Simple CISSP - Phil Martin (PDF)

Title: Simple CISSP - Phil Martin
File Size: 1.3 MB
Total Pages: 417
Table of Contents
About the Author
About the Exam
What’s in This Book
How to Use This Book
Security and Risk Management Domain
	From Vulnerability to Exposure
	Administrative, Technical and Physical Controls
	Security Frameworks
		ISO 27000 Series
		Enterprise Architecture Development
			The Open-Group Architecture Framework
			Department of Defense Architecture Framework
			Ministry of Defence Architecture Framework
			Sherwood Applied Business Security Architecture
		Architecture Framework Terms
			Strategic Alignment
			Business Enablement
			Process Enhancement
			Security Effectiveness
		Frameworks for Implementation
			NIST SP 800-53
		Process Development
			Six Sigma
			Capability Maturity Model Integration
		The Process Life Cycle
	Computer Crime Law
		Computer Crime
			Safe Harbor
			Import and Export Law
		Types of Legal Systems
			Civil (Code) Law System
			Common Law System
			Customary Law System
			Religious Law System
			Mixed Law System
		Intellectual Property
			Trade Secret
			Protection of Intellectual Property
			Federal Privacy Act of 1974
			Federal Information Security Management Act of 2002
			Department of Veterans Affairs Information Security Protection Act
			Health Insurance Portability and Accountability Act
			Health Information Technology for Economic and Clinical Health Act (HITECH)
			USA Patriot Act
			Gramm-Leach-Bliley Act
			Personal Information Protection and Electronic Documents Act
			Payment Card Industry Data Security Standard
			Economic Espionage Act of 1996
			International Data Breaches
	Policies, Standards, Baselines, Guidelines and Procedures
	All About Risk Management
		Information Systems Risk Management
		The Risk Management Team
		The Risk Management Process
	Modeling Threats
		Reduction Analysis
	Assessing and Analyzing Risk
		Risk Analysis Team
		Calculating Value
		Identifying Vulnerabilities and Threats
		Methodologies for Risk Assessment
		Risk Analysis Approaches
			Quantitative Risk Analysis
			Qualitative Risk Analysis
		Protection Mechanisms
		Total Risk vs. Residual Risk
	Managing Risk
		Categorize Information System
		Select Security Controls
		Implement Security Controls
		Assess Security Controls
		Authorize Information System
		Monitor Security Controls
	Business Continuity and Disaster Recovery
		Standards and Best Practices
		Making BCM Part of the Enterprise Security Program
		BCP Project Components
	Personnel Security
		Hiring practices
		Security-Awareness Training
	Security Governance
Asset Security Domain
	Information Life Cycle
	Information Classification
		Classification Levels
		Classification Controls
	Layers of Responsibility
		Executive Management
		Data Owner
		Data Custodian
		System Owner
		Security Administrator
		Change Control Analyst
		Data Analyst
	Retention Policies
	Protecting Privacy
		Data Owners
		Data Processors
		Data Remanence
		Limits on Collection
	Protecting Assets
		Data Security Controls
		Media Controls
	Data Leakage
		Data Leak Prevention
		Implementation, Testing and Tuning
		Network DLP
		Endpoint DLP
		Hybrid DLP
	Protecting Other Assets
		Protecting Mobile Devices
		Paper Records
Security Engineering Domain
	System Architecture
	Computer Architecture
		The Central Processing Unit
		Memory Types
			Random Access memory
			Read-Only Memory
			Cache Memory
			Memory Mapping
			Buffer Overflows
			Memory Leaks
	Operating Systems
		Process Management
		Thread Management
		Process Activity
		Memory Management
		Virtual Memory
		Input/Output Device Management
		CPU Architecture Integration
		Operating System Architectures
		Virtual Machines
	System Security Architecture
		Security Policy
		Security Architecture Requirements
			Trusted Computer Base
			Security Perimeter
			Reference Monitor
			Security Kernel
	Security Models
		Bell-LaPadula Model
		Biba Model
		Clark-Wilson Model
		Noninterference Model
		Brewer and Nash Model
		Graham-Denning Model
		Harrison-Ruzzo-Ullman Model
	Systems Evaluation
	Certification vs. Accreditation
	Open vs. Closed Systems
	Distributed System Security
		Cloud Computing
		Parallel Computing
		Web Applications
		Mobile Devices
		Cyber-Physical Systems
		Industrial Control Systems
	A Few Threats to Review
	The History of Cryptography
	Cryptography Definitions and Concepts
		Kerckhoff’s Principle
		The Strength of the Cryptosystem
		Services of Cryptosystems
		One-Time Pad
		Running and Concealment Ciphers
	Types of Ciphers
	Methods of Encryption
		Symmetric Cryptography
		Asymmetric Cryptography
		Block Ciphers
		Stream Ciphers
		Block vs. Stream Ciphers
		Initialization Vectors
		Strong Encryption Algorithm Techniques
	Types of Symmetric Systems
		Data Encryption Standard
		Advanced Encryption Standard
		International Data Encryption Algorithm
	Types of Asymmetric Systems
		Diffie-Hellman Algorithm
		El Gamal
		Elliptic Curve Cryptosystems
		Zero Knowledge Proof
	Message Integrity
		The One-Way Hash
			Cipher-Based Message Authentication Code
		Attacks Against One-Way Hash Functions
		Digital Signatures
		Digital Signature Standard
	Public Key Infrastructure
		Certificate Authorities
		PKI Steps
	Key Management
	Trusted Platform Module
	Attacks on Cryptography
		Ciphertext-Only Attacks
		Known-Plaintext Attacks
		Chosen-Plaintext Attacks
		Chosen-Ciphertext Attacks
		Differential Cryptanalysis
		Linear Cryptanalysis
		Side-Channel Attacks
		Replay Attacks
		Analytical Attacks
		Social Engineering Attacks
		Meet-in-the-Middle Attacks
	Site and Facility Security
	The Site Planning Process
		Crime Prevention Through Environmental Design
			Natural Access Control
			Natural Surveillance
			Natural Territory Reinforcement
		Designing a Physical Security Program
			Entry Points
			Computer and Equipment Rooms
	Protecting Assets
		Protecting Mobile Devices
		Using Safes
	Internal Support Systems
		Electric Power
		Environmental Issues
		Fire Control
			Fire Prevention
			Fire Detection
			Fire Suppression
Communication and Network Security Domain
	Open Systems Interconnection Reference Model
		Application Layer
		Presentation Layer
		Session Layer
		Transport Layer
		Network Layer
		Data Link Layer
		Physical Layer
		Functions and Protocols in the OSI Model
			Data Link
		Other Protocols
		TCP/IP Model
		TCP and UDP
		The TCP Handshake
		Layer 2 Security Standards
		Converged Protocols
	Types of Transmission
		Analog and Digital
		Asynchronous and Synchronous
		Broadband and Baseband
		Pulling It All Together (So Far)
		Coaxial Cable
		Twisted-Pair Cable
		Fiber-Optic Cable
		Cabling Problems
		Media Access Technologies
			Token Passing
			Token Ring
		Transmission Methods
		Network Protocols and Services
			Address Resolution Protocol
			Dynamic Host Configuration Protocol
			Internet Control Message Protocol
			Simple Network Management Protocol
		Domain Name Service
		E-Mail Services
		Network Address Translation
		Routing Protocols
	Networking Devices
		Repeaters, Hubs, Bridges, Switches and Routers
			Dynamic Packet-Filtering
			Kernel Proxy
			Firewall Architectures
		Proxy Servers
		Honeypots and Tarpits
		Unified Threat Management
		Content Distribution Networks
		Software Defined Networking
	Intranets and Extranets
	Local Area Networks
	Wide Area Networks
	Metropolitan Area Networks
	Multiservice Access Technologies
	Remote Connectivity
		Communication Options
		Authentication Protocols
	Wireless Networks
		Wireless Communication Techniques
		WLAN Architecture
		Wireless Standards
		Other Wireless Networks
	Network Encryption
		Link and End-to-End Encryption
		Email Encryption
		Internet Security
	Network Attacks
		Denial of Service
		DNS Hijacking
		Drive-by Download
Identity and Access Management Domain
	Security Principles
	Identification, Authentication, Authorization, and Accountability
			Identity Management
				Web Access Management
			Managing Passwords
				Self-Service Password Reset
				Assisted Password Reset
				Single Sign-On
			Managing Accounts
			Access Criteria
			Default to No Access
			Security Domains
			Access Control and Markup Languages
		Identity Services
	Access Control Models
		Discretionary Access Control
		Mandatory Access Control
		Role-Based Access Control
		Rule-Based Access Control
	Access Control Techniques and Technologies
	Access Control Administration
		Centralized Access Control Administration
		Decentralized Access Control Administration
	Access Control Methods
	Implementing Access Control
	Monitoring and Reacting to Access Control
	Threats to Access Control
Security Assessment and Testing Domain
	Audit Strategies
		The Process
		Internal Audit Teams
		Third-Party (External) Audit teams
		Service Organization Controls
	Auditing Technical Controls
		Vulnerability Testing
		Penetration testing
		War Dialing
		Log Reviews
		Synthetic Transactions
		Misuse Case Testing
		Code Reviews
		Interface Testing
	Auditing Administration Controls
		Account Management
		Backup Verification
		Disaster Recovery and Business Continuity
		Security Training and Security Awareness Training
		Key Performance and Risk Indicators
		Technical Reporting
		Executive Summaries
	Management Review
Security Operations Domain
	Operations Department Roles
	Administrative Management
		Security and Network Personnel
		Clipping Levels
	Assurance Levels
	Operational Responsibilities
	Configuration Management
	Physical Security
		Personnel Access Controls
		External Boundary Protection Mechanisms
			Surveillance Devices
			Intrusion Detection Systems
			Patrol Force and Guards
		Auditing Physical Access
	Secure Resource Provisioning
	Network and Resource Availability
	Preventative Measures
	Managing Incidents
	Disaster Recovery
		Business Process Recovery
		Facility Recovery
		Supply and Technology Recovery
		Choosing a Software Backup Facility
		End-User Environment
		Data Backup Alternatives
		Electronic Backup Solutions
		High Availability
	Recovery and Restoration
		Developing Goals for the Plans
		Implementing Strategies
		Computer Forensics and Proper Collection of Evidence
		Motive, Opportunity and Means
		Computer Criminal Behavior
		Incident Investigators
		The Forensic Investigation Process
		What is Admissible in Court?
		Surveillance, Search and Seizure
		Interviewing Suspects
	Liability and Its Ramifications
Software Development Security Domain
	Defining Good Code
	Where Do We Place Security?
		Environment vs. Application
		Implementation and Default Issues
	Software Development Life Cycle
		Project Management
		Requirements Gathering Phase
		Design Phase
		Development Phase
		Testing/Validation Phase
		Release/Maintenance Phase
	Software Development Models
	Integrated Product Team
	Capability Maturity Model Integration
	Change Control
	Programming Languages and Concepts
		Assemblers, Compilers, Interpreters
		Object-Oriented Concepts
	Distributed Computing
		Distributed Computing Environment
		CORBA and ORBs
		COM and DCOM
		Java Platform, Enterprise Edition
		Service-Oriented Architecture
	Mobile Code
	Web Security
		Administrative Interfaces
		Authentication and Access Control
		Input Validation
		Parameter Validation
		Session Management
		Web Application Security Best Practices
	Database Management
		Database Management Software
		Database Models
		Database Programming Interfaces
		Relational Database Components
		Data Warehousing and Data Mining
	Malicious Software (Malware)
		Spyware and Adware
		Logic Bombs
		Trojan Horses
		Spam Detection
		Antimalware Programs
	Security and Risk Management Domain Outline
	Asset Security Domain Outline
	Security Engineering Domain Outline
	Communication and Network Security Domain Outline
	Identity and Access Management Domain Outline
	Security Assessment and Testing Domain Outline
	Security Operations Domain Outline
	Software Development Security Domain Outline
Document Text Contents
Page 2

Overview of Contents

Security and Risk Management Domain

Asset Security Domain

Security Engineering Domain

Communication and Network Security Domain

Identity and Access Management Domain

Security Assessment and Testing Domain

Security Operations Domain

Software Development Security Domain



Page 208

• The number of remote administrators should be limited

Physical Security
Physical security should always be layered – for example, using outdoor lighting, fences, locked doors
and a vault provides 4 layers of defense. Even more protection is afforded when the controls are
diversified. An example of diversity of controls might be requiring unique keys for all locks, instead of
having a single key. Facilities should define two modes of operation – one for ‘open’ hours during which
people are actively entering and exiting the facility, and another mode for ‘closed’ hours with
significantly reduced traffic. Physical security access controls require both physical and technical
components. By far the best security mechanisms are personnel, but they are also the most expensive.
Security personnel need to be trained on not only what activity is considered to be suspicious, but also
how to report that activity.

Access control points can be in 1 of 3 categories:

• Main (primary personnel entrance and exit)
• Secondary (such as side doors)
• External (such as doors for delivery)

Many people consider door locks to be a secure mechanism, but they are really only delaying devices – they
will only slow down a determined intruder. When considering the strength of a lock, the surrounding area
must also be examined, such as the door, door frame, hinges and the surrounding wall. For example, the
strongest lock on the heaviest door does no good if you can simply punch a hole in the wall next to the
door. There are quite a few different types of mechanical locks. A warded lock is the simplest, and is
represented by your basic padlock with a key. The next step up is a tumbler lock, which comes in 3 flavors:

• Wafer tumbler lock – file cabinet locks - uses wafers instead of pins and is fairly easy to beat
• Pin tumbler lock – door lock - the key raises individual pins, allowing the cylinder to rotate
• Lever tumbler lock – safe locks - uses moving levers to unlock

Locks vary in degrees of ability to resist destructive forces:

• Grade 1 - Commercial and industrial
• Grade 2 - Heavy-duty residential/light-duty commercial
• Grade 3 - Residential/consumer

Cylinder locks come in 3 levels of security in terms of their resistance to lock picking (opening a lock
without the required key):

• Low security – no resistance
• Medium security – some resistance
• High security – resistance provided through multiple mechanisms (Grade 1 or Grade 2 locks)


There are multiple methods an attacker can use to defeat locks, but the most common are:

• Tension wrench – an L-shaped tool that manipulates pins
• Raking – a tool that applies pressure against pins while quickly removing
• Bumping – a tool that uses a bump key to force pins into the right position

Page 209

Keys must be properly managed throughout their lifetime, from assignment through periodic inventory to
final destruction. Most facilities will possess a master key that opens all locks, and one or more
submaster keys that each open a specific range of doors.

A different type of mechanical lock is called a combination lock. This lock uses one or more internal
spinning wheels that require an external spin control to be rotated both clockwise and counterclockwise
by the operator. An electrical version has a keypad instead of a spin control.

Cipher locks somewhat resemble electric combination locks in that they also have a keypad, but are
actually small programmable computers. Some features they provide are:

• Door delay – if the door is held open, an alarm triggers
• Key override – a specific code can be used to override normal procedures
• Master keying – supervisors can change access codes and features
• Hostage alarm – a special code can be used to communicate duress

Cipher locks normally support a fail-safe mode in which the door automatically unlocks in the event of a
power failure to allow people to escape. Changing the codes on this type of lock is important, as the keys
will eventually appear faded or worn from repeated use of the same code, making it much easier for an
attacker to guess the actual code. Upper-end cipher locks are called smart locks, and are capable of
making access decisions based on specific conditions such as time of day or specific user codes.
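As an added illustration (not code from the book), the cipher-lock features listed above expressed as the decision logic of a small simulated controller: door-delay alarm, key override, master keying, hostage (duress) code, fail-safe release on power loss, and a smart-lock time-of-day rule. All codes, user names and the 30-second door-delay threshold are constructed sample values, and treating the duress code as granting entry while raising a silent alarm is an assumption of this model.

```python
from dataclasses import dataclass, field


@dataclass
class CipherLock:
    """Constructed model of the cipher-lock features described in the text."""
    user_codes: dict                 # code -> (user name, (first_hour, end_hour))
    override_code: str               # key override: bypasses the normal rules
    duress_code: str                 # hostage alarm: signals coercion
    supervisor_code: str             # master keying: may reprogram user codes
    door_delay_s: int = 30           # door delay: alarm if held open longer
    alarms: list = field(default_factory=list)   # events for the monitoring station
    unlocked: bool = False

    def enter_code(self, code: str, hour: int) -> str:
        """Access decision for one keypad entry made at the given hour (0-23)."""
        if code == self.duress_code:
            # Assumption: entry is granted so the coerced user is not exposed,
            # while a silent alarm is raised for responders.
            self.alarms.append(("DURESS", hour))
            self.unlocked = True
            return "GRANTED"
        if code == self.override_code:
            self.alarms.append(("OVERRIDE_USED", hour))  # always worth logging
            self.unlocked = True
            return "GRANTED"
        entry = self.user_codes.get(code)
        if entry is None:
            self.alarms.append(("BAD_CODE", hour))
            return "DENIED"
        user, (start, end) = entry
        if not start <= hour < end:                   # smart-lock time-of-day rule
            self.alarms.append(("OUT_OF_HOURS", user, hour))
            return "DENIED"
        self.unlocked = True
        return "GRANTED"

    def door_held_open(self, seconds: int) -> bool:
        """Door delay: True (and an alarm) when the door stays open too long."""
        if seconds > self.door_delay_s:
            self.alarms.append(("DOOR_HELD_OPEN", seconds))
            return True
        return False

    def change_code(self, supervisor_code: str, user: str,
                    new_code: str, hours: tuple) -> bool:
        """Master keying: only the supervisor code may (re)program user codes."""
        if supervisor_code != self.supervisor_code:
            self.alarms.append(("UNAUTHORIZED_PROGRAMMING",))
            return False
        # Retire the user's old code so a worn-in code stops working.
        self.user_codes = {c: v for c, v in self.user_codes.items() if v[0] != user}
        self.user_codes[new_code] = (user, hours)
        return True

    def power_failure(self) -> bool:
        """Fail-safe: loss of power releases the lock so occupants can leave."""
        self.unlocked = True
        return self.unlocked
```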

Device locks prevent hardware devices from being stolen or accessed in specific ways:

• Switch controls – covers on/off switches
• Slot locks – secures mobile systems to a stationary component using a steel cable
• Port controls – blocks access to disk drives or USB ports
• Peripheral Switch controls – inserts an on/off switch between a peripheral and the system
• Cable traps – prevent removal of I/O devices by passing the device’s cable through a lockable


Personnel Access Controls
Electronic devices that require authorization before allowing a person into a secured area are called
personnel access controls. These devices usually read some type of card, but can be biometric-enabled
and require 2 factors of authentication. The cards may be memory cards or smart cards, both of which we
have already covered. A user-activated reader is a device that requires the user to initiate the
interaction, such as by swiping a card. A system sensing access control reader (transponder)
automatically senses an approaching person and reads the card wirelessly. A proximity detection device
that identifies and authenticates a person is called an electronic access control token (EAC token).

The biggest threat to personnel access control mechanisms is a form of piggybacking, in which an
unauthorized person gains access by using another person’s credentials. Normally the individual
simply follows an authorized person through a door without providing credentials. Sometimes the term
tailgating is also used – the difference between the two is that piggybacking can occur with the
authorized individual’s consent, while with tailgating the authorized individual is not aware. Tailgating
is a type of piggybacking. In either case the best preventative is to have a security guard present.

External Boundary Protection Mechanisms
Boundary protection mechanisms are used to control pedestrian and vehicle flow, provide different
security zones, to provide delaying mechanisms and to control entry points. There are 6 types of control

• Access control mechanisms – locks, card access systems, personnel awareness

Page 416

voice over IP, 169
voice print, 195
voicemail system, 169
VoIP, 169
volatile, 67, 269
volatile memory, 269
voltage instability, 117
voltage regulators, 118
volumetric system, 250
VPLS, 167
VPN, 173
VRRP, 154
VSAT, 182
v-shaped model, 283
vulnerability, 14
vulnerability mapping (pen testing), 228
vulnerability testing, 225


wafer tumbler lock, 245
WAM, 191
WAN, 164
war dialing, 172, 228
warded lock, 245
war-dialing, 222
warez, 29
warm site, 261
Wassenaar Arrangement, 26
watchdog timer, 70
waterfall model, 282
wave-pattern motion detector, 250
WBS, 278
weaponization (kill chain), 257
web access management, 191
web services, 203
well-formed transaction, 78
well-known port, 131
WEP, 177
wet chemical (fire suppression), 120
wet pipe (fire suppression), 121
whaling attack, 151
white box test, 225
white noise, 216
wide-area network, 164
Wi-Fi protected access, 178
wired equivalent protocol, 177
wireless network, 176
wireless personal area network, 181
work breakdown structure, 278

Page 417

work factor, 88
work recovery time, 259
working image, 272
worm, 300
wormhole attack, 154
WPA, 178
WPA2, 178
WPAN, 181
WRT, 259


X.25, 166, 167
X.500, 190, 193
X.509, 105
XACML, 203
Xmas attack, 218
XML, 202
XOR, 89
XP, 284
XSS, 293


Zachman, 17
zero knowledge, 228
zero knowledge proof, 102
zero-day vulnerability, 281
zombie, 24, 187
zoom, 249
