CISSP®: Certified Information Systems Security Professional Study Guide, 2nd Edition

Ed Tittel
James Michael Stewart
Mike Chapple

San Francisco • London

4335cFM.fm Page i Wednesday, June 16, 2004 4:01 PM


Associate Publisher: Neil Edde
Acquisitions and Developmental Editor: Heather O’Connor
Production Editor: Lori Newman
Technical Editor: Patrick Bass
Copyeditor: Judy Flynn
Compositor: Craig Woods, Happenstance Type-O-Rama
Graphic Illustrator: Happenstance Type-O-Rama
CD Coordinator: Dan Mummert
CD Technician: Kevin Ly
Proofreaders: Laurie O’Connell, Nancy Riddiough
Indexer: Ted Laux
Book Designer: Bill Gibson, Judy Fung
Cover Designer: Archer Design
Cover Photographer: Victor Arre, Photodisc

Copyright © 2004 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher.

First edition copyright © 2003 SYBEX Inc.

Library of Congress Card Number: 2003115091

ISBN: 0-7821-4335-0

SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries.

Screen reproductions produced with FullShot 99. FullShot 99 © 1991–1999 Inbit Incorporated. All rights reserved.

FullShot is a trademark of Inbit Incorporated.

The CD interface was created using Macromedia Director, COPYRIGHT 1994, 1997–1999 Macromedia Inc. For more information on Macromedia and Macromedia Director, visit http://www.macromedia.com.

This study guide and/or material is not sponsored by, endorsed by or affiliated with International Information Systems Security Certification Consortium, Inc. (ISC)2® and CISSP® are registered service and/or trademarks of the International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners.

TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer.

The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book.

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1


To Our Valued Readers:

Thank you for looking to Sybex for your CISSP exam prep needs. We at Sybex are proud of our reputation for providing certification candidates with the practical knowledge and skills needed to succeed in the highly competitive IT marketplace. Certification candidates have come to rely on Sybex for accurate and accessible instruction on today’s crucial technologies. For the second year in a row, readers such as you voted Sybex as winner of the “Best Study Guides” category in the 2003 CertCities Readers Choice Awards.

The author and editors have worked hard to ensure that the new edition of the CISSP®: Certified Information Systems Security Professional Study Guide you hold in your hands is comprehensive, in-depth, and pedagogically sound. We’re confident that this book will exceed the demanding standards of the certification marketplace and help you, the CISSP certification candidate, succeed in your endeavors.

As always, your feedback is important to us. If you believe you’ve identified an error in the book, please send a detailed e-mail to [email protected]. And if you have general comments or suggestions, feel free to drop me a line directly at [email protected].

At Sybex we’re continually striving to meet the needs of individuals preparing for certification exams.

Good luck in pursuit of your CISSP certification!

Neil Edde
Associate Publisher—Certification
Sybex, Inc.


Software License Agreement: Terms and Conditions

The media and/or any online materials accompanying this book that are available now or in the future contain programs and/or text files (the “Software”) to be used in connection with the book. SYBEX hereby grants to you a license to use the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Software will constitute your acceptance of such terms.

The Software compilation is the property of SYBEX unless otherwise indicated and is protected by copyright to SYBEX or other copyright owner(s) as indicated in the media files (the “Owner(s)”). You are hereby granted a single-user license to use the Software for your personal, noncommercial use only. You may not reproduce, sell, distribute, publish, circulate, or commercially exploit the Software, or any portion thereof, without the written consent of SYBEX and the specific copyright owner(s) of any component software included on this media.

In the event that the Software or components include specific license requirements or end-user agreements, statements of condition, disclaimers, limitations or warranties (“End-User License”), those End-User Licenses supersede the terms and conditions herein as to that particular Software component. Your purchase, acceptance, or use of the Software will constitute your acceptance of such End-User Licenses.

By purchase, use or acceptance of the Software you further agree to comply with all export laws and regulations of the United States as such laws and regulations may exist from time to time.

Software Support

Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material, but they are not supported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate read.me files or listed elsewhere on the media.

Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s).

Warranty

SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Software is not available from SYBEX in any other form or media than that enclosed herein or posted to www.sybex.com. If you discover a defect in the media during this warranty period, you may obtain a replacement of identical format at no charge by sending the defective media, postage prepaid, with proof of purchase to:

SYBEX Inc.
Product Support Department
1151 Marina Village Parkway
Alameda, CA 94501
Web: http://www.sybex.com

After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX.

Disclaimer

SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting.

The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agreement of Terms and Conditions.

Shareware Distribution

This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files.

