Syngress knows what passing the exam means to you and to your career. And we know that you are often financing your own training and certification; therefore, you need a system that is comprehensive, affordable, and effective.
Boasting one-of-a-kind integration of text, DVD-quality instructor-led training, and Web-based exam simulation, the Syngress Study Guide & DVD Training System guarantees 100% coverage of exam objectives.
The Syngress Study Guide & DVD Training System includes:
■ Study Guide with 100% coverage of exam objectives By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of the exam objectives.
■ Instructor-led DVD This DVD provides almost two hours of virtual classroom instruction.
■ Web-based practice exams Just visit us at www.syngress.com/certification to access a complete exam simulation.
Thank you for giving us the opportunity to serve your certification needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.
www.syngress.com/certification
Josh Jacobs SSCP, CISSP
Lee Clemmer SSCP, CISSP
Michael Dalton SSCP, CISSP
Russ Rogers CISSP
Jeffrey Posluns SSCP, CISSP, Technical Editor
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
SSCP Study Guide & DVD Training System
Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-80-9
Technical Editor: Jeffrey Posluns
Technical Reviewer: Tony Piltzecker
Acquisitions Editor: Catherine B. Nolan
DVD Production: Michael Donovan
Cover Designer: Michael Kavish
Page Layout and Art by: Shannon Tozier
Copy Editor: Judy Eby
Indexer: Odessa&Cie
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
Acknowledgments
We would like to acknowledge the following people for their kindness and support in making this book possible.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of Publishers Group West for sharing their incredible marketing experience and expertise.
Duncan Enright, AnnHelen Lindeholm, David Burton, Febea Marinetti, and Rosie Moss of Elsevier Science for making certain that our vision remains worldwide in scope.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.
David Scott, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.
Contributors
Lee Clemmer (SSCP, CISSP, RHCE, CCNA, SGCE, SGCA, MCSE, CCSA, Sun Solaris Certified Engineer) is a Founder and Chief Security Consultant with Higher Ground Networks, LLC. His areas of expertise range from Internet penetration testing and security auditing to information security systems architecture. Headquartered in Atlanta, GA, Higher Ground Networks delivers technical and strategic information security expertise to clients in the southeastern United States. Lee’s experience with Linux and various versions of UNIX, coupled with his depth of experience with Microsoft’s offerings, makes him the firm’s key resource for cross-platform security designs. Lee’s background includes positions such as Senior Security Consultant with Kent Technologies, and Director of Secure Networks with Xcelerate Corp. Lee holds a bachelor’s degree from the University of Georgia, and is a member of the ISSA, USENIX, and SAGE organizations.
Michael Dalton (SSCP, CISSP, CCNA, MCSE, CISA) is an Information Security Specialist with a Fortune 500 insurance benefits company in North America. Michael works in the Information Protection practice on the Compliance Review Team. His primary work responsibilities include Internet and extranet firewall reviews, Information Protection Systems Development Lifecycle (SDLC) application reviews, and external service provider security posture assessments. Michael holds a bachelor’s degree from Central Connecticut State University and is an ISSA-CT and ISACA member. Michael currently resides in Weatouge, CT with his incredibly supportive wife, Kimberly, and two sons, Benjamin and John Clark.
Joshua G. Jacobs (SSCP, MCSA, MCP, A+) is the Technology Administrator for Reynolds, Bone & Griesbeck, PLC. He has an extensive background in systems administration as well as Web application design and development. Joshua provides support for the firm’s network as well as client networks throughout the South. His specialties include security information management, Intranet development, firewall administration, policy development, and support for various operating systems including Novell NetWare, Windows 2000 and AIX. Joshua’s recent work also includes Web application development and custom software scripting to automate application deployment. Joshua, his wife, Heather, and their two sons, Owen and Joshua II, live in Collierville, TN. He would like to thank his wife for her love and continuous support that made it possible for him to contribute to this book.
Russ Rogers (CISSP, IAM) is the President of Security Horizon, Inc. Security Horizon is a veteran-owned small business, based in Colorado Springs, CO, specializing in professional security services and training. It is one of only two companies with a Cooperative Research and Development Agreement (CRADA) with the National Security Agency (NSA) to teach their INFOSEC Assessment Methodology (IAM). Russ’s background includes network vulnerability assessments, organizational assessments using the NSA IAM, security policy development, and training assessors on the IAM. His experience spans positions in military intelligence, system administration, security administration, commercial and Department of Defense assessments, and special security project development. Russ holds a master’s degree in Computer Systems Management from the University of Maryland and is a member of the Information System Security Association (ISSA), International Who’s Who in Information Technology, International Information Systems Security Certification Consortium (ISC)2, and a regular contributor to the annual Black Hat Security conference.
Robert J. Shimonski (Security+, Sniffer SCP, Cisco CCDP, CCNP, Nortel NNCSS, MCSE, MCP+I, Master CNE, CIP, CIBS, CWP, CIW, GSEC, GCIH, Server+, Network+, i-Net+, A+, e-Biz+, TICSA, SPS) is the Lead Network Engineer and Security Analyst for Thomson Industries, a leading manufacturer and provider of linear motion products and engineering. One of Robert’s responsibilities is to use multiple network analysis tools to monitor, baseline, and troubleshoot an enterprise network comprised of many protocols and media technologies.
