Syngress Systems Security Certification Practitioner Study Guide



241_SSCP_FM.qxd

1/22/03

4:55 PM

Page i

Syngress knows what passing the exam means to you and to your career. And we know that you are often financing your own training and certification; therefore, you need a system that is comprehensive, affordable, and effective.

Boasting one-of-a-kind integration of text, DVD-quality instructor-led training, and Web-based exam simulation, the Syngress Study Guide & DVD Training System guarantees 100% coverage of exam objectives.

The Syngress Study Guide & DVD Training System includes:

Study Guide with 100% coverage of exam objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of the exam objectives.

Instructor-led DVD. This DVD provides almost two hours of virtual classroom instruction.

Web-based practice exams. Just visit us at www.syngress.com/certification to access a complete exam simulation.

Thank you for giving us the opportunity to serve your certification needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/certification




Josh Jacobs, SSCP, CISSP
Lee Clemmer, SSCP, CISSP
Michael Dalton, SSCP, CISSP
Russ Rogers, CISSP
Jeffrey Posluns, SSCP, CISSP, Technical Editor



Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or
production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results
to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work
is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state
to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or
other incidental or consequential damages arising out from the Work or its contents. Because some
states do not allow the exclusion or limitation of liability for consequential or incidental damages, the
above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when
working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author
UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Mission
Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress
Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of
their respective companies.
KEY   SERIAL NUMBER
001   FG3BV9UF7Y
002   K7QVNPV43A
003   5X829CT63C
004   A947FH8HY9
005   Z6T7PT25NR
006   BCE43TN8MS
007   G6AP3SH8XK
008   9MQ8N42DD7
009   SKEUU766BH
010   DF57ZWV24K

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
SSCP Study Guide & DVD Training System

Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of
America. Except as permitted under the Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings
may be entered, stored, and executed in a computer system, but they may not be reproduced for
publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-80-9
Technical Editor: Jeffrey Posluns
Cover Designer: Michael Kavish
Technical Reviewer: Tony Piltzecker
Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Catherine B. Nolan
Copy Editor: Judy Eby
DVD Production: Michael Donovan
Indexer: Odessa&Cie
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.




Acknowledgments
We would like to acknowledge the following people for their kindness and support
in making this book possible.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner,
Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell,
Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea
Tetrick, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of
Publishers Group West for sharing their incredible marketing experience and
expertise.
Duncan Enright, AnnHelen Lindeholm, David Burton, Febea Marinetti, and Rosie
Moss of Elsevier Science for making certain that our vision remains worldwide in
scope.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim,
Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with
which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene
Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates
for all their help and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at
Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley
of Woodslane for distributing our books throughout Australia, New Zealand, Papua
New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of
Syngress books in the Philippines.