Copy Protection

The Software in whole or in part may or may not be copy-protected or encrypted. However, in all cases, reselling or redistributing these files without authorization is expressly forbidden except as specifically provided for by the Owner(s) therein.


Acknowledgments

Thanks to Neil Edde and Jordan Gold at Sybex for helping us hook up with this project; thanks also to Rodnay Zaks for numerous fine gastronomic experiences and for an even greater number of good ideas. But Neil wins the “great gastronomy prize” for taking me to Chez Panisse for lunch the last time I visited Sybex’s Alameda offices. Thanks to my mom and dad for providing me with the basic tools to become a writer and trainer: an inquiring mind, plus good verbal and debating skills. Thanks to Dina Kutueva, not just for marrying me and completing my life, but also for her magnificent efforts and sacrifices in delivering our beautiful son, Gregory E. Tittel, in February 2004. You rule my world! And finally, thanks to the whole historical LANWrights gang—Dawn, Mary, Kim, Bill, Chelsea, Natanya, and Michael—for 10 great years of camaraderie, collaboration, and the occasional success. You guys are the greatest; I couldn’t have done it without you! I'm sorry we haven't all been able to stay together, but I'll always value our time together and our continuing friendships.

—Ed Tittel

Thanks to Ed Tittel and LANWrights, Inc. for allowing me to contribute to the revision of this book. Working with you guys is and always has been a pleasure. Thanks to my editor Dawn Rader for putting up with my bad grammar. Thanks to my third co-author, Mike Chapple, for helping make this book all it could be. To my parents, Dave and Sue, thanks for your love and consistent support. To my sister Sharon and nephew Wesley, it’s great having family like you to spend time with. To Mark, it’s time we both got a life. To HERbert and Quin, it’s great having two furry friends around the house. And finally, as always, to Elvis—where did you get that shiny gold suit? I want to wear it around town to blind anyone who gazes in my direction.

—James Michael Stewart

I’d like to thank Ed Tittel, Dawn Rader, and the team at LANWrights, Inc. for their assistance with this project. I also owe a debt of gratitude to the countless technical experts in government and industry who’ve patiently answered my questions and fueled my passion for security over the years. Above all, I’d like to thank my wife Renee for her undying patience as I worked on this book. Without her support, this never would have been possible.

—Mike Chapple


Contents at a Glance

Introduction xxiii
Assessment Test xxx
Chapter 1 Accountability and Access Control 1
Chapter 2 Attacks and Monitoring 31
Chapter 3 ISO Model, Network Security, and Protocols 55
Chapter 4 Communications Security and Countermeasures 99
Chapter 5 Security Management Concepts and Principles 129
Chapter 6 Asset Value, Policies, and Roles 149
Chapter 7 Data and Application Security Issues 179
Chapter 8 Malicious Code and Application Attacks 219
Chapter 9 Cryptography and Private Key Algorithms 253
Chapter 10 PKI and Cryptographic Applications 287
Chapter 11 Principles of Computer Design 317
Chapter 12 Principles of Security Models 361
Chapter 13 Administrative Management 395
Chapter 14 Auditing and Monitoring 421
Chapter 15 Business Continuity Planning 449
Chapter 16 Disaster Recovery Planning 475
Chapter 17 Law and Investigations 507
Chapter 18 Incidents and Ethics 541
Chapter 19 Physical Security Requirements 563
Glossary 591
Index 649


Contents

Introduction xxiii
Assessment Test xxx

Chapter 1 Accountability and Access Control 1

Access Control Overview 2
Types of Access Control 2
Access Control in a Layered Environment 4
The Process of Accountability 5

Identification and Authentication Techniques 7
Passwords 7
Biometrics 10
Tokens 13
Tickets 14

Access Control Techniques 15
Access Control Methodologies and Implementation 17

Centralized and Decentralized Access Control 17
RADIUS and TACACS 18

Access Control Administration 19
Account Administration 19
Account, Log, and Journal Monitoring 20
Access Rights and Permissions 20

Summary 21
Exam Essentials 22
Review Questions 24
Answers to Review Questions 28

Chapter 2 Attacks and Monitoring 31

Monitoring 32
Intrusion Detection 33

Host-Based and Network-Based IDSs 33
Knowledge-Based and Behavior-Based Detection 35

IDS-Related Tools 36
Penetration Testing 37
Methods of Attacks 37

Brute Force and Dictionary Attacks 38
Denial of Service 40
Spoofing Attacks 43
Man-in-the-Middle Attacks 43
Sniffer Attacks 44
Spamming Attacks 44
Crackers 45

Access Control Compensations 45
Summary 45
Exam Essentials 46
Review Questions 49
Answers to Review Questions 53