Robert currently hosts an online forum for TechTarget.com and is referred to as the “Network Management Answer Man,” where he offers daily solutions to seekers of network analysis and management advice. Robert’s other specialties include network infrastructure design with the Cisco and Nortel product line for enterprise networks. Robert also provides network and security analysis using Sniffer Pro, Etherpeek, the CiscoSecure Platform (including PIX Firewalls), and Norton’s AntiVirus Enterprise Software.
Robert has contributed to many articles, study guides and certification preparation software, Web sites, and organizations worldwide, including MCP Magazine, TechTarget.com, BrainBuzz.com, and SANS.org. Robert holds a bachelor’s degree from SUNY, NY and is a part time Licensed Technical Instructor for Computer Career Center in Garden City, NY teaching Windows-based and Networking Technologies. Robert is also a contributing author for Configuring and Troubleshooting Windows XP Professional (Syngress Publishing, ISBN: 1-928994-80-6), BizTalk Server 2000 Developer’s Guide for .NET (Syngress, ISBN: 1-928994-40-7), Sniffer Pro Network Optimization & Troubleshooting Handbook (Syngress, ISBN: 1-931836-57-4), MCSE Implementing and Administering Security in a Windows 2000 Network Study Guide & DVD Training System (Syngress, ISBN: 1-931836-84-1) and is Technical Editor for Security+ Study Guide & DVD Training System (Syngress, ISBN: 1-931836-72-8).
Norris L. Johnson, Jr. (Security+, MCSA, MCSE, CTT+, A+, Linux+, Network+, CCNA) is a technology trainer and owner of a consulting company in the Seattle-Tacoma area. His consultancies have included deployments and security planning for local firms and public agencies, as well as providing services to other local computer firms in need of problem solving and solutions for their clients. He specializes in Windows NT 4.0, Windows 2000, and Windows XP issues, providing consultation and implementation for networks, security planning, and services. In addition to consulting work, Norris provides technical training for clients and teaches for area community and technical colleges. He is co-author of Security+ Study Guide & DVD Training System (Syngress Publishing, ISBN: 1-931836-72-8), Configuring and Troubleshooting Windows XP Professional (Syngress, ISBN: 1-928994-80-6), and Hack Proofing Your Network, Second Edition (Syngress, ISBN: 1-928994-70-9). Norris has also performed technical edits and reviews on Hack Proofing Windows 2000 Server (Syngress,
Jeremy Faircloth (Security+, CCNA, MCSE, MCP+I, A+) is a Senior IT Engineer for Gateway, Inc., where he develops and maintains enterprise-wide client/server and Web-based technologies. He also acts as a technical resource for other IT professionals, using his expertise to help others expand their knowledge. As an analyst with over 10 years of real world IT experience, he has become an expert in many areas including Web development, database administration, enterprise security, network design, and project management. Jeremy is a contributor to several Syngress publications including Hack Proofing XML (ISBN: 1-931836-50-7), ASP.NET Developer’s Guide (ISBN: 1-928994-51-2), and Security+ Study Guide & DVD Training System (ISBN: 1-931836-72-8). Jeremy currently resides in Dakota City, NE and wishes to thank Christina Williams and Austin Faircloth for their support in his various technical endeavors.
Michael Cross (Security+, MCSE, MCP+I, CNA, Network+) is an Internet Specialist and Programmer with the Niagara Regional Police Service, and has also served as their Network Administrator. He performs computer forensic examinations on computers involved in criminal investigations, and has consulted and assisted in cases dealing with computer-related/Internet crimes. He is responsible for designing and maintaining their Web site at www.nrps.com, as well as their Intranet. Michael programs applications used by various units of the Police Service, has been responsible for network security and administration, and continues to assist in this regard. Michael is part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users. His theory is that when the users carry guns, you tend to be more motivated in solving their problems.
Michael also owns KnightWare, a company that provides Web page design and various other services. In addition to this company, he has been a freelance writer for several years, and published over three dozen times in numerous books and anthologies. He is a contributing author to Scene of the Cybercrime: Computer Forensics Handbook (Syngress Publishing, ISBN: 1-931836-65-5) and the Security+ Study Guide & DVD Training System (Syngress, ISBN: 1-931836-72-8). He currently resides in St. Catharines, Ontario, Canada with his lovely wife, Jennifer, and his darling daughter, Sara.
F. William Lynch (Security+, SCSA, CCNA, LPI-I, MCSE, MCP, Linux+, A+) is co-author for Hack Proofing Sun Solaris 8 (Syngress Publishing, ISBN: 1-928994-44-X), Hack Proofing XML (Syngress, ISBN: 1-931836-50-7), Security+ Study Guide & DVD Training System (Syngress, ISBN: 1-931836-72-8), and Hack Proofing Your Network, Second Edition (Syngress, ISBN: 1-928994-70-9). He is an independent security and systems administration consultant and specializes in firewalls, virtual private networks, security auditing, documentation, and systems performance analysis. William has served as a consultant to multinational corporations and the Federal government including the Centers for Disease Control and Prevention headquarters in Atlanta, GA as well as various airbases of the United States Air Force. He is also the Founder and Director of the MRTG-PME project, which uses the MRTG engine to track systems performance of various UNIX-like operating systems. William holds a bachelor’s degree in Chemical Engineering from the University of Dayton in Dayton, OH and a master’s of Business Administration from Regis University in Denver, CO.