Contributors
Lee Clemmer (SSCP, CISSP, RHCE, CCNA, SGCE, SGCA, MCSE,
CCSA, Sun Solaris Certified Engineer) is a Founder and Chief Security
Consultant with Higher Ground Networks, LLC. His areas of expertise
range from Internet penetration testing and security auditing to information security systems architecture. Headquartered in Atlanta, GA, Higher
Ground Networks delivers technical and strategic information security
expertise to clients in the southeastern United States. Lee’s experience
with Linux and various versions of UNIX, coupled with his depth of
experience with Microsoft’s offerings, make him the firm’s key resource
for cross-platform security designs. Lee’s background includes positions
such as Senior Security Consultant with Kent Technologies, and Director
of Secure Networks with Xcelerate Corp. Lee holds a bachelor’s degree
from the University of Georgia, and is a member of the ISSA, USENIX,
and SAGE organizations.
Michael Dalton (SSCP, CISSP, CCNA, MCSE, CISA) is an Information
Security Specialist with a Fortune 500 insurance benefits company in
North America. Michael works in the Information Protection practice on
the Compliance Review Team. His primary work responsibilities include
Internet and extranet firewall reviews, Information Protection Systems
Development Lifecycle (SDLC) application reviews, and external service
provider security posture assessments. Michael holds a bachelor’s degree
from Central Connecticut State University and is an ISSA-CT and ISACA
member. Michael currently resides in Weatouge, CT with his incredibly
supportive wife, Kimberly, and two sons, Benjamin and John Clark.
Joshua G. Jacobs (SSCP, MCSA, MCP, A+) is the Technology
Administrator for Reynolds, Bone & Griesbeck, PLC. He has an extensive
background in systems administration as well as Web application design
and development. Joshua provides support for the firm’s network as well
as client networks throughout the South. His specialties include security
information management, Intranet development, firewall administration,
policy development, and support for various operating systems including
Novell NetWare, Windows 2000 and AIX. Joshua’s recent work also
includes Web application development and custom software scripting to
automate application deployment. Joshua, his wife, Heather, and their two
sons, Owen and Joshua II, live in Collierville, TN. He would like to thank
his wife for her love and continuous support that made it possible for him
to contribute to this book.
Russ Rogers (CISSP, IAM) is the President of Security Horizon, Inc.
Security Horizon is a veteran-owned small business, based in Colorado
Springs, CO, specializing in professional security services and training.
It is one of only two companies with a Cooperative Research and
Development Agreement (CRADA) with the National Security Agency
(NSA) to teach their INFOSEC Assessment Methodology (IAM). Russ’s
background includes network vulnerability assessments, organizational
assessments using the NSA IAM, security policy development, and
training assessors on the IAM. His experience spans positions in military
intelligence, system administration, security administration, commercial
and Department of Defense assessments, and special security project
development. Russ holds a master’s degree in Computer Systems
Management from the University of Maryland and is a member of the
Information System Security Association (ISSA), International Who’s Who
in Information Technology, International Information Systems Security
Certification Consortium (ISC)2, and a regular contributor to the annual
Black Hat Security conference.
Robert J. Shimonski (Security+, Sniffer SCP, Cisco CCDP, CCNP,
Nortel NNCSS, MCSE, MCP+I, Master CNE, CIP, CIBS, CWP, CIW,
GSEC, GCIH, Server+, Network+, i-Net+, A+, e-Biz+, TICSA, SPS) is
the Lead Network Engineer and Security Analyst for Thomson Industries,
a leading manufacturer and provider of linear motion products and engineering. One of Robert’s responsibilities is to use multiple network analysis tools to monitor, baseline, and troubleshoot an enterprise network
comprised of many protocols and media technologies.
Robert currently hosts an online forum for TechTarget.com and is
referred to as the “Network Management Answer Man,” where he offers
daily solutions to seekers of network analysis and management advice.
Robert’s other specialties include network infrastructure design with the
Cisco and Nortel product line for enterprise networks. Robert also provides network and security analysis using Sniffer Pro, Etherpeek, the
CiscoSecure Platform (including PIX Firewalls), and Norton’s AntiVirus
Enterprise Software.
Robert has contributed to many articles, study guides and certification
preparation software, Web sites, and organizations worldwide, including
MCP Magazine, TechTarget.com, BrainBuzz.com, and SANS.org. Robert
holds a bachelor’s degree from SUNY, NY and is a part time Licensed
Technical Instructor for Computer Career Center in Garden City, NY
teaching Windows-based and Networking Technologies. Robert is also a
contributing author for Configuring and Troubleshooting Windows XP
Professional (Syngress Publishing, ISBN: 1-928994-80-6), BizTalk Server
2000 Developer’s Guide for .NET (Syngress, ISBN: 1-928994-40-7), Sniffer
Pro Network Optimization & Troubleshooting Handbook (Syngress, ISBN:
1-931836-57-4), MCSE Implementing and Administering Security in a
Windows 2000 Network Study Guide & DVD Training System (Syngress,
ISBN: 1-931836-84-1) and is Technical Editor for Security+ Study Guide &
DVD Training System (Syngress, ISBN: 1-931836-72-8).

