SSCP® Systems Security Certified Practitioner Study Guide
George B. Murphy
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Associate Publisher: Jim Minatel
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: ©Getty Images Inc./Jeremy Woodhouse
Copyright © 2015 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada.
If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2015947763
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. SSCP, the SSCP logo, and the (ISC)2 logo are registered trademarks or service marks of the International Information Systems Security Certification Consortium. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
10 9 8 7 6 5 4 3 2 1
Disclaimer: Wiley Publishing, Inc., in association with (ISC)2®, has prepared this study guide for general information and for use as training for the Official (ISC)2 SSCP® CBK® and not as legal or operational advice. This is a study guide only, and does not imply that any questions or topics from this study guide will appear on the actual (ISC)2 SSCP® certification examination. The study guide was not prepared with writers or editors associated with developing the (ISC)2® SSCP® certification examination. The study guide may contain errors and omissions. (ISC)2® does not guarantee a passing score on the exam or provide any assurance or guarantee relating to the use of this study guide and preparing for the (ISC)2® SSCP® certification examination.
The users of the Official SSCP®: Systems Security Certified Practitioner Study Guide agree that Wiley Publishing, Inc. and (ISC)2® are not liable for any indirect, special, incidental, or consequential damages up to and including negligence that may arise from use of these materials. Under no circumstances, including negligence, shall Wiley Publishing Inc. or (ISC)2®, its officers, directors, agents, author or anyone else involved in creating, producing or distributing these materials be liable for any direct, indirect, incidental, special or consequential damages that may result from the use of this study guide.
Attacks on organizations’ information assets and infrastructure continue to escalate while attackers refine and improve their tactics. The best way to combat these assaults starts with qualified information security staff armed with proven technical skills and practical security knowledge. Practitioners who have proven hands-on technical ability would do well to include the (ISC)2 Systems Security Certified Practitioner (SSCP®) credential in their arsenal of tools to competently handle day-to-day responsibilities and secure their organization’s data and IT infrastructure.

The SSCP certification affirms the breadth and depth of practical security knowledge expected of those in hands-on operational IT roles. The SSCP provides industry-leading confirmation of a practitioner’s ability to implement, monitor and administer policies and procedures that ensure data confidentiality, integrity and availability (CIA).

Reflecting the most relevant topics in our ever-changing field, this new SSCP Study Guide is a learning tool for (ISC)2 certification exam candidates. This comprehensive study guide of the seven SSCP domains draws from a global body of knowledge, and prepares you to join thousands of practitioners worldwide who have obtained the (ISC)2 SSCP credential. The SSCP Study Guide will help facilitate the practical knowledge you need to assure a strong security posture for your organization’s daily operations.

As the information security industry continues to transition, and cybersecurity becomes a global focus, the SSCP Common Body of Knowledge (CBK®) is even more relevant to the challenges faced by today’s frontline information security practitioner. While our Official Guides to the CBK are the authoritative references, the new study guides are focused on educating the reader in preparation for exams. As an ANSI accredited certification body under the ISO/IEC 17024 standard, (ISC)2 does not teach the SSCP exam. Rather, we strive to generate or endorse content that teaches the SSCP’s CBK. Candidates who have a strong understanding of the CBK are best prepared for success with the exam and within the profession.

Advancements in technology bring about the need for updates, and we work to ensure that our content is always relevant to the industry. (ISC)2 is breaking new ground by partnering with Wiley, a recognized industry-leading brand. Developing a partnership with renowned content provider Wiley allows (ISC)2 to grow its offerings on the scale required to keep our content fresh and aligned with the constantly changing environment. The power of combining the expertise of our two organizations benefits certification candidates and the industry alike.

For more than 26 years, (ISC)2 has been recognized worldwide as a leader in the field of information security education and certification. Earning an (ISC)2 credential also puts you in great company with a global network of professionals who echo (ISC)2’s focus to inspire a safe and secure cyber world.

Congratulations on taking the first step toward earning your certification. Good luck with your studies!