Debra Littlejohn Shinder (MCSE) is author of Scene of the Cybercrime: Computer Forensics Handbook (Syngress Publishing, ISBN: 1-931836-65-5), co-author of Configuring ISA Server 2000: Building Firewalls for Windows 2000 (Syngress, ISBN: 1-928994-29-6) and Troubleshooting Windows 2000 TCP/IP (Syngress, ISBN: 1-928994-11-3), as well as a contributor to numerous other technical books. Along with her husband, Dr. Thomas W. Shinder, Deb does network consulting in the Dallas-Ft. Worth area, designs Web sites for businesses, municipalities and non-profit organizations, and teaches in the Dallas County Community College District’s technical training programs. As a former police officer and Police Academy instructor, she specializes in computer/network security and forensics.
Deb has written hundreds of articles for Web and print publications such as TechRepublic, CNET, Swynk.com, BrainBuzz.com, and WinXP News. She has also written numerous online courses for DigitalThink, Inc. and prepared curricula for classroom instruction. She has contributed to Microsoft’s TechNet, and speaks at conferences such as the Black Hat Security briefings and Certification Expo. She edits the A+ weekly newsletter for CramSession and writes a weekly feature for the Net Admin News.
Deb has been writing since she finished her first (still unpublished) novel in ninth grade. She edited her high school and college newspapers and wrote and edited newsletters for city employees and police associations. Prior to entering the tech field, she had articles published in law enforcement and self-help psychology publications. She is a member of the IEEE’s IPv6 Working Group and has written and tech edited questions for various certification practice exams.
Technical Reviewer
Tony Piltzecker (Security+, CISSP, MCSE, CCNA, Check Point CCSA, Citrix CCA), author of the CCSA Exam Cram, is a Network Architect with Planning Systems Inc., providing network design and support for federal and state agencies. Tony’s specialties include network security design, implementation, and testing. Tony’s background includes positions as a Senior Networking Consultant with Integrated Information Systems and a Senior Engineer with Private Networks, Inc. Tony holds a bachelor’s degree in Business Administration, and is a member of ISSA.
Tony is a contributing author to Security+ Study Guide & DVD Training System (Syngress Publishing, ISBN: 1-931836-72-8) and MCSE Implementing and Administering Security in a Windows 2000 Network Study Guide & DVD Training System (Syngress, ISBN: 1-931836-84-1). Tony currently resides in Leominster, MA with his wife, Melanie, and his daughter, Kaitlyn.
Technical Editor
Jeffrey Posluns (SSCP, CISSP, CISA, CCNP, CCDA, GSEC) is the Founder of SecuritySage, a leading-edge information security and privacy consulting firm. Jeffrey oversees and directs the professional services teams, product reviews, and innovative product development. Jeffrey has over 11 years experience specializing in security methodologies, audits and controls. He has extensive expertise in the analysis of hacker tools and techniques, intrusion detection, security policies, forensics, and incident response. Jeffrey is an industry-recognized leader known for his ability to identify trends, resolve issues, and provide the highest quality of customer service, educational seminars, and thought-provoking presentations. Prior to SecuritySage, Jeffrey founded and co-founded several e-commerce and security initiatives, where he served as President and/or Chief Technology Officer. His responsibilities included such areas as the strategy and implementation of corporate initiatives, project management, professional and managed services, as well as research and development. He has also authored a variety of security-specific books, white papers, financial and security-related software, and security toolkits. Jeffrey is looked to as an authority to speak on IT security related issues and trends at conferences, in the media, and law enforcement forums. He is a regular speaker at industry conferences organized by such groups as the Information Systems Audit and Control Association (ISACA) and the Association of Certified Fraud Examiners (ACFE). Jeffrey is also a trainer for the CISSP certification course.
About the Study Guide & DVD Training System
■ Damage and Defense relate real-world experiences to security exploits while outlining defensive strategies.
■ Head of the Class discussions are based on the author’s interactions with students in live classrooms and the topics covered here are the ones students have the most problems with.
Each chapter also includes hands-on exercises. It is important that you work through these exercises in order to be confident you know how to apply the concepts you have just read about.
You will find a number of helpful elements at the end of each chapter. For example, each chapter contains a Summary of Exam Objectives that ties the topics discussed in that chapter to the published objectives. Each chapter also contains an Exam Objectives Fast Track, which boils all exam objectives down to manageable summaries that are perfect for last minute review. The Exam Objectives Frequently Asked Questions answers those questions that most often arise from readers and students regarding the topics covered in the chapter. Finally, in the Self Test section, you will find a set of practice questions written in a multiple-choice form similar to those you will encounter on the exam. You can use the Self Test Quick Answer Key that follows the Self Test questions to quickly determine what information you need to review again. The Self Test Appendix at the end of the book provides detailed explanations of both the correct and incorrect answers.
Additional Resources
There are two other important exam preparation tools included with this Study Guide. One is the DVD included in the back of this book. The other is the practice exam available from our website.