Norris L. Johnson, Jr. (Security+, MCSA, MCSE, CTT+, A+, Linux+,
Network +, CCNA) is a technology trainer and owner of a consulting
company in the Seattle-Tacoma area. His consultancies have included
deployments and security planning for local firms and public agencies, as
well as providing services to other local computer firms in need of
problem solving and solutions for their clients. He specializes in Windows
NT 4.0, Windows 2000, and Windows XP issues, providing consultation
and implementation for networks, security planning, and services. In addition to consulting work, Norris provides technical training for clients and
teaches for area community and technical colleges. He is co-author of
Security+ Study Guide & DVD Training System (Syngress Publishing, ISBN:
1-931836-72-8), Configuring and Troubleshooting Windows XP Professional
(Syngress, ISBN: 1-928994-80-6), and Hack Proofing Your Network, Second
Edition (Syngress, ISBN: 1-928994-70-9). Norris has also performed technical edits and reviews on Hack Proofing Windows 2000 Server (Syngress,
ISBN: 1-931836-49-3) and Windows 2000 Active Directory, Second Edition
(Syngress, ISBN: 1-928994-60-1). Norris holds a bachelor’s degree from
Washington State University. He is deeply appreciative of the support of
his wife, Cindy, and three sons in helping to maintain his focus and efforts
toward computer training and education.
Jeremy Faircloth (Security+, CCNA, MCSE, MCP+I, A+) is a Senior IT
Engineer for Gateway, Inc., where he develops and maintains enterprisewide client/server and Web-based technologies. He also acts as a technical
resource for other IT professionals, using his expertise to help others
expand their knowledge. As an analyst with over 10 years of real world IT
experience, he has become an expert in many areas including Web development, database administration, enterprise security, network design, and project management. Jeremy is a contributor to several Syngress publications
including Hack Proofing XML (ISBN: 1-931836-50-7), ASP .NET
Developer’s Guide (ISBN: 1-928994-51-2), and Security+ Study Guide &
DVD Training System (ISBN: 1-931836-72-8). Jeremy currently resides in
Dakota City, NE and wishes to thank Christina Williams and Austin
Faircloth for their support in his various technical endeavors.
Michael Cross (Security+, MCSE, MCP+I, CNA, Network+) is an
Internet Specialist and Programmer with the Niagara Regional Police
Service, and has also served as their Network Administrator. He performs
computer forensic examinations on computers involved in criminal investigations, and has consulted and assisted in cases dealing with computerrelated/Internet crimes. He is responsible for designing and maintaining
their Web site at www.nrps.com, as well as their Intranet. Michael programs applications used by various units of the Police Service, has been
responsible for network security and administration, and continues to
assist in this regard. Michael is part of an Information Technology team
that provides support to a user base of over 800 civilian and uniform
users. His theory is that when the users carry guns, you tend to be more
motivated in solving their problems.
Michael also owns KnightWare, a company that provides Web page
design and various other services. In addition to this company, he has
been a freelance writer for several years, and published over three dozen
times in numerous books and anthologies. He is a contributing author to
Scene of the Cybercrime: Computer Forensics Handbook (Syngress Publishing,
ISBN: 1-931836-65-5) and the Security+ Study Guide & DVD Training
System (Syngress, ISBN: 1-931836-72-8). He currently resides in St.
Catharines, Ontario, Canada with his lovely wife, Jennifer, and his darling
daughter, Sara.
F. William Lynch (Security+, SCSA, CCNA, LPI-I, MCSE, MCP,
Linux+, A+) is co-author for Hack Proofing Sun Solaris 8 (Syngress
Publishing, ISBN: 1-928994-44-X), Hack Proofing XML (Syngress, ISBN:
1-931836-50-7), Security+ Study Guide & DVD Training System (Syngress,
ISBN: 1-931836-72-8), and Hack Proofing Your Network, Second Edition
(Syngress, ISBN: 1-928994-70-9). He is an independent security and systems administration consultant and specializes in firewalls, virtual private
networks, security auditing, documentation, and systems performance
analysis. William has served as a consultant to multinational corporations
and the Federal government including the Centers for Disease Control
and Prevention headquarters in Atlanta, GA as well as various airbases of
the United States Air Force. He is also the Founder and Director of the
MRTG-PME project, which uses the MRTG engine to track systems
performance of various UNIX-like operating systems. William holds a
bachelor’s degree in Chemical Engineering from the University of
Dayton in Dayton, OH and a master’s of Business Administration from
Regis University in Denver, CO.
Debra Littlejohn Shinder (MCSE) is author of Scene of the Cybercrime:
Computer Forensics Handbook (Syngress Publishing, ISBN: 1-931836-65-5),
co-author of Configuring ISA Server 2000: Building Firewalls for Windows
2000 (Syngress, ISBN: 1-928994-29-6) and Troubleshooting Windows 2000
TCP/IP (Syngress, ISBN: 1-928994-11-3), as well as a contributor to
numerous other technical books. Along with her husband, Dr. Thomas W.
Shinder, Deb does network consulting in the Dallas-Ft. Worth area, designs
Web sites for businesses, municipalities and non-profit organizations, and
teaches in the Dallas County Community College District’s technical
training programs. As a former police officer and Police Academy instructor,
she specializes in computer/network security and forensics.