Regards,
David P. Shearer
CEO
(ISC)2
To my beautiful wife, Cathy—thank you for your patience, understanding, and especially your encouragement. You are and always will be my angel. With much love.
It’s always amazing how many people are involved in the production of a book like this. Everyone involved deserves a world of thanks for all of their hard work and efforts. I especially want to thank Carol Long, who was executive acquisitions editor for Wiley & Sons when we started this project. I genuinely appreciate the opportunity that she afforded me. I also owe so much to many others, especially Tom Cirtin, for keeping everything on track, as well as Christine O’Connor, who tied together all of the production efforts. I want to thank Jim Minatel for herding all of the cats and keeping it all running. Many thanks to Judy Flynn for her tireless efforts in making sure all of the copy worked, as well as the entire team of layout editors, graphic design folks, and others, all of whom provided their expertise to make this project come together. I would like to express a big thanks to Brian McCarthy for his knowledge and his wonderful work as technical editor. I would also like to express my appreciation to both Mike Siok and Willie Williams for their friendship and inspiration through a great many projects over the years. They have always been there to lend an ear and offer encouragement. I want to recognize Chuck Easttom for giving me my break into the world of publishing a few years ago. And, I want to especially thank all of the wonderful folks at (ISC)2 for their ongoing assistance in this and many other projects. Thank you all very much.
About the Author

George (Buzz) Murphy, CISSP, SSCP, CASP, is a public speaker, corporate trainer, author, and cybersecurity evangelist who, over the past three decades, has touched the lives of thousands of adult learners around the world through hundreds of speaking and training events covering a variety of technical and cybersecurity topics. A former Dell technology training executive and U.S. Army IT networking security instructor, he has addressed audiences at national conferences, major corporations, and educational institutions, including Princeton University, and he has trained network and cybersecurity operators for the U.S. military branches, various U.S. government security agencies, and foreign military personnel.

As a military data center manager in Europe, he held a top-secret security clearance in both U.S. and NATO intelligence and through the years has earned 26 IT and cybersecurity certifications from such prestigious organizations as (ISC)2, CompTIA, PMI, and Microsoft. He is an (ISC)2 Authorized Instructor specializing in CISSP and Cloud Security certification training. He has authored, coauthored, and contributed to more than a dozen books on a wide range of topics, including network engineering, industrial technology, and IT security, and recently served as technical editor for the (ISC)2 CCFP – Certified Cyber Forensics Professional Certification Guide by Chuck Easttom (McGraw Hill, 2014) as well as for the recent publication CASP: CompTIA Advanced Security Practitioner Study Guide by Michael Gregg (Sybex, 2014).
About the Technical Editor

Brian D. McCarthy, founder and director of 327 Solutions, Inc., has been involved in placement, consulting, and training since 1992. Brian is an entrepreneur, IT trainer, operations leader, certification expert, recruiter, instructional designer, sales executive, formally trained project manager (PMP), and e-learning guru. He has more than 20 years of talent development expertise, has been working in building technical competency for decades, and has held multiple positions in operations, training facilitation, and sales with increasing responsibility for building a world-class national network of performance experts. Brian has worked hand in hand with the Department of Defense to enable information assurance compliance for cybersecurity workers (8570.1-M / 8140). He also has experience working with cutting-edge e-learning, workshops, immersive environments, gamification/contest design, method-of-action 3D animations, LMS tracking, portal systems, and other learning assets to accelerate world-class corporate teams.
Contents at a Glance

Chapter 1: Information Security: The Systems Security Certified Practitioner Certification