■ Instructor-led training DVD provides you with almost two hours of virtual classroom instruction. Sit back and watch as an author and trainer reviews all the key exam concepts from the perspective of someone taking the exam for the first time. Here, you’ll cut through all of the noise to prepare you for exactly what to expect when you take the exam for the first time. You will want to watch this DVD just before you head out to the testing center!
■ Web based practice exams. Just visit us at www.syngress.com/certification to access a complete Exam Simulation. These exams are written to test you on all of the published certification objectives. The exam simulator runs in both “live” and “practice” mode. Use “live” mode first to get an accurate gauge of your knowledge and skills, and then use practice mode to launch an extensive review of the questions that gave you trouble.
Chapter 1 SSCP Certification Overview ………1
Introduction………2
(ISC)2 ………2
Systems Security Certified Practitioner ………3
Certified Information Systems Security Professional………4
Overview of the SSCP Domains………5
Domain One: Access Controls ………6
Specialty Areas ………6
Product Types ………9
Standards and Methodologies ………9
Domain Two: Administration ………9
Specialty Areas ………10
Product Types ………11
Standards and Methodologies ………12
Domain Three: Audit and Monitoring ………12
Specialty Areas ………13
Product Types ………14
Standards and Methodologies ………14
Domain Four: Risk, Response, and Recovery………15
Specialty Areas ………16
Common Body of Knowledge (CBK)
All seven domains of (ISC)2’s published Common Body of Knowledge (CBK) for the SSCP Exam are covered in this book. We’ve devoted one, complete chapter to each of the seven domains. To help you easily find coverage for each, we’ve referenced each domain under the corresponding chapter title in the following Table of Contents. By reading this study guide and following the corresponding domain list, you can be sure that you have studied 100% of (ISC)2’s SSCP CBK.
Product Types ………19
Standards and Methodologies ………20
Domain Five: Cryptography ………20
Specialty Areas ………20
Product Types ………22
Standards and Methodologies ………22
Domain Six: Data Communications ………23
Specialty Areas ………23
Product Types ………24
Standards and Methodologies ………25
Domain Seven: Malicious Code or Malware ………25
Specialty Areas ………26
Product Types ………27
Standards and Methodologies ………27
Summary ………28
Chapter 2 Access Controls ………29
Domain 1: The access controls area includes the mechanisms that allow a system manager to specify what users and processes can do, which resources they can access, and what operations they can perform.
Introduction ………30
Access Control Objectives ………31
Obtaining Access ………32
Identification ………33
Authentication ………34
Authorization ………34
Assurance ………37
Confidentiality ………37
Integrity ………38
Availability ………38
Accountability and Logging ………38
Authentication Types ………40
Something You Know ………40
Something You Have ………42
Something You Are ………43
Authentication Type Combinations ………44
Enterprise Authentication ………45
Single Sign-On ………45
Remote Access Authentication ………50
Password Administration ………52
Selecting a Password ………52
Managing Passwords ………54
Auditing Passwords ………55
Access Control Policies ………56
Access Control Policy Types ………56
Preventive ………56
Corrective ………57
Detective………57
Access Control Policy Implementations ………58
Administrative ………58
Logical/Technical ………59
Physical ………59
Access Control Methodologies ………60
Centralized ………60
Decentralized ………60
Access Control Models ………61
Discretionary Access Control ………63
Mandatory Access Control ………64
Non-Discretionary ………65
Formal Models………67
Bell-LaPadula ………67
Biba………67
Clark-Wilson ………68
Administrating Access Control ………68
Account Administration ………68
Determining Rights and Permissions ………70
Management of Access Control Objects ………70
Monitoring ………71
Securing Removable Media ………72
Management of Data Caches ………72
Methods of Attack ………73
Dictionary Attack………73
Brute Force Attack ………74
Denial of Service Attacks………77
Spoofing ………78
Man In The Middle Attacks………79
Spamming ………81
Sniffers ………81
Monitoring ………82
Intrusion Detection Systems ………83
Alarms ………83
Audit Trails ………84
Violation Reports ………84
Penetration Testing………85
Methodology ………85
Identifying Weaknesses………87
Summary of Exam Objectives ………88
Exam Objectives Fast Track ………89
Exam Objectives Frequently Asked Questions ………93
Self Test ………94
Self Test Quick Answer Key………100
Chapter 3 Administration ………101
Domain 2: The administration area encompasses the security principles, policies, standards, procedures and guidelines used to identify, classify and ensure the confidentiality, integrity and availability of an organization’s information assets. It also includes roles and responsibilities, configuration management, change control, security awareness, and the application of accepted industry practices.
