
All-in-1 / CISSP All-in-One Exam Guide, Fourth Edition / Harris / 787-0

INDEX

References to figures are in italics.

*-integrity axiom, 337
*-property rule (star property rule), 334, 336
10Base2, 514
10Base5, 514
10Base-T, 514
3DES, 703
802.11a, 624
802.11b, 624
802.11e, 625
802.11f, 625
802.11g, 625
802.11h, 625
802.11i, 625–626
802.11j, 633
802.11n, 633
802.15, 634
802.16, 633
802.1X, 627–629

A

absolute addresses, 303
abstraction, 296, 962
access, defined, 155
access control administration, 222
    centralized, 223
    decentralized, 230
    Diameter, 227–229
    RADIUS, 223–224, 227
    TACACS, 224–227
    watchdog timers, 227
access control models, 210
    discretionary access control, 211
    identity-based, 212
    mandatory access control, 212–214
    role-based access control, 214–217
    sensitivity labels, 213–214
access controls, 670
    access control lists (ACLs), 220–221
    access control matrix, 219–220
    access criteria, 195–196
    accountability, 159, 243–246
    administrative controls, 232–233
    auditing, 237
    authentication, 158, 160–161
    authorization, 158, 195
    cabling, 234
    capability tables, 220
    computer controls, 234
    constrained user interfaces, 218–219
    content-dependent access control, 221
    context-dependent access control, 221–222

1113

Index.indd 1113 10/9/2007 1:56:02 PM


    control zone, 234, 250
    default to no access, 196–197
    directory services, 209
    emanation security, 248–250
    encryption, 237
    facilities, 447–454
    groups, 196
    identification, 158, 160–161, 162
    intrusion detection systems (IDSs), 250–260
    intrusion prevention systems (IPSs), 260–263
    Kerberos, 200–205
    layers, 231–232
    logical access controls, 160
    natural access control, 410–412
    need-to-know principle, 197–198
    network access, 236–237
    network architecture, 235–236
    network segregation, 233
    object reuse, 248
    overview, 155–156
    perimeter security, 233
    personnel, 454–455
    personnel controls, 232
    physical controls, 233
    practices, 246–250
    preventive, 239–240
    protocols, 237
    race condition, 159
    roles, 195
    rule-based, 217–218
    security domains, 206–208
    security-awareness training, 232
    SESAME, 205–206
    single sign-on, 198–200
    supervisory structure, 232
    system access, 235
    technical controls, 234–237
    Tempest, 249
    testing, 233
    thin clients, 209–210
    threats, 263–269
    types of, 237–242
    unauthorized disclosure of information, 247–248
    white noise, 249
    work area separation, 234
    See also identity management
access points (APs), 621
access triple, 339
accessing password files, 185
account management, 174
accountability, 159, 243–244
    keystroke monitoring, 245–246
    operations security, 1032–1033
    protecting audit data and log information, 246
    review of audit information, 245
accreditation, 371–372
ACLs, 220–221
active attacks, 753
ActiveX, 995
ActiveX Data Objects (ADO), 921
activity support, 415
Address Resolution Protocol (ARP), 529–530
administrative controls, 232–233
administrative interfaces, 984–985
Advanced Encryption Standard (AES), 697, 703–704
advisory policies, 112
adware, 645
aggregation, 927
AIC triad, 59–61
ALE. See annualized loss expectancy (ALE)
algebraic attacks, 756
algorithms, 666, 670
analog transmission signals, 505–506, 525


analytic attacks, 756
annualized loss expectancy (ALE), 95–97
annualized rate of occurrence (ARO), 96
anti-malware programs, 1005–1006
    See also malware
antivirus software, 1001–1004
    See also viruses
appliances, 559
application layer, 487, 494–495
application owners, responsibilities, 132
application security. See software security
application-level proxies, 554, 555–557
Arabo, Jason Salah, 25
architecture, 281
    and access control, 235–236
    additional storage devices, 317
    architectural view of network environments, 45–47
    central processing unit (CPU), 281–286
    CPU modes and protection rings, 308–310
    domains, 312
    enterprise architecture, 373–381
    firewalls, 560–563
    input/output device management, 317–320
    layered operating system architecture, 311, 312–314
    multiprocessing, 286–287
    open network architecture, 484
    operating systems, 287–294, 310–311
    process management, 287–292
    security architecture, 322
    Sherwood Applied Business Security Architecture (SABSA), 378
    software, 966–967
    system architecture, 321–330
    terminology, 314–315
    three-tier, 40–42
    two-tier, 40
    virtual machines, 315
    Zachman Architecture Framework, 376–378
    See also memory
arithmetic logic units (ALUs), 282
ARO. See annualized rate of occurrence (ARO)
ARP table poisoning, 530
artificial neural networks (ANNs), 977–979
assembly code, 957
asset identification and management, 1036–1037
Associate CISSP, 10
assurance, 355–356
assurance levels, 1034
asymmetric algorithms, 679
    types of, 706–713
asymmetric mode, 286–287
Asymmetrical DSL (ADSL), 607
asynchronous attacks, 383
asynchronous communication, 507, 525
asynchronous token device, 189–190
Asynchronous Transfer Mode. See ATM
ATM, 594–596
attacks
    cramming, 1087
    data diddling, 885
    denial-of-service attacks, 1010, 1086
    distributed denial-of-service, 1013–1014
    dumpster diving, 886–887
    emanations capturing, 887
    evolution of, 842–844
    excessive privileges, 885
    fake login screens, 1086
    file descriptor attacks, 1096
    fraggle, 1011


    IP spoofing, 886
    mail bombing, 1086
    man-in-the-middle attacks, 1086
    password sniffing, 885–886
    ping of death, 1086
    salami attacks, 884
    slamming, 1087
    smurf, 1010–1011
    SYN floods, 1011–1012
    teardrop, 1012–1013, 1087
    traffic analysis, 1087
    wardialing, 1086
    wiretapping, 887–888
    See also hacking
attenuation, 512, 522–523
audit committee, responsibilities, 130
auditing, 237
    physical access, 468–469
    protecting audit data and log information, 246
    review of audit information, 245
auditors
    compliance auditors, 90
    responsibilities, 134
authentication, 158, 160–161, 669
    open system authentication (OSA), 623
    protocols, 614–616
    shared key authentication (SKA), 623
Authentication Header (AH), 750
authoritative sources, 175
authorization, 158, 195, 669
    access criteria, 195–196
    creep, 197
availability, 59–60
    and access control, 157
Available Bit Rate (ABR), 595
awareness, security-awareness training, 139–142

B

backdoors, 1085–1087
background checks, 137–138
backups, 1066–1067
    choosing a software backup facility, 806
    data backup alternatives, 801–803
    differential process, 802
    electronic backup solutions, 803–806
    full backup, 802
    hardware, 796
    incremental process, 802
    software, 796–797
bandwidth, 506, 519
Bank of America, 27
base registers, 297, 298
baseband, 507–508, 525
Basel II Accord, 858
baselines, 113–114
    See also security policies
Basic Security Theorem, 335
bastion hosts, 560
BCP. See business continuity plan (BCP)
BEDO DRAM, 300
Bell-LaPadula model, 333–336
    vs. Biba model, 338
Biba model, 336–338
    vs. Bell-LaPadula model, 338
biometrics, 179–182, 183–184
    crossover error rate (CER), 179–180
    facial scans, 183
    fingerprints, 182
    hand geometry, 182
    hand topography, 183
    iris scans, 182
    keyboard dynamics, 183
    palm scans, 182


    processing speed, 181
    retina scans, 182
    signature dynamics, 182–183
    Type I and Type II errors, 179, 180
    voice prints, 183
blackout, 434
block ciphers, 685–687
blocked state, 290
Blowfish, 704–705
Bluejacking, 634
blueprints, 78–79
Bluetooth, 634
board of directors, responsibilities, 123–124, 125–126
Boeing, 36
bollards, 458
Boot Protocol (BOOTP), 531
boot sector viruses, 996
Border Gateway Protocol (BGP), 534–535
botnets, 839, 999
Brewer and Nash model, 348–349
bridges, 536–538
    vs. routers, 540
British Standard 7799 (BS7799), 71
broadband, 507–508, 525
broadcast storms, 537
broadcast transmission, 524–525
brownout, 434
browsing, 1082–1083
brute force attacks, 185, 264–265
buffer overflows, 384–388, 1096
burst EDO DRAM (BEDO DRAM), 300
bus topology, 510
business continuity, 770–771
    planning, 771
    steps, 772–774
business continuity coordinator, 776
business continuity plan (BCP), 770
    business impact analysis (BIA), 778–783
    business process recovery, 788–789
    checklist test, 818
    choosing a software backup facility, 806
    continuity planning policy statement, 777
    damage assessments, 810
    data backup alternatives, 801–803
    data recovery solutions, 807–808
    development products, 813
    disk shadowing, 804
    documentation, 798–799
    electronic backup solutions, 803–806
    electronic vaulting, 804–805
    emergency response, 820–821
    end-user environment, 800–801
    facility recovery, 789–795
    full-interruption test, 819
    goals, 814–815
    hardware backups, 796
    human resources, 799–800
    implementing strategies, 815–816
    insurance, 808–809
    interdependencies, 783–785
    life cycles, 824
    maintaining the plan, 821–823
    maximum tolerable downtime (MTD), 781–782
    parallel test, 819
    as part of the security policy and program, 774–775
    preventive measures, 786, 787
    project initiation, 776–777
    recovery and restoration, 809–813
    recovery strategies, 786–788


    remote journaling, 805
    requirements, 778
    restoration team, 810
    salvage team, 810
    simulation test, 819
    software backups, 796–797
    storing the BCP, 798
    structured walk-through test, 818–819
    supply and technology recovery, 795–800
    tape vaulting, 805–806
    testing and revising the plan, 816–821
    training, 820
    types of, 817
business enablement, 380
business impact analysis (BIA), 778–783