Contents

Chapter 1: Information Security: The Systems Security Certified Practitioner Certification
About the (ISC)2 Organization
Organizational Structure and Programs
Exams, Testing, and Certification
Certification Qualification: The SSCP Common Body of Knowledge
Certification Maintenance
Types of IT Certifications?
About the Systems Security Certified Practitioner Certification
How Do I Use My SSCP Knowledge on the Job?
Summary
The Development of Security Techniques
Understanding Security Terms and Concepts
The Problem (Opportunity) and the Solution
AAA
Privilege Management, Privilege Life Cycle
Participating in Security Awareness Education
Types of Security Awareness Education Programs
Working with Human Resources and Stakeholders
What Should Be Protected?
Physical Access Controls
Administrative Access Controls
Identification
Authentication
Factors of Authentication
Single-Factor Authentication
Multifactor Authentication
Token-Based Access Controls
System-Level Access Controls
Discretionary Access Control (DAC)
Nondiscretionary Access Control
Administering Mandatory Access Control
Mandatory Access Control Architecture Models
Account-Level Access Control
Session-Level Access Control
View-Based Access Control
Data-Level Access Control
Contextual- or Content-Based Access Control
Physical Data and Printed Media Access Control
Assurance of Accountability
Manage Internetwork Trust Architectures
Security Policies and Practices
Information Life Cycle Management
Information Classification Policy
Endpoint Health Compliance
Security Education and Awareness Training
Employee Security Training Policy
Employee Security Training Program
Business Continuity Planning
Developing a Business Continuity Plan
Disaster Recovery Plans
Summary
Risk Management Frameworks and Guidance for
NIST Special Publication 800-37 Revision 1
NIST Special Publication 800-39
Risk Analysis and Risk Assessment
Event and Incident Handling Policy
Standards
Procedures
Guidelines
Creating and Maintaining an Incident Response Plan
Law Enforcement and Media Communication
Building an Incident Response Team
Incident Response Records
Security Event Information
Incident Response Containment and Restoration
Implementation of Countermeasures
Understanding and Supporting Forensic Investigations
Plan and the Disaster Recovery Plan
Emergency Response Plans and Procedures
Business Continuity Planning
Disaster Recovery Planning
Interim or Alternate Processing Strategies
Concepts and Requirements of Cryptography
Terms and Concepts Used in Cryptography
Cryptographic Systems and Technology
Data Classification and Regulatory Requirements
Public Key Infrastructure and Certificate Management
Access Control Protocols and Standards
Remote Network Access Control
Remote User Authentication Services
RADIUS
TACACS/TACACS+/XTACACS
Local User Authentication Services
LDAP
Kerberos
Subnetting
Virtual Local Area Networks
Network Address Translation
MAC Filtering and Limiting
Spam Filter to Prevent Email Spam
Telecommunications Remote Access
Wireless & Cellular Technologies
IEEE 802.11x Wireless Protocols
Traffic Shaping Techniques and Devices
Understand Malicious Code and Apply Countermeasures
Malicious Code Terms and Concepts
Managing Spam to Avoid Malware
Cookies and Attachments
Malicious Code Countermeasures
ActiveX
User Threats and Endpoint Device Security
General Workstation Security
Data Warehouse and Big Data Deployment and Operations
Securing the Data Warehouse and Data Environment
Secure Software-Defined Networks and Virtual Environments
Software-Defined Networks
Security Benefits and Challenges of Virtualization
Summary
Microsoft Baseline Security Analyzer
Microsoft Password Checker
Internet Explorer Phishing and Malicious Software Filter
Observing Logs with Event Viewer
Viewing a Digital Certificate
Monitoring PC Activities with Windows Performance Monitor
Analyzing Error Messages in Event Viewer
Introduction

What a wonderful time to be involved with IT security. The role of security practitioner is expanding almost on a daily basis. Challenges abound as we all try to get our arms around not only traditional hardwired networks but also everything involved with wireless communication and the virtualization of everything in the cloud. There is so much to know and understand, and the growth potential seemingly has no bounds. Keeping up with this pace is (ISC)2, the creators of the Certified Information Systems Security Professional (CISSP) certification, along with several other certifications.

(ISC)2 is renowned for offering industry-leading cybersecurity and other types of training courses around the world. Achieving the Systems Security Certified Practitioner (SSCP) from (ISC)2 indicates mastery of a broad-based body of knowledge in IT security. From network engineering to application development and from cybersecurity to physical security, the prestigious SSCP certification indicates that an individual is an accomplished and knowledgeable security practitioner. The certification is not a vendor-specific certification but a comprehensive broad-based certification.

Candidates for this certification will take a 125-question exam over a period of three hours. The exam covers questions from seven separate and distinct areas of knowledge called domains. Upon passing the examination with a score of 700 or better out of a possible 1,000, successful candidates also must agree to adhere to the (ISC)2 Code of Ethics. Applications must also be endorsed by a current (ISC)2 member or by the organization. This sets SSCP certification holders apart because they are true accomplished professionals who adhere to a clear set of standards of conduct and are in the forefront of the IT security industry.