Introduction ………102
Principles ………103
System Accountability ………103
Multifactor Authentication ………104
Principle of Least Privilege ………107
Goals of Information Security ………110
Confidentiality ………110
Integrity ………111
Availability ………112
Access Control ………112
Mandatory Access Control ………112
Discretionary Access Control ………113
Role-based Access Control ………113
Consider the Entire Life Cycle of Information………115
Terms and Definitions ………117
Involvement with Development Groups ………119
Quality Assurance, Audit, and InfoSec Need to be Involved ………119
Ensuring that Policies, Laws, and Contractual Obligations are Respected ………120
Certifying the Security Functionality ………120
Certifying Processing Integrity ………121
Operational Testing ………121
Separation of Duties ………122
Control Mechanisms and Policies ………123
Development Staff Should Not Conduct Evaluation or Testing ………124
Security Administrators Should Not Perform Audit Tasks……124
Individuals Should Not Be Responsible for Approving Their Own Work ………124
Risk Assessment ………125
Potential Vulnerabilities ………130
Malicious Code ………130
Data Problems ………131
Access Problems ………132
System Architecture: Modes of Operation ………133
System High Mode ………134
Compartment Mode ………134
Multilevel Secure Mode ………134
Change Control ………135
Tools ………139
System Security Architecture Concepts ………139
Hardware Segmentation………139
Reference Monitor ………140
High Security Mode ………140
Data Protection Mechanisms ………140
Data Classification ………142
Employment Policies and Practices ………144
Separation of Duties ………144
The Hiring Process ………144
Background Checks ………144
Employment Agreements ………145
Termination Policies ………147
Awareness………148
Security Management Planning ………150
Define the Mission and Determine Priorities ………151
Determine the Risks and Threats to Priority Areas …………151
Create a Security Plan to Address Threats ………152
Develop Security Policies ………152
Perform Security Assessments ………153
Identify Security Solutions ………153
Identify Costs, Benefits, and Feasibility ………153
Get Upper Management Buy-In ………153
Summary of Exam Objectives ………155
Exam Objectives Fast Track ………159
Exam Objectives Frequently Asked Questions ………164
Self Test ………167
Self Test Quick Answer Key………174
Chapter 4 Audit and Monitoring ………175
Domain 3: The monitoring area includes those mechanisms, tools and facilities used to identify, classify, prioritize, respond to, and report on security events and vulnerabilities. The audit function provides the ability to determine if the system is being operated in accordance with accepted industry practices, and in compliance with specific organizational policies, standards, and procedures.
Introduction ………176
Security Audits………181
Internal versus External Auditors ………185
Auditing Process ………188
Auditing Methods ………190
Audit Data Sources ………192
Sampling and Data Extraction ………195
Retention Periods ………196
Audit Trails ………196
Audit Trail Integrity ………196
Checklist Audits ………198
Penetration Testing ………201
Wardialing ………206
Social Engineering ………210
Monitoring Methods and Mechanisms ………211
Scorecards ………212
Intrusion Detection Systems ………212
Pattern Recognition (Signature Based) ………213
Anomaly Detection ………213
Log Watching ………214
Event Monitoring ………215
Trend Analysis ………215
Summary of Exam Objectives ………216
Exam Objectives Fast Track ………218
Exam Objectives Frequently Asked Questions ………221
Self Test Quick Answer Key………228
Chapter 5 Risk, Response, and Recovery ………229
Domain 4: The risk, response and recovery area encompasses the roles of a security administrator in the risk analysis, emergency response, disaster recovery and business continuity processes, including the assessment of system vulnerabilities, the selection and testing of safeguards, and the testing of recovery plans and procedures. It also addresses knowledge of incident handling, including the acquisition, protection and storage of evidence.
Introduction ………230
Risk Management Cycle ………230
Education ………235
Methods of Providing Education ………237
Analysis ………238
Testing ………241
Validation ………243
Risks and Threats ………245
Different Types of Risks and Threats ………246
Environmental Risks and Threats ………247
Deliberate Risks and Threats ………247
Accidental Risks and Threats ………251
Risk Mitigation ………254
Identifying the Risks that Need Mitigating ………257
Asset Identification ………258
Risk Mitigation Analysis ………261
Disaster Recovery and Business Continuity Plans ………268
Disaster Recovery Plan ………271
Backups ………273
Alternate Sites ………279
Incident Investigation ………282
The Goals ………282
The Tools ………285
Policies ………285
Tracing Tools ………289
Log Analysis ………292
Crime Scene Analysis ………292
Documentation ………293
Investigation Steps ………294
Preparation ………294
Detection ………296
Containment ………298
Eradication ………298
Recovery ………299
Follow Up ………299
Computer Forensics ………300
What Your Role Is ………301
Chain of Custody ………305
Preservation of Evidence ………307
Collection of Evidence ………309
Summary of Exam Objectives ………314
Exam Objectives Fast Track ………315
Exam Objectives Frequently Asked Questions ………317
Self Test Quick Answer Key………324
Chapter 6 Cryptography ………325
Domain 5: The cryptography area addresses the principles, means and methods used to disguise information to ensure its integrity, confidentiality, authenticity and non-repudiation.