C

CA. See certificate authorities
cable modems, 606–608
cabling, 234, 519
    attenuation, 522–523
    bandwidth, 519
    coaxial, 520
    crosstalk, 523
    data throughput rate, 519
    fiber-optic, 522
    fire rating, 523–524
    noise, 522
    twisted-pair, 520–521
cache memory, 302
Caesar ciphers, 677
caller ID, 617
Canadian Information Processing Society. See CIPS
Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), 49
CAP, 11
Capability Maturity Model (CMM), 955–956
capability tables, 220
care-of addresses, 228
carrier sense multiple access with collision avoidance. See CSMA/CA
carrier sense multiple access with collision detection. See CSMA/CD
cascading errors, 87
CBC-MAC, 717, 718
CBK security domains, 5, 6–7
    ISO 17799 domains, 71–72
    See also security domains
CCTA Risk Analysis and Management Method (CRAMM), 89
CCTV, 461–464, 465
CD-ROM, accompanying this book, 1109
    Final mode, 1111
    installing test software, 1111
    navigation, 1111
    Practice mode, 1111
    running the QuickTime cryptography video sample, 1110
    system requirements, 1112
    technical support, 1112
    troubleshooting, 1111
cell phone cloning, 637
cell suppression, 929
central processing units, 281–286
    See also processors
CER. See crossover error rate (CER)
certificate authorities, 726–729
certificates, 729, 730
certification, 370–371
    other certification exams, 11
    reasons for getting, 1–2
    recertification requirements, 9–10
    requirements, 2–4, 9
Certification and Accreditation Professional. See CAP


Certified Information Systems Security Professional. See CISSP
Challenge Handshake Authentication Protocol (CHAP), 615, 616
change control analysts, responsibilities, 132–133
change control documentation, 1047–1048
change control process, 1045–1047
Channel Service Unit/Data Service Unit. See CSU/DSU
Chief Executive Officer (CEO), responsibilities, 124–125
Chief Financial Officer (CFO), responsibilities, 125
Chief Information Officer (CIO), responsibilities, 126–127
Chief Information Security Officer (CISO), responsibilities, 129
Chief Privacy Officer (CPO), responsibilities, 127
Chief Security Officer (CSO), responsibilities, 128–129
Chinese Wall model, 348–349
Choicepoint, 26–27
chosen-ciphertext attacks, 754
CIA triad. See AIC triad
cipher locks, 451–452
cipher-only attacks, 753
ciphers, 670
    block, 685–687
    confusion and diffusion, 685–686
    initialization vectors, 688
    stream, 687–688, 689
    types of, 676–679
ciphertext, 665
CIPS, 8
circuit switching, 590–591
circuit-level proxies, 554, 556
CISO. See security officer
CISSP
    certification requirements, 2–4, 9
    history of, 8
    reasons for getting certification, 1–2
    recertification requirements, 9–10
    See also Associate CISSP
CISSP exam, 4–7
    other certification exams, 11
    registering for, 8–9
    tips for taking, 10–12
Clark-Wilson model, 338–342
classification, 117
    controls, 120–122
    private business vs. military classifications, 117–120
    procedures, 121
classless interdomain routing (CIDR), 504
clean power, 433
cleanroom, 952
client/server model, 908
clipping levels, 1033
clock speed, 288
closed environments, 19–20
closed systems, 372–373
    See also open systems
closed-circuit TV, 461–464, 465
clustering, 1064–1065
coaxial cable, 520
CobiT, 69–72
cognitive passwords, 160, 187
cohesion, 967–968
collision domains, 527–528
collusion, 136
COM, 971
commits, 926
committed information rate (CIR), 592
Common Criteria, 49, 366–369
    components of, 370


compartmented security mode, 352–353
compliance auditors, 90
compression viruses, 996
Computer Ethics Institute, 889
Computer Fraud and Abuse Act, 856–857
Computer Security Act of 1987, 859
Computer Security Institute. See CSI
computer-aided software engineering (CASE), 952
concealment ciphers, 674
concentrators, 536
confidentiality, 60–61, 669
    and access control, 157–158
configuration management, 954, 986–987, 1045–1048
Constant Bit Rate (CBR), 595
constrained data items (CDIs), 338
constrained user interfaces, 218–219
construction, 418–421
contact smart cards, 191–192
contactless smart cards, 192
content-dependent access control, 221, 928
context-dependent access control, 221–222, 928
contingency planning, 1070
Control Objectives for Information and related Technology. See CobiT
control units, 283
control zone, 234, 250
controlling unauthorized downgrading of information, 335
cookies, 747–748
cooperative multitasking, 289
copyright, 850
CORBA, 969–970
corporate ethics programs, 891
Corporate Information Security Officer (CISO). See security officer
corporate security, 29–31
    management, 35–37
Corporate Security Officer (CSO). See security officer
COSO framework, 69–70
cost/benefit analysis, 102–103
cost/benefit comparisons, 84
countermeasures, 46–47
    to brute force attacks, 265
    to buffer overflow attacks, 388
    to covert channels, 344
    defined, 62
    to dictionary attacks, 264
    to distributed denial-of-service attacks, 1014
    to fraggle attacks, 1011
    functionality and effectiveness of, 104–105
    to maintenance hooks, 382–383
    selection, 102–103
    to smurf attacks, 1010–1011
    to SYN floods, 1012
    to teardrop attacks, 1013
    to time-of-check/time-of-use attacks, 383–384
counter-synchronization, 188–189
coupling, 968–969
covert channels, 343–344
covert timing channel, 344
CPTED, 409–414
    activity support, 415
CPUs, 281–286
    modes and protection rings, 308–310
    See also processors
CRAMM, 89
cramming, 1087
crime
    common Internet crime schemes, 843
    complexities, 839–841


    computer-assisted crime, 836–838
    computer-targeted crime, 836–838
    defining and protecting electronic assets, 842
    evolution of attacks, 842–844
    investigations, 866–872
    other jurisdictions, 844–846
    See also laws
Crime Prevention Through Environmental Design (CPTED), 409–414
    activity support, 415
crossover error rate (CER), 179–180
crosstalk, 523
cryptanalysis, 664, 670
    differential cryptanalysis, 755
    linear cryptanalysis, 755
cryptographic keys, 190
cryptography, 659–660, 670
    asymmetric, 681–684
    attacks, 753–757
    concealment ciphers, 674
    digital envelopes, 693
    government involvement, 675–676
    hardware vs. software systems, 737
    history of, 660–665
    notation, 705
    out-of-band method, 680
    quantum cryptography, 741–742
    running key ciphers, 673–674
    security through obscurity, 64
    substitution ciphers, 660
    symmetric, 679–681
    terminology, 665–667
    See also ciphers; encryption; steganography
cryptology, 670
cryptosystems, 665, 666, 670
    services, 669–670
    strength, 668–669
    work factor, 668
CSI, 8
CSMA, 526–527
CSMA/CA, 527
CSMA/CD, 526–527
CSO. See security officer
CSU/DSU, 589
Cyber Czar, 33, 49
cybercrime. See crime
cyberlaw. See laws
cyberterrorism, 28–29

D

DAC, 211, 217
data analysts, responsibilities, 133
data buses, 285–286
data centers, 424–428
Data Circuit-Terminating Equipment (DCE), 592
data custodians, responsibilities, 131
data definition language (DDL), 921
data dictionary, 922
data diddling, 885
Data Encryption Algorithm (DEA), 696
Data Encryption Standard (DES), 696–698
    Cipher Block Chaining (CBC) mode, 699–700
    Cipher Feedback mode, 700–701
    Counter Mode (CTR), 702
    Electronic Code Book (ECB) mode, 698–699
    Output Feedback mode, 701–702
    See also Triple-DES (3DES)
data hiding, 295, 312
data inspection, 560
data leakage, 1054–1055
data link layer, 492–494, 496
data manipulation language (DML), 922
data mining, 933–935
data modeling, 966
data origin authentication, 670, 717