Deb has written hundreds of articles for Web and print publications
such as TechRepublic, CNET, Swynk.com, BrainBuzz.com, and WinXP
News. She has also written numerous online courses for DigitalThink, Inc.
and prepared curricula for classroom instruction. She has contributed to
Microsoft’s TechNet, and speaks at conferences such as the Black Hat
Security briefings and Certification Expo. She edits the A+ weekly
newsletter for CramSession and writes a weekly feature for the Net
Admin News.
Deb has been writing since she finished her first (still unpublished)
novel in ninth grade. She edited her high school and college newspapers
and wrote and edited newsletters for city employees and police associations. Prior to entering the tech field, she had articles published in law
enforcement and self-help psychology publications. She is a member of
the IEEE’s IPv6 Working Group and has written and tech edited questions for various certification practice exams.


Technical Reviewer
Tony Piltzecker (Security+, CISSP, MCSE, CCNA, Check Point
CCSA, Citrix CCA), author of the CCSA Exam Cram, is a Network
Architect with Planning Systems Inc., providing network design and support for federal and state agencies. Tony’s specialties include network security design, implementation, and testing. Tony’s background includes
positions as a Senior Networking Consultant with Integrated Information
Systems and a Senior Engineer with Private Networks, Inc. Tony holds a
bachelor’s degree in Business Administration, and is a member of ISSA.
Tony is a contributing author to Security+ Study Guide & DVD Training
System (Syngress Publishing, ISBN: 1-931836-72-8) and MCSE
Implementing and Administering Security in a Windows 2000 Network Study
Guide & DVD Training System (Syngress, ISBN: 1-931836-84-1). Tony
currently resides in Leominster, MA with his wife, Melanie, and his
daughter, Kaitlyn.

