service Level Agreements 247
Summary 247
Exam Essentials 248
Written Lab 249
Review Questions 250
Answers to Review Questions 254
Answers to Written Lab 256

Chapter 8 Malicious Code and Application Attacks 257

Malicious Code 258

Sources 258
Viruses 259
Logic Bombs 264
Trojan Horses 264
Worms 265
Active Content 267
Countermeasures 267
Password Attacks 268
Password Guessing 269
Dictionary Attacks 269
Social Engineering 270
Countermeasures 270
Denial of Service Attacks 271
SYN Flood 271

4443.book Page xiii Sunday, July 10, 2005 12:49 PM

xiv

Contents

Distributed DoS Toolkits 272
Smurf 273
Teardrop 274
Land 276
DNS Poisoning 276
Ping of Death 276
Application Attacks 277
Buffer Overflows 277
Time-of-Check-to-Time-of-Use 278

Trap Doors 278
Rootkits 278
Reconnaissance Attacks 278
IP Probes 279
Port Scans 279
Vulnerability Scans 279
Dumpster Diving 280
Masquerading Attacks 280
IP Spoofing 280
Session Hijacking 281
Decoy Techniques 281
Honey Pots 281
Pseudo-Flaws 281
Summary 282
Exam Essentials 283
Written Lab 284
Review Questions 285
Answers to Review Questions 289
Answers to Written Lab 291

Chapter 9 Cryptography and Private Key Algorithms 293

History 294
Caesar Cipher 294
American Civil War 295
Ultra vs. Enigma 295
Cryptographic Basics 296
Goals of Cryptography 296
Cryptography Concepts 297
Cryptographic Mathematics 299

Ciphers 305
Modern Cryptography 310
Cryptographic Keys 311
Symmetric Key Algorithms 312
Asymmetric Key Algorithms 313
Hashing Algorithms 316

4443.book Page xiv Sunday, July 10, 2005 12:49 PM
xl
Answers to Assessment Test
27. B. Layers 1 and 2 contain device drivers but are not normally implemented in practice. Layer
0 always contains the security kernel. Layer 3 contains user applications. Layer 4 does not exist.
For more information, please see Chapter 7.
28. C. Transposition ciphers use an encryption algorithm to rearrange the letters of the plaintext
message to form a ciphertext message. For more information, please see Chapter 9.
29. C. The annualized loss expectancy (ALE) is computed as the product of the asset value (AV)
times the annualized rate of occurrence (ARO). The other formulas displayed here do not accu-
rately reflect this calculation. For more information, please see Chapter 15.
30. C. The principle of integrity states that objects retain their veracity and are only intentionally
modified by authorized subjects. For more information, please see Chapter 5.
31. D. E-mail is the most common delivery mechanism for viruses, worms, Trojan horses, docu-
ments with destructive macros, and other malicious code. For more information, please see
Chapter 4.
32. A. Technical security controls include access controls, intrusion detection, alarms, CCTV,
monitoring, HVAC, power supplies, and fire detection and suppression. For more information,
please see Chapter 19.
33. A. Administrative determinations of federal agencies are published as the Code of Federal Reg-
ulations. For more information, please see Chapter 17.
34. A. Identification of priorities is the first step of the Business Impact Assessment process. For
more information, please see Chapter 15.

35. C. Any recipient can use Mike’s public key to verify the authenticity of the digital signature. For
more information, please see Chapter 10.
36. C. A Type 3 authentication factor is something you are, such as fingerprints, voice print, retina
pattern, iris pattern, face shape, palm topology, hand geometry, and so on. For more informa-
tion, please see Chapter 1.
37. C. The primary goal of risk management is to reduce risk to an acceptable level. For more infor-
mation, please see Chapter 6.
4443.book Page xl Sunday, July 10, 2005 12:49 PM

Contents

xv

Symmetric Cryptography 316
Data Encryption Standard (DES) 316
Triple DES (3DES) 318
International Data Encryption Algorithm (IDEA) 319
Blowfish 319
Skipjack 320
Advanced Encryption Standard (AES) 320
Key Distribution 322
Key Escrow 324
Summary 324
Exam Essentials 325
Written Lab 327
Review Questions 328
Answers to Review Questions 332
Answers to Written Lab 334

Chapter 10 PKI and Cryptographic Applications 335


Asymmetric Cryptography 336
Public and Private Keys 337
RSA 337
El Gamal 338
Elliptic Curve 339
Hash Functions 340
SHA 341
MD2 342
MD4 342
MD5 343
Digital Signatures 344
HMAC 345
Digital Signature Standard 345
Public Key Infrastructure 346
Certificates 346
Certificate Authorities 347
Certificate Generation and Destruction 348
Key Management 350
Applied Cryptography 350
Electronic Mail 351
Web 353
E-Commerce 354
Networking 355
Cryptographic Attacks 359
Summary 360
Exam Essentials 361
Review Questions 363
Answers to Review Questions 367