data owners, 57
    responsibilities, 130, 131
Data Processing Management Association. See DPMA
data remanence, 1050
data structures, 503, 967
Data Terminal Equipment (DTE), 592
data throughput rate, 519
data warehousing, 932–933
data width, 288
database management, 912–913
    ActiveX Data Objects (ADO), 921
    data mining, 933–935
    data warehousing, 932–933
    Extensible Markup Language (XML), 921
    integrity, 924–927
    Java Database Connectivity (JDBC), 921
    models, 914–919
    Object Linking and Embedding Database (OLE DB), 920–921
    Open Database Connectivity (ODBC), 920
    programming interfaces, 919–921
    relational database components, 921–924
    security issues, 927–932
    software, 913–914
    terminology, 918
database views, 929–930
databases, roles, 42–44
datagrams, 503
DCOM, 47, 972
DDR SDRAM, 300
decipher, 670
dedicated security mode, 352
degaussing, 1049
delayed loss, 88
Delphi technique, 100
demilitarized zones (DMZs), 549
denial-of-service attacks, 1010, 1086
DES. See Data Encryption Standard (DES)
device locks, 452
dialog management, 489
Diameter, 227–229
dictionary attacks, 185, 263–264
differential cryptanalysis, 755
differential power analysis, 193
Diffie-Hellman algorithm, 706–708
digital envelopes, 693
Digital Forensics Science (DFS), 873
    See also forensics
digital identities, 177
digital signals, 506, 525
Digital Signature Standard (DSS), 725
digital signatures, 722–725
Digital Subscriber Line. See DSL
Direct Access Storage Devices, 1060–1061
direct memory access (DMA), I/O using, 320
Direct Sequence Spread Spectrum (DSSS), 620–621
directories, 165–167
    object organization, 166
    role in identity management, 167–168
directory services, 165, 209, 575–576
disaster recovery, 770–771
disaster recovery plan, life cycles, 824
discretionary access control (DAC), 211, 217
    ORBs, 970–971
Discretionary Security Property (ds-property), 336
disk shadowing, 804
distance-vector routing protocols, 533
Distributed Component Object Model. See DCOM
distributed computing, 969
    COM, 971
    CORBA, 969–970
    DCOM, 972


    Distributed Computing Environment (DCE), 974–975
    Enterprise JavaBeans (EJB), 972–973
    object linking and embedding (OLE), 973
distributed denial-of-service attacks, 1013–1014
DNS, 569–570
    Internet DNS and domains, 570–571
    poisoning, 572
dogs, 468
Domain Name Service. See DNS
domains, 312
doors, 421–423
double data rate SDRAM (DDR SDRAM), 300
DPMA, 8
DRAM, 299
drills, 469–470
DSL, 606
DSW Shoe Warehouse, 27
dual control, 138
dual-homed firewalls, 560
due care, 57–58, 116, 861, 1028
due diligence, 116, 861, 1028
dumpster diving, 886–887
dynamic analysis, 1002
Dynamic Host Configuration Protocol (DHCP), 530–531
dynamic keys, 629–631
dynamic link libraries (DLLs), 297
dynamic mapping, 578
dynamic packet filtering, 557–558
dynamic RAM (DRAM), 299
dynamic routing protocol, 533

E

EAP, 616
Economic Espionage Act of 1996, 859
EDO DRAM, 300
education, 51–52
    security-awareness training, 139–142
EEPROM, 301
EF. See exposure factor (EF)
El Gamal algorithm, 711
electric power, 430–436
electrically erasable programmable ROM, 301
electromagnetic analysis, 193–194
electromagnetic interference (EMI), 432, 433
electronic access control (EAC) tokens, 455
electronic monitoring, 185
Electronic Registry Systems, 36–37
electronic vaulting, 804–805
elliptic curve cryptosystems, 712
e-mail, 1072–1073
    how it works, 1074
    Message Security Protocol (MSP), 739
    Multipurpose Internet Mail Extension (MIME), 738
    Pretty Good Privacy (PGP), 739–740
    Privacy-Enhanced Mail (PEM), 738–739
    quantum cryptography, 741–742
    relaying, 1075–1076
    standards, 737–742
emanation security, 248–250
emanations capturing, 887
emergency system restart, 1038
Emory University, 36
employee controls, 138
Encapsulating Security Payload (ESP), 750
encapsulation, 295, 484–485, 503
encipher, 670


encryption, 237
    asymmetric and symmetric algorithms used together, 689–695
    defined, 665
    at different layers, 735
    Enigma machine, 663–664
    link vs. end-to-end, 735–736
    one-time pads, 671–673, 689
    ROT13, 662
    session keys, 692–695
    symmetric vs. asymmetric algorithms, 679–684
    See also cryptography
end-to-end encryption, vs. link encryption, 735–736
end-user environment, 800–801
Enigma machine, 663–664
enterprise architecture, 373–381
Enterprise JavaBeans (EJB), 972–973
enticement, 262, 883
entity authentication, 670
entity integrity, 925
entrapment, 262, 883
entry points, 421–423
environmental issues, 436–438
EPROM, 301
erasable and programmable ROM, 301
Ethernet, 513–515
ethics, 888–889
    Computer Ethics Institute, 889
    corporate ethics programs, 891
    Internet Architecture Board (IAB), 890–891
European Union Principles on Privacy, 845–846
evaluation
    accreditation, 371–372
    certification, 370–371
    Common Criteria, 366–369, 370
    Information Technology Security Evaluation Criteria (ITSEC), 364–366
    reasons for evaluation, 356–357
    See also Orange Book
Evaluation Assurance Levels (EALs), 367
exam. See CISSP exam
excessive privileges, 885
execution domain switching, 325
execution domains, 324
executive succession planning, 799
expert systems, 975–977
exposure, defined, 62
exposure factor (EF), 96
extended data out DRAM (EDO DRAM), 300
Extensible Authentication Protocol. See EAP
Extensible Markup Language. See XML
extranets, 579–580

F

facial scans, 183
    See also biometrics
Facilitated Risk Analysis Process (FRAP), 88–89
facilities, 416–417
    access controls, 447–454
    cold sites, 790–791
    hot sites, 790–791
    multiple processing centers, 794
    offsite locations, 793
    reciprocal agreements, 793–794
    recovery, 789–795
    redundant sites, 794–795
    rolling hot sites, 794
    tertiary sites, 792
    warm sites, 790–791
Failure Modes and Effect Analysis (FMEA), 89–92


failure states, 912
fake login screens, 1086
Faraday cage, 249
Fast Ethernet, 514–515
fault generation, 193
fault tree analysis, 91–92
fax security, 1076–1078
FDDI, 517–518
Federal Communications Commission (FCC), 482
Federal Privacy Act, 853, 857–858
Federal Sentencing Guidelines for Organizations, 891
federated identities, 178
fencing, 456–458
Fiber Distributed Data Interface. See FDDI
fiber-optic cable, 522
file access protection, 45
file descriptor attacks, 1096
financial fraud, 980
fingerprints, 182, 716
    See also biometrics
fire
    detection, 438, 439–442
    prevention, 438
    suppression, 439, 442–446
    testing and drills, 469–470
fire resistant ratings, 439
firewalls, 548–550, 563–566
    architecture, 560–563
    best practices, 559
    packet-filtering, 550–551
    proxy, 552–557
    stateful, 551–552
    web application, 982
flash memory, 301
Flury, Kenneth J., 25
FMEA, 89–92
footprint, 640
foreign key, vs. primary key, 922–924
forensics, 872–873
    best evidence, 881
    circumstantial evidence, 881
    conclusive evidence, 881
    corroborative evidence, 881
    direct evidence, 881
    enticement, 883
    entrapment, 883
    evidence admissible in court, 880–882
    exigent circumstances, 883
    field kits, 878
    forensics investigation process, 876–879
    hearsay evidence, 882
    incident investigators, 875
    International Organization on Computer Evidence (IOCE), 873–874
    interviewing and interrogating, 884
    means, 874
    motive, 874
    opinion evidence, 882
    opportunity, 874
    search and seizure, 883–884
    secondary evidence, 881
    surveillance, 883
forking, 289
forwarding tables, 537–538
fraggle, 1011
frame relay, 592–593
frameworks, 69–73
FRAP, 88–89
frequency analysis, 678
Frequency Hopping Spread Spectrum (FHSS), 619–620, 621
frequency-division multiplexing, 588
full-duplex, 490
fully mapped I/O, 320
functional requirements evaluation, 61


G

gap in the WAP, 636
gateways, 545–546
    H323 gateways, 600–601
general registers, 283
Generic Security Services Application Programming Interface (GSS-API), 205
governance, 73–75
Graham-Denning model, 349
Gramm-Leach-Bliley Act (GLBA), 124, 856
grid computing, 1065–1066
ground, 433
ground connectors, 419
groups, 196
GSS-API, 205
guards, 353, 467–468
guidelines, 114
    See also security policies

H

H323 gateways, 600–601
hacker intrusion, liability for, 865–866
hacking, 1078–1082
    backdoors, 1085–1087
    browsing, 1082–1083
    and companies, 29–31
    evolution of, 23–27, 34–35
    Loki attacks, 1084–1085
    and military actions, 27–28
    password cracking, 1085
    session hijacking, 1084
    sniffers, 1083–1084
    See also attacks; cyberterrorism
half-duplex, 490
halon, 443–444
hand geometry, 182
    See also biometrics
hand topography
    See also biometrics
hardware backups, 796
Harrison-Ruzzo-Ullman model, 349
hashes, 718
hashing algorithms, 716, 718–720
hashing values, 716
HAVAL, 720
HDLC, 597
Health Insurance Portability and Accountability Act (HIPAA), 856
heat-activated fire detectors, 441
heuristic detection, 1001–1002
heuristic IDSs, 254
hierarchical data model, 915–916
Hierarchical Storage Management (HSM), 1067–1069
High-bit-rate DSL (HDSL), 607
High-level Data Link Control. See HDLC
High-Speed Serial Interface. See HSSI
hiring practices, 136–138
    See also personnel
HMAC, 715–717, 718
honeypots, 262, 566
hops, 736
host-based IDSs (HIDSs), 251
HSSI, 597
HTTP, 743–744
HTTP Secure (HTTPS), 744–745
hubs, 536