Technical Editor
Jeffrey Posluns (SSCP, CISSP, CISA, CCNP, CCDA, GSEC) is the
Founder of SecuritySage, a leading-edge information security and privacy
consulting firm. Jeffrey oversees and directs the professional services
teams, product reviews, and innovative product development. Jeffrey has
over 11 years experience specializing in security methodologies, audits
and controls. He has extensive expertise in the analysis of hacker tools and
techniques, intrusion detection, security policies, forensics, and incident
response. Jeffrey is an industry-recognized leader known for his ability to
identify trends, resolve issues, and provide the highest quality of customer
service, educational seminars, and thought-provoking presentations. Prior
to SecuritySage, Jeffrey founded and co-founded several e-commerce and
security initiatives, where he served as President and/or Chief Technology
Officer. His responsibilities included such areas as the strategy and implementation of corporate initiatives, project management, professional and
managed services, as well as research and development. He has also
authored a variety of security-specific books, white papers, financial and
security-related software, and security toolkits. Jeffrey is looked to as an
authority to speak on IT security related issues and trends at conferences,
in the media, and law enforcement forums. He is a regular speaker at
industry conferences organized by such groups as the Information
Systems Audit and Control Association (ISACA) and the Association of
Certified Fraud Examiners (ACFE). Jeffrey is also a trainer for the CISSP
certification course.



About the Study Guide &
DVD Training System
In this book, you’ll find lots of interesting sidebars designed to highlight the most important concepts being presented in the main text. These include the following:

Exam Warnings focus on specific elements on which the reader needs to focus in order to pass the exam.

Test Day Tips are short tips that will help you in organizing and remembering information for the exam.

Notes from the Underground contain background information that goes beyond what you need to know from the exam, providing a deep foundation for understanding the security concepts discussed in the text.

Damage and Defense relate real-world experiences to security exploits while outlining defensive strategies.

Head of the Class discussions are based on the author’s interactions with students in live classrooms and the topics covered here are the ones students have the most problems with.

Each chapter also includes hands-on exercises. It is important that you work through these exercises in order to be confident you know how to apply the concepts you have just read about.

You will find a number of helpful elements at the end of each chapter. For example, each chapter contains a Summary of Exam Objectives that ties the topics discussed in that chapter to the published objectives. Each chapter also contains an Exam Objectives Fast Track, which boils all exam objectives down to manageable summaries that are perfect for last minute review. The Exam Objectives Frequently Asked Questions answers those questions that most often arise from readers and students regarding the topics covered in the chapter. Finally, in the Self Test section, you will find a set of practice questions written in a multiple-choice form similar to those you will encounter on the exam. You can use the Self Test Quick Answer Key that follows the Self Test questions to quickly determine what information you need to review again. The Self Test Appendix at the end of the book provides detailed explanations of both the correct and incorrect answers.

Additional Resources

There are two other important exam preparation tools included with this Study Guide. One is the DVD included in the back of this book. The other is the practice exam available from our website.

Instructor-led training DVD provides you with almost two hours of virtual classroom instruction. Sit back and watch as an author and trainer reviews all the key exam concepts from the perspective of someone taking the exam for the first time. Here, you’ll cut through all of the noise to prepare you for exactly what to expect when you take the exam for the first time. You will want to watch this DVD just before you head out to the testing center!

Web-based practice exams. Just visit us at www.syngress.com/certification to access a complete Exam Simulation. These exams are written to test you on all of the published certification objectives. The exam simulator runs in both “live” and “practice” mode. Use “live” mode first to get an accurate gauge of your knowledge and skills, and then use practice mode to launch an extensive review of the questions that gave you trouble.


241_SSCP_TOC.qxd

1/27/03

2:44 PM

Page xv

Table of Contents and (ISC)2 SSCP Common Body of Knowledge (CBK)

All seven domains of (ISC)2’s published Common Body of Knowledge (CBK) for the SSCP Exam are covered in this book. We’ve devoted one complete chapter to each of the seven domains. To help you easily find coverage for each, we’ve referenced each domain under the corresponding chapter title in the following Table of Contents. By reading this study guide and following the corresponding domain list, you can be sure that you have studied 100% of (ISC)2’s SSCP CBK.