Introduction ………326
What Cryptography Offers ………328
Steganography ………329
Asymmetric Encryption Algorithms ………330
RSA Algorithm ………332
Digital Signature Algorithm ………333
Symmetric Encryption Algorithms ………333
Data Encryption Standard Algorithm ………334
Triple DES Algorithm ………335
Advanced Encryption Standard Algorithm ………335
International Data Encryption Algorithm ………337
SkipJack ………337
Hashing Algorithm Functions ………337
Message Digest 4 ………338
Message Digest 5 ………338
SHA-1 (160-bit) ………339
Encryption Methods ………342
Stream Ciphers ………346
Block Ciphers ………346
Cipher Block Chaining Mode ………347
Cipher Feedback Mode ………348
Electronic Code Book Mode ………349
Output Feedback Mode ………350
Digital Signatures ………350
Key Types ………352
Private Key ………352
Public Key ………352
Hybrid Key ………353
Key Management Issues ………353
Problems with Key Selection ………354
Public Key Infrastructure ………355
Certificates ………358
X.509 ………359
Certificate Practice Statements ………362
Revocation ………362
Certificate Revocation List ………363
Trust Models ………364
Single CA Model ………364
Standards and Protocols ………366
Key Management Lifecycle ………368
Centralized versus Decentralized ………368
Storage ………369
Hardware Key Storage versus Software Key Storage ………369
Private Key Protection ………371
Escrow ………371
Expiration ………373
Revocation ………373
Recovery ………374
Key Recovery Information ………374
Renewal ………375
Key Usage ………376
Multiple Key Pairs (Single, Dual) ………377
Using a Short Password to Generate a Long Key ………377
Cryptographic Attacks ………380
Brute Force ………380
Ciphertext-only Attack ………380
Known Plaintext Attack ………380
Man-in-the-Middle Attack ………381
Summary of Exam Objectives ………383
Exam Objectives Fast Track ………384
Exam Objectives Frequently Asked Questions ………386
Self Test Quick Answer Key………391
Chapter 7 Data Communications ………393
Domain 6: The data communications area encompasses the structures, transmission methods, transport formats and security measures used to provide integrity, availability, authentication and confidentiality for data transmitted over private and public communications paths.
Introduction ………394
The Seven Layer OSI Model ………394
Layer One: Physical Layer ………396
Wireless Ethernet Radio Waves ………397
Twisted-Pair Copper Cable ………398
Coaxial Cable ………398
Fiber-Optic Cable ………399
Hubs and Switches ………400
Repeaters ………401
Layer Two: Data Link Layer ………401
Layer Three: Network Layer ………402
Layer Four: Transport Layer ………403
Layer Five: Session Layer ………405
Layer Six: Presentation Layer ………406
Layer Seven: Application Layer ………407
Local Area Networks ………408
Topologies ………409
Tree Topology ………412
Token Ring Topology ………414
Mesh Topology ………415
Ethernet ………417
Binary to Hex to Decimal Translation ………417
Signaling Types ………418
Carrier Sense Multiple Access/Collision Detect ………418
Token Ring ………419
Frame Detail ………419
Token Passing ………421
Active Monitor ………421
FDDI Elements ………423
Wide Area Networks ………424
Cabling ………425
X.25 ………426
Integrated Services Digital Network ………426
Protocols ………427
Internet Protocol ………427
Transmission Control Protocol ………429
Multi-Purpose Internet Mail Extensions ………429
Secure Multi-Purpose Internet Mail Extensions ………430
Secure Socket Layer ………431
SSL and TLS ………431
Secure Electronic Transaction ………432
Authentication Protocols ………433
Password Authentication Protocol ………433
Challenge Handshake Authentication Protocol ………433
Remote Access Protocols ………434
Point-to-Point Protocol ………434
Serial Line Interface Protocol ………435
Network Devices ………435
Network Interface Cards ………436
Common Problems ………436
Hubs ………437
Switches ………437
Firewalls ………440
Network Address Translation ………440
Demilitarized Zone ………441
Packet Filtering Firewalls ………443
Screened Host Firewall ………444
Screened Subnet Firewall with a DMZ ………445
Stateful Inspection ………446
Routers ………447
Access Control Lists ………448
Proxies ………449
Remote Authentication Service Servers ………449
Remote Authentication Dial-In User Service ………449
Terminal Server Controller Access Control Systems ………450
Terminal Server Controller Access Control Systems Plus ………450
Intrusion Detection Systems ………451
Host-Based IDS ………451
Network-Based IDS ………451
Virtual Private Networks ………452
Point-to-Point Tunneling Protocol ………452
Layer 2 Tunneling Protocol ………453
Secure Shell ………453
IP Security ………454
Transport Mode versus Tunnel Mode ………455
Typical Attacks Against Network Resources ………455
Spoofing ………456
Sniffing ………456
Session Hijacking ………458
IP Fragmentation ………458
SYN Floods ………459
Private Branch Exchange Attacks: Wardialing ………460
Summary of Exam Objectives ………462
Exam Objectives Fast Track ………463
Exam Objectives Frequently Asked Questions ………466
Self Test Quick Answer Key ………476
Chapter 8 Malicious Code and Malware ………477
Domain 7: The malicious code area encompasses the principles, means and methods used by programs, applications and code segments to infect, abuse or otherwise impact the proper operation of an information processing system or network.