I

Idaho State University, 8
identification, 158, 160–161
    component requirements, 162
identifying threats, 87–88
identity management
    account management, 174
    assisted password reset, 172–173
    biometrics, 179–184
    cryptographic keys, 190


    digital identities, 177
    directories, 165–168
    federation, 178
    legacy single sign-on, 173
    memory cards, 191
    overview, 162–165
    passphrases, 190–191
    password management, 171
    password synchronization, 171–172
    passwords, 184–190
    profile update, 176–177
    provisioning, 175–176
    self-service password reset, 172
    smart cards, 191–194
    web access management (WAM), 168–171
    what companies need identity management, 178
identity repository, 175
identity theft, 268–269
Identity Theft Resource Center, 27
illogical processing, 87
IMAP, 1075
immunizers, 1002
i-Mode, 636–637
incident response, 866–869
    incident investigators, 875
    procedures, 869–872
inference, 927
inference attacks, 345
information classification. See classification
information flow model, 342–344
information gathering, 983–984
information owners, 57
information risk management (IRM), 80–81
    policy, 82
    team, 82–83
Information Sharing and Analysis Centers. See ISACs
Information Systems Audit and Control Association (ISACA), 69
Information Systems Security Association. See ISSA
Information Technology Security Evaluation Criteria (ITSEC), 49, 364–366
information warfare, 23
informative policies, 112
initialization vectors, 629–631, 688
input validation, 987–989
input/output device management, 317–320
in-rush current, 433–434
instant messaging (IM), 645–646
insurance, 107, 808–809
Integrated Services Digital Network. See ISDN
integrity, 60, 669
    and access control, 157
integrity models, goals of, 341–342
integrity verification procedures (IVPs), 339
intellectual property laws, 849
    copyright, 850
    internal protection of intellectual property, 851
    patent, 851
    software piracy, 852–853
    trade secrets, 849–850
    trademark, 850–851
Interior Gateway Routing Protocol (IGRP), 534
internal compartments, 423
International Data Encryption Algorithm (IDEA), 704
International Electrotechnical Commission (IEC), 73
International Information Systems Security Certification Consortium. See (ISC)2
International Organization on Computer Evidence (IOCE), 873–874


International Standards Organization. See ISO
International Telecommunication Union (ITU), 482
Internet, 37–40
  architecture, 40–42
  database roles, 42–44
Internet Architecture Board (IAB), 890–891
Internet Assigned Numbers Authority (IANA), 569
Internet Control Message Protocol (ICMP), 531–532
Internet Haganah, 29
Internet security, 743
  cookies, 747–748
  HTTP, 743–744
  HTTP Secure, 744–745
  Internet Security Protocol (IPSec), 749–753
  Secure Electronic Transaction (SET), 745–747
  Secure HTTP, 745
  Secure Shell (SSH), 748–749
Internet Security Association and Key Management Protocol (ISAKMP), 752
internetwork, 538
interrupt-driven I/O, 319
interrupts, 290–292, 318–319
intranets, 579–580
intrusion detection systems (IDSs), 250, 464–467
  characteristics, 467
  host-based IDSs (HIDSs), 251
  knowledge- or signature-based IDSs, 251–252
  network traffic, 259
  network-based IDSs (NIDSs), 250–251
  protocol anomaly–based IDSs, 254–255
  rule-based IDSs, 255–257
  sensors, 46, 258–259, 260
  state-based IDSs, 252–253
  statistical anomaly–based IDSs, 253–254
  traffic anomaly–based IDSs, 255
  types of, 257
intrusion prevention systems (IPSs), 260–261, 982
  honeypots, 262
  network sniffers, 262–263
invocation property, 337, 338
I/O device management, 317–320
IP, 498
IP addressing, 504
IP spoofing, 886
IP telephony. See Voice over IP (VoIP)
IPSec, 46, 610, 749–753
IPv6, 505
iris scans, 182
  See also biometrics
Irish Republican Army, 28
IRM. See information risk management (IRM)
ISACs, 32
(ISC)2, 8, 888
  process for earning credential, 4–5
  scenario-based exam questions, 4
ISDN, 604–606
ISDN DSL (IDSL), 607
ISO, 482, 483
ISO 17799, 71–73
ISO/IEC 14443, 194
isolation, 567
ISSA, 8
issue-specific policies, 111–112
IT Governance Institute (ITGI), 69
iterated tunneling, 610
ITSEC. See Information Technology Security Evaluation Criteria (ITSEC)
IVs. See initialization vectors


J
Java, 993–994
Java Database Connectivity (JDBC), 921
Java Virtual Machine (JVM), 316
Joint Analysis Development (JAD), 952

K
Kerberos, 200–201
  Key Distribution Center (KDC), 201
  and password-guessing attacks, 205
  principals, 201
  process, 201–204
  tickets, 201
  weaknesses, 204
Kerckhoffs’ Principle, 64, 668
kernel flaws, 1095
kernel mode, 285
kernel proxy firewalls, 558
key clustering, 671
key management, 732–733
  principles of, 733–734
  rules, 734
keyboard dynamics, 183
  See also biometrics
keys, 666, 667, 670
  asymmetric, 681
  session keys, 692–695
keyspaces, 666, 667, 671
keystroke monitoring, 245–246
KGB, 28
knapsack algorithms, 713
knowledge discovery in database (KDD). See data mining
knowledge-based IDSs, 251–252
knowledge-based systems, 975–977
Kosovo Air Campaign (1999), 28

L
L2TP, 613–614
LAN networking, 508
  broadcast transmission, 524–525
  cabling, 519–524
  collision domains, 527–528
  CSMA, 526–527
  Ethernet, 513–515
  FDDI, 517–518
  media access technologies, 512–519, 525–529
  multicast transmission, 524–525
  polling, 529
  protocols, 529–532
  token passing, 526
  Token Ring, 516
  topologies, 509–512
  unicast transmission, 524–525
LANs, 46
  protocols, 583
  See also Virtual LANs (VLANs)
laptop theft, 428–429
last mile, 506
lattice model, 346–347
laws
  administrative/regulatory laws, 848–849
  Basel II Accord, 858
  civil law, 846, 848
  common law, 846–847
  computer crime laws, 836–838
  Computer Fraud and Abuse Act, 856–857
  Computer Security Act of 1987, 859
  criminal law, 848
  customary law, 847
  Economic Espionage Act of 1996, 859
  Federal Privacy Act, 853, 857–858
  Gramm-Leach-Bliley Act (GLBA), 856
  Health Insurance Portability and Accountability Act (HIPAA), 856


  intellectual property laws, 849–853
  mixed law systems, 847–848
  overview, 836
  Payment Card Industry Data Security Standards (PCI DSS), 858–859
  and politics, 49–51
  privacy, 853–861
  religious law systems, 847
  Sarbanes-Oxley Act of 2002 (SOX), 855–856
  See also crime
layered approach to security, 44–45
  an architectural view, 45–47
  bringing layers together, 48–49
  a missed layer, 48
layering, 312–314
LDAP. See Lightweight Directory Access Protocol (LDAP)
least privilege, 329–330
LexisNexis, 27
liability, 861–864
  hacker intrusion, 865–866
  personal information, 864–865
licensing, 1043
lighting, 459–460
Lightweight Directory Access Protocol (LDAP), 576–577
limit registers, 297, 298
line conditioners, 434
linear cryptanalysis, 755
link encryption, 735–736
link-state routing protocols, 533
load, 418
local area networks. See LANs
local bridges, 537
local loop, 506
locks, 448–454
log scrubbers, 644
logic bombs, 1000
logical addresses, 303
logical location restrictions, 196
logon
  limiting logon attempts, 187
  spoofing at logon, 265
Loki attacks, 532, 1084–1085
loss
  annualized loss expectancy (ALE), 95–97
  delayed, 88
  exposure factor (EF), 96
  single loss expectancy (SLE), 95–97
loss potential, 88
LUC algorithm, 713
Lucifer, 644, 696