This book is intended to thoroughly prepare you for the SSCP examination. It completely covers all of the new material introduced by (ISC)2 in early 2015. The changes and additional information place increasing importance on subjects such as the cloud, virtualization, big data, and security monitoring and detection as well as the importance of personal privacy protection and its enforcement by new laws and legislation.

Although the requirement for the SSCP certification is one year of employment in the industry, it is assumed that that year of employment will aid in the individual’s ability to apply the various concepts covered in this book. The exciting thing about being a security practitioner is the diversity of the assignments and required knowledge of the job. This certification indicates a broad range of knowledge and capabilities and can be a first major step forward in a rewarding career in IT security.
Who Should Read This Book?
Although the Systems Security Certified Practitioner certification has been offered by (ISC)2 for many years, in 2015 the Common Body of Knowledge (CBK), which forms the foundation for the exam, was substantially modified. To keep the certification relevant with the rapid developments in the industry, the (ISC)2 organization regularly undertakes a program to ascertain the new skills required by the individuals holding its certification. It has been estimated that as much as 25 to 30 percent of new information has been added to various (ISC)2 certifications during this process. As should be expected, the SSCP exam was changed to reflect the additional information and knowledge required of candidates. These changes were announced as recently as the first quarter of 2015. Although other exam preparation sources may contain adequate information for past examinations, they may not offer the complete scope of the new information as contained in this book.

The SSCP: Systems Security Certified Practitioner Study Guide is intended for candidates wishing to achieve the Systems Security Certified Practitioner certification. It is a comprehensive exam preparation guide to assist you in understanding the various concepts that will be included on the exam. Although deep technical knowledge and work experience are not required to pass the examination, it is necessary to have a basic understanding of security technologies such as networking, client/server architecture, and the devices and controls used to reduce risk to organizations. This book covers items such as network telecommunications as well as cryptography in very down-to-earth, easy-to-understand language that makes comprehension and information retention easy and painless.
What Is Covered in This Book
This textbook is a comprehensive review of all of the subjects you should be familiar with prior to taking the SSCP certification exam. It generally follows the exam outline as expressed by the (ISC)2 organization. Various learning tools will be used, such as examples and typical applications of many of the concepts. You will also read case studies of successful and sometimes not-so-successful real-world examples. Each chapter will include notes that will elaborate in a little more detail about a concept as well as a number of exam points that serve as detailed reminders of concepts that are important to remember.

As you will see, this book is not a condensed “exam notes guide” type of book. Instead, it comprehensively covers the different subjects and categories of information that a practicing SSCP should know, not only to pass the certification examination but also to apply in the workplace.

To successfully pass this certification examination as well as any future (ISC)2 certification examination, it is important not to just memorize the material but to learn and understand the topics. If you understand the material and how it’s applied, you will always be successful on an examination.

Chapter 1: Information Security: The Systems Security Certified Practitioner Certification
This chapter introduces the SSCP examination candidate to the requirements and preparation required to sit for the exam. It familiarizes you with the (ISC)2 organization, the requirements you must meet to take the examination, examination registration procedures, the (ISC)2 SSCP endorsement requirements, the continuing education requirements (CEU), and the annual fee.

In this chapter you will learn what to expect at the examination center and how to plan for your examination day. Through the years, many other individuals have taken technical examinations similar to the SSCP certification examination. In this chapter, you will learn many of their successful study techniques so that you may be equally as successful when preparing for the examination.
Chapter 2: Security Basics: A Foundation
The SSCP certification examination consists of 125 multiple-choice questions concerning the (ISC)2 organization’s SSCP Common Body of Knowledge (CBK). This body of knowledge consists of seven domains, or separate sections of information. Chapter 2 introduces you to the concepts of access control and a large number of related terms and definitions. It begins with a description of the CIA triad, which is the foundation for enterprise IT security. The discussion includes an understanding of security terms and concepts. You will see that some of these concepts have various permutations over time, such as the wireless security protocols of WEP, WPA, and eventually WPA2 that we use today.
Chapter 3: Domain 1: Access Controls
Protecting enterprise resources is a major part of the job description of an IT security professional. In this chapter, you will learn in detail how access controls are selected and implemented to protect resources from unauthorized use or entry. You will learn the importance of identification, authentication, authorization, logging, and accountability. You will understand that various access control techniques, such as discretionary access control as well as nondiscretionary access control in the form of mandatory access control and role-based access control, may be implemented in various situations throughout an enterprise.
Chapter 4: Domain 2: Security Operations and Administration
Every enterprise must have policies, standards, procedures, and guidelines that provide documented information that guides the actions of the organization as well as the individuals it employs or interacts with. Chapter 4 will introduce you to the concept of information availability, integrity, and confidentiality as it applies to management personnel, system owners, information managers, and end users throughout an organization. In this chapter, you will come to understand change management as well as applying patches and updates to software and systems and complying with data management policies. This chapter will also cover data classification and the importance of validating that a security control is operating effectively.
Chapter 5: Domain 3: Risk Identification, Monitoring, and Analysis
Potential threats pose risks to every organization. This chapter introduces organized assessment techniques to provide ongoing threat identification and monitoring. You will learn the importance of implementing controls to mitigate or reduce threats or vulnerabilities, which thereby reduces overall risk to the organization.