Chapter 3 ISO Model, Network Security, and Protocols 55

OSI Model 56
History of the OSI Model 56
OSI Functionality 57
Encapsulation/Deencapsulation 58
OSI Layers 59
TCP/IP Model 63

Communications and Network Security 64
Network Cabling 65
LAN Technologies 68
Network Topologies 71
TCP/IP Overview 73

Internet/Intranet/Extranet Components 78
Firewalls 78
Other Network Devices 81

Remote Access Security Management 82
Network and Protocol Security Mechanisms 83

VPN Protocols 83
Secure Communications Protocols 84
E-Mail Security Solutions 84
Dial-Up Protocols 85
Authentication Protocols 85
Centralized Remote Authentication Services 85

Network and Protocol Services 86
Frame Relay 87
Other WAN Technologies 87

Avoiding Single Points of Failure 88
Redundant Servers 88
Failover Solutions 89
RAID 89

Summary 91
Exam Essentials 91
Review Questions 93
Answers to Review Questions 97

Chapter 4 Communications Security and Countermeasures 99

Virtual Private Network (VPN) 100
Tunneling 100
How VPNs Work 101
Implementing VPNs 102

Network Address Translation 103
Private IP Addresses 103
Stateful NAT 103

Switching Technologies 104
Circuit Switching 104
Packet Switching 104
Virtual Circuits 105

WAN Technologies 105
WAN Connection Technologies 106
Encapsulation Protocols 108

Miscellaneous Security Control Characteristics 108
Transparency 108
Verifying Integrity 109
Transmission Mechanisms 109

Managing E-Mail Security 109
E-Mail Security Goals 110
Understanding E-Mail Security Issues 111
E-Mail Security Solutions 111

Securing Voice Communications 113
Social Engineering 113
Fraud and Abuse 114
Phreaking 115

Security Boundaries 115
Network Attacks and Countermeasures 116

Eavesdropping 116
Second-Tier Attacks 117
Address Resolution Protocol (ARP) 117

Summary 118
Exam Essentials 120
Review Questions 122
Answers to Review Questions 126

Chapter 5 Security Management Concepts and Principles 129

Security Management Concepts and Principles 130
Confidentiality 130
Integrity 131
Availability 132
Other Security Concepts 133

Protection Mechanisms 135
Layering 136
Abstraction 136
Data Hiding 136
Encryption 137

Change Control/Management 137
Data Classification 138
Summary 140
Exam Essentials 141
Review Questions 143
Answers to Review Questions 147

Chapter 6 Asset Value, Policies, and Roles 149

Employment Policies and Practices 150
Security Management for Employees 150

Security Roles 153
Policies, Standards, Baselines, Guidelines, and Procedures 154

Security Policies 155
Security Standards, Baselines, and Guidelines 155
Security Procedures 156

Risk Management 157
Risk Terminology 157
Risk Assessment Methodologies 159
Quantitative Risk Analysis 161
Qualitative Risk Analysis 163
Handling Risk 165

Security Awareness Training 166
Security Management Planning 167
Summary 167
Exam Essentials 169
Review Questions 172
Answers to Review Questions 176

Chapter 7 Data and Application Security Issues 179

Application Issues 180
Local/Nondistributed Environment 180
Distributed Environment 182

Databases and Data Warehousing 186
Database Management System (DBMS) Architecture 186
Database Transactions 188
Multilevel Security 189
Aggregation 190
Inference 190
Polyinstantiation 191
Data Mining 191

Data/Information Storage 192
Types of Storage 192
Storage Threats 193

Knowledge-Based Systems 193
Expert Systems 194
Neural Networks 195
Security Applications 195

Systems Development Controls 195
Software Development 196
Systems Development Life Cycle 198
Life Cycle Models 201
Change Control and Configuration Management 205
Security Control Architecture 206
Service Level Agreements 208

Summary 209
Exam Essentials 210
Written Lab 211
Review Questions 212
Answers to Review Questions 216
Answers to Written Lab 218

Chapter 8 Malicious Code and Application Attacks 219

Malicious Code 220
Sources 220
Viruses 221
Logic Bombs 226
Trojan Horses 226
Worms 227
Active Content 228
Countermeasures 229

Password Attacks 230
Password Guessing 230
Dictionary Attacks 231
Social Engineering 231
Countermeasures 232

Denial of Service Attacks 232
SYN Flood 232
Distributed DoS Toolkits 234
Smurf 234
Teardrop 236
Land 237
DNS Poisoning 237
Ping of Death 238

Application Attacks 238
Buffer Overflows 238
Time-of-Check-to-Time-of-Use 239
Trap Doors 239
Rootkits 239