Introduction ………478
Types of Hackers ………479
Malicious Code ………481
Viruses ………483
Logic Bombs ………491
Worms ………491
Trojan Horses ………493
“Melissa” and “I Love You” ………499
Nimda Worm ………505
Prevention and Response ………508
Networking Exploits ………509
Denial of Service Attacks ………510
DoS Attacks that Exploit TCP/IP ………511
DNS DoS Attack ………512
The Ping of Death ………514
Ping Flood/Fraggle/Smurf ………515
UDP Bomb/UDP Snork ………517
Teardrop Attacks ………517
SNMP Exploits ………518
Source Routing Attacks ………519
Other Protocol Exploits ………519
Spoofing ………520
IP Spoofing ………520
ARP Spoofing ………521
DNS Spoofing ………521
Application Exploits ………522
Poor Coding ………523
Back Doors ………523
Buffer Overflows ………523
The Out-of-Band Attack ………524
Social Engineering ………525
Protecting the Network Against Social Engineers ………526
Modems ………527
Reconnaissance Attacks ………528
Sniffing ………528
Scanning ………532
Antivirus Software ………535
Web Browser Security ………536
Antivirus Research ………537
Summary of Exam Objectives ………538
Exam Objectives Fast Track ………538
Exam Objectives Frequently Asked Questions ………541
Self Test Quick Answer Key ………548
Appendix A: Self Test Questions, Answers, and Explanations ………549
Index ………611
Chapter 1
SSCP Certification Overview
As we begin to prepare for the Systems Security Certified Practitioner (SSCP) examination, let’s first take a look at how the preparation for this exam can help you to prepare and qualify for higher-level certifications that you might want to pursue later in your career. Fortunately, much of the preparation and learning that you will do for the SSCP examination and certification will help give you the fundamental background information you can apply to the next level of certification, the Certified Information Systems Security Professional (CISSP). Here we briefly review the history and development of the credentials and the organization responsible for them, and then we review the requirements and areas of study that we’ll be discussing throughout the book.
(ISC)2
(ISC)2 is the International Information Systems Security Certification Consortium, Inc. This organization was originally formed to collect and define a common body of knowledge (CBK) for the information security (IS) community internationally. The (ISC)2 works to keep that information relevant to the requirements of the international IS community by regularly updating and verifying the CBK contents. The CBK consists of the general information that defines or explains the areas of concentration in a very broad sense, rather than being a repository of specific information that might be studied in preparation for an examination. Instead of specific technical information that would be found in a vendor-specific or task-specific exam, this information forms the guidelines for study. The CBK has been defined and grouped in a total of 10 domains, or areas of knowledge, that contain the information that is relevant to the IS professional.
(ISC)2 is the governing organization that has developed the SSCP and CISSP certifications and examinations. This effort was undertaken in response to industry demand and concerns that a measurable benchmark was needed to assure the competency of the individuals participating in the defense of information systems.
This book and its contents have been written by a talented, experienced team of professionals who have had experience in each of the domains that are covered in the SSCP exam. Although no individual resource can provide 100 percent coverage of each domain, we believe that this study guide and your study and knowledge of the information it contains will lead to your success in taking the test.
Systems Security Certified Practitioner
The first of two certification tracks that are offered by (ISC)2 is the Systems Security Certified Practitioner (SSCP) certification. The SSCP examination contains content that originates in seven domains that have been identified by (ISC)2 as areas of concentration. We’ll be looking at each of these domains and how they are derived, as well as the distinct requirements and knowledge areas within those domains, as we progress through the chapters that follow:
■ Access Controls
■ Administration
■ Audit and Monitoring
■ Risk, Response, and Recovery
■ Cryptography
■ Data Communications
■ Malicious Code/Malware
The certification is aimed at security professionals who have direct work experience in two or more of the domains that total at least one year of actual work performed. This time may include systems administration, teaching, consulting, or other disciplines, but it must be security-related work time. It is reflective of actual time worked, and the time is cumulative, so it may be compiled over a longer period of time than a calendar year. Candidates for the certification must have accumulated one year of direct experience in one of the domains.
NOTE
The certification itself requires one year of experience in two domains.
This requirement means that you may study for and attempt the examination with a lower level of experience, but you will have to attain the certification experience level and attest to your compliance with that requirement before you receive the certification.
(ISC)2 also requires that candidates and certified individuals accept the (ISC)2 code of ethics. The code of ethics contains four sections, which (ISC)2 defines as canons. The code of ethics canons are:
■ Protect society, the commonwealth, and the infrastructure.
■ Act honorably, honestly, justly, responsibly, and legally.
■ Provide diligent and competent service to principals.
■ Advance and protect the profession.
These definitions, by nature, are very broad in scope. The code of ethics defines a level of correct and proper action that you should be (and very probably are) following as you pursue a career in IS. The four canons remind us that we are required in our profession to be above reproach as much as is possible in a human environment. We must promote protection of information, truthfulness, and public trust in information and information systems, and we must treat clients and the public fairly and within the laws of the commonwealth in which we serve. Additionally, we must educate and promote these ideas throughout the environment in which we operate. You can view this information in its entirety at www.isc2.org/cgi-bin/content.cgi?category=12.
Successful candidates are additionally required to participate in continuing education and accumulate continuing education credits. Credential renewal can be attained through this process over a three-year period or by retaking the certification exam every three years. Specific information about examination schedules, costs, and updates of requirements can be found on the (ISC)2 site at www.isc2.org.
Certified Information Systems Security Professional
The Certified Information Systems Security Professional (CISSP) certification is designed to measure management-level skills and expertise in areas of policy and overall system design rather than the more technical skills that are measured in the SSCP examination. The CISSP exam includes more comprehensive knowledge and experience requirements than does the SSCP examination.