4443.book Page xv Sunday, July 10, 2005 12:49 PM

xvi

Contents

Chapter 11 Principles of Computer Design 369

Computer Architecture 371
Hardware 371
Input/Output Structures 389
Firmware 391
Security Protection Mechanisms 391
Technical Mechanisms 391
Security Policy and Computer Architecture 393
Policy Mechanisms 394
Distributed Architecture 395
Security Models 397
State Machine Model 397
Information Flow Model 398
Noninterference Model 398
Take-Grant Model 398
Access Control Matrix 399
Bell-LaPadula Model 400
Biba 402
Clark-Wilson 403
Brewer and Nash Model (a.k.a. Chinese Wall) 403
Classifying and Comparing Models 404
Summary 405
Exam Essentials 406

Review Questions 408
Answers to Review Questions 412

Chapter 12 Principles of Security Models 415

Common Security Models, Architectures, and Evaluation Criteria 416
Trusted Computing Base (TCB) 417
Security Models 418
Objects and Subjects 420
Closed and Open Systems 421
Techniques for Ensuring Confidentiality, Integrity,
and Availability 422
Controls 423
Trust and Assurance 423
Understanding System Security Evaluation 424
Rainbow Series 424
ITSEC Classes and Required Assurance and Functionality 428
Common Criteria 429
Certification and Accreditation 432
Common Flaws and Security Issues 435
Covert Channels 435

4443.book Page xvi Sunday, July 10, 2005 12:49 PM

Contents

xvii

Attacks Based on Design or Coding Flaws and Security Issues 435
Programming 439

Timing, State Changes, and Communication Disconnects 439
Electromagnetic Radiation 439
Summary 440
Exam Essentials 441
Review Questions 443
Answers to Review Questions 447

Chapter 13 Administrative Management 449

Operations Security Concepts 450
Antivirus Management 451
Operational Assurance and Life Cycle Assurance 452
Backup Maintenance 452
Changes in Workstation/Location 453
Need-to-Know and the Principle of Least Privilege 453
Privileged Operations Functions 454
Trusted Recovery 455
Configuration and Change Management Control 455
Standards of Due Care and Due Diligence 456
Privacy and Protection 457
Legal Requirements 457
Illegal Activities 457
Record Retention 458
Sensitive Information and Media 458
Security Control Types 461
Operations Controls 462
Personnel Controls 464
Summary 466
Exam Essentials 467
Review Questions 470

Answers to Review Questions 474

Chapter 14 Auditing and Monitoring 477

Auditing 478
Auditing Basics 478
Audit Trails 480
Reporting Concepts 481
Sampling 482
Record Retention 483
External Auditors 484
Monitoring 484
Monitoring Tools and Techniques 485

4443.book Page xvii Sunday, July 10, 2005 12:49 PM

xviii

Contents

Penetration Testing Techniques 486
Planning Penetration Testing 487
Penetration Testing Teams 488
Ethical Hacking 488
War Dialing 488
Sniffing and Eavesdropping 489
Radiation Monitoring 490
Dumpster Diving 490
Social Engineering 491
Problem Management 491

Inappropriate Activities 491
Indistinct Threats and Countermeasures 492
Errors and Omissions 492
Fraud and Theft 493
Collusion 493
Sabotage 493
Loss of Physical and Infrastructure Support 493
Malicious Hackers or Crackers 495
Espionage 495
Malicious Code 495
Traffic and Trend Analysis 495
Initial Program Load Vulnerabilities 496
Summary 497
Exam Essentials 498
Review Questions 502
Answers to Review Questions 506

Chapter 15 Business Continuity Planning 509

Business Continuity Planning 510
Project Scope and Planning 511
Business Organization Analysis 511
BCP Team Selection 512
Resource Requirements 513
Legal and Regulatory Requirements 514
Business Impact Assessment 515
Identify Priorities 516
Risk Identification 516
Likelihood Assessment 517
Impact Assessment 518

Resource Prioritization 519
Continuity Strategy 519
Strategy Development 519
Provisions and Processes 520
Plan Approval 522

4443.book Page xviii Sunday, July 10, 2005 12:49 PM

Contents

xix

Plan Implementation 522
Training and Education 522
BCP Documentation 523
Continuity Planning Goals 523
Statement of Importance 523
Statement of Priorities 524
Statement of Organizational Responsibility 524
Statement of Urgency and Timing 524
Risk Assessment 524
Risk Acceptance/Mitigation 525
Vital Records Program 525
Emergency Response Guidelines 525
Maintenance 525
Testing 526
Summary 526
Exam Essentials 526
Review Questions 528
Answers to Review Questions 532


Chapter 16 Disaster Recovery Planning 535

Disaster Recovery Planning 536
Natural Disasters 537
Man-Made Disasters 541
Recovery Strategy 545
Business Unit Priorities 545
Crisis Management 546
Emergency Communications 546
Work Group Recovery 546
Alternate Processing Sites 547
Mutual Assistance Agreements 550
Database Recovery 551
Recovery Plan Development 552
Emergency Response 553
Personnel Notification 553
Backups and Offsite Storage 554
Software Escrow Arrangements 557
External Communications 558
Utilities 558
Logistics and Supplies 558
Recovery vs. Restoration 558
Training and Documentation 559
Testing and Maintenance 560
Checklist Test 560
Structured Walk-Through 560

4443.book Page xix Sunday, July 10, 2005 12:49 PM