Reconnaissance Attacks 240
IP Probes 240
Port Scans 240
Vulnerability Scans 240
Dumpster Diving 241

Masquerading Attacks 241
IP Spoofing 241
Session Hijacking 242

Decoy Techniques 242
Honey Pots 242
Pseudo-Flaws 243

Summary 243
Exam Essentials 244
Written Lab 245
Review Questions 246
Answers to Review Questions 250
Answers to Written Lab 252

Chapter 9 Cryptography and Private Key Algorithms 253

History 254
Caesar Cipher 254
American Civil War 255
Ultra vs. Enigma 255

Cryptographic Basics 256
Goals of Cryptography 256
Concepts 257
Cryptographic Mathematics 258
Ciphers 262

Modern Cryptography 266
Cryptographic Keys 266
Symmetric Key Algorithms 267
Asymmetric Key Algorithms 268
Hashing Algorithms 270

Symmetric Cryptography 271
Data Encryption Standard (DES) 271
Triple DES (3DES) 272
International Data Encryption Algorithm (IDEA) 273
Blowfish 274
Skipjack 274
Advanced Encryption Standard (AES) 275
Key Distribution 275
Key Escrow 277

Summary 277
Exam Essentials 278
Written Lab 279
Review Questions 280
Answers to Review Questions 284
Answers to Written Lab 286

Chapter 10 PKI and Cryptographic Applications 287

Asymmetric Cryptography 288
Public and Private Keys 288
RSA 289
El Gamal 291
Elliptic Curve 291

Hash Functions 292
SHA 293
MD2 293
MD4 294
MD5 294

Digital Signatures 294
HMAC 295
Digital Signature Standard 296

Public Key Infrastructure 297
Certificates 297
Certificate Authorities 298
Certificate Generation and Destruction 298
Key Management 300

Applied Cryptography 300
Electronic Mail 301
Web 303
E-Commerce 304
Networking 305

Cryptographic Attacks 307
Summary 308
Exam Essentials 309
Review Questions 311
Answers to Review Questions 315

Chapter 11 Principles of Computer Design 317

Computer Architecture 319
Hardware 319
Input/Output Structures 337
Firmware 338

Security Protection Mechanisms 338
Technical Mechanisms 338
Security Policy and Computer Architecture 340
Policy Mechanisms 341
Distributed Architecture 342

Security Models 344
State Machine Model 344
Bell-LaPadula Model 345
Biba 346
Clark-Wilson 347
Information Flow Model 348
Noninterference Model 348
Take-Grant Model 349
Access Control Matrix 349
Brewer and Nash Model (a.k.a. Chinese Wall) 350
Classifying and Comparing Models 350

Summary 351
Exam Essentials 352
Review Questions 355
Answers to Review Questions 359

Chapter 12 Principles of Security Models 361

Common Security Models, Architectures, and Evaluation Criteria 362
Trusted Computing Base (TCB) 363
Security Models 364
Objects and Subjects 366
Closed and Open Systems 367
Techniques for Ensuring Confidentiality, Integrity, and Availability 367
Controls 368
IP Security (IPSec) 369

Understanding System Security Evaluation 370
Rainbow Series 371
ITSEC Classes and Required Assurance and Functionality 375
Common Criteria 376
Certification and Accreditation 379

Common Flaws and Security Issues 380
Covert Channels 380
Attacks Based on Design or Coding Flaws and Security Issues 381
Programming 384
Timing, State Changes, and Communication Disconnects 384
Electromagnetic Radiation 385

Summary 385
Exam Essentials 386
Review Questions 388
Answers to Review Questions 392

Chapter 13 Administrative Management 395

Antivirus Management 396
Operations Security Concepts 397

Operational Assurance and Life Cycle Assurance 397
Backup Maintenance 398
Changes in Workstation/Location 398
Need-to-Know and the Principle of Least Privilege 399
Privileged Operations Functions 399
Trusted Recovery 400
Configuration and Change Management Control 400
Standards of Due Care and Due Diligence 401
Privacy and Protection 402
Legal Requirements 402
Illegal Activities 402
Record Retention 403
Sensitive Information and Media 403
Security Control Types 405
Operations Controls 406
Personnel Controls 408

Summary 409
Exam Essentials 411
Review Questions 414
Answers to Review Questions 418

Chapter 14 Auditing and Monitoring 421

Auditing 422
Auditing Basics 422
Audit Trails 424
Reporting Concepts 425
Sampling 426
Record Retention 426
External Auditors 427