M
MAC, 212–214, 217
machine language, 957
macro languages, 997
MAID, 1063
mail bombing, 1086
mainframes, 21, 22, 1070–1072
maintenance hooks, 382–383
malware, 995–996
  anti-malware programs, 1005–1006
  components, 998
mandatory access control (MAC), 212–214, 217
mandatory vacation policy, 138
man-in-the-middle attacks, 1086
maskable interrupts, 291–292
masquerading, 530, 563
massive array of inactive disks. See MAID
maximum tolerable downtime (MTD), 781–782
MD2, 719
MD4, 719
MD5, 719–720
mean time between failures (MTBF), 1057
mean time to repair (MTTR), 1058
mechanical locks, 449–452


media controls, 1048–1053
meme viruses, 997
memory
  burst EDO DRAM (BEDO DRAM), 300
  cache, 302
  double data rate SDRAM (DDR SDRAM), 300
  dynamic RAM (DRAM), 299
  electrically erasable programmable ROM, 301
  erasable and programmable ROM, 301
  extended data out DRAM (EDO DRAM), 300
  flash, 301
  leaks, 305–306
  management, 296–298
  mapping, 302–305
  programmable ROM, 301
  protection issues, 298
  random access memory (RAM), 299–300
  read-only memory (ROM), 300–301
  static RAM (SRAM), 299
  synchronous DRAM (SDRAM), 300
  virtual, 306–307
memory cards, 191
mesh topology, 510–511
message authentication code (MAC), 714–715
message digest, 716
message integrity, 713–714
  CBC-MAC, 717, 718
  HMAC, 715–717, 718
  one-way hash, 714–715
message integrity code (MIC), 716
Message Security Protocol (MSP), 739
messages, 503
meta-directories, 167, 168, 575
methods, 960
metropolitan area networks (MANs), 581–582
microkernel, 311
microns, 288
MIME, 738
MIPS, 288
misuse-detection systems, 254
mobile code, 992
  ActiveX, 995
  botnets, 999
  Java, 993–994
  logic bombs, 1000
  malware, 995–996
  Trojan horses, 1000–1001
  viruses, 996–997
  worms, 999–1000
Mobile IP, 228
mobile phone security, 637–638
mobile technology generations, 643
modems, 606–608
modes. See security modes of operation
modification detection code (MDC), 716
monolithic kernel, 314
Moore’s Law, 320
multicast transmission, 524–525
multihomed firewalls, 553, 560–561
multilayered switches, 542
multilevel security mode, 353
multilevel security policies, 329
multipart viruses, 997
multiplexing, 583
  frequency-division multiplexing, 588
  statistical time-division multiplexing (STDM), 588
multiprocessing, 286–287, 293
multiprogramming, 288–289, 293
Multiprotocol Label Switching (MPLS), 542
Multipurpose Internet Mail Extension (MIME), 738


multiservice access technologies, 597–600
Multistation Access Units (MAUs), 516
multitasking, 289, 293
multithreaded applications, 293
multithreading, 293
MyDoom virus, 25–26

N
namespaces, 165
naming distinctions, 295
NAT. See network address translation (NAT)
National Institute of Standards and Technology (NIST), 772
natural access control, 410–412
natural surveillance, 413
network access, 236–237
network address translation (NAT), 46, 577–579
network database model, 916
Network Information System (NIS), 573–575
network layer, 491–492, 495
network operating systems (NOS), 567–568
network segregation, 233, 567
network sniffers, 262–263, 1083–1084
network-based IDSs (NIDSs), 250–251
  and switched environments, 258
Next-Generation Secure Computing Base (NGSCB), 324
nexus, 324
NIS. See Network Information System (NIS)
NIS+. See Network Information System (NIS)
NIST SP 800-30 and 800-66, 88
noise, 433, 434–435, 522
noise and perturbation, 929
nondisclosure agreements, 136
nondiscretionary access control. See role-based access control (RBAC)
noninterference model, 345
nonkeyed message digests, 716
non-maskable interrupts, 292
nonplenum cables, 523
nonrepudiation, 669

O
Object Linking and Embedding Database (OLE DB), 920–921
object linking and embedding (OLE), 973
object organization in directories, 166
object reuse, 248
object-oriented analysis (OOA), 966
object-oriented database model, 917–918
object-oriented design (OOD), 966
object-oriented programming (OOP), 958–964
object-relational database model, 918–919
objects, defined, 155
obscurity, security through, 63–64
OCTAVE, 89
Office of Homeland Security. See ISACs
one-time pads, 671–673
  vs. stream ciphers, 689
one-time passwords, 187–190
one-way functions, 710–711
one-way hash, 714–715
  attacks against, 721–722
Online Certificate Status Protocol (OCSP), 729
online encryption. See link encryption
online transaction processing (OLTP), 931–932
OOP. See object-oriented programming (OOP)


Open Database Connectivity (ODBC), 920
open network architecture, 484
Open Shortest Path First (OSPF), 534
open system authentication (OSA), 623
open systems, 372
  See also closed systems
Open Systems Interconnection reference model. See OSI model
operating system fingerprinting, 1080
operating systems, architecture, 287–294, 310–311
Operation French Fry, 26
operational goals, 66
operations security, 1027–1028
  accountability, 1032–1033
  administrative management, 1028–1031
  asset identification and management, 1036–1037
  assurance levels, 1034
  clipping levels, 1033
  clustering, 1064–1065
  configuration management, 1045–1048
  contingency planning, 1070
  data leakage, 1054–1055
  deviations from standards, 1035–1036
  Direct Access Storage Devices, 1060–1061
  environmental controls, 1070
  grid computing, 1065–1066
  Hierarchical Storage Management (HSM), 1067–1069
  input and output controls, 1040–1041
  licensing, 1043
  MAID, 1063
  mainframes, 1070–1072
  mean time between failures (MTBF), 1057
  mean time to repair (MTTR), 1058
  media controls, 1048–1053
  network and resource availability, 1056–1070
  RAID, 1061–1062
  RAIT, 1063
  remote access security, 1044
  security and network personnel, 1031–1032
  single points of failure, 1058–1060
  Storage Area Networks (SANs), 1063–1064
  system controls, 1037–1038
  system hardening, 1042–1044
  trusted recovery, 1038–1040
  unexplained or unusual occurrences, 1035
  unscheduled initial program loads (rebooting), 1036
  See also backups
Orange Book, 49, 355–356, 357–358
  Division A, 361
  Division B, 360–361
  Division C, 359
  Division D, 359
  and the Rainbow Series, 361–362
  Red Book, 362–364
ORBs, 970–971
order of concepts, 63
Organisation for Economic Co-operation and Development (OECD), 50–51
  guidelines and transborder information flow rules, 128, 845
organizational security model, 65–67
  CobiT, 69–72
  COSO framework, 69–70
  frameworks, 69–73
  operational planning, 66


  private industry requirements vs. military requirements, 80
  security governance, 73–75
  security program components, 67–69
  security program development, 76–79
  strategic planning, 66
  tactical planning, 66
organizational security policy, 110–112
Orthogonal Frequency-Division Multiplexing (OFDM), 621, 624
OSI model, 483
  application layer, 487, 494–495
  data link layer, 492–494, 496
  functions and protocols, 494–496
  network layer, 491–492, 495
  physical layer, 494, 496
  presentation layer, 487–489, 495
  protocol, 483–486
  session layer, 489–490, 495
  transport layer, 490–491, 495
  tying the layers together, 496
  where devices and protocols appear within, 47

P
packet switching, 590–591
packet-filtering firewalls, 550–551
page frames, 306
paging, 306
palm scans, 182
  See also biometrics
PAP, 614–615, 616
parameter validation, 989–992
partitioning, 929
passive attacks, 753
passphrases, 190–191
Password Authentication Protocol. See PAP
password sniffing, 885–886
passwords, 184
  accessing password files, 185
  aging, 187
  assisted password reset, 172–173
  cognitive, 160, 187
  cracking, 1085
  hashing and encryption, 186–187
  limiting logon attempts, 187
  management, 171, 184–185
  one-time, 187–190
  password checkers, 186
  password-guessing attacks, 205
  self-service password reset, 172
  synchronization, 171–172
patch management, 1006–1007
  best practices, 1009
  limitations to patching, 1008–1009
  steps, 1007–1008
patent, 851
patrol force, 467–468
Payment Card Industry Data Security Standards (PCI DSS), 858–859
PBXs, 547–548
penetration testing, 1090–1094
perimeter security, 233, 446–447
  dogs, 468
  external boundary protection mechanisms, 455–464
  facility access control, 447–454
  locks, 448–454
  patrol force and guards, 467–468
  personnel access controls, 454–455
  See also intrusion detection systems (IDSs)
permanent virtual circuits (PVCs), 593
permissions, 1097
Persian Gulf War, 28


personnel
  access controls, 454–455
  employee controls, 138
  hiring practices, 136–138
  privacy issues, 859–861
  responsibilities, 135
  termination, 138–139
  See also responsibility
pharming, 267–268
phisher scams, 27
phishing, 265–267
phreakers, 548
physical layer, 494, 496
physical location restrictions, 196
physical security, 401–404
  activity support, 415
  auditing physical access, 468–469
  computer and equipment rooms, 424–428
  construction, 418–421
  Crime Prevention Through Environmental Design (CPTED), 409–414
  designing a physical security program, 414–428
  doors and windows, 421–423, 424
  electric power, 430–436
  environmental issues, 436–438
  facilities, 416–417
  fire prevention, detection and suppression, 438–446
  internal compartments, 423
  natural access control, 410–412
  natural surveillance, 413
  planning, 404–408
  protecting assets, 428–429
  safes, 429
  security zones, 411–412
  territorial reinforcement, 413–414
  testing and drills, 469–470
  ventilation, 438
  See also perimeter security
piggybacking, 455
ping of death, 1086
piracy, 852–853
PKI. See public key infrastructure
plaintext, 665, 671
  chosen-plaintext attacks, 754
  known-plaintext attacks, 753–754
planning horizon, 67
plenum areas, 442
plenum space, 523
point of presence (PoP), 611
Point-to-Point Protocol. See PPP
politics and laws, 49–51
polling, 529
polyinstantiation, 930–931
polymorphic viruses, 997
polymorphism, 964–965
POP, 1075
port address translation (PAT), 578
port scanning, 1081–1082
ports, well-known, 501, 557
positive drains, 436
postmortem review, 1097
PPP, 610–611
PPTP, 612–613
preemptive multitasking, 289
premapped I/O, 320
presentation layer, 487–489, 495
President’s Commission on Critical Infrastructure Protection (PCCIP), 32, 406
Pretty Good Privacy (PGP), 739–740
primary key, vs. foreign key, 922–924
privacy, 853–854
  Basel II Accord, 858


