CISSP Guide to Security Essentials
Peter Gregory
Australia • Brazil • Japan • Korea • Mexico • Singapore • Spain • United Kingdom • United States

CISSP Guide to Security Essentials,
Peter Gregory
Vice President, Career and Professional Editorial: Dave Garza
Executive Editor: Stephen Helba
Managing Editor: Marah Bellegarde
Senior Product Manager: Michelle Ruelos Cannistraci
Editorial Assistant: Sarah Pickering
Vice President, Career and Professional Marketing: Jennifer McAvey
Marketing Director: Deborah S Yarnell
Senior Marketing Manager: Erin Coffin
Marketing Coordinator: Shanna Gibbs
Production Director: Carolyn Miller
Production Manager: Andrew Crouth
Content Project Manager: Andrea Majot
Art Director: Jack Pendleton
Cover photo: iStock.com
Production Technology Analyst:
as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.
For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706. For permission to use material from this text or product, submit all requests online at cengage.com/permissions. Further permissions questions can be emailed to permissionrequest@cengage.com.
Library of Congress Control Number: 2009925212
ISBN-13: 978-1-435-42819-5
ISBN-10: 1-435-42819-6
Course Technology
20 Channel Center Street Boston, MA 02210 USA
Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region
Cengage Learning products are represented in Canada by Nelson Education, Ltd.
For your lifelong learning solutions, visit course.cengage.com. Visit our corporate website at www.cengage.com.
Notice to the Reader
Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.
Microsoft and the Office logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Course Technology, a part of Cengage Learning, is an independent entity from the Microsoft Corporation, and not affiliated with Microsoft in any manner. Any fictional data related to persons or companies or URLs used throughout this book is intended for instructional purposes only. At the time this book was printed, any such data was fictional and not belonging to any real persons or companies.
Course Technology, the Course Technology logo, and the Shelly Cashman Series ® are registered trademarks used under license.
Adobe, the Adobe logos, Authorware, ColdFusion, Director, Dreamweaver, Fireworks, FreeHand, JRun, Flash, and Shockwave are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. All other names used herein are for identification purposes only and are trademarks of their respective owners.
Course Technology, a part of Cengage Learning, reserves the right to revise this publication and make changes from time to time in its content without notice. The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational purposes. The author and the publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the programs.
Printed in the United States of America
1 2 3 4 5 6 7 12 11 10 09
Brief Table of Contents
INTRODUCTION XXV
LAB REQUIREMENTS XXXV
CHAPTER 1 Information Security and Risk Management 1
CHAPTER 2 Access Controls 35
CHAPTER 3 Application Security 77
CHAPTER 4 Business Continuity and Disaster Recovery Planning 125
CHAPTER 5 Cryptography 157
CHAPTER 6 Legal, Regulations, Compliance and Investigations 199
CHAPTER 7 Operations Security 233
CHAPTER 8 Physical and Environmental Security 269
CHAPTER 9 Security Architecture and Design 305
CHAPTER 10 Telecommunications and Network Security 343
APPENDIX A The Ten Domains of CISSP Security 401
APPENDIX B The (ISC)2 Code of Ethics 408
GLOSSARY 411
INDEX 428
Table of Contents
INTRODUCTION XXV
LAB REQUIREMENTS XXXV
CHAPTER 1 Information Security and Risk Management 1
Organizational Mission, Objectives, and Goals 3
Mission 3
Objectives 3
Goals 4
Security Support of Mission, Objectives, and Goals 4
Risk Management 4
Risk Assessment 5
Qualitative Risk Assessment 5
Quantitative Risk Assessment 5
Quantifying Countermeasures 6
Geographic Considerations 7
Specific Risk Assessment Methodologies 7
Risk Treatment 7
Risk Avoidance 8
Risk Reduction 8
Risk Acceptance 8
Risk Transfer 8
Residual Risk 8
Security Management Concepts 8
Security Controls 9
The CIA Triad 9
Confidentiality 9
Integrity 10
Availability 10
Defense in Depth 10
Single Points of Failure 11
Fail Open, Fail Closed, Fail Soft 11
Privacy 12
Personally Identifiable Information 12
Security Management 12
Security Executive Oversight 13
Security Governance 13
Security Policy, Guidelines, Standards, and Procedures 14
Policies 14
Policy Standards 14
Policy Effectiveness 15
Requirements 15
Guidelines 15
Standards 15
Procedures 16
Security Roles and Responsibilities 16
Service Level Agreements 17
Secure Outsourcing 17
Data Classification and Protection 17
Sensitivity Levels 18
Information Labeling 18
Handling 19
Destruction 20
Certification and Accreditation 20
Internal Audit 20
Security Strategies 20
Personnel Security 21
Hiring Practices and Procedures 21
Non-Disclosure Agreement 21
Consent to Background Verification 21
Background Verification 22
Offer Letter 22
Non-Compete 22
Intellectual Property Agreement 23
Employment Agreement 23
Employee Handbook 23
Formal Job Descriptions 23
Termination 23
Work Practices 24
Separation of Duties 24
Job Rotation 24
Mandatory Vacations 24
Security Education, Training, and Awareness 25
Professional Ethics 25
Chapter Summary 26
Key Terms 27
Review Questions 30
Hands-On Projects 32
Case Projects 34
CHAPTER 2 Access Controls 35
Controlling Access to Information and Functions 36
Identification and Authentication 37
Authentication Methods 37
How Information Systems Authenticate Users 38
How a User Should Treat Userids and Passwords 39
How a System Stores Userids and Passwords 39
Strong Authentication 39
Two-Factor Authentication 39
Biometric Authentication 41
Authentication Issues 42
Access Control Technologies and Methods 43
LDAP 43
Active Directory 44
RADIUS 44
Diameter 44
TACACS 44
Kerberos 44
Single Sign-On 45
Reduced Sign-On 45
Access Control Attacks 46
Buffer Overflow 46
Script Injection 47
Data Remanence 47
Denial of Service 48
Dumpster Diving 48
Eavesdropping 48
Emanations 49
Spoofing and Masquerading 49
Social Engineering 50
Phishing 50
Pharming 52
Password Guessing 52
Password Cracking 52
Malicious Code 53
Access Control Concepts 53
Principles of Access Control 53
Separation of Duties 54
Least Privilege 54
Least Privilege and Server Applications 54
User Permissions on File Servers and Applications 54
Least Privilege on Workstations 55
Types of Controls 55
Technical Controls 55
Physical Controls 55
Administrative Controls 56
Categories of Controls 56
Detective Controls 56
Deterrent Controls 57
Preventive Controls 58
Corrective Controls 58
Recovery Controls 58
Compensating Controls 59
Using a Defense in Depth Control Strategy 59
Example 1: Protected Application 60
Example 2: Protected Facility 60
Testing Access Controls 61
Penetration Testing 61
Application Vulnerability Testing 62
Audit Log Analysis 62
Chapter Summary 63
Key Terms 64
Review Questions 67
Hands-On Projects 69
Case Projects 75
CHAPTER 3 Application Security 77
Types of Applications 78
Agents 78
Applets 79
Client-server Applications 79
Distributed Applications 81
Web Applications 82
Application Models and Technologies 83
Control Flow Languages 83
Structured Languages 83
Object Oriented Systems 83
Object Oriented Programming 83
Class 84
Object 84
Method 84
Encapsulation 84
Inheritance 84
Polymorphism 84
Distributed Object Oriented Systems 84
Knowledge-based Applications 84
Neural Networks 85
Expert Systems 85
Threats in the Software Environment 85
Buffer Overflow 86
Types of Buffer Overflow Attacks 86
Stack Buffer Overflow 86
NOP Sled Attack 86
Heap Overflow 86
Jump-to-Register Attack 87
Historic Buffer Overflow Attacks 87
Buffer Overflow Countermeasures 87
Malicious Software 88
Types of Malicious Software 89
Viruses 89
Worms 90
Trojan Horses 90
Rootkits 91
Bots 92
Spam 92
Pharming 93
Spyware and Adware 93
Malicious Software Countermeasures 94
Anti-virus 94
Anti-rootkit Software 95
Anti-spyware Software 95
Anti-spam Software 95
Firewalls 96
Decreased Privilege Levels 96
Penetration Testing 97
Hardening 98
Input Attacks 98
Types of Input Attacks 99
Input Attack Countermeasures 99
Object Reuse 100
Object Reuse Countermeasures 100
Mobile Code 100
Mobile Code Countermeasures 101
Social Engineering 101
Social Engineering Countermeasures 101
Back Door 101
Back Door Countermeasures 102
Logic Bomb 102
Logic Bomb Countermeasures 102
Security in the Software Development Life Cycle 103
Security in the Conceptual Stage 103
Security Application Requirements and Specifications 104
Security in Application Design 104
Threat Risk Modeling 105
Security in Application Coding 105
Common Vulnerabilities to Avoid 105
Use Safe Libraries 106
Security in Testing 106
Protecting the SDLC Itself 107
Application Environment and Security Controls 108
Authentication 108
Authorization 108
Role-based Access Control 108
Audit Log 109
Audit Log Contents 109
Audit Log Protection 109
Databases and Data Warehouses 109
Database Concepts and Design 110
Database Architectures 110
Hierarchical Databases 110
Network Databases 110
Relational Databases 110
Object Oriented Databases 111
Distributed Databases 111
Database Transactions 111
Database Security Controls 112
Access Controls 112
Views 112
Chapter Summary 112
Key Terms 113
Review Questions 116
Hands-On Projects 119
Case Projects 122
CHAPTER 4 Business Continuity and Disaster Recovery Planning 125
Business Continuity and Disaster Recovery Planning Basics 126
What Is a Disaster? 126
Natural Disasters 127
Man-Made Disasters 127
How Disasters Affect Businesses 127
Direct Damage 127
Transportation 127
Communications 128
Utilities 129
How BCP and DRP Support Data Security 129
BCP and DRP Differences and Similarities 129
Industry Standards 129
Benefits of BCP and DRP Planning 130
The Role of Prevention 130
Running a BCP/DRP Project 131
Pre-project Activities 131
Obtaining Executive Support 131
Defining the Scope of the Project 131
Choosing Project Team Members 132
Developing a Project Plan 132
Developing a Project Charter 133
Performing a Business Impact Analysis 133
Survey In-Scope Business Processes 133
Information Collection 134
Information Consolidation 135
Threat and Risk Analysis 135
Threat Analysis 135
Risk Analysis 135
Determine Maximum Tolerable Downtime (MTD) 136
Develop Statements of Impact 136
Recording Other Key Metrics 136
Ascertain Current Continuity and Recovery Capabilities 137
Developing Key Recovery Targets 137
Recovery Time Objective (RTO) 137
Recovery Point Objective (RPO) 137
Criticality Analysis 138
Establishing Ranking Criteria 138
Complete the Criticality Analysis 139
Improving System and Process Resilience 139
Identifying Risk Factors 139
Developing Business Continuity and Disaster Recovery Plans 139
Selecting Recovery Team Members 140
Emergency Response 141
Damage Assessment and Salvage 141
Notification 141
Personnel Safety 142
Communications 142
Public Utilities and Infrastructure 143
Electricity 143
Water 144
Natural Gas 144
Wastewater Treatment 144
Steam 144
Logistics and Supplies 144
Fire Protection 145
Business Resumption Planning 145
Restoration and Recovery 146
Improving System Resilience and Recovery 146
Off-Site Media Storage 146
Server Clusters 147
Data Replication 147
Training Staff on Business Continuity and Disaster Recovery Procedures 148
Testing Business Continuity and Disaster Recovery Plans 148
Document Review 148
Walkthrough 148
Simulation 149
Parallel Test 149
Cutover Test 149
Maintaining Business Continuity and Disaster Recovery Plans 149
Chapter Summary 150
Key Terms 151
Review Questions 153
Hands-On Projects 155
Case Projects 156
CHAPTER 5 Cryptography 157
Applications and Uses of Cryptography 158
Encryption Terms and Operations 159
Plaintext 159
Encryption 159
Decryption 159
Encryption Key 159
Encryption Methodologies 160
Methods of Encryption 160
Substitution 160
Transposition 160
Monoalphabetic 161
Polyalphabetic 161
Running Key Cipher 162
One-Time Pads 162
Types of Encryption 163
Block Ciphers 163
Block Cipher Modes of Operation 163
Electronic Codebook (ECB) 164
Cipher-block Chaining (CBC) 164
Cipher Feedback (CFB) 164
Output Feedback (OFB) 164
Counter (CTR) 166
Stream Ciphers 166
Types of Encryption Keys 167
Symmetric Keys 167
Asymmetric Key Cryptography 167
Key Exchange Protocols 168
Diffie-Hellman Key Exchange 168
Length of Encryption Keys 170
Protection of Encryption Keys 170
Protecting Symmetric Keys 170
Protecting Public Cryptography Keys 170
Protecting Encryption Keys Used by Applications 171
Cryptanalysis—Attacks on Cryptography 171
Frequency Analysis 172
Birthday Attacks 172
Ciphertext Only Attack 172
Chosen Plaintext Attack 172
Chosen Ciphertext Attack 172
Known Plaintext Attack 172
Man in the Middle Attack 172
Replay Attack 172
Application and Management of Cryptography 173
Uses for Cryptography 173
File Encryption 173
Disk Encryption 174
E-mail Security 174
Secure/Multipurpose Internet Mail Extensions (S/MIME) 174
PGP 174
PEM 174
MOSS 174
Secure Point to Point Communications 175
SSH 175
IPSec 175
SSL and TLS 175
Web Browser and e-Commerce Security 175
Secure Hypertext Transfer Protocol (S-HTTP) 176
Secure Electronic Transaction (SET) 176
Cookies: Used for Session and Identity Management 176
Virtual Private Networks 177
Key Management 178
Key Creation 178
Key Protection and Custody 178
Key Rotation 178
Key Destruction 178
Key Escrow 179
Message Digests and Hashing 179
Digital Signatures 179
Digital Certificates 180
Non-Repudiation 181
Public Key Infrastructure (PKI) 181
Encryption Alternatives 181
Steganography 181
Watermarking 182
Chapter Summary 183
Key Terms 184
Review Questions 187
Hands-On Projects 190
Case Projects 196
CHAPTER 6 Legal, Regulations, Compliance, and Investigations 199
Computers and Crime 200
The Role of Computers in Crime 200
The Trend of Increased Threats in Computer Crimes 201
Categories of Computer Crimes 202
Military and Intelligence 202
Financial 203
Business 203
Grudge 203
“Fun” 204
Terrorist 204
Computer Crime Laws and Regulations 204
Categories of U.S. Laws 205
U.S. Laws 205
U.S. Intellectual Property Law 205
U.S. Privacy Law 206
U.S. Computer Crime Law 207
Canadian Laws 208
European Laws 209
Laws in Other Countries 210
Managing Compliance 210
Security Incident Response 212
Incident Declaration 212
Triage 213
Investigation 213
Analysis 213
Containment 214
Recovery 214
Debriefing 214
Incident Management Preventive Measures 215
Incident Response Training, Testing, and Maintenance 216
Incident Response Models 216
Reporting Incidents to Management 216
Investigations 217
Involving Law Enforcement Authorities 217
Forensic Techniques and Procedures 218
Identifying and Gathering Evidence 219
Evidence Collection Techniques 219
Preserving Evidence 220
Chain of Custody 220
Presentation of Findings 221
Ethical Issues 221
Codes of Conduct 221
RFC 1087: Ethics and the Internet 221
The (ISC)2 Code of Ethics 222
Guidance on Ethical Behavior 223
Chapter Summary 224
Key Terms 225
Review Questions 227
Hands-On Projects 230
Case Projects 231
CHAPTER 7 Operations Security 233
Applying Security Operations Concepts 234
Need-to-Know 235
Least Privilege 236
Separation of Duties 236
Job Rotation 237
Monitoring of Special Privileges 237
Records Management Controls 238
Data Classification 239
Access Management 239
Record Retention 240
Backups 241
Data Restoration 241
Protection of Backup Media 241
Offsite Storage of Backup Media 241
Data Destruction 242
Anti-Virus and Anti-Malware 242
Applying Defense-In-Depth Malware Protection 243
Central Anti-Malware Management 243
Remote Access 243
Risks and Remote Access 244
Administrative Management and Control 245
Types and Categories of Controls 246
Employing Resource Protection 246
Facilities 246
Hardware 247
Software 248
Documentation 249
Incident Management 249
High Availability Architectures 250
Fault Tolerance 251
Clusters 251
Failover 252
Replication 252
Business Continuity Management 253
Vulnerability Management 253
Penetration Testing 253
Application Scanning 254
Patch Management 254
Change Management 255
Configuration Management 256
Operations Attacks and Countermeasures 256
Social Engineering 256
Sabotage 256
Theft and Disappearance 257
Extortion 257
Bypass 257
Denial of Service 257
Chapter Summary 258
Key Terms 260
Review Questions 262
Hands-On Projects 264
Case Projects 266
CHAPTER 8 Physical and Environmental Security 269
Site Access Security 270
Site Access Control Strategy 270
Site Access Controls 270
Key Cards 271
Biometric Access Controls 274
Metal Keys 275
Mantraps 276
Security Guards 276
Guard Dogs 277
Access Logs 277
Fences and Walls 278
Video Surveillance 278
Camera Types 278
Recording Capabilities 280
Intrusion, Motion, and Alarm Systems 280
Visible Notices 281
Exterior Lighting 281
Other Physical Controls 282
Secure Siting 282
Natural Threats 284
Man-Made Threats 285
Other Siting Factors 286
Protection of Equipment 286
Theft Protection 286
Damage Protection 287
Fire Protection 288
Fire Extinguishers 288
Smoke Detectors 288
Fire Alarm Systems 289
Automatic Sprinkler Systems 289
Gaseous Fire Suppression 290
Cabling Security 291
Environmental Controls 292
Heating and Air Conditioning 292
Humidity 292
Electric Power 293
Line Conditioner 293
Uninterruptible Power Supply (UPS) 293
Electric Generator 294
Redundant Controls 294
Chapter Summary 295
Key Terms 297
Review Questions 298
Hands-On Projects 301
Case Projects 302
CHAPTER 9 Security Architecture and Design 305
Security Models 306
Bell-LaPadula 307
Biba 307
Clark-Wilson 308
Access Matrix 308
Multi-level 309
Mandatory Access Control (MAC) 309
Discretionary Access Control (DAC) 309
Role-Based Access Control (RBAC) 310
Non-Interference 310
Information Flow 310
Information Systems Evaluation Models 310
Common Criteria 311
TCSEC 312
Trusted Network Interpretation (TNI) 312
ITSEC 312
SEI-CMMI 312
SSE-CMM 313
Certification and Accreditation 314
FISMA 314
DITSCAP 314
DIACAP 315
NIACAP 315
DCID 6/3 315
Computer Hardware Architecture 316
Central Processor 316
Components 316
Operations 316
Instruction Sets 317
Single Core and Multi-Core Designs 317
Single and Multi Processor Computers 318
CPU Security Features 318
Bus 318
Storage 320
Main Storage 320
Secondary Storage 320
Virtual Memory 321
Swapping 321
Paging 321
Communications 322
Firmware 322
Trusted Computing Base (TCB) 323
Reference Monitor 323
Security Hardware 323
Trusted Platform Module 323
Hardware Authentication 323
Security Modes 324
Software 324
Operating Systems 324
Subsystems 325
Programs, Tools, and Applications 326
Software Security Threats 327
Covert Channels 327
Side-Channel Attacks 328
State Attacks (TOCTTOU) 328
Emanations 328
Maintenance Hooks and Back Doors 328
Privileged Programs 328
Software Security Countermeasures 329
Sniffers and Other Analyzers 329
Source Code Reviews 329
Auditing Tools 329
Penetration Testing Tools 330
Chapter Summary 330
Key Terms 332
Review Questions 336
Hands-On Projects 339
Case Projects 341
CHAPTER 10 Telecommunications and Network Security 343
Telecommunications Technologies 344
Wired Telecom Technologies 344
DS-1 345
SONET 345
Frame Relay 346
ATM 346
DSL 346
MPLS 347
Other Wireline Technologies 348
Wireless Telecom Technologies 348
CDMA2000 348
GPRS 348
EDGE 349
UMTS 349
WiMAX 349
Other Wireless Telecom Technologies 349
Network Technologies 349
Wired Network Technologies 349
Ethernet 349
Ethernet Cable Types 349
Ethernet Frame Layout 350
Ethernet Error Detection 351
Ethernet MAC Addressing 351
Ethernet Devices 352
Token Ring 352
USB 353
RS-232 353
Other Wired Network Technologies 353
Network Cable Types 354
Network Topologies 355
Wireless Network Technologies 355
Wi-Fi 355
Wi-Fi Standards 356
Wi-Fi Security 356
Bluetooth 357
IrDA 357
Wireless USB 357
Near Field Communication 357
Network Protocols 357
The OSI Network Model 358
Physical 358
Data Link 358
Network 359
Transport 360
Session 360
Presentation 360
Application 360
TCP/IP 360
TCP/IP Link Layer 360
TCP/IP Internet Layer 361
Internet Layer Protocols 362
Internet Layer Routing Protocols 362
Internet Layer Addressing 363
TCP/IP Transport Layer 365
TCP Transport Protocol 365
UDP Transport Protocol 365
TCP/IP Application Layer 366
TCP/IP Routing Protocols 367
RIP 367
IGRP 368
EIGRP 368
OSPF 368
IS-IS 368
BGP 368
Remote Access/Tunneling Protocols 368
VPN 369
SSL/TLS 369
SSH 370
IPsec 370
L2TP 370
PPTP 370
PPP 370
SLIP 370
Network Authentication Protocols 370
RADIUS 371
Diameter 371
TACACS 371
802.1X 371
CHAP 371
EAP 372
PEAP 372
PAP 373
Network-Based Threats, Attacks, and Vulnerabilities 373
Threats 373
Attacks 373
DoS 373
DDoS 373
Teardrop 373
Sequence Number 373
Smurf 374
Ping of Death 374
SYN Flood 374
Worms 374
Spam 375
Phishing 375
Vulnerabilities 376
Unnecessary Open Ports 376
Unpatched Systems 376
Poor and Outdated Configurations 376
Exposed Cabling 376
Network Countermeasures 376
Access Control Lists 377
Firewalls 377
Intrusion Detection Systems (IDS) 377
Intrusion Prevention Systems (IPS) 378
Protect Network Cabling 378
Anti-Virus Software 378
Private Addressing 378
Close Unnecessary Ports and Services 378
Install Security Patches 378
UTM 379
Gateways 379
Chapter Summary 379
Key Terms 381
Review Questions 388
Hands-On Projects 391
Case Projects 398
APPENDIX A The Ten Domains of CISSP Security 401
Changes in the CBK 403
The Common Body of Knowledge 403
Domain 1: Access Controls 403
Domain 2: Application Security 404
Domain 3: Business Continuity and Disaster Recovery Planning 404
Domain 4: Cryptography 405
Domain 5: Information Security and Risk Management 405
Domain 6: Legal, Regulations, Compliance, and Investigations 405
Domain 7: Operations Security 406
Domain 8: Physical (Environmental) Security 406
Domain 9: Security Architecture and Design 406
Domain 10: Telecommunications and Network Security 406
Key Terms 407
APPENDIX B The (ISC)2 Code of Ethics 408
GLOSSARY 411
INDEX 428
Introduction

The information security industry is barely able to keep up. Cybercriminals and hackers always seem to be one step ahead, and new threats and vulnerabilities crop up at a rate that often exceeds our ability to continue protecting our most vital information and systems. Like other sectors in IT, security planners, analysts, engineers, and operators are expected to do more with less. Cybercriminals have never had it so good.

There are not enough good security professionals to go around. As a profession, information security in all its forms is relatively new. Fifty years ago there were perhaps a dozen information security professionals, and their jobs consisted primarily of making sure the doors were locked and that keys were issued only to personnel who had an established need for access. Today, whole sectors of commerce are doing virtually all of their business online, and other critical infrastructures such as public utilities are controlled online via the Internet. It's hard to find something that's not online these days. The rate of growth in the information security profession is falling way behind the rate of growth of critical information and infrastructures going online. This is making it all the more critical for today's and tomorrow's information security professionals to have a good understanding of the vast array of principles, practices, technologies, and tactics that are required to protect an organization's assets.
The CISSP (Certified Information Systems Security Professional) is easily the most recognized security certification in the business. CISSP is also one of the most difficult certifications to earn, because it requires knowledge in almost every nook and cranny of information technology and physical security. The CISSP is a jack-of-all-trades certification that, like that of a general practitioner physician, makes us ready for any threat that could come along.

The required body of knowledge for the CISSP certification is published and updated regularly. This book covers all of the material in the published body of knowledge, with each chapter clearly mapping to each of the ten categories within that body of knowledge. With the demand for security professionals at an all-time high, whether you are a security professional in need of a reference, an IT professional with your sights on the CISSP certification, or a course instructor, CISSP Guide to Security Essentials has arrived just in time.

Intended Audience
This book is written for students and professionals who want to expand their knowledge of computer, network, and business security. It is not necessary that the reader specifically target CISSP certification; while this book is designed to support that objective, the student or professional who desires to learn more about security, but who does not aspire to earn the CISSP certification at this time, will benefit from this book as equally as a CISSP candidate.
CISSP Guide to Security Essentials is also ideal for someone in a self-study program. The end of each chapter has not only study questions, but also Hands-On Projects and Case Projects that you can do on your own with a computer running Windows, MacOS, or Linux.
The structure of this book is designed to correspond with the ten domains of knowledge for the CISSP certification, called the Common Body of Knowledge (CBK). While this alignment will be helpful for the CISSP candidate who wants to align her study with the CBK, this is not a detriment to other readers. This is because the CBK domains align nicely with professional practices such as access control, cryptography, physical security, and other sensibly organized categories.
This book's pedagogical features will help all readers who wish to broaden their skills and experience in computer and business security. Each chapter contains several Hands-On Projects that guide the reader through several key security activities, many of which are truly hands-on with computers and networks. Each chapter also contains Case Projects that take the reader into more advanced topics to help them apply the concepts in the chapter.
Chapter Descriptions
Here is a summary of the topics covered in each chapter of this book:
Chapter 1, Information Security and Risk Management: … information and business security—security and risk management—by explaining how an … The chapter continues with risk management, security management and strategies, personnel security, and professional ethics.
Chapter 2, Access Controls: … continues with descriptions of the types of attacks that are carried out against access control systems. The chapter also discusses how an organization can test its access controls to make sure they are secure.
Chapter 3, Application Security: … software, application models, and technologies. The chapter continues by exploring threats to software applications and countermeasures to deal with them. It explores how to secure the software development life cycle—the process used for the creation and maintenance of application software. The chapter discusses application environment and security controls, and concludes with a discussion of the security of databases and data warehouses.
Chapter 4, Business Continuity and Disaster Recovery Planning: … and practices in business continuity planning and disaster recovery planning. The chapter provides a lengthy discourse on a practical approach to running a BCP/DRP project. Next, the chapter describes several approaches to testing BCP and DRP plans, and how such plans are maintained over time.
Chapter 5, Cryptography: … practice of hiding data in plain sight. The chapter continues with a discussion of the applications and uses of cryptography, and on the methodologies used by cryptographic algorithms. The chapter also includes a discussion of cryptography and key management.
Chapter 6, Legal, Regulations, Compliance, and Investigations: … the different types of computer crime and the various ways that computers are involved in criminal activity. The next discussion focuses on the types and categories of laws in the U.S. and other countries, with a particular focus on computer-related laws. The chapter continues with a discussion of security incident response, investigations, and computer forensics, and concludes with a discussion of ethical issues in the workplace.
Chapter 7, Operations Security: … security controls, concepts, and technologies into operation in an organization. The specific topics discussed include records management, backup, anti-virus, remote access, administrative access, resource protection, incident management, vulnerability management, change management, and configuration management. The chapter discusses resource protection, high-availability application architectures, and attacks and countermeasures for IT operations.
Chapter 8, Physical and Environmental Security: … controls for the physical protection of worksites that may include IT systems. The chapter discusses secure siting, which is the process of identifying risk factors associated with the location and features of an office building. The chapter provides an overview of fire prevention and suppression, theft prevention, and building environmental controls including electric power and heating, ventilation, and air conditioning.
Chapter 9, Security Architecture and Design: … developed and are still in use from the 1970s to the present. The chapter continues with a discussion of information system evaluation models including the Common Criteria. The chapter discusses computer hardware architecture and computer software, including operating systems, tools, utilities, and applications. Security threats and countermeasures in the context of computer software are also explored.
Chapter 10, Telecommunications and Network Security: … telecommunications and network technologies. The chapter examines the TCP/IP and OSI protocol models, and continues with a dissection of the TCP/IP protocol suite. The chapter addresses TCP/IP network architecture, protocols, addressing, devices, routing, authentication, access control, tunneling, and services. The chapter concludes with a discussion of network-based threats and countermeasures.
Appendix A, The Ten Domains of CISSP Security: … certification, and then describes the ten domains in the CISSP Common Body of Knowledge.
Appendix B, The (ISC)2 Code of Ethics: … Ethics, which every CISSP candidate is required to support and uphold. The Code of Ethics is a set of enduring principles to guide the behavior of every security professional.
The Glossary lists common information security and risk management terms that are found in this book.
• Common Body of Knowledge objectives included. Each chapter begins with the … the CISSP certification. This helps to remind the reader of the CISSP certification requirements for that particular topic.
• Chapter Objectives. Each chapter begins with a detailed list of the concepts to be mastered within that chapter. This list provides you with both a quick reference to the chapter's contents and a useful study aid.
• Illustrations and Tables. Numerous illustrations of security vulnerabilities, attacks, and defenses help you visualize security elements, theories, and concepts. In addition, the many tables provide details and comparisons of practical and theoretical information.
• Chapter Summaries. Each chapter's text is followed by a summary of the concepts introduced in that chapter. These summaries provide a helpful way to review the ideas covered in each chapter.
• Key Terms. All of the terms in each chapter that were introduced with bold text are gathered in a Key Terms list with definitions at the end of the chapter, providing additional review and highlighting key concepts.
• Review Questions. The end-of-chapter assessment begins with a set of review questions that reinforce the ideas introduced in each chapter. These questions help you evaluate and apply the material you have learned. Answering these questions will ensure that you have mastered the important concepts and provide valuable practice for taking the CISSP exam.
• Hands-On Projects. Although it is important to understand the theory behind network security, nothing can improve upon real-world experience. To this end, each chapter provides several Hands-On Projects aimed at providing you with practical security software and hardware implementation experience. These projects can be completed on Windows XP or Vista (and, in some cases, Windows 2000, MacOS, Linux). Some will use software downloaded from the Internet.
• Case Projects. Located at the end of each chapter are several Case Projects. In these extensive exercises, you implement the skills and knowledge gained in the chapter through real analysis, design, and implementation scenarios.
book. It is this author's opinion that the security professional's effectiveness in the workplace is a direct result of one's professional ethics and conduct.
Text and Graphic Conventions
Wherever appropriate, additional information and exercises have been added to this book to help you better understand the topic at hand. Icons throughout the text alert you to additional materials. The icons used in this textbook are described below.
The Note icon draws your attention to additional helpful material related to the subject being described.
Hands-On Projects in this book are preceded by the Hands-On icon and descriptions of the exercises that follow.
Case Project icons mark Case Projects, which are scenario-based assignments. In these extensive case examples, you are asked to implement independently what you have learned.
Companion CD-ROM
The accompanying CD includes 250 sample exam questions.
Information Security Community Site
The Information Security Community Site was created for students and instructors to find out about the latest in information security news and technology.
Visit www.community.cengage.com/security to:
■ Learn what’s new in information security through live news feeds, videos, and podcasts
■ Connect with your peers and security experts through blogs and forums
■ Download student and instructor resources, such as additional labs, instructional videos, and instructor materials
■ Browse our online catalog
Instructor's Materials
The following additional materials are available when this book is used in a classroom setting. All of the supplements available with this book are provided to the instructor on a single CD-ROM (ISBN: 143542820X). You can also retrieve these supplemental materials from the Course Technology Web site, www.course.com, by going to the page for this
Electronic Instructor's Manual: The Instructor's Manual that accompanies this textbook provides additional instructional material to assist in class preparation, including suggestions for lecture topics, suggested lab activities, tips on setting up a lab for the hands-on assignments, and solutions to all end-of-chapter materials.
ExamView Test Bank: This Windows-based testing software helps instructors design and administer tests and pretests. In addition to generating tests that can be printed and administered, this full-featured program has an online testing component that allows students to take tests at the computer and have their exams automatically graded.
PowerPoint Presentations: This book comes with a set of Microsoft PowerPoint slides for each chapter. These slides are meant to be used as a teaching aid for classroom presentations, to be made available to students on the network for chapter review, or to be printed for classroom distribution. Instructors are also at liberty to add their own slides to cover additional topics.
How to Earn and Maintain a CISSP Certification
In order to become CISSP certified, you must:
2 Register for an examination by completing and returning an application and paying the registration fee
3 Take and pass the CISSP certification exam
4 Provide evidence of the required five years of work experience
5 Submit a completed endorsement form
6 Have a criminal record that is free of disqualifying criminal convictions
7 Be in good standing in the information security industry
Note that some candidates will be audited, in order to confirm the facts of their application, before the CISSP certification is issued.
You will also be required to sign an agreement of support of the (ISC)2 code of ethics. Every CISSP is required to support the code of ethics; violations may result in the loss of your certification.
Once you earn your CISSP certification, you are required to earn CPE credits in order to retain your certification. You are required to complete 120 CPE credits every three years,
that security practices and technologies constantly change, which is why staying current is a requirement for keeping your CISSP. You will also be required to pay an annual fee to maintain your certification.
You are encouraged to volunteer your time and talent in the CISSP community. Opportunities include proctoring CISSP exams, writing CISSP exam questions, public speaking, at
org. A document called the CISSP Candidate Bulletin of Information is a helpful document
at (703) 891-6781
Photo and Image Credits
Figure 2-4 Courtesy of xkcd.com
Figure 2-6 Image copyright, 2009 Used under license with istockphoto.com
Figure 3-5 Redrawn with permission from S. Staniford, V. Paxson, and N. Weaver, "How to Own the Internet in Your Spare Time," Proc. USENIX Security Symposium 2002.
Figure 4-1 Courtesy of US Geological Survey
Figure 6-1 Copyright 2002 Carnegie Mellon University with special permission from the Software Engineering Institute
Figure 8-3 Courtesy of Rebecca Steele
Figure 8-4 Courtesy of Rebecca Steele
Figure 8-5 Image copyright, 2009 Used under license from istock.com
Figure 8-6 Courtesy of U.S Army Research Laboratory
Figure 8-8 Image copyright, 2009 Used under license from istock.com
Figure 8-9 Image copyright, 2009 Used under license from istock.com
Figure 8-12 Courtesy of Delta Scientific
Figure 9-2 Courtesy of Rebecca Steele
Figure 9-3 Courtesy of Rebecca Steele
Figure 9-4 Courtesy of Rebecca Steele
Figure 10-2 Courtesy of Rebecca Steele
Figure 10-3 Courtesy of Rebecca Steele
cert.org/archive/ppt/cyberterror.ppt, Copyright 2002 Carnegie Mellon University with special permission from the Software Engineering Institute
ANY CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL CONTAINED HEREIN IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
The Software Engineering Institute and Carnegie Mellon University do not directly or indirectly endorse this publication.
Special recognition goes to the book's technical reviewers. These are industry and academic subject matter experts who carefully read through the manuscript to make sure that it is both technically accurate and well organized, with accurate and understandable descriptions and explanations. This book's technical reviewers are:
• Dr. Barbara Endicott-Popovsky, the Director for the Center of Information Assurance and Cybersecurity at the University of Washington, designated by the NSA as a Center for Academic Excellence in Information Assurance Education
• Michael Simon, a leading expert in computer security, information assurance, and security policy development. Mike and I have also written two books together.
• Jim Drennan at Pensacola Junior College Center for Information and Engineering Technology, who provided valuable and thoughtful feedback in several important areas
• Faisal Abdullah at Lewis University also provided valuable information that prompted me to produce additional content
Special thanks to Kirk Bailey for his keen insight over the years and for fighting the good fight.
I am honored to have had the opportunity to work with this outstanding and highly professional group of individuals at Cengage Learning, together with the reviewers and others of you who never compromised on the pursuit of excellence.
About the Author
Peter H. Gregory, CISA, CISSP, DRCE, is the author of twenty books on information security and technology, including IT Disaster Recovery Planning For Dummies, Biometrics For Dummies, Securing the Vista Environment, and Solaris Security. He has spoken at numerous security conferences, including RSA, SecureWorld Expo, InfraGard, and the West Coast Security Forum.
Peter is the security and risk manager at a financial management services firm in Seattle. He is the lead instructor and advisory board member for the University of Washington's certificate program in information security, and an advisory board member and guest lecturer for the University of Washington's certificate program in information assurance. He is on the board of directors for the Washington State chapter of InfraGard, a graduate of the FBI Citizens Academy, and is active in the FBI Citizens Academy Alumni Association.
In his free time he enjoys the outdoors in Washington State with his wife and family.
in these non-technical labs, a computer with word processing, spreadsheet, or illustration software will be useful for collecting and presenting information.
Hardware and Software Requirements
These are all of the hardware and software requirements needed to perform the end-of-chapter Hands-On Projects:
• Windows XP Professional (in some projects, Windows 2000, MacOS, or a current Linux distribution are sufficient)
• An Internet connection and Web browser (e.g., Firefox or Internet Explorer)
• Anti-virus software
Specialized Requirements
The need for specialized hardware or software is kept to a minimum. However, the following chapters do require specialized hardware or software:
• Chapter 2: Zone Labs' Zone Alarm firewall
• Chapter 3: Secunia Personal Software Inspector (PSI), IBM/Watchfire AppScan
• Chapter 10: Notebook or desktop computer with a Wi-Fi NIC compatible with the Netstumbler tool
Free Downloadable Software is Required in the Following Chapters
Chapter 2:
• Zone Labs’ Zone Alarm firewall
• WinZip version 9 or newer
Chapter 3:
• Secunia Personal Software Inspector (PSI)
• Microsoft Threat Analysis & Modeling tool
Chapter 5:
• Wireshark
• SuperScan
• Netstumbler
Information Security and Risk Management
Topics in this Chapter:
• How Security Supports Organizational Mission, Goals and Objectives
The International Information Systems Security Certification Consortium (ISC)2 Common Body of Knowledge (CBK) defines the key areas of knowledge for Information Security and Risk Management in this way:
Information Security and Risk Management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and to rate their vulnerabilities so that effective security controls can be implemented.
Risk management is the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes overall security review, risk analysis; selection and evaluation of safeguards, cost benefit analysis, management decision, safeguard implementation, and effectiveness review.
The candidate will be expected to understand the planning, organization, and roles of individuals in identifying and securing an organization's information assets; the development and use of policies stating management's views and position on particular topics and the use of guidelines, standards, and procedures to support the policies; security awareness training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality, proprietary and private information; employment agreements; employee hiring and termination practices; and risk management practices and tools to identify, rate, and reduce the risk to specific resources.
Key areas of knowledge:
• Understand and document the goals, mission, and objectives of the organization
• Establish governance
• Understand concepts of availability, integrity, and confidentiality
• Apply the following security concepts in planning: defense in depth, avoid single paths of failure
• Develop and implement security policy
• Define the organization’s security roles and responsibilities
• Secure outsourcing
• Develop and maintain internal service level agreements
• Integrate and support identity management
• Understand and apply risk management concepts
• Evaluate personnel security
• Develop and conduct security education, training, and awareness
• Understand data classification concepts
• Evaluate information system security strategies
• Support certification and accreditation efforts
• Design, conduct, and evaluate security assessments
• Report security issues to management
• Understand professional ethics
Even though this domain is positioned as number 5 in the Certified Information Systems Security Professional (CISSP) common body of knowledge, it is placed first in this book because all security activities should take place as a result of security and risk management.
Organizational Mission, Objectives, and Goals
In order to be able to protect an organization's assets, it is first necessary to understand several basic characteristics of the organization, including its goals, mission, and objectives. All are statements that define what the organization desires to achieve and how it will proceed to achieve them. These three terms are described in more detail here.
Mission
The mission of an organization is a statement of its ongoing purpose and reason for existence. An organization usually publishes its mission statement, so that its employees, customers, suppliers, and partners are aware of the organization's stated purpose. Some example mission statements:
"Promote professionalism among information system security practitioners through the provisioning of professional certification and training."—(ISC)²
"Empower and engage people around the world to collect and develop educational content under a free license or in the public domain, and to disseminate it effectively and globally."—Wikimedia Foundation
"Help civilize the electronic frontier; to make it truly useful and beneficial not just to a technical elite, but to everyone; and to do this in a way which is in keeping with our society's highest traditions of the free and open flow of information and communication."—Electronic Frontier Foundation
An organization's security professionals need to be aware of their organization's mission, because it will, in part, influence how we approach the need to protect the organization's assets.
Objectives
The objectives of an organization are statements of activities or end-states that the organization wishes to achieve. Objectives support the organization's mission and describe how the organization will fulfill its mission.
Objectives are observable and measurable: people can determine whether or not the organization met them. Also, objectives do not necessarily specify how they will be completed, or by whom.
Sample organization objectives include:
“Obtain ISO 27001 certification by the end of third quarter.”
“Reduce development costs by twenty percent in the next fiscal year.”
“Complete the integration of CRM and ERP systems by the end of November.”
Security personnel need to know the organization's objectives and be involved in their fruition, so that the organization can achieve its objectives with the lowest reasonable level of risk.
Goals
While objectives describe desired end-states for an organization, goals are the specific accomplishments that will enable the organization to meet its objectives.
Security Support of Mission, Objectives, and Goals
Security professionals in an organization ought to be concerned with the reduction of risk through the proper activities and controls that protect assets and activities. We need to be involved in the key activities that the organization is undertaking.
management. This support comes in the form of priorities and resources that permit security professionals to be closely involved with key activities. This is discussed in greater detail later.
Risk Management
Risk management is the process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level. In the vernacular, this means: find the level of risk (associated with a given activity or asset) and do something about it if needed.
Two basic steps are performed in risk management: risk assessment and risk treatment. Risk assessment is used to identify risks, and risk treatment is used to manage the identified risks. These are discussed in the remainder of this section.
NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, is a high-quality standard for risk management. This document was developed by the U.S. National Institute of Standards and Technology, which develops security standards and guidelines for U.S. federal government information systems.
A qualitative risk assessment will typically identify a number of characteristics about an asset or activity, including:
• Vulnerabilities. These are weaknesses in design, configuration, documentation, procedure, or implementation.
• Threats. These are potential activities that would, if they occurred, exploit specific vulnerabilities.
• Threat probability. An expression of the likelihood that a specific threat will be carried out.
• Countermeasures. These are actual or proposed measures that reduce the risk associated with vulnerabilities or threats.
Here is an example. A security manager is performing a qualitative risk assessment on the assets in an IT environment. For each asset, the manager builds a chart that lists each threat, along with the probability of realization. The chart might resemble the list in Table 1-1.

Table 1-1 Risk assessment chart

Threat             | Probability | Impact | Countermeasures                                                                  | Residual risk
Earthquake damage  | M           | M      | Lateral rack bracing; attach all assets to racks                                 | L
Logical intrusion  | H           | M      | Network-based intrusion detection system; host-based intrusion detection system  | L

(H = high, M = medium, L = low)

This is an oversimplified example, but sometimes qualitative risk analysis won't be much more complicated than this, although a real risk analysis should list many more threats and countermeasures.

Quantitative Risk Assessment
A quantitative risk assessment can be thought of as an extension of a qualitative risk assessment. A quantitative risk assessment will include the elements of a qualitative risk assessment but will include additional items, including:
• Asset value. Usually this is a dollar figure that may represent the replacement cost of an asset, but could also represent income derived through the use of the asset.
• Exposure factor (EF). The proportion of an asset's value that is likely to be lost through a particular threat, usually expressed as a percentage. Another way to think about exposure factor is to consider the impact of a specific threat on an asset.
• Single loss expectancy (SLE). This is the cost of a single loss through the realization of a particular threat. It is the result of the calculation:
SLE = Asset value × EF
• Annualized rate of occurrence (ARO). This is the expected number of times a loss will occur in a year's time. It is usually expressed as a percentage, and it can be greater than 100% if it is believed that a loss can occur more than once per year (so it is a frequency, not a probability in the strict sense).
• Annual loss expectancy (ALE). This is the yearly expected loss for an asset from a particular threat, calculated as follows:
ALE = SLE × ARO
Let's look at an example: an organization asset, an executive's laptop computer, that is worth $4,000. The asset value is $4,000.
Now we will calculate the exposure factor (EF), which is the proportion of the laptop's value that is lost through a particular threat. The threat of theft will, of course, result in the entire laptop's value being lost. For theft, EF = 100%. For the sake of example, let's add another threat, that of damage, if the executive drops the laptop and breaks the screen. For
Now we need to calculate how often either of these scenarios might occur in a single year. For theft, let us presume that there is a 10% probability that this executive's laptop will be stolen (he's a popular individual). Thus, the ARO = 10%. This particular executive is really clumsy and drops his laptop computer a lot, so the ARO for that threat is 25%.
This all means that the organization can expect to lose, on average, $900 a year ($400 for theft and $500 for damage) on the executive's laptop computer. Knowing this will help management make more intelligent spending decisions about any protective measures that they feel will reduce the probability or impact of these and other threats. This is discussed in the next section on countermeasures.
Quantifying Countermeasures
Annual loss expectancy (ALE) is the cost that the organization is likely to bear through the loss of the asset. Because ALE is expressed in dollars (or other local currency), the organization can now make decisions regarding specific investments in countermeasures that are designed to reduce the risk. The risk analysis can be extended to include the impact of countermeasures on the overall risk equation:
• Costs of countermeasures. Each countermeasure has a specific cost associated with it. This may be the cost of equipment, software, or labor.
• Changes in exposure factor. A specific countermeasure may reduce the impact of a specific threat. For example, an FM-200 based fire extinguishment system will mean that a fire in a business location causes less damage to equipment than a water sprinkler-based extinguishment system would, so the EF (and therefore the SLE) of the fire threat goes down.
• Changes in annualized rate of occurrence. Specific countermeasures may reduce the probability that a loss will occur. For instance, the introduction of an anti-virus network appliance will reduce the frequency of malware attacks. A countermeasure that lowers frequency leaves the SLE unchanged and reduces the ALE through the ARO term.
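The laptop calculation and the countermeasure comparison above, carried through in code as an added worked example (this is not code from the book). It computes SLE and ALE per threat using the chapter's figures ($4,000 laptop, theft EF 100% and ARO 10%, damage ARO 25%), then scores each countermeasure as ALE before minus ALE after minus the countermeasure's annual cost, so that a control that lowers ARO and one that lowers EF can be compared on the same footing. The damage EF of 50% is my assumption (it reproduces the chapter's $500 damage figure); the countermeasure names, costs, and post-control EF/ARO values are constructed for illustration.

```python
"""Quantitative risk assessment worked example (SLE, ARO, ALE) with a
countermeasure cost-benefit step.

Added illustration, not code from the book. The $4,000 laptop, theft
EF 100% / ARO 10%, and damage ARO 25% are the chapter's figures. The damage
EF of 50% is an assumption chosen because it reproduces the chapter's $500
damage ALE. All countermeasure names, costs, and post-control EF/ARO values
are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float   # exposure factor: share of asset value lost per event (1.0 = total loss)
    aro: float  # annualized rate of occurrence; may exceed 1.0 for repeated events


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float  # amortized equipment/software/labor cost per year
    revised: dict       # threat name -> Threat as it looks with the control in place


def single_loss_expectancy(asset_value: float, threat: Threat) -> float:
    """SLE = asset value x exposure factor (cost of one realized event)."""
    return asset_value * threat.ef


def annual_loss_expectancy(asset_value: float, threat: Threat) -> float:
    """ALE = SLE x ARO (expected loss per year from this threat)."""
    return single_loss_expectancy(asset_value, threat) * threat.aro


def total_ale(asset_value: float, threats: list) -> float:
    """Sum of ALE over every threat to the asset."""
    return sum(annual_loss_expectancy(asset_value, t) for t in threats)


def net_benefit(asset_value: float, threats: list, cm: Countermeasure) -> float:
    """Value of a control = ALE before - ALE after - annual cost of the control.

    A control that changes ARO lowers frequency; one that changes EF lowers the
    damage per event. Either reduces ALE. A negative result means the control
    costs more per year than the expected loss it prevents.
    """
    after = [cm.revised.get(t.name, t) for t in threats]
    return total_ale(asset_value, threats) - total_ale(asset_value, after) - cm.annual_cost


def rank_countermeasures(asset_value: float, threats: list, countermeasures: list) -> list:
    """(name, net annual benefit) pairs ordered best first."""
    scored = [(cm.name, net_benefit(asset_value, threats, cm)) for cm in countermeasures]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The chapter's laptop scenario; the 0.50 damage EF is the assumption noted above.
LAPTOP_VALUE = 4000.0
THEFT = Threat("theft", ef=1.0, aro=0.10)
DAMAGE = Threat("drop damage", ef=0.50, aro=0.25)
THREATS = [THEFT, DAMAGE]

# Constructed countermeasures, each acting on a different term of the equation.
COUNTERMEASURES = [
    Countermeasure("cable lock + asset tracking", annual_cost=60.0,
                   revised={"theft": replace(THEFT, aro=0.02)}),        # lowers ARO
    Countermeasure("ruggedized case", annual_cost=150.0,
                   revised={"drop damage": replace(DAMAGE, ef=0.20)}),  # lowers EF
    Countermeasure("24x7 security escort", annual_cost=20000.0,
                   revised={"theft": replace(THEFT, aro=0.0)}),         # eliminates theft, but at what price
]


if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:12s} SLE=${single_loss_expectancy(LAPTOP_VALUE, t):,.0f} "
              f"ARO={t.aro:.0%} ALE=${annual_loss_expectancy(LAPTOP_VALUE, t):,.0f}")
    print(f"total ALE: ${total_ale(LAPTOP_VALUE, THREATS):,.0f}")
    for name, benefit in rank_countermeasures(LAPTOP_VALUE, THREATS, COUNTERMEASURES):
        print(f"{name:28s} net benefit ${benefit:,.0f}/yr")
```

With the chapter's numbers the theft ALE is $400, the damage ALE is $500, and the total is $900. The cable lock (ARO 10% to 2%) nets $260 a year, the ruggedized case (EF 50% to 20%) nets $150, and the escort eliminates theft entirely yet nets a large negative figure, which is the point of the exercise: a control is justified on these grounds only when the ALE it removes exceeds what it costs.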
Geographic Considerations
Organizations can take quantitative risk analysis a step or two further by calculating SLE, ARO, and ALE values for specific geographic locations. This is useful in organizations with similar assets located in different locations where the probability of loss or the replacement cost of these assets varies enough to matter.
probabil-Specific Risk Assessment Methodologies The risk assessment steps described inthis section are intentionally simplistic, with the intention of illustrating the concepts of identi-fying the value of assets and by using formulas to arrive at a quantitative figure that repre-sents the probable loss of assets in a year’s time For some organizations, this simple approachmay be sufficient On the other hand, there are several formal approaches to risk assessmentthat may be suitable for larger or more complex efforts Among these approaches are:
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation). Developed by Carnegie Mellon University's Software Engineering Institute (SEI), OCTAVE is an approach where analysts identify assets and their criticality, identify vulnerabilities and threats, evaluate risks, and create a protection strategy to reduce risk.
• FRAP (Facilitated Risk Analysis Process). This is a qualitative risk analysis methodology that can be used to pre-screen a subject of analysis as a means to determine whether a full-blown quantitative risk analysis is needed.
• Spanning Tree Analysis. This can be thought of as a visual method for identifying categories of risks, as well as specific risks, using the metaphor of a tree and its branches. This approach would be similar to a Mind Map for identifying categories and specific threats and/or vulnerabilities.
• NIST 800-30, Risk Management Guide for Information Technology Systems. This document describes a formal approach to risk assessment that includes threat and vulnerability identification, control analysis, impact analysis, and a matrix depiction of risk determination and control recommendations.
Risk Treatment
When a qualitative or quantitative risk assessment has been performed, an organization's management can begin the process of determining what steps, if any, need to be taken to manage the risks identified in the risk assessment. The four general approaches to risk treatment are:
• Risk acceptance
• Risk avoidance
• Risk reduction