Monitoring 428
Monitoring Tools and Techniques 428

Penetration Testing Techniques 430
War Dialing 431
Sniffing and Eavesdropping 431
Radiation Monitoring 432
Dumpster Diving 432
Social Engineering 433
Problem Management 433

Inappropriate Activities 434
Indistinct Threats and Countermeasures 434

Errors and Omissions 435
Fraud and Theft 435
Collusion 435
Sabotage 435
Loss of Physical and Infrastructure Support 435
Malicious Hackers or Crackers 436
Espionage 436
Malicious Code 436
Traffic and Trend Analysis 436
Initial Program Load Vulnerabilities 437

Summary 438
Exam Essentials 439
Review Questions 443
Answers to Review Questions 447

Chapter 15 Business Continuity Planning 449

Business Continuity Planning 450
Project Scope and Planning 450

Business Organization Analysis 451
BCP Team Selection 451
Resource Requirements 452
Legal and Regulatory Requirements 453

Business Impact Assessment 455
Identify Priorities 456
Risk Identification 456
Likelihood Assessment 457
Impact Assessment 457
Resource Prioritization 458

Continuity Strategy 459
Strategy Development 459
Provisions and Processes 460
Plan Approval 461
Plan Implementation 462
Training and Education 462

BCP Documentation 462
Continuity Planning Goals 463
Statement of Importance 463
Statement of Priorities 463
Statement of Organizational Responsibility 463
Statement of Urgency and Timing 464
Risk Assessment 464
Risk Acceptance/Mitigation 464
Vital Records Program 464
Emergency Response Guidelines 465
Maintenance 465
Testing 465

Summary 465
Exam Essentials 466
Review Questions 468
Answers to Review Questions 472

Chapter 16 Disaster Recovery Planning 475

Disaster Recovery Planning 476
Natural Disasters 477
Man-Made Disasters 481

Recovery Strategy 485
Business Unit Priorities 485
Crisis Management 485
Emergency Communications 486
Work Group Recovery 486
Alternate Processing Sites 486
Mutual Assistance Agreements 489
Database Recovery 489

Recovery Plan Development 491
Emergency Response 491
Personnel Notification 492
Backups and Offsite Storage 493
Software Escrow Arrangements 494
External Communications 495
Utilities 495
Logistics and Supplies 495
Recovery vs. Restoration 495

Training and Documentation 496
Testing and Maintenance 496

Checklist Test 497
Structured Walk-Through 497
Simulation Test 497
Parallel Test 497
Full-Interruption Test 498
Maintenance 498

Summary 498
Exam Essentials 498
Written Lab 499
Review Questions 500
Answers to Review Questions 504
Answers to Written Lab 506


Chapter 17 Law and Investigations 507

Categories of Laws 508
Criminal Law 508
Civil Law 509
Administrative Law 510

Laws 510
Computer Crime 511
Intellectual Property 514
Licensing 519
Import/Export 520
Privacy 521

Investigations 526
Evidence 526
Investigation Process 528

Summary 530
Exam Essentials 530
Written Lab 532
Review Questions 533
Answers to Review Questions 537
Answers to Written Lab 539

Chapter 18 Incidents and Ethics 541

Major Categories of Computer Crime 542
Military and Intelligence Attacks 543
Business Attacks 543
Financial Attacks 544
Terrorist Attacks 544
Grudge Attacks 545
“Fun” Attacks 545
Evidence 546

Incident Handling 546
Common Types of Incidents 547
Response Teams 549
Abnormal and Suspicious Activity 549
Confiscating Equipment, Software, and Data 550
Incident Data Integrity and Retention 551
Reporting Incidents 551

Ethics 552
(ISC)2 Code of Ethics 552
Ethics and the Internet 553

Summary 554
Exam Essentials 555
Review Questions 557
Answers to Review Questions 561


Chapter 19 Physical Security Requirements 563

Facility Requirements 564Secure Facility Plan 565Physical Security Controls 565Site Selection 565Visibility 565Accessibility 566Natural Disasters 566Facility Design 566Work Areas 566Server Rooms 567Visitors 567

Forms of Physical Access Controls 568Fences, Gates, Turnstiles, and Mantraps 568Lighting 568Security Guards and Dogs 569Keys and Combination Locks 570Badges 570Motion Detectors 571Intrusion Alarms 571Secondary Verification Mechanisms 571

Technical Controls 572Smart Cards 572Proximity Readers 572Access Abuses 573Intrusion Detection Systems 573Emanation Security 574

Environment and Life Safety 575Personnel Safety 575Power and Electricity 575Noise 576Temperature, Humidity, and Static 577Water 577Fire Detection and Suppression 578

Equipment Failure 580
Summary 581
Exam Essentials 581
Review Questions 584
Answers to Review Questions 588

Glossary 591

Index 649


Introduction

The CISSP: Certified Information Systems Security Professional Study Guide, 2nd Edition offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you’ve shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam.