As we mentioned earlier, (ISC)2 has identified a total of 10 domains that have relevance to the CISSP credential. The CISSP credential also requires a more verifiable amount of time working directly with computer and network security, as well as testing the candidate’s ability to design and implement a security defense plan. As announced on the (ISC)2 site, the requirements for candidates testing after January 1, 2003, have changed. The new requirements include a minimum experience requirement for certification of four years, or three years with a college degree or equivalent life experience. Further information about the new requirements can be found on the (ISC)2 site at www.isc2.org. If you are interested in pursuing this certification in the future, you’ll be involved in an in-depth study to gain knowledge of the following 10 domains:
■ Access Control Systems and Methodology
■ Telecommunications and Network Security
■ Security Management Practices
■ Applications and Systems Development Security
In the next sections, we begin to describe the content areas of the examination. You will undoubtedly find some new terminology and references with which you are not familiar. Throughout this book, we try to expose you to terminology and definitions that are used in the examination process. Be sure to note terms with which you are not familiar and learn their usages in the various contexts we examine.
Overview of the SSCP Domains
The SSCP certification exam consists of 125 questions derived from seven domains. The test is arranged in a multiple-choice format. The domains are often large and contain many subsections that you need to understand and successfully work with in order to pass the exam. To increase your understanding of the overall scope of these domains, we have described and defined their content in the following sections. Each of the domains contains topics that are possible sources of test questions, and each will be fully discussed in the chapters that follow in this book. Although the candidate and certification qualifications do not require work experience in all the domains, your examination will require answering questions from all seven of the SSCP domains.
Domain One: Access Controls
First among the domains that we explore is access controls. In this domain, we will work to develop an understanding of the concepts of implementing and enforcing access methods and policies we have planned and chosen to use. We’ll learn the procedures that give administrators the ability to control access to systems and resources and many of the methods that can be used to monitor and enforce the security rules that are put in place to limit access to those who are entitled to use the resources. Access controls are fully discussed in Chapter 2.
As we begin to look at the areas that could be tested in the access controls domain, we have to define what we are working on. Access control involves your organization’s ability to choose the methods of access and the level of access for individuals, groups, or machines to use resources such as files or directories located on your file servers or other network or system services. Additionally, access controls allow management or IT staff the ability to control the type of activity that is allowed, when it is allowed, where it is allowed, and who is allowed to perform the activity or task. The access controls domain is very comprehensive. Success on the examination requires a good working knowledge of the concepts, technologies, and methodologies that are involved. In the access controls domain, we’ll look at methods of control, such as hardware-based tokens and smart cards, and other methods such as the use of certificates and biometrics. Additionally, we’ll look at password policies and administration, access rights and permissions, and access control administration. In the next section, we’ll look briefly at each of these areas and the specialty areas within them that you need to know about.
Specialty Areas
Within the focus areas of the access control domain, we need to look also at the components that make up those sections that you need to understand to effectively work as an SSCP. In this domain, you’ll need to be familiar with a number of main topic areas, including these large areas:
■ Accountability
■ Identification and authentication techniques
■ Password administration
■ Access control techniques
■ Access control administration
■ Access rights and permissions
■ Access control models, methodologies, and implementation
■ Methods of attack
■ Monitoring
■ Penetration testing
Within these broad areas, you must be comfortable with a number of other concepts. Many of the main topics contain additional concepts and working areas that you must know and understand. In the next section, we’ll briefly detail the additional concepts that are involved.
The identification and authentication techniques area has sublevels that include
knowledge of the types of identification that can be used. These include:
■ Use of passwords
■ Smart cards
■ Biometrics
■ Kerberos tickets
■ Single sign-on (SSO)
■ One-time passwords in everything (OPIE)
The password administration topic includes coverage of:
■ Password selection
■ Password management
■ Password control
The access control techniques area contains concepts that might be new to you; within this section we consider the methods that may be used to achieve access control, including:
■ Discretionary Access Control (DAC)
■ Mandatory Access Control (MAC)
■ Access control lists (ACLs)
■ The principle of least privilege
■ The practice of separation of duties and responsibilities
Access control administration includes:
■ The methods and practices for account administration
■ The duties of monitoring journals, logs, and accounts
Access rights and permissions detail procedures to deal with access; we will also
review the methodologies involved In this area, you need to understand ways to:
■ Implement access rights and permissions
■ Maintain access rights and permissions
■ Revoke access rights and permissions
Access control models, methodologies, and implementation requires that we examine:
■ Centralized and remote access authentication controls
■ Decentralized access controls
■ Concepts of control, including what to consider in relation to file and data owners, custodians, and users
We’ll also begin to look at concepts that are involved in the methods of attack
As we proceed through the chapter, we’ll mention in each of the domains some of the types of products that can be utilized relative to the topic for the domain, with the goal of giving you a frame of reference from your experience. In the case of access controls, you could use a number of network devices that involve access controls technologies and knowledge. Among these are such items as firewalls, routers, smart cards, and biometric devices. Each of these products would be used within the access controls area to define rules and methods for access to systems.
Standards and Methodologies
The access controls domain emphasizes the methods we use to control access. Additionally, it is concerned with planning, permissions, access auditing, and monitoring of the conditions of our developed and implemented plan and the controls—whether policy, software, or hardware—that we use to grant or deny access to various systems and networks in our control.
Domain Two: Administration
The next domain we must address is the administration domain. In this domain, we’ll see that we need to develop an understanding of methods to perform system and machine administration tasks that provide a secure system and a security plan to maintain the integrity of our operation, including networks and