  Computer Fraud and Abuse Act, 856–857
  Computer Security Act of 1987, 859
  Economic Espionage Act of 1996, 859
  employee issues, 859–861
  Federal Privacy Act, 853, 857–858
  Gramm-Leach-Bliley Act (GLBA), 856
  Health Insurance Portability and Accountability Act (HIPAA), 856
  laws, directives and regulations, 854–855
  Payment Card Industry Data Security Standards (PCI DSS), 858–859
  Sarbanes-Oxley Act of 2002 (SOX), 855–856
Privacy-Enhanced Mail (PEM), 738–739
Private Branch Exchange. See PBXs
private keys, 190, 681
Privileged Attribute Certificates (PACs), 205
privileged mode, 285
problem state, 285
procedures, 114–115
  for classification, 121
  See also security policies
process activation, 324–325
process activity, 294–296
process enhancement, 380
process isolation, 294–295
process management, 287–292
process owners, responsibilities, 133
process scheduling, 293–294
processors, 288
product line managers, responsibilities, 134
profile update, 176–177
profile-based systems, 254
program counter registers, 283
program status word (PSW), 285
programmable I/O, 319
programmable ROM, 301
project sizing, 84
PROM, 301
protection profiles, 367–368
protection rings, 308–310
protocol anomaly–based IDSs, 254–255
protocols, 237, 483–486
  authentication, 614–616
  LAN networking, 529–532
  routing, 532–536
  tunneling, 609–614
prototyping, 953
provisioning, 175–176
proxy firewalls, 552–557
public algorithms, vs. secret algorithms, 754
public key cryptography, 683, 689, 709
public key infrastructure, 709, 725–726
  certificate authorities, 726–729
  certificates, 729, 730
  Registration Authority (RA), 729
  steps, 730–732
public keys, 190, 681
public-switched telephone network (PSTN), 598
purging, 1049

Q
qualitative risk analysis, 98–101
  vs. quantitative risk analysis, 100–101
Quality of Service (QoS), 595–596
quantitative risk analysis, 92–93
  vs. qualitative risk analysis, 100–101
quantum cryptography, 741–742
query language (QL), 922

R
race condition, 159, 383, 1096–1097
radio frequency interference (RFI), 432, 433
RADIUS, 223–224, 227


RAID, 1061–1062
rainbow tables, 185
RAIT, 1063
RAM, 299–300
random access memory (RAM), 299–300
Rapid Application Development (RAD), 952
RBAC, 214–215, 217
  core, 215
  hierarchical, 215–216
RC4, 705
RC5, 705
RC6, 705
read-only memory (ROM), 300–301
ready state, 290
rebooting, 1038
receipt, 671
recertification, requirements, 9–10
Red Book, 362–364
redundant array of independent tapes. See RAIT
reference monitor, 327–328
references, checking as part of hiring practices, 136–137
referential integrity, 925
Registration Authority (RA), 729
regulatory policies, 112
relational data model, 915
relative addresses, 303
remote access, 603
  administration, 1044
  cable modems, 606–608
  DSL, 606
  guidelines, 616–617
  ISDN, 604–606
  Remote Access Service (RAS), 603–604
  security, 1044
  xDSL, 607
Remote Access Trojans (RATs), 1001
Remote Authentication Dial-In User Service (RADIUS), 223–224, 227
remote bridges, 537
remote journaling, 805
repeaters, 536
replay attacks, 185, 756
residual risk, 106
responsibility, 122–123, 134–135
  application owners, 132
  audit committee, 130
  auditors, 134
  board of directors, 123–124, 125–126
  change control analysts, 132–133
  Chief Executive Officer (CEO), 124–125
  Chief Financial Officer (CFO), 125
  Chief Information Officer (CIO), 126–127
  Chief Information Security Officer (CISO), 129
  Chief Privacy Officer (CPO), 127
  Chief Security Officer (CSO), 128–129
  data analysts, 133
  data custodians, 131
  data owners, 130, 131
  international requirements, 128
  personnel, 135
  process owners, 133
  product line managers, 134
  security administrators, 131–132
  security analysts, 132
  security steering committee, 129
  solution providers, 133
  structure, 135–136
  supervisors, 132
  system owners, 131
  users, 134
retina scans, 182
  See also biometrics


Reverse Address Resolution Protocol (RARP), 531
ring topology, 509
RISC chips, 281
risk
  accepting, 96, 107–108
  defined, 62
  handling, 107–108
  See also information risk management (IRM)
risk analysis, 83–84, 938–940
  annualized loss expectancy (ALE), 95–97
  annualized rate of occurrence (ARO), 96
  automated methods, 93–94
  costs that make up the value of information and assets, 86–87
  countermeasure selection, 102–103
  Delphi technique, 100
  exposure factor (EF), 96
  Failure Modes and Effect Analysis (FMEA), 89–92
  fault tree analysis, 91–92
  functionality and effectiveness of countermeasures, 104–105
  handling risk, 107–108
  identifying threats, 87–88
  methodologies, 88–89
  ownership of risk, 85
  protection mechanisms, 102–105
  qualitative risk analysis, 98–101
  quantitative risk analysis, 92–93, 100–101
  results, 97
  single loss expectancy (SLE), 95–97
  steps of, 94–97, 105–106
  team, 84–85
  total vs. residual risk, 106
  uncertainty, 98
  value of information and assets, 85–86
  See also risk assessment
risk assessment
  CRAMM, 89
  FRAP, 88–89
  NIST SP 800-30 and 800-66, 88
  OCTAVE, 89
  Spanning Tree Analysis, 89
  See also risk analysis
risk avoidance, 107
risk mitigation, 107
risk ownership, 85
Roaming Operations (ROAMOPS), 228
role-based access control (RBAC), 214–215, 217
  core, 215
  hierarchical, 215–216
roles, 195
rollback, 925–926
ROM, 300–301
rootkits, 643–644
ROT13, 662
rotation of duties, 138
route flapping, 533
routers, 539–540
Routing Information Protocol (RIP), 534
routing protocols, 532–536
RSA, 708–711
rule-based access control, 217–218
rule-based IDSs, 255–257
rule-based programming, 976
running key ciphers, 673–674
running state, 290

S
SABSA, 378
safe harbor requirements, 128, 845
safeguards
  defined, 62
  See also countermeasures


safes, 429
salami attacks, 884
salts, 186
SAM databases, 186–187
sandboxes, 316, 993
Sarbanes-Oxley Act of 2002 (SOX), 51, 124, 855–856
satellites, 640–641
savepoints, 926
screened hosts, 561
screened subnets, 561–563, 564
script kiddies, 842
script viruses, 998
scrubbing, 246
SDLC, 596–597
SDRAM, 300
secondary storage, 306
secret algorithms, vs. public algorithms, 754
Secure Electronic Transaction (SET), 745–747
Secure European System for Applications in a Multi-vendor Environment. See SESAME
Secure HTTP, 745
secure message format, 682
Secure MIME (S/MIME), 738
Secure Shell (SSH), 748–749
Secure Socket Layer. See SSL
SecureID, 188
security
  areas of, 22–23
  availability, 59–60
  and companies, 29–31
  confidentiality, 60–61
  education, 51–52
  history of, 19–22
  integrity, 60
  layered approach to, 44–45
  politics and laws, 49–51
  principles of, 59–61, 156–158
  relationships among security components, 63
  terminology, 61–62
  through obscurity, 63–64
  and the U.S. government, 31–33
  See also corporate security; physical security; software security
Security Accounts Management (SAM) databases, 186–187
security administration, 56–59
security administrators, responsibilities, 131–132
security analysts, responsibilities, 132
security architecture, 322
security domains, 206–208
  See also CBK security domains
security effectiveness, 380
security evaluation. See evaluation
security governance, 73–75
security kernel, 327–328
security management, 53–54
  administrative controls, 57
  example, 58
  physical controls, 57
  responsibilities, 54–55
  technical controls, 57
  top-down approach to building a security program, 55–56
  See also organizational security model
security model, 279–280, 330–331
  Bell-LaPadula model, 333–336, 338
  Biba model, 336–338
  Brewer and Nash model, 348–349
  Chinese Wall model, 348–349
  Clark-Wilson model, 338–342
  formal models, 331
  Graham-Denning model, 349
  Harrison-Ruzzo-Ulman model, 349
  information flow model, 342–344