Chapter 1 SSCP Certification Overview
  Introduction
  (ISC)2
    Systems Security Certified Practitioner
    Certified Information Systems Security Professional
  Overview of the SSCP Domains
    Domain One: Access Controls
      Specialty Areas
      Product Types
      Standards and Methodologies
    Domain Two: Administration
      Specialty Areas
      Product Types
      Standards and Methodologies
    Domain Three: Audit and Monitoring
      Specialty Areas
      Product Types
      Standards and Methodologies
    Domain Four: Risk, Response, and Recovery
      Specialty Areas




      Product Types
      Standards and Methodologies
    Domain Five: Cryptography
      Specialty Areas
      Product Types
      Standards and Methodologies
    Domain Six: Data Communications
      Specialty Areas
      Product Types
      Standards and Methodologies
    Domain Seven: Malicious Code or Malware
      Specialty Areas
      Product Types
      Standards and Methodologies
  Summary

Chapter 2 Access Controls

Domain 1: The access controls area includes the mechanisms
that allow a system manager to specify what users and
processes can do, which resources they can access, and what
operations they can perform.

  Introduction
  Access Control Objectives
    Obtaining Access
      Identification
      Authentication
      Authorization
    Assurance
      Confidentiality
      Integrity
      Availability
      Accountability and Logging
  Authentication Types
    Something You Know
    Something You Have
    Something You Are



    Authentication Type Combinations
    Enterprise Authentication
      Single Sign-On
      Remote Access Authentication
  Password Administration
    Selecting a Password
    Managing Passwords
    Auditing Passwords
  Access Control Policies
    Access Control Policy Types
      Preventive
      Corrective
      Detective
    Access Control Policy Implementations
      Administrative
      Logical/Technical
      Physical
  Access Control Methodologies
    Centralized
    Decentralized
  Access Control Models
    Discretionary Access Control
    Mandatory Access Control
    Non-Discretionary
    Formal Models
      Bell-LaPadula
      Biba
      Clark-Wilson
  Administrating Access Control
    Account Administration
    Determining Rights and Permissions
    Management of Access Control Objects
    Monitoring
    Securing Removable Media
    Management of Data Caches
  Methods of Attack
    Dictionary Attack



    Brute Force Attack
    Denial of Service Attacks
    Spoofing
    Man In The Middle Attacks
    Spamming
    Sniffers
  Monitoring
    Intrusion Detection Systems
    Alarms
    Audit Trails
    Violation Reports
  Penetration Testing
    Methodology
    Identifying Weaknesses
  Summary of Exam Objectives
  Exam Objectives Fast Track
  Exam Objectives Frequently Asked Questions
  Self Test
  Self Test Quick Answer Key

Chapter 3 Administration

Domain 2: The administration area encompasses the security
principles, policies, standards, procedures and guidelines used
to identify, classify and ensure the confidentiality, integrity
and availability of an organization’s information assets. It also
includes roles and responsibilities, configuration management,
change control, security awareness, and the application of
accepted industry practices.

  Introduction
  Principles
    System Accountability
    Multifactor Authentication
    Principle of Least Privilege
  Goals of Information Security
    Confidentiality
    Integrity



Availability ……………………………………………………112
Access Control ………………………………………………112
Mandatory Access Control ………………………………112
Discretionary Access Control ……………………………113
Role-based Access Control ………………………………113
Consider the Entire Life Cycle of Information………………115
Terms and Definitions ……………………………………………117
Involvement with Development Groups …………………………119
Quality Assurance, Audit, and InfoSec Need
to be Involved ………………………………………………119
Ensuring that Policies, Laws, and Contractual
Obligations are Respected …………………………………120
Certifying the Security Functionality ………………………120
Certifying Processing Integrity ………………………………121
Operational Testing …………………………………………121
Separation of Duties ……………………………………………122
Control Mechanisms and Policies ……………………………123

Development Staff Should Not Conduct Evaluation
or Testing ……………………………………………………124
Security Administrators Should Not Perform Audit Tasks……124
Individuals Should Not Be Responsible for
Approving Their Own Work ………………………………124
Risk Assessment …………………………………………………125
Potential Vulnerabilities …………………………………………130
Malicious Code ………………………………………………130
Data Problems ………………………………………………131
Access Problems………………………………………………132
System Architecture: Modes of Operation ………………………133
System High Mode …………………………………………134
Compartment Mode …………………………………………134
Multilevel Secure Mode ……………………………………134
Change Control …………………………………………………135
Tools …………………………………………………………139
System Security Architecture Concepts …………………………139
Hardware Segmentation………………………………………139
Reference Monitor …………………………………………140
High Security Mode …………………………………………140



Data Protection Mechanisms …………………………………140
Data Classification ……………………………………………142
Employment Policies and Practices ………………………………144
Separation of Duties …………………………………………144
The Hiring Process …………………………………………144
Background Checks ………………………………………144
Employment Agreements …………………………………145
Termination Policies …………………………………………147
Awareness…………………………………………………………148
Security Management Planning …………………………………150
Define the Mission and Determine Priorities ………………151
Determine the Risks and Threats to Priority Areas …………151
Create a Security Plan to Address Threats ……………………152
Develop Security Policies …………………………………152
Perform Security Assessments ……………………………153
Identify Security Solutions ………………………………153
Identify Costs, Benefits, and Feasibility……………………153
Get Upper Management Buy-In ……………………………153
Summary of Exam Objectives ……………………………………155
Exam Objectives Fast Track ………………………………………159
Exam Objectives Frequently Asked Questions …………………164
Self Test …………………………………………………………167
Self Test Quick Answer Key………………………………………174
Chapter 4 Audit and Monitoring ………………………………175

Domain 3: The monitoring area includes those mechanisms, tools, and
facilities used to identify, classify, prioritize, respond to, and
report on security events and vulnerabilities. The audit function
provides the ability to determine if the system is being operated in
accordance with accepted industry practices, and in compliance with
specific organizational policies, standards, and procedures.

Introduction ………………………………………………………176
Security Audits……………………………………………………181
Internal versus External Auditors ……………………………185
Auditing Process ……………………………………………188


Auditing Methods ………………………………………………190
Audit Data Sources ………………………………………………192
Audit Subsystem ……………………………………………192
System Events ………………………………………………195
Sampling and Data Extraction ………………………………195
Retention Periods ……………………………………………196
Audit Trails……………………………………………………196

Audit Trail Integrity ………………………………………196
Checklist Audits ………………………………………………198
Penetration Testing……………………………………………201
Wardialing ……………………………………………………206
Social Engineering……………………………………………210
Monitoring Methods and Mechanisms …………………………211
Scorecards ……………………………………………………212
Intrusion Detection Systems …………………………………212
Pattern Recognition (Signature Based)……………………213
Anomaly Detection ………………………………………213
Log Watching …………………………………………………214
Event Monitoring ……………………………………………215
Trend Analysis ………………………………………………215
Summary of Exam Objectives ……………………………………216
Exam Objectives Fast Track ………………………………………218
Exam Objectives Frequently Asked Questions …………………221
Self Test …………………………………………………………223
Self Test Quick Answer Key………………………………………228
Chapter 5 Risk, Response, and Recovery ……………………229
Domain 4: The risk, response, and recovery area encompasses the roles
of a security administrator in the risk analysis, emergency response,
disaster recovery, and business continuity processes, including the
assessment of system vulnerabilities, the selection and testing of
safeguards, and the testing of recovery plans and procedures. It also
addresses knowledge of incident handling, including the acquisition,
protection, and storage of evidence.