This chapter includes a discussion of risk management concepts, the assessment of risk, and typical techniques organizations use to address risks, such as buying insurance, reducing risk, and possibly avoiding risk altogether. You will also learn the importance of discovering events and incidents as they are occurring through monitoring and reviewing log files as well as the techniques of participating in both risk reduction and risk response activities.
Chapter 6: Domain 4: Incident Response and Recovery
There are several key tasks that may become the responsibility or assignment of the security practitioner. Some of these tasks can involve actions and activities in response to an incident or emergency situation. In this chapter, you will be introduced to the techniques of incident handling (which include investigations, reporting, and escalation) as well as digital forensic concepts. You will learn the actions required of a first responder, including the requirements concerning protection of an incident scene, evidence acquisition and handling, and restoring the environment to a state prior to the incident.

This chapter will also cover the creation of a business continuity plan as well as a disaster recovery plan, both of which are required by an enterprise to be used during a disaster event. And finally, the importance of testing the plans and providing exercises and drills for the participants will be discussed.
Chapter 7: Domain 5: Cryptography
Confidentiality, as a leg of the CIA triad, is a major responsibility of all of the individuals in IT security as well as the SSCP. This chapter will introduce you to the concepts and requirements of confidentiality and how to provide it using cryptographic methods. Cryptographic algorithms, the use of keys, and the types of cryptographic systems will be discussed in detail, but in a way that will be easy to understand. You will discover that every time an individual logs into an e-commerce website, most of the concepts covered in this chapter, such as public-key infrastructure, will be utilized. You will gain an understanding of the use of digital certificates, how to provide integrity for data, and what techniques can be used so that data is protected when it is at rest or in transit. Finally, you will learn how authentication can be provided by cryptographic means as well as how to ensure that the sender of a message can’t deny that they sent the message, which is referred to as nonrepudiation.
Chapter 8: Domain 6: Networks and Communications
IT networks comprise numerous hardware devices that are assembled using various methods and resulting in network models called topologies. Network devices make use of signaling techniques referred to as telecommunications to transfer data between users and through devices. In Chapter 8, you will be introduced to network models and hardware devices as well as the structure of data that flows over the networks and through these devices.

This chapter will cover wireless and cellular technologies, including the concepts of Bring Your Own Device and the connection of personal digital devices to the enterprise network. It will conclude with a discussion of converged network communications such as voice and media over the digital network and the prioritization of information that traverses a network.
Chapter 9: Domain 7: Systems and Application Security
Forming the termination point of a network connection are endpoints such as, for example, host workstations, digital wireless devices, printers, scanners, and devices like point-of-sale equipment. Chapter 9 will introduce you to the importance of securing endpoints against many types of malicious code attacks and how to apply various countermeasures to mitigate the threat of endpoint attacks.

You will also become familiar with cloud security and many of the new requirements concerning data transmission between a user and the cloud and data storage in a cloud environment. The chapter includes a discussion about the importance of virtualization, not only in a local IT data center but also throughout the cloud environment.