  lattice model, 346–347
  noninterference model, 345
  and security policies, 330
  state machine models, 331–333
  See also organizational security model
security modes of operation, 351
  compartmented security mode, 352–353
  dedicated security mode, 352
  multilevel security mode, 353
  system high-security mode, 352
security officer, 56, 67–68
security parameter index (SPI), 751
security perimeter, 326–327
security policies, 110–112, 279–280, 328–329
  baselines, 113–114
  due care and due diligence, 116
  guidelines, 114
  implementation, 115–116
  procedures, 114–115
  and security models, 330
  standards, 112–113
security program development, 76–79
security standards, 112–113
  See also security policies
security zones, 381, 411–412
security-awareness training, 139–140, 232
  evaluating programs, 141–142
  specialized security training, 142
  types of, 140–141
segments, 503
self-garbling viruses, 997
semantic integrity, 925
sensitivity labels, 213–214
separation of duties, 135–136
  and the Clark-Wilson model, 340–341
  dynamic separation of duties (DSD) relations through RBAC, 216
  static separation of duty (SSD) relations through RBAC, 216
  system development, 945
Service Set ID (SSID), 622, 623
SESAME, 205–206
session hijacking, 1084
session keys, 692–695
session layer, 489–490, 495
session management, 992
SET, 745–747
SHA, 720
shared key authentication (SKA), 623
Sherwood Applied Business Security Architecture (SABSA), 378
shielded twisted pair (STP) cabling, 46, 520
shoulder surfing, 61
S-HTTP, 745
side-channel attacks, 193–194, 755–756
SIG-CS, 8
signature dynamics, 182–183
  See also biometrics
signature-based detection, 1001
signature-based IDSs, 251–252
simple integrity axiom, 337
simple security rule, 334, 336
simplex, 490
single loss expectancy (SLE), 95–97
single sign-on technologies, 198–200
  legacy single sign-on, 173
Six Sigma, 92
slamming, 1087
SLE. See single loss expectancy (SLE)
smart cards, 191–193
  attacks, 193–194
  interoperability, 194
SMDS, 596
smoke-activated fire detectors, 440–441
SMTP, 1074


smurf attacks, 1010–1011
sniffers, 262–263, 1083–1084
social engineering, 61, 185
SOCKS, 555–556
software, importance of, 905–906
software architecture, 966–967
software attacks, 194
software backups, 796–797
software development, 944–946
  Capability Maturity Model (CMM), 955–956
  change control, 953–955
  computer-aided software engineering (CASE), 952
  configuration management, 954
  methodologies, 957–969
  methods, 950–952
  prototyping, 953
software escrow, 957
software piracy, 852–853
Software Protection Association (SPA), 852
software security, 906–907
  complexity of functionality, 909
  data types, format and length, 910
  in different environments, 908
  environment vs. application, 908–909
  failure states, 912
  implementation and default issues, 910–912
  See also database management; patch management
solution providers, responsibilities, 133
SONET, 581–582, 585
source routing, 538, 565
SOX. See Sarbanes-Oxley Act of 2002 (SOX)
spam detection, 1004–1005
Spanning Tree Algorithm (STA), 538
Spanning Tree Analysis, 89
SPARC processors, 281
Special Interest Group for Computer Security. See SIG-CS
special registers, 283
Spectrum, Information Technologies and Telecommunications (SITT), 482
spiral development method, 952
split knowledge, 138
spoofing, 563
spoofing at logon, 265
spread spectrum, 619
  Direct Sequence Spread Spectrum (DSSS), 620–621
  Frequency Hopping Spread Spectrum (FHSS), 619–620, 621
  Orthogonal Frequency-Division Multiplexing (OFDM), 621
spyware, 645
SRAM, 299
SSL, 47
SSO. See single sign-on technologies
stacks, 284, 386
standards, 112–113
  See also security policies
star topology, 510
state machine models, 331–333
state-based IDSs, 252–253
stateful firewalls, 551–552
static analysis, 1002
static electricity, preventing, 437
static mapping, 578
static RAM (SRAM), 299
static routing protocol, 533
statistical anomaly–based IDSs, 253–254
statistical attacks, 757
statistical time-division multiplexing (STDM), 588
stealth viruses, 997
steering committee, responsibilities, 129
steganography, 674–675
Storage Area Networks (SANs), 1063–1064


storage devices, 317
star integrity axiom (*-integrity axiom), 337
star property rule (*-property rule), 334, 336
strategic alignment, 379
strategic goals, 66
stream ciphers, 687–688
    vs. one-time pads, 689
strong authentication, 161
strong star property rule, 334, 336
subjects, defined, 155
substitution ciphers, 660, 676, 677
subsystems, 311
supercomputers, 1072
    See also mainframes
supervisor mode, 285
supervisors, responsibilities, 132
surge, 434
surveillance devices, 460
swap space, 306
switched environments, 258
Switched Multimegabit Data Service. See SMDS
switched virtual circuits (SVCs), 593
switches, 541–542
    Layer 3 and 4 switches, 542–543
switching, 590–591
symbolic links, 1096
symmetric algorithms, 679
    types of, 695–705
symmetric mode, 286–287
Symmetrical DSL (SDSL), 607
SYN floods, 1011–1012
SYN proxies, 982
synchronous communication, 507, 525
Synchronous Data Link Control. See SDLC
synchronous DRAM (SDRAM), 300
Synchronous Optical Networks. See SONET
synchronous token device, 188–189
system architecture, 321–330
system authentication, 717
system development, 935–936
    design specifications, 942–944
    disposal, 947
    functional design analysis and planning, 940–942
    garbage collection, 949
    installation/implementation, 946
    life-cycle phases, 936–950
    managing development, 936
    operation and maintenance, 947
    postmortem review, 949
    project initiation, 937–938
    risk analysis, 938–940
    risk management, 938
    separation of duties, 945
    software development, 944–946
    testing types, 947–949
    verification vs. validation, 945
system hardening, 1042–1044
system high-security mode, 352
system owners, responsibilities, 131
system-specific policies, 112

T

TACAS, 224–227
TACAS+. See TACAS
tactical goals, 66
tape vaulting, 805–806
T-carriers, 586–587
TCP, 498–502
    TCP handshake, 502
TCP/IP, 497–498
teardrop attacks, 1012–1013, 1087
telecommunications
    defined, 482
    evolution of, 583–586
Tempest, 249


temporal isolation (time-of-day restrictions), 196
Terminal Access Controller Access Control System (TACAS), 224–227
termination, 138–139
terminology, 61–62, 918
    evolution of, 314–315
territorial reinforcement, 413–414
terrorism, 28–29
testing, physical security, 469–470
testing schedule, 1098
theft, 428–429
thin clients, 209–210
thrashing, 300
thread management, 292–293
threat agents, defined, 62
threats
    defined, 61–62
    identifying, 87–88
    relationship of threats and vulnerabilities, 87
thunking, 316
Tiger, 720
time multiplexing, 295
time-of-day restrictions (temporal isolation), 196
time-of-check/time-of-use attacks, 383–384
TKIP, 630–631
token device, 187–188
    asynchronous, 189–190
    synchronous, 188–189
token passing, 526, 527
Token Ring, 516
topologies
    bus topology, 510
    mesh topology, 510–511
    ring topology, 509
    star topology, 510
Total Quality Management (TQM), 92
total risk, 106
trade secrets, 849–850
trademark, 850–851
traffic analysis, 1087
traffic anomaly–based IDSs, 255
traffic-flow security, 735
training, security-awareness, 139–142
tranquility principle, 335
transaction-type restrictions, 196
transformation procedures (TPs), 338
transient noise, 433
translation bridges, 537
transmission
    analog and digital, 505–506
    asynchronous and synchronous, 507
    broadband and baseband, 507–508
transparent bridging, 537–538
transport adjacency, 610
transport layer, 490–491, 495
transposition ciphers, 676–679
Triple-DES (3DES), 703
Trojan horses, 1000–1001
trust, 355–356
Trusted Computer System Evaluation Criteria (TCSEC). See Orange Book
trusted computing base (TCB), 322, 323–326, 327
Trusted Network Interpretation (TNI). See Red Book
trusted path, 323
trusted recovery, 1038–1040
trusted shell, 323
tumbler locks, 449–451
tunneling protocols, 609–614
tunneling viruses, 998
twisted-pair cable, 520–521
two-factor authentication, 161
two-phase commits, 926–927
Type I and Type II errors, 179, 180


U

UDP, 498–502
unauthorized disclosure of information, 247–248
uncertainty, 98
unconstrained data items (UDIs), 339
unicast transmission, 524–525
uninterruptible power supplies. See UPSs
United States v. Jeansonne, 26
unshielded twisted pair (UTP) cabling, 520, 521
Unspecified Bit Rate (UBR), 595
UPSs
    online UPS systems, 430–431
    standby, 431
U.S. government, and security, 31–33
user errors, 88
user managers, responsibilities, 132
user mode, 285
user provisioning, 175
users, 338
    responsibilities, 134