This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you. The purpose of this book is to adequately prepare you to pass the CISSP exam.

Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary 4 years of experience (or 3 years plus a college degree) in one of the 10 domains covered by the CISSP exam. If you are qualified to take the CISSP exam according to (ISC)², then you are sufficiently prepared to use this book to study for the CISSP exam. For more information on (ISC)², see the next section.

(ISC)²

The CISSP exam is governed by the International Information Systems Security Certification Consortium, Inc. (ISC)² organization. (ISC)² is a global not-for-profit organization. It has four primary mission goals:

• Maintain the Common Body of Knowledge for the field of information systems security

• Provide certification for information systems security professionals and practitioners

• Conduct certification training and administer the certification exams

• Oversee the ongoing accreditation of qualified certification candidates through continued education

The (ISC)² is operated by a board of directors elected from the ranks of its certified practitioners. More information about (ISC)² can be obtained from its website at www.isc2.org.

CISSP and SSCP

(ISC)² supports and provides two primary certifications: CISSP and SSCP. These certifications are designed to emphasize the knowledge and skills of an IT security professional across all industries. CISSP is a certification for security professionals who have the task of designing a security infrastructure for an organization. System Security Certified Practitioner (SSCP) is a certification for security professionals who have the responsibility of implementing a security infrastructure in an organization. The CISSP certification covers material from the 10 CBK domains:

1. Access Control Systems and Methodology

2. Telecommunications and Network Security


3. Security Management Practices

4. Applications and Systems Development Security

5. Cryptography

6. Security Architecture and Models

7. Operations Security

8. Business Continuity Planning and Disaster Recovery Planning

9. Law, Investigations, and Ethics

10. Physical Security

The SSCP certification covers material from 7 CBK domains:

• Access Controls

• Administration

• Audit and Monitoring

• Cryptography

• Data Communications

• Malicious Code/Malware

• Risk, Response, and Recovery

The content of the CISSP and SSCP domains overlaps significantly, but the focus is different for each set of domains. CISSP focuses on theory and design, whereas SSCP focuses more on implementation. This book focuses only on the domains for the CISSP exam.

Prequalifications

(ISC)² has defined several qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least 4 years’ experience or with 3 years’ experience and a college degree. Professional experience is defined as security work performed for salary or commission within one or more of the 10 CBK domains.

Second, you must agree to adhere to the code of ethics. The CISSP Code of Ethics is a set of guidelines the (ISC)² wants all CISSP candidates to follow in order to maintain professionalism in the field of information systems security. You can find it in the Information section on the (ISC)² website at www.isc2.org.

(ISC)² has created a new program known as an Associate of (ISC)². This program allows someone without any or enough experience to take the CISSP exam and then obtain experience afterward. They are given 5 years to obtain 4 years of security experience. Only after providing proof of experience, usually by means of endorsement and a resume, does (ISC)² award the individual the CISSP certification label.

To sign up for the exam, visit the (ISC)² website and follow the instructions listed there on registering to take the CISSP exam. You’ll provide your contact information, payment details, and security-related professional experience. You’ll also select one of the available time and location settings for the exam. Once (ISC)² approves your application to take the exam, you’ll receive a confirmation e-mail with all the details you’ll need to find the testing center and take the exam.


Overview of the CISSP Exam

The CISSP exam consists of 250 questions, and you are given 6 hours to complete it. The exam is still administered in a booklet and answer sheet format. This means you’ll be using a pencil to fill in answer bubbles.

The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and concept than implementation and procedure. It is very broad but not very deep. To successfully complete the exam, you’ll need to be familiar with every domain but not necessarily be a master of each domain.

You’ll need to register for the exam through the (ISC)² website at www.isc2.org. (ISC)² administers the exam itself. In most cases, the exams are held in large conference rooms at hotels. Existing CISSP holders are recruited to serve as proctors or administrators over the exams. Be sure to arrive at the testing center around 8:00 a.m., and keep in mind that absolutely no one will be admitted into the exam after 8:30 a.m.

CISSP Exam Question Types

Every single question on the CISSP exam is a four-option multiple choice question with a single correct answer. Here’s an example:

1. What is the most important goal and top priority of a security solution?

A. Prevention of disclosure

B. Maintaining integrity

C. Human safety

D. Sustaining availability

You must select the one correct or best answer and mark it on your answer sheet. In some cases, the correct answer will be very obvious to you. In other cases, there will be several answers that seem correct. In these instances, you must choose the best answer for the question asked. Watch for general, specific, universal, superset, and subset answer selections. In other cases, none of the answers will seem correct. In these instances, you’ll need to select the least incorrect answer.