The chapter will conclude with a discussion of data warehousing and big data environments, including a description of the use of thousands of processors in parallel to analyze big data and derive usable information, including trend analysis, the analysis of weather, and scientific applications.
Appendix A: Answers to the Written Labs
As an additional learning technique, you will find at the end of each chapter a series of five questions that require you to think through an answer in an essay-type format. You will be asked to define the difference between two techniques, for example, or to explain the use of something covered in the chapter. This is an opportunity for you to write out a brief description of your understanding of the concepts that were covered in the chapter. In Appendix A, you will find brief answers to each of the written lab questions. You can compare your answers with these as a review and to determine if further reading and studying is required.

Appendix B: Answers to Review Questions
In this appendix, you will find the answers to each of the review questions found at the end of each chapter.

Appendix C: Diagnostic Tools
The role of the security practitioner can be that of a hands-on technician who utilizes various tools and techniques to analyze and solve problems. This appendix outlines a number of diagnostic tools that are available to the security practitioner. You can practice using any of these tools to gain a better understanding of their application when used in analysis and problem solving.

How Do I Use This Book?
This book is simple to use and simple to read. It offers straightforward explanations of all of the SSCP exam topics. Along the way, there are many Exam Points, which are tidbits of information that are important to understand and remember while preparing for the exam.
Pre-study Assessment Exam
The pre-study assessment exam is a short 10-question quiz on some basic topics that are contained in the book. This will give you an idea not only of some of the topics in the book but also of your current level of understanding. Don’t worry, after reading the book, you’ll understand every question on the assessment exam.
Notes and Case Studies
Various notes and case studies are included throughout each chapter to point out relevant, real-world applications of some of the topics. The notes will draw your attention to important issues and changes in the security landscape or specific items of interest concerning the topics in each chapter.

Exam Points
Exam Points are facts and pieces of information that are important to know for the examination. They are sprinkled throughout this book in every chapter. You should understand the fact or the theory but also consider the application of the technique.