V

value of information and assets, 85–86
    costs that make up the value, 86–87
value-added networks (VAN), 580
vandalism, 980
Variable Bit Rate (VBR), 595
ventilation, 438
verification 1:1, 160–161
video cards, RAM, 318
virtual circuits, 593
virtual directories, 167
Virtual LANs (VLANs), 543, 544–545
virtual machines, 315
    Java Virtual Machine (JVM), 316
virtual mapping, 295–296
virtual memory, 306–307
virtual private networks. See VPNs
viruses, 996–997
    antivirus software, 1001–1004
    immunizers, 1002
visual recording devices, 461–464
Voice over IP (VoIP), 598–599, 600
voice prints, 183
    See also biometrics
voltage regulators, 434
VPNs, 608–609
vulnerabilities
    buffer overflows, 1096
    defined, 61
    file and directory permissions, 1097
    file descriptor attacks, 1096
    kernel flaws, 1095
    race conditions, 1096–1097
    relationship of threats and vulnerabilities, 87
    symbolic links, 1096
vulnerability testing, 1087–1090
    penetration testing, 1090–1094
    schedule, 1098

W

WAM. See web access management (WAM)
WANs, 46, 583
    CSU/DSU, 589
    dedicated links, 586–587
    protocols, 583
    T-carriers, 586–587
    telecommunications evolution, 583–586
WAP, 635–636
    gap in the WAP, 636
war driving for WLANs, 639–640
wardialing, 264, 603–604, 1086, 1094–1095
watchdog timers, 227, 292
water sprinklers, 445–446
waterfall development method, 952


The Web, 37, 38
    vulnerabilities, 43–44
    See also Internet
web access management (WAM), 168–171
Web security, 979–980
    administrative interfaces, 984–985
    authentication and access control, 985–986
    configuration management, 986–987
    denial-of-service attacks, 981
    financial fraud, 980
    firewalls, 982
    information gathering, 983–984
    input validation, 987–989
    intrusion prevention systems (IPSs), 982
    parameter validation, 989–992
    privileged access, 980–981
    quality assurance process, 982
    session management, 992
    SYN proxies, 982
    theft of intellectual property, 981
    theft of transaction information, 981
    vandalism, 980
Weisburd, Aaron, 29
well-known ports, 501, 557
Wells Fargo Bank, 36
white noise, 249
wide area networks. See WANs
windows, 421–423, 424
Wired Equivalent Privacy (WEP), 623, 695
Wireless Application Protocol. See WAP
wireless communications, 618
    Bluetooth, 634
    current implementations, 626–627
    Direct Sequence Spread Spectrum (DSSS), 620–621
    dynamic keys, 629–631
    Frequency Hopping Spread Spectrum (FHSS), 619–620, 621
    i-Mode, 636–637
    initialization vectors, 629–631
    spread spectrum, 619
    standards, 623–634
    third generation, 641–642
    Wireless Application Protocol (WAP), 635–636
    See also mobile phone security; satellites; WLANs
wireless LANs. See WLANs
Wireless Transport Layer Security (WTLS), 635
wiretapping, 887–888
WLANs
    ad hoc WLANs, 622
    components, 621–623
    infrastructure WLANs, 622
    war driving for, 639–640
work area separation, 234
work factor, 671
wormhole attacks, 535
worms, 999–1000

X

X.25, 594
xDSL, 607
XML, 47, 921

Y

Yahoo, 27

Z

Zachman Architecture Framework, 376–378
zero knowledge proof, 713
zeroization, 1049
zombies, 563, 839
zone transfers, 570
zones, 569


VISIT MHPROFESSIONAL.COM TO READ SAMPLE CHAPTERS AND LEARN MORE.

THE BEST in Microsoft Certification Prep


LICENSE AGREEMENT

THIS PRODUCT (THE “PRODUCT”) CONTAINS PROPRIETARY SOFTWARE, DATA AND INFORMATION (INCLUDING DOCUMENTATION) OWNED BY THE McGRAW-HILL COMPANIES, INC. (“McGRAW-HILL”) AND ITS LICENSORS. YOUR RIGHT TO USE THE PRODUCT IS GOVERNED BY THE TERMS AND CONDITIONS OF THIS AGREEMENT.

LICENSE: Throughout this License Agreement, “you” shall mean either the individual or the entity whose agent opens this package. You are granted a non-exclusive and non-transferable license to use the Product subject to the following terms:

(i) If you have licensed a single user version of the Product, the Product may only be used on a single computer (i.e., a single CPU). If you licensed and paid the fee applicable to a local area network or wide area network version of the Product, you are subject to the terms of the following subparagraph (ii).

(ii) If you have licensed a local area network version, you may use the Product on unlimited workstations located in one single building selected by you that is served by such local area network. If you have licensed a wide area network version, you may use the Product on unlimited workstations located in multiple buildings on the same site selected by you that is served by such wide area network; provided, however, that any building will not be considered located in the same site if it is more than five (5) miles away from any building included in such site. In addition, you may only use a local area or wide area network version of the Product on one single server. If you wish to use the Product on more than one server, you must obtain written authorization from McGraw-Hill and pay additional fees.

(iii) You may make one copy of the Product for back-up purposes only and you must maintain an accurate record as to the location of the back-up at all times.

COPYRIGHT; RESTRICTIONS ON USE AND TRANSFER: All rights (including copyright) in and to the Product are owned by McGraw-Hill and its licensors. You are the owner of the enclosed disc on which the Product is recorded. You may not use, copy, decompile, disassemble, reverse engineer, modify, reproduce, create derivative works, transmit, distribute, sublicense, store in a database or retrieval system of any kind, rent or transfer the Product, or any portion thereof, in any form or by any means (including electronically or otherwise) except as expressly provided for in this License Agreement. You must reproduce the copyright notices, trademark notices, legends and logos of McGraw-Hill and its licensors that appear on the Product on the back-up copy of the Product which you are permitted to make hereunder. All rights in the Product not expressly granted herein are reserved by McGraw-Hill and its licensors.

TERM: This License Agreement is effective until terminated. It will terminate if you fail to comply with any term or condition of this License Agreement. Upon termination, you are obligated to return to McGraw-Hill the Product together with all copies thereof and to purge all copies of the Product included in any and all servers and computer facilities.

DISCLAIMER OF WARRANTY: THE PRODUCT AND THE BACK-UP COPY ARE LICENSED “AS IS.” McGRAW-HILL, ITS LICENSORS AND THE AUTHORS MAKE NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE RESULTS TO BE OBTAINED BY ANY PERSON OR ENTITY FROM USE OF THE PRODUCT, ANY INFORMATION OR DATA INCLUDED THEREIN AND/OR ANY TECHNICAL SUPPORT SERVICES PROVIDED HEREUNDER, IF ANY (“TECHNICAL SUPPORT SERVICES”). McGRAW-HILL, ITS LICENSORS AND THE AUTHORS MAKE NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE PRODUCT. McGRAW-HILL, ITS LICENSORS, AND THE AUTHORS MAKE NO GUARANTEE THAT YOU WILL PASS ANY CERTIFICATION EXAM WHATSOEVER BY USING THIS PRODUCT. NEITHER McGRAW-HILL, ANY OF ITS LICENSORS NOR THE AUTHORS WARRANT THAT THE FUNCTIONS CONTAINED IN THE PRODUCT WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF THE PRODUCT WILL BE UNINTERRUPTED OR ERROR FREE. YOU ASSUME THE ENTIRE RISK WITH RESPECT TO THE QUALITY AND PERFORMANCE OF THE PRODUCT.

LIMITED WARRANTY FOR DISC: To the original licensee only, McGraw-Hill warrants that the enclosed disc on which the Product is recorded is free from defects in materials and workmanship under normal use and service for a period of ninety (90) days from the date of purchase. In the event of a defect in the disc covered by the foregoing warranty, McGraw-Hill will replace the disc.

LIMITATION OF LIABILITY: NEITHER McGRAW-HILL, ITS LICENSORS NOR THE AUTHORS SHALL BE LIABLE FOR ANY INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS BUT NOT LIMITED TO, LOSS OF ANTICIPATED PROFITS OR BENEFITS, RESULTING FROM THE USE OR INABILITY TO USE THE PRODUCT EVEN IF ANY OF THEM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL APPLY TO ANY CLAIM OR CAUSE WHATSOEVER WHETHER SUCH CLAIM OR CAUSE ARISES IN CONTRACT, TORT, OR OTHERWISE. Some states do not allow the exclusion or limitation of indirect, special or consequential damages, so the above limitation may not apply to you.

U.S. GOVERNMENT RESTRICTED RIGHTS: Any software included in the Product is provided with restricted rights subject to subparagraphs (c), (1) and (2) of the Commercial Computer Software-Restricted Rights clause at 48 C.F.R. 52.227-19. The terms of this Agreement applicable to the use of the data in the Product are those under which the data are generally made available to the general public by McGraw-Hill. Except as provided herein, no reproduction, use, or disclosure rights are granted with respect to the data included in the Product and no right to modify or create derivative works from any such data is hereby granted.

GENERAL: This License Agreement constitutes the entire agreement between the parties relating to the Product. The terms of any Purchase Order shall have no effect on the terms of this License Agreement. Failure of McGraw-Hill to insist at any time on strict compliance with this License Agreement shall not constitute a waiver of any rights under this License Agreement. This License Agreement shall be construed and governed in accordance with the laws of the State of New York. If any provision of this License Agreement is held to be contrary to law, that provision will be enforced to the maximum extent permissible and the remaining provisions will remain in full force and effect.