Advice on Taking the Exam

There are two key elements to the CISSP exam. First, you need to know the material from the 10 CBK domains. Second, you must have good test-taking skills. With 6 hours to complete a 250-question exam, you have just under 90 seconds for each question. Thus, it is important to work quickly, without rushing but without wasting time.

A key factor to keep in mind is that guessing is better than not answering a question. If you skip a question, you will not get credit. But if you guess, you have at least a 25-percent chance of improving your score. Wrong answers are not counted against you. So, near the end of the sixth hour, be sure an answer is selected for every line on the answer sheet.

You can write on the test booklet, but nothing written on it will count for or against your score. Use the booklet to make notes and keep track of your progress. We recommend circling each answer you select before you mark it on your answer sheet.


To maximize your test-taking activities, here are some general guidelines:

1. Answer easy questions first.

2. Skip harder questions and return to them later. Consider creating a column on the front cover of your testing booklet to keep track of skipped questions.

3. Eliminate wrong answers before selecting the correct one.

4. Watch for double negatives.

5. Be sure you understand what the question is asking.

Manage your time. You should try to keep up with about 50 questions per hour. This will leave you with about an hour to focus on skipped questions and double-check your work.

Be very careful to mark your answers on the correct question number on the answer sheet. The most common cause of failure is making a transference mistake from the test booklet to the answer sheet.

Study and Exam Preparation Tips

We recommend planning out a month or so for nightly intensive study for the CISSP exam. Here are some suggestions to maximize your learning time; you can modify them as necessary based on your own learning habits:

• Take one or two evenings to read each chapter in this book and work through its review material.

• Take all the practice exams provided in the book and on the CD.

• Review the (ISC)²’s study guide from www.isc2.org.

• Use the flashcards found on the CD to reinforce your understanding of concepts.

Completing the Certification Process

Once you have been informed that you successfully passed the CISSP certification, there is one final step before you are actually awarded the CISSP certification label. That final step is known as endorsement. Basically, this involves getting someone familiar with your work history to sign and submit an endorsement form on your behalf. The endorsement form is sent to you as an attachment on the e-mail notifying you of your achievement in passing the exam. Simply send the form to a manager, supervisor, or even another CISSP along with your resume. The endorser must review your resume, ensure that you have sufficient experience in the 10 CISSP domains, and then submit the signed form to (ISC)² via fax or snail mail. You must have completed endorsement files with (ISC)² within 90 days after receiving the confirmation of passing e-mail. Once (ISC)² receives your endorsement form, the certification process will be completed and you will be sent a welcome packet via snail mail.

Post CISSP Concentrations

(ISC)² has added three concentrations to its certification lineup. These concentrations are offered only to CISSP certificate holders. The (ISC)² has taken the concepts introduced on the CISSP exam and focused on specific areas; namely, architecture, management, and engineering. The three concentrations are as follows:

• ISSAP (Information Systems Security Architecture Professional)

• ISSMP (Information Systems Security Management Professional)

• ISSEP (Information Systems Security Engineering Professional)

For more details about these concentration exams and certifications, please see the (ISC)² website at www.isc2.org.

Notes on This Book’s Organization

This book was designed to cover each of the 10 CISSP Common Body of Knowledge (CBK) domains in sufficient depth to provide you with a clear understanding of the material. The main body of this book comprises 19 chapters. The first 9 domains are each covered by 2 chapters, and the final domain (Physical Security) is covered in Chapter 19. The domain/chapter breakdown is as follows:

Chapters 1 and 2      Access Control Systems and Methodology
Chapters 3 and 4      Telecommunications and Network Security
Chapters 5 and 6      Security Management Practices
Chapters 7 and 8      Applications and Systems Development Security
Chapters 9 and 10     Cryptography
Chapters 11 and 12    Security Architecture and Models
Chapters 13 and 14    Operations Security
Chapters 15 and 16    Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
Chapters 17 and 18    Law, Investigation, and Ethics
Chapter 19            Physical Security

Each chapter includes elements to help you focus your studies and test your knowledge. These include exam essentials, key terms, and review questions. The exam essentials point out key topics to know for the exam. Unique terminology is presented in the chapter, and then each key term is also later defined in the glossary at the end of the book for your convenience. Review questions test your knowledge retention for the material covered in the chapter.

There is a CD included that offers many other study tools, including lengthy practice exams (over 700 questions) and a complete set of study flashcards.