Introduction ………………………………………………………230
Risk Management Cycle …………………………………………230
Education ……………………………………………………235
Methods of Providing Education …………………………237
Analysis ………………………………………………………238
Testing ………………………………………………………241
Validation ……………………………………………………243
Risks and Threats …………………………………………………245
Different Types of Risks and Threats …………………………246
Environmental Risks and Threats …………………………247
Deliberate Risks and Threats ……………………………247
Accidental Risks and Threats ……………………………251
Risk Mitigation …………………………………………………254
Identifying the Risks that Need Mitigating …………………257
Asset Identification ………………………………………258
Risk Mitigation Analysis ……………………………………261
Disaster Recovery and Business Continuity Plans ………………268
Disaster Recovery Plan ………………………………………271

Backups……………………………………………………273
Alternate Sites ……………………………………………279
Incident Investigation ……………………………………………282
The Goals ……………………………………………………282
The Tools ……………………………………………………285
Policies ……………………………………………………285
Tracing Tools………………………………………………289
Log Analysis ………………………………………………292
Crime Scene Analysis ……………………………………292
Documentation ……………………………………………293
Investigation Steps ……………………………………………294
Preparation ………………………………………………294
Detection …………………………………………………296
Containment………………………………………………298
Eradication ………………………………………………298
Recovery …………………………………………………299
Follow Up…………………………………………………299
Computer Forensics………………………………………………300
What Your Role Is ………………………………………301



Chain of Custody ……………………………………………305
Preservation of Evidence ……………………………………307
Collection of Evidence ………………………………………309
Summary of Exam Objectives ……………………………………314
Exam Objectives Fast Track ………………………………………315
Exam Objectives Frequently Asked Questions …………………317
Self Test …………………………………………………………319
Self Test Quick Answer Key………………………………………324
Chapter 6 Cryptography …………………………………………325
Domain 5: The cryptography area addresses the principles,
means and methods used to disguise information to ensure its
integrity, confidentiality, authenticity and non-repudiation.

Introduction ………………………………………………………326
What Cryptography Offers ………………………………………328
Steganography ………………………………………………329
Encryption Algorithms …………………………………………330
Asymmetric Encryption Algorithms …………………………330
Diffie-Hellman Algorithm ………………………………331
RSA Algorithm ……………………………………………332
Digital Signature Algorithm ………………………………333
Symmetric Encryption Algorithms …………………………333
Data Encryption Standard Algorithm ……………………334
Triple DES Algorithm ……………………………………335
Advanced Encryption Standard Algorithm ………………335
International Data Encryption Algorithm ………………337
SkipJack……………………………………………………337
Hashing Algorithm Functions ………………………………337
Message Digest 4 …………………………………………338

Message Digest 5 …………………………………………338
SHA-1 (160-bit) …………………………………………339
Encryption Methods ……………………………………………342
Stream Ciphers ………………………………………………346
Block Ciphers ………………………………………………346
Cipher Block Chaining Mode ……………………………347
Cipher Feedback Mode …………………………………348


Electronic Code Book Mode ……………………………349
Output Feedback Mode …………………………………350
Digital Signatures ……………………………………………350
Key Types ……………………………………………………352
Private Key ………………………………………………352
Public Key…………………………………………………352
Hybrid Key ………………………………………………353
Key Management Issues………………………………………353
Problems with Key Selection…………………………………354

Public Key Infrastructure …………………………………………355
Certificates ……………………………………………………358
X.509 ……………………………………………………359
Certificate Policies ………………………………………361
Certificate Practice Statements ……………………………362
Revocation……………………………………………………362
Certificate Revocation List ………………………………363
Trust Models …………………………………………………364
Single CA Model …………………………………………364
Standards and Protocols ………………………………………366
Key Management Lifecycle …………………………………368
Centralized versus Decentralized ……………………………368
Storage ………………………………………………………369
Hardware Key Storage versus Software Key Storage ……369
Private Key Protection ……………………………………371
Escrow ………………………………………………………371
Expiration ……………………………………………………373
Revocation……………………………………………………373
Recovery ……………………………………………………374
Key Recovery Information ………………………………374
Renewal………………………………………………………375
Destruction …………………………………………………376
Key Usage ……………………………………………………376
Multiple Key Pairs (Single, Dual) …………………………377
Using a Short Password to Generate a Long Key…………377
Cryptographic Attacks ……………………………………………380
Brute Force …………………………………………………380