Chapter Review Questions
To test your knowledge as you proceed through the book, there are 20 review questions at the end of each chapter. As you finish each chapter, answer the review questions and then check your answers. Should you get a question wrong, you can go back to reread the section that deals with the subject to ensure that you answer correctly the next time.
Electronic Flashcards Flashcards are excellent for memory and information retention. They may be used to rapidly test your memory and recall of various topics, terms, and definitions. These are similar to the flashcards you might have used when you were in school. You can answer them on your PC or download them onto a personal device for convenient reviewing.
Test Engine The website also contains the Sybex Test Engine. Using the sample exam and this custom test engine, you can identify areas in which you might require additional study. You'll notice that the practice examination is worded a little differently than the questions at the end of the chapters. The SSCP examination might give you a short scenario and require you to think about the application of the concept rather than just provide a term and ask you to define it.
An examination question quite often will ask you to apply the concept. For example, a question might be worded, "Bill is in the Dallas office of ABC Corporation while Tom is in their sales office in Chicago. Bill needs to send data over an untrusted network to Tom. Which of the following options best describes the technique he should use?"
Glossary of Terms An extensive glossary of terms is included on the website. You can view these on your PC or easily download them to a personal device for quick and easy reference. I suggest, in the first pass, read the question and respond with the answer. In the next pass, read the answers and determine what the topic is. Remember, exam questions might be phrased by giving you the definition and asking for the term or by giving you the term and asking for the definition. For instance, an exam question may be as follows: When using IPsec, which of the following best describes the services performed by the authentication header (AH)? Or, it may be worded like this: When using IPsec, authentication and integrity is performed by which of the following? Authentication header is the correct answer. Notice that both of these questions refer to the same information.
Assessment Test
1. Jim wants to place a device in the network demilitarized zone that may be broken into by an attacker so that he can evaluate the strategies that hackers are using on his systems. Which of the following best describes what he would use?
A. Honeypot
B. Decoy system
C. Honeybucket
D. Spoofing system
2. Frank calls you from the Los Angeles office to inform you of an attack he has discovered. Due to a vulnerability in an application, an attacker has the ability to intervene in a communications session by inserting a computer between the two participants. To each participant, the attacker appears to be the other participant. Which of the following best describes this type of attack?
A. Man-in-the-middle attack
B. DNS hijacking
C. Trojan worm
D. Backdoor attack
3. Susan has been alerted that applications on the network are executing very slowly. Which type of attack uses more than one computer to attack network devices with a result of slowing the network down?
A. DoS
B. DDoS
C. Worm
D. TCP/IP attack
4. Sam has determined that there are social engineering attacks happening in his company. What is the most effective means of protecting against social engineering attacks?
A. Stateful inspection firewalls
B. Trusted certificate lists
C. Rule-based access control
D. User education
5. Aeroflight Instrument Company has just completed a risk assessment. It has implemented a complete risk management program. What is the primary goal of risk management?
A. Reduce risk to an acceptable level.
B. Remove all risks from an environment.
C. Minimize security cost expenditures.
D. Assign responsibilities to job roles.
6. Which of the following best describes the use of passwords for access control?
A. Authentication
B. Authorization
C. Auditing
D. Identification
7. Francine is director of accounting for Infosure Systems Corporation. She is proposing that the company start moving some of the accounting applications to a cloud provider. She wants them to be accessible from various client devices through either a thin client interface, such as a web browser, or a program interface. Which cloud service model would best fit this description?
A. BaaS
B. IaaS
C. PaaS
D. SaaS
8. Ken's boss is asking him what ARO stands for in regard to risk. What should he reply?
A. Automatic review of operations
B. Acceptable rate of output
C. Authorized reduction of options
D. Annualized rate of occurrence
9. As a defense contractor, Juan's company must comply with strict access control regulations. Juan's supervisor tells him to implement an access control based on the company's users' physical characteristics. Under which type of access security would hand scanning and retina scanning fall?
Answers to Assessment Test
1. A. Honeypots are systems that allow investigators to evaluate and analyze the attack strategies used by attackers. A honeypot is a hardened system that is placed in a demilitarized zone and is intended to be sacrificed to gain knowledge or simply to distract attackers. A demilitarized zone is usually created between two firewalls and provides access to servers and other devices from the untrusted external network while protecting the internal enterprise network. Complete networks can be simulated in a single honeypot server, with fake data traffic as well as simulated databases.
2. A. A man-in-the-middle attack attempts to fool both ends of a communications session into believing the system in the middle is actually the other end.
3. B. A distributed denial of service (DDoS) attack uses multiple computer systems to attack a server or host in the network.
4. D. User education is the most effective means of protecting against social engineering attacks.
5. A. The primary goal of risk management is to reduce risk to an acceptable level.
6. A. Passwords are the most common form of authentication.
7. D. With the Software as a Service (SaaS) model, applications are accessible from various client devices through a thin client interface, a web browser, or an API.
8. D. ARO stands for annualized rate of occurrence, which is the number of times an event might occur during the period of a year, drawn on historical data. This is used when calculating the cost of the loss of an asset due to a successful attack.
9. C. A biometric control is any access control method based on a user's physical characteristics.
10. A. A firewall is added to a network to filter traffic and secure the infrastructure. Firewalls are used to protect networks from each other, most specifically an internal trusted network from an external untrusted network such as the Internet. Firewalls filter on a number of traffic attributes, including IP address, destination and source address, and port address.
Chapter 1: Information Security: The Systems Security Certified Practitioner Certification