The Elements of this Study Guide

You’ll see many recurring elements as you read through the study guide. Here’s a description of some of those elements.

Key Terms and Glossary

In every chapter, we’ve identified key terms, which are important for you to know. You’ll also find these key terms and their definitions in the glossary.


Summaries

The summary is a brief review of the chapter to sum up what was covered.

Exam Essentials

The Exam Essentials highlight topics that could appear on one or both of the exams in some form. While we obviously do not know exactly what will be included in a particular exam, this section reinforces significant concepts that are key to understanding the body of knowledge area and the test specs for the CISSP exam.

Chapter Review Questions

Each chapter includes 20 practice questions that have been designed to measure your knowledge of key ideas that were discussed in the chapter. After you finish each chapter, answer the questions; if some of your answers are incorrect, it’s an indication that you need to spend some more time studying that topic. The answers to the practice questions can be found after each question in each chapter.

What’s on the CD?

We worked really hard to provide some essential tools to help you with your certification process. All of the following gear should be loaded on your workstation when studying for the test.

The All-New Sybex Test Preparation Software

The test preparation software, made by experts at Sybex, prepares you for the CISSP exam. In this test engine, you will find all the review and assessment questions from the book, plus four additional bonus exams that appear exclusively on the CD. You can take the assessment test, test yourself by chapter, take the practice exams, or take a randomly generated exam comprising all the questions. Finally, you can be graded by topic area so you can assess the areas in which you need further review.

Electronic Flashcards for PCs and Palm Devices

Sybex’s electronic flashcards include hundreds of questions designed to challenge you further for the CISSP exam. Between the review questions, practice exams, and flashcards, you’ll have more than enough practice for the exam!

CISSP Study Guide in PDF

Sybex offers the CISSP Study Guide in PDF format on the CD so you can read the book on your PC or laptop. If you travel and don’t want to carry a book, or if you just like to read from the computer screen, Acrobat Reader 5 is also included on the CD.

How to Use This Book and CD

This book has a number of features designed to guide your study efforts for the CISSP certification exam. It assists you by listing the CISSP body of knowledge at the beginning of each chapter and by ensuring that each of them is fully discussed within the chapter. The practice questions at the end of each chapter and the practice exams on the CD are designed to assist you in testing your retention of the material you’ve read, to make sure you are aware of areas in which you should spend additional study time. Here are some suggestions for using this book and CD:

1. Take the assessment test before you start reading the material. This will give you an idea of the areas in which you need to spend additional study time, as well as those areas in which you may just need a brief refresher.

2. Answer the review questions after you’ve read each chapter; if you answer any incorrectly, go back to the chapter and review the topic, or utilize one of the additional resources if you need more information.

3. Download the flashcards to your hand-held device and review them when you have a few minutes during the day.

4. Take every opportunity to test yourself. In addition to the assessment test and review questions, there are four bonus exams on the CD. Take these exams without referring to the chapters and see how well you’ve done—go back and review any topics you’ve missed until you fully understand and can apply the concepts.

Finally, find a study partner if possible. Studying for, and taking, the exam with someone else will make the process more enjoyable, and you’ll have someone to help you understand topics that are difficult for you. You’ll also be able to reinforce your own knowledge by helping your study partner in areas where they are weak.

About the Authors

Ed Tittel is the VP of content development and delivery for Capstar LLC, whose former LANWrights organization still roots the Texas arm of Capstar fully and completely. Ed’s been writing computer books since 1987 and has over 100 to his credit; he also writes about information security topics and teaches them regularly.

James Michael Stewart teaches CISSP boot camps and has coauthored numerous books on Microsoft and security certification and administration. He has written articles for numerous print and online publications and developed certification courseware and training materials as well as presented these materials in the classroom. He is also a regular speaker at Networld+Interop and COMDEX. Michael holds the following certifications: CISSP, ISSAP, TICSA, CIW SA, Security+, CTT+, MCT, CCNA, MCSE+Security Windows 2000, MCSE NT & W2K, MCP+I, and iNet+.

Mike Chapple, CISSP, currently serves as chief information officer of the Brand Institute, a Miami-based marketing consultancy. He formerly served as an information security researcher with the National Security Agency developing cutting-edge network intrusion detection systems and as a computer security officer with the U.S. Air Force. Mike’s other books include the GSEC Prep Guide and the TICSA Training Guide. His academic credentials include an undergraduate degree in computer science from the University of Notre Dame and an M.S. in secure and trusted computing from the University of Idaho. He’s a frequent contributor to the SearchSecurity and About.com websites and is a technical editor for Information Security Magazine.