registration procedures, endorsement requirements, and continuing education and annual fee requirements. In addition to introducing you to the requirements, this chapter will help you prepare for the examination. You will learn about various successful study techniques used by other candidates as well as how to register for the exam.
It is important for you to relax and do your best work. By knowing what to expect during your time at the examination center and by being prepared, you will be at ease and will be able to concentrate on the examination subject.
The International Information Systems Security Certification Consortium (ISC)2 is a not-for-profit organization formed in 1989 to offer standardized vendor-neutral certification programs for the computer security industry. The first certification offered by the organization was the Certified Information Systems Security Professional (CISSP) certification. It was based upon a Common Body of Knowledge (CBK). The original CBK was intended to be all-encompassing, taking into consideration every aspect of information security from technical networking, information security models, and theory to physical security, such as fire extinguishers, perimeter lighting, and fences. The Systems Security Certified Practitioner (SSCP) credential was launched in 2001. It was intended as a foundational security credential requiring slightly less in-depth knowledge and much more limited job experience criteria.
A key element central to the foundation of (ISC)2 is a Code of Ethics. Every member of the (ISC)2 organization, including candidates sitting for any of the certification examinations, must agree to and sign the Code of Ethics. It warrants that the members of the (ISC)2 organization adhere to the highest standards of conduct in the performance of their security duties. Today, (ISC)2 is a global entity spanning more than 150 countries worldwide with membership totaling in excess of 100,000 members. The organization has been referred to as the "largest IT security organization in the world."
About the (ISC)2 Organization
As the stand-alone PC era evolved into an era of networking during the early 1980s, it became evident that there was a need for network security standardization. Security professionals required the ability to describe their problems and solutions with common terminology. Concepts, tools, and techniques had to be shared between individuals on a worldwide basis to solve common problems and take advantage of shared opportunities. Although during this time various vendors coined terms and definitions specific to their products or sector of the industry, a desire arose for a vendor-neutral body of knowledge and a methodology for granting credentials to individuals who exhibited the knowledge and competence required of the IT security industry.
(ISC)2 was founded during the summer of 1989 as a nonprofit organization to address the needs of the IT security industry. The organization immediately began organizing a collection of topics relevant to the IT security industry. These topics were structured into a framework of concepts and terminology, with contributions from IT professionals around the world. The framework of ideas, terms, and concepts now known as the Common Body of Knowledge (CBK) allowed individuals from security practitioners to those in academia to discuss, create, and improve the IT security industry as it has evolved through the years.
Organizational Structure and Programs
(ISC)2 has evolved into a multifaceted organization offering numerous certifications and credential programs. The organization also offers an outreach program where members can use (ISC)2 tools and information to educate themselves and others and to increase the awareness of cyber crime in their local communities. Every year, tens of thousands attend an annual (ISC)2 Security Congress, which features seminars and exhibits. Central to the organization is the continuous education of its members. During the year, numerous seminars, webinars, and other training sessions are available for (ISC)2 members.
Certifications Offered
The award of a CISSP certification is a global recognition that an individual has proven knowledge in the information security field and has attained a high level of information understanding and professional competence. The CISSP certification has met all of the requirements of the ISO/IEC 17024 standard.
CISSP – Certified Information Systems Security Professional The CISSP certification is recognized around the world as a standard of achievement that recognizes an individual's knowledge in the field of information security. These individuals generally serve in IT management and information assurance and may be employed as managers who assure the security of a business environment.
SSCP – Systems Security Certified Practitioner The SSCP certification is ideal for individuals with at least one year of experience. These individuals may be employed as security practitioners in a network operations center, security operations center, or data center. The SSCP certification is the perfect starting point for somebody beginning an IT security career.
Additional certifications (ISC)2 offers several additional certifications in the areas of healthcare, computer forensics, and system authorization professional and a variety of CISSP certifications. Additional information is available on the (ISC)2 website.
Worldwide Recognition
(ISC)2 has principal offices in the United States and additional offices in London, Hong Kong, and Tokyo. Major corporations around the world seek out and employ individuals with (ISC)2 certifications.
With over 93,000 certified IT professionals located in over 135 countries worldwide, the (ISC)2 organization has set the standard around the world as the leader in IT security certifications.
Industrial and Government Standards
The SSCP certification has been accredited by the American National Standards Institute (ANSI). The certification is in compliance with the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 17024 standard.
DoD Directive 8570.1 and DoD Directive 8140
In the aftermath of the September 11, 2001, terrorist attacks and with cybersecurity threats surfacing virtually every day around the world, the United States Department of Defense (DoD) has determined that information security and assurance is of paramount importance to the national security of the United States. To provide a basis for enterprise-wide standardization to train, certify, and manage the DoD Information Assurance (IA) workforce, the department issued DoD Directive (DoDD) 8570.1.
DoDD 8570.1, enacted in 2004 and rolled out in 2005, is always evolving. Since 2005, major advancements in technology and cybersecurity have occurred, leading to the newest DoDD, 8140. DoDD 8140 was launched in the first quarter of 2015, retiring 8570.1 in full. DoDD 8140 is based on the National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE) standard. DoDD 8140 will update DoDD 8570.1, adding additional categories and further defining job roles for better training.
The 8140 directive stipulates a much broader scope than the original 8570.1 document by stating that any person who comes in contact with DoD information must abide by 8140 framework standards. The 8140 document does not concentrate on specific job roles as in the 8570.1 but instead lists categories of job tasks that may be performed by any individual throughout the defense